arp-fingerprint - Fingerprint a system using ARP
arp-fingerprint [
options]
target
The target should be specified as a single IP address or hostname. You cannot
specify multiple targets, IP networks or ranges.
If you use an IP address for the target, you can use the
-o option to
pass the
--numeric option to
arp-scan, which will prevent it
from attempting DNS lookups. This can speed up the fingerprinting process,
especially on systems with a slow or faulty DNS configuration.
arp-fingerprint fingerprints the specified target host using the ARP
protocol.
It sends various different types of ARP request to the target, and records which
types it responds to. From this, it constructs a fingerprint string consisting
of "1" where the target responded and "0" where it did
not. An example of a fingerprint string is
01000100000. This
fingerprint string is then used to lookup the likely target operating system.
Many of the fingerprint strings are shared by several operating systems, so
there is not always a one-to-one mapping between fingerprint strings and
operating systems. Also the fact that a system's fingerprint matches a certain
operating system (or list of operating systems) does not necessarily mean that
the system being fingerprinted is that operating system, although it is quite
likely. This is because the list of operating systems is not exhaustive; it is
just what I have discovered to date, and there are bound to be operating
systems that are not listed.
The ARP fingerprint of a system is generally a function of that system's kernel
(although it is possible for the ARP function to be implemented in user space,
it almost never is).
Sometimes, an operating system can give different fingerprints depending on the
configuration. An example is Linux, which will respond to a non-local source
IP address if that IP is routed through the interface being tested. This is
both good and bad: on one hand it makes the fingerprinting task more complex;
but on the other, it can allow some aspects of the system configuration to be
determined.
Sometimes the fact that two different operating systems share a common ARP
fingerprint string points to a re-use of networking code. One example of this
is Windows NT and FreeBSD.
arp-fingerprint uses
arp-scan to send the ARP requests and receive
the replies.
There are other methods that can be used to fingerprint a system using
arp-scan which can be used in addition to
arp-fingerprint. These
additional methods are not included in
arp-fingerprint either because
they are likely to cause disruption to the target system, or because they
require knowledge of the target's configuration that may not always be
available.
Most of the ARP requests that
arp-fingerprint sends are non-standard, so
it could disrupt systems that don't have a robust TCP/IP stack.
- -h
- Display a brief usage message and exit.
- -v
- Display verbose progress messages.
- -o <option-string>
- Pass specified options to arp-scan. You need to enclose the
options string in quotes if it contains spaces. e.g. -o "-I
eth1". The commonly used options are --interface (-I) and --numeric
(-N).
- -l
- Fingerprint all hosts on the local network. You do not need
to specify any target hosts if this option is given.
$ arp-fingerprint 192.168.0.1
192.168.0.1 01000100000 Linux 2.2, 2.4, 2.6
$ arp-fingerprint -o "-N -I eth1" 192.168.0.202
192.168.0.202 11110100000 FreeBSD 5.3, Win98, WinME, NT4, 2000, XP, 2003
arp-fingerprint is implemented in Perl, so you need to have the Perl
interpreter installed on your system to use it.
-
arp-scan(1)
http://www.royhills.co.uk/wiki/ The arp-scan wiki page.