1
00:00:00,930 --> 00:00:06,689
Before we talk about using ARP tables for passive scanning, let's talk a little bit about the ARP

2
00:00:06,810 --> 00:00:08,850
protocol and mechanism first.

3
00:00:09,640 --> 00:00:12,300
So, Address Resolution Protocol.

4
00:00:12,720 --> 00:00:20,490
ARP is a network layer protocol used for mapping a network address such as an IPv4 address to a physical

5
00:00:20,490 --> 00:00:22,110
address such as a MAC address.

6
00:00:23,050 --> 00:00:30,700
To simulate how the ARP mechanism works, we have a small network in the slide, a switch on top and

7
00:00:30,850 --> 00:00:32,320
three computers connected to it.

8
00:00:33,010 --> 00:00:35,170
Computer A wants to talk to computer C.

9
00:00:36,880 --> 00:00:40,750
It puts an ARP request onto the wire, which happens to be broadcast.

10
00:00:41,710 --> 00:00:45,940
Essentially what it's saying is who has computer C's MAC address?

11
00:00:47,140 --> 00:00:51,270
Of course, because it's a broadcast, every system on the network hears it.

12
00:00:52,330 --> 00:00:53,470
Does everybody respond?

13
00:00:54,280 --> 00:00:59,740
Well, what happens is that B hears that A is looking for the MAC address of computer C.

14
00:01:01,100 --> 00:01:06,710
B knows that it's not computer C and therefore does not respond to the broadcast.

15
00:01:07,910 --> 00:01:15,420
The broadcast, the ARP request, goes out to every system, but the only system that will reply is computer

16
00:01:15,420 --> 00:01:17,480
C, with an ARP reply.

17
00:01:18,600 --> 00:01:23,150
In other words, computer A says who has the MAC address of computer C?

18
00:01:23,310 --> 00:01:29,340
And although all the workstations hear the question, only C replies and says, I've got the MAC address

19
00:01:29,340 --> 00:01:32,130
of computer C and this is what it is.

20
00:01:32,880 --> 00:01:36,330
So the ARP reply sends back the MAC address to computer A.

21
00:01:37,410 --> 00:01:41,220
And each of these machines starts building an ARP table.

22
00:01:41,760 --> 00:01:43,140
So what is the ARP table?

23
00:01:44,330 --> 00:01:49,070
Since computers cannot send broadcast messages every time they need to connect with another network

24
00:01:49,070 --> 00:01:54,860
device, they store the IP addresses and the corresponding MAC addresses of systems they frequently

25
00:01:54,860 --> 00:01:58,130
communicate with in a table called the ARP table.

26
00:01:58,610 --> 00:02:00,820
All the systems in the LAN maintain this table.

27
00:02:01,960 --> 00:02:07,420
The entries in the ARP cache table are generally short lived and are updated every 15 to 20 minutes.

28
00:02:08,210 --> 00:02:09,250
Well, let's get back to our topic.

29
00:02:09,580 --> 00:02:15,730
Can we say that one of the passive scan methods is just looking into the ARP table of a system which

30
00:02:15,730 --> 00:02:17,260
is in the network that we are scanning?

31
00:02:17,740 --> 00:02:20,890
Well, yes, we can. Inside an ARP table,

32
00:02:21,460 --> 00:02:27,340
we see the IP addresses of some of the systems of the network and their corresponding MAC addresses.

33
00:02:28,180 --> 00:02:30,940
Let's see the ARP tables in three different platforms.

34
00:02:31,600 --> 00:02:34,840
Mac OS, Windows and Debian Linux.

35
00:02:35,850 --> 00:02:42,600
We are on a Mac OS operating system. First open the terminal. First type terminal in the search box of

36
00:02:42,600 --> 00:02:43,920
the applications window.

37
00:02:44,550 --> 00:02:51,960
Which brings you the terminal application. Typing arp and hitting enter shows a small help for the arp command.

38
00:02:53,300 --> 00:03:00,440
If you want to see detailed help about the arp command, you can use the man command. Type man arp

39
00:03:00,560 --> 00:03:01,190
and hit enter.

