# Lesson 13: Discovering Live Hosts on an Internal Network with ARP

## Introduction to ARP

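ARP (Address Resolution Protocol) is an essential network protocol that resolves a network-layer address to a data-link-layer address. Within the TCP/IP suite, it obtains a physical address from an IP address. When a host sends data, it broadcasts an ARP request containing the target IP address to all hosts on the network and receives the reply, which tells it the target's physical address.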
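Every tool in this lesson produces the same traffic on the wire: one sender broadcasting ARP requests for many different IP addresses in quick succession. The following added example (not part of the original lesson) parses ARP frames and flags that pattern; the 5-second window, the threshold of 20 addresses, the MAC addresses and the sample frames are all assumptions constructed for illustration.

```python
import struct
from collections import defaultdict

ETHERTYPE_ARP = 0x0806

def build_arp_request(src_mac, src_ip, target_ip):
    """Constructed Ethernet + ARP who-has frame, used only as sample input."""
    eth = b"\xff" * 6 + src_mac + struct.pack("!H", ETHERTYPE_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, oper=1 (request)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)
    return eth + arp + src_mac + src_ip + b"\x00" * 6 + target_ip

def parse_arp(frame):
    """Return (oper, sender_mac, sender_ip, target_ip), or None if not IPv4 ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return oper, frame[22:28], frame[28:32], frame[38:42]

def find_sweepers(events, window=5.0, threshold=20):
    """Flag sender MACs requesting >= threshold distinct IPs within window seconds."""
    recent = defaultdict(list)  # sender MAC -> [(timestamp, target IP)]
    flagged = {}
    for ts, frame in sorted(events, key=lambda e: e[0]):
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != 1:  # count ARP requests only
            continue
        _, mac, _, target = parsed
        seen = recent[mac]
        seen.append((ts, target))
        while ts - seen[0][0] > window:  # drop requests older than the window
            seen.pop(0)
        distinct = len({ip for _, ip in seen})
        if distinct >= threshold:
            key = ":".join(f"{b:02x}" for b in mac)
            flagged[key] = max(flagged.get(key, 0), distinct)
    return flagged

def sample_events():
    """Constructed capture: one host sweeping a /24, one host behaving normally."""
    scanner, normal = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    net = bytes([192, 168, 1])
    events = [(i * 0.01, build_arp_request(scanner, net + b"\x32", net + bytes([i])))
              for i in range(1, 255)]
    events += [(t, build_arp_request(normal, net + b"\x3c", net + b"\x01"))
               for t in (0.5, 30.0, 60.0)]
    return events

if __name__ == "__main__":
    print(find_sweepers(sample_events()))
```

The host that re-resolves its gateway a few times a minute stays under the threshold, while the sweeping sender is reported with the number of distinct addresses it asked for.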

## 1. nmap scan

```bash
root@John:~# nmap -sn -PR 192.168.1.1/24
```

![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwpvsug8Mc3xlzg21%2F5dfd9a546cd24575a6f3dcc700e27fdb.jpg?generation=1551060443363343\&alt=media)

## 2. msf scan

```bash
msf > use auxiliary/scanner/discovery/arp_sweep
msf auxiliary(arp_sweep) > show options

Module options (auxiliary/scanner/discovery/arp_sweep):

Name Current Setting Required Description
---- --------------- -------- -----------
INTERFACE no The name of the interface
RHOSTS yes The target address range or CIDR identifier
SHOST no Source IP Address
SMAC no Source MAC Address
THREADS 1 yes The number of concurrent threads
TIMEOUT 5 yes The number of seconds to wait for new data

msf auxiliary(arp_sweep) > set RHOSTS 192.168.1.0/24
RHOSTS => 192.168.1.0/24
msf auxiliary(arp_sweep) > set THREADS 10
```

![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwpvwxuz7gBvJ7Pcc%2F185d0b136875716cb9602245c9c83dc1.jpg?generation=1551060441479860\&alt=media)\
![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwpw0mxzOOLMkAi-I%2F61293e9ad861848052a95221f7da4b21.jpg?generation=1551060457391595\&alt=media)

## 3. netdiscover

```bash
root@John:~# netdiscover -r 192.168.1.0/24 -i wlan0
```

![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwpw38VRFRtrKp4Ni%2Fd521395b5907857c22c4e677dcfc0181.jpg?generation=1551060431936461\&alt=media)\
![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwpw5k-srlq-E0_ts%2Fe014ab5145b99e17c902cec765d171ce.jpg?generation=1551060446068687\&alt=media)

## 4. arp-scan (Linux)

(Recommended) Fast and convenient. Project page:\
<https://linux.die.net/man/1/arp-scan>\
arp-scan is not built into Kali; it has to be downloaded and installed.\
![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwpw8PQ1aWGhG0-OX%2F1f572b4553deb15c1d8c84a16ba53142.jpg?generation=1551060444013804\&alt=media)\
![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwpwAWLbkl1m_EoYi%2Fc3c2dffb726780a766b4ef3cd573ced0.jpg?generation=1551060440368729\&alt=media)

## 5. PowerShell

```bash
c:\tmp>powershell.exe -exec bypass -Command "Import-Module .\arpscan.ps1;Invoke-ARPScan -CIDR 192.168.1.0/24"
```

![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwpwCqaVvYv3gasWc%2F97ef86dfca58678be449d5b8e5ed6aaf.jpg?generation=1551060429574910\&alt=media)

## 6. arp scannet

Project page:\
[https://sourceforge.net/projects/arpscannet/files/arpscannet/arpscannet 0.4/](https://sourceforge.net/projects/arpscannet/files/arpscannet/arpscannet%200.4/)\
![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwpwEZCqv7S5q73Ye%2F727cc7e2717a361bf93d66bdb922b5d6.jpg?generation=1551060446811051\&alt=media)

## 7. arp-scan (Windows)

(Recommended) Fast and convenient.\
`arp-scan.exe -t 192.168.1.1/24`

Project page:\
<https://github.com/QbsuranAlang/arp-scan-windows-/tree/master/arp-scan> (unofficial)

![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwpwIClAfhVMArI2n%2F92ce763215c297168c4514992758d91b.jpg?generation=1551060425333947\&alt=media)

## 8. arp-ping.exe

`arp-ping.exe 192.168.1.100`\
![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwpwKoUDEVRHrsAyi%2F302ee6c2b41a771ab5df7c337de15d8e.jpg?generation=1551060447903109\&alt=media)

## 9. Others

Other options include Cain's ARP discovery and various open-source Python and Perl scripts; they are not covered one by one here.

## Appendix

Cloud-drive location of the non-built-in files mentioned above. **Check them for backdoors yourself.**\
Link: <https://pan.baidu.com/s/1boYuraJ>\
Password: 58wf

\--By Micropoor