40
00:03:01,550 --> 00:03:02,620
You'll get detailed help.

41
00:03:04,260 --> 00:03:08,400
The -a parameter is used to display all current ARP table entries.

42
00:03:08,880 --> 00:03:09,360
But hold on.

43
00:03:09,690 --> 00:03:13,020
It says -a is used to delete all entries as well.

44
00:03:13,300 --> 00:03:14,220
How can that be?

45
00:03:14,940 --> 00:03:19,530
Well, to delete an ARP table entry, you use the -d parameter.

46
00:03:20,200 --> 00:03:27,460
If you use this parameter with the -a parameter, you are able to delete all entries of the ARP table. The -i parameter

47
00:03:27,460 --> 00:03:31,590
is used to see the entries of a single interface. By default,

48
00:03:32,280 --> 00:03:36,120
the arp command tries to display addresses symbolically.

49
00:03:37,230 --> 00:03:43,010
To see the IP addresses instead of display names of the systems, you have to use the -n parameter.

50
00:03:44,160 --> 00:03:46,500
Which means do not resolve names.

51
00:03:47,760 --> 00:03:50,630
OK, press q to quit the man page of the arp command.

52
00:03:51,240 --> 00:03:56,580
Now type arp -an to see all the entries of the ARP table.

53
00:03:57,690 --> 00:04:04,200
Since Mac OS is a BSD based operating system, the results of the arp command are displayed in BSD style.

54
00:04:05,330 --> 00:04:08,180
The second machine is a Microsoft Windows 8.

55
00:04:09,210 --> 00:04:10,980
Let's open a command prompt first.

56
00:04:11,450 --> 00:04:14,910
I've a shortcut on my status bar, so I click it to start a command prompt.

57
00:04:16,079 --> 00:04:20,610
Alternatively, press the Windows plus R buttons, open the dialog box.

58
00:04:20,880 --> 00:04:22,680
Run command and hit enter.

59
00:04:24,000 --> 00:04:28,410
If you type arp in a Windows system, the help page of the arp command is displayed.

60
00:04:29,640 --> 00:04:38,250
Type arp -a to see the entries of the ARP table. In my opinion, this display is more human

61
00:04:38,250 --> 00:04:40,500
readable than BSD style.

62
00:04:41,550 --> 00:04:45,600
Now, although we're not interested in these at the moment, I would like to talk a little about the

63
00:04:45,600 --> 00:04:50,070
IP addresses that start with 224 to calm your curiosity.

64
00:04:51,310 --> 00:04:59,290
224.0.0.22 is the multicast address for Internet Group Management Protocol.

65
00:04:59,290 --> 00:05:06,980
224.0.0.252 is used by recent versions of Windows for Link-Local Multicast

66
00:05:07,000 --> 00:05:09,040
Name Resolution,

67
00:05:09,040 --> 00:05:12,970
LLMNR, searching for local network computers.

68
00:05:13,930 --> 00:05:18,670
The third machine is our Kali, which is a Debian based Linux operating system.

69
00:05:19,570 --> 00:05:20,620
Open a terminal window.

70
00:05:21,490 --> 00:05:30,190
If you type arp and hit enter, the ARP table entries are displayed in a human readable format. As you

71
00:05:30,190 --> 00:05:30,460
see,

72
00:05:30,790 --> 00:05:38,770
systems are listed with a known domain name such as www.owaspbwa.com by default.

73
00:05:39,760 --> 00:05:43,240
arp -h brings you a small help page.

74
00:05:44,050 --> 00:05:48,760
If you want a detailed help page, type man, space, arp.

75
00:05:51,440 --> 00:05:58,460
In a Debian based Linux system, the -a parameter of the arp command is used to see the entries in BSD

76
00:05:58,460 --> 00:06:01,360
format, which we saw in Mac OS.

77
00:06:01,450 --> 00:06:04,670
-i is again to see the entries of a single interface.

78
00:06:05,450 --> 00:06:15,710
OK, press q to quit the man page. arp -a displays ARP table entries in BSD format, and use the -n parameter

79
00:06:15,980 --> 00:06:19,310
to see the IP addresses instead of domain names of the systems.