1
00:00:00,830 --> 00:00:07,460
Before talking about using ARP tables for passive scanning, let's talk a little bit about ARP protocol

2
00:00:07,460 --> 00:00:08,810
and mechanism first.

3
00:00:09,530 --> 00:00:17,480
So Address Resolution Protocol, ARP, is a network layer protocol used for mapping a network address such

4
00:00:17,480 --> 00:00:22,100
as an IPv4 address to a physical address such as a MAC address.

5
00:00:23,140 --> 00:00:30,760
To simulate how the ARP mechanism works, we have a small network in the slide, a switch on top and

6
00:00:30,760 --> 00:00:32,350
three computers connected to it.

7
00:00:32,920 --> 00:00:35,140
Computer A wants to talk to computer C.

8
00:00:36,730 --> 00:00:40,750
It puts an ARP request onto the wire, which happens to be broadcast.

9
00:00:41,620 --> 00:00:44,820
Essentially what it's saying is, who has computer C's

10
00:00:44,830 --> 00:00:45,910
MAC address?

11
00:00:47,130 --> 00:00:51,300
Of course, because it's a broadcast, every system on the network hears it.

12
00:00:52,270 --> 00:00:58,810
Does everybody respond? Well, what happens is that B hears that A is looking for the MAC address of

13
00:00:58,810 --> 00:00:59,710
computer C.

14
00:01:01,010 --> 00:01:06,710
B knows that it's not computer C and therefore does not respond to the broadcast.

15
00:01:07,810 --> 00:01:15,430
The broadcast, the ARP request, goes out to every system, but the only system that will reply is computer

16
00:01:15,430 --> 00:01:17,490
C, with an ARP reply.

17
00:01:18,490 --> 00:01:24,700
In other words, computer A says, who has the MAC address of computer C? And although all the workstations

18
00:01:24,700 --> 00:01:31,600
hear the question, only C replies and says, I've got the MAC address of computer C and this is what

19
00:01:31,600 --> 00:01:32,070
it is.

20
00:01:32,770 --> 00:01:36,400
So the ARP reply sends back the MAC address to computer A.

21
00:01:37,270 --> 00:01:41,180
And each of these machines start building an ARP table.

22
00:01:41,680 --> 00:01:43,120
So what is the ARP table?

23
00:01:44,220 --> 00:01:49,050
Since computers cannot send broadcast messages every time they need to connect with another network

24
00:01:49,050 --> 00:01:54,840
device, they store the IP addresses and the corresponding MAC addresses of systems they frequently

25
00:01:54,840 --> 00:01:58,130
communicate with in a table called ARP table.

26
00:01:58,500 --> 00:02:00,810
All the systems in the LAN maintain this table.

27
00:02:01,900 --> 00:02:07,390
The entries in the ARP cache table are generally short lived and are updated every 15 to 20 minutes.

28
00:02:08,080 --> 00:02:09,250
Now, let's get back to our topic.

29
00:02:09,520 --> 00:02:15,730
Can we say that one of the passive scan methods is just looking into the ARP table of a system which

30
00:02:15,730 --> 00:02:17,260
is in a network that we are scanning?

31
00:02:17,650 --> 00:02:18,790
Wow, sure we can.

32
00:02:19,570 --> 00:02:26,380
Inside an ARP table, we see the IP addresses of some of the systems of the network and their corresponding

33
00:02:26,380 --> 00:02:27,300
MAC addresses.

34
00:02:28,090 --> 00:02:34,800
Let's see the ARP tables in three different platforms: macOS, Windows and Debian Linux.

35
00:02:35,740 --> 00:02:37,600
We are in a macOS operating system.

36
00:02:37,600 --> 00:02:45,010
First, open the terminal. First type terminal in the search box of the applications window, which brings

37
00:02:45,010 --> 00:02:46,270
you the terminal application.

38
00:02:46,720 --> 00:02:51,940
Typing arp and hitting enter shows a small help for the arp command.

39
00:02:53,160 --> 00:03:00,690
If you want to see detailed help about the arp command, you can use the man command. Type man arp and

40
00:03:00,690 --> 00:03:02,640
hit enter, you'll get detailed help.

41
00:03:04,190 --> 00:03:11,780
The -a parameter is used to display all current ARP table entries, but hold on, it says -a is used to delete

42
00:03:11,810 --> 00:03:12,980
all entries as well.

43
00:03:13,220 --> 00:03:14,210
How can that be?

44
00:03:14,840 --> 00:03:19,540
Well, to delete an ARP table entry, you use the -d parameter.

45
00:03:20,300 --> 00:03:26,150
If you use this parameter with the -a parameter, you are able to delete all entries of ARP tables.

46
00:03:26,630 --> 00:03:31,610
The -i parameter is used to see the entries of a single interface. By default,

47
00:03:32,150 --> 00:03:36,110
the arp command tries to display the addresses symbolically.

48
00:03:37,310 --> 00:03:43,010
To see the IP addresses instead of display names of the systems, you have to use the -n parameter,

49
00:03:44,080 --> 00:03:46,480
which means do not resolve names.

50
00:03:47,620 --> 00:03:55,870
OK, press q to quit the man page of the command. Now type arp -an to see all the entries of

51
00:03:55,870 --> 00:03:56,560
the ARP table.

52
00:03:57,600 --> 00:04:04,170
Since macOS is a BSD-based operating system, the results of the command are displayed in BSD style.

53
00:04:05,220 --> 00:04:08,100
Second machine is a Microsoft Windows 8.

54
00:04:09,120 --> 00:04:14,550
Let's open a command prompt first. I have a shortcut on my status bar, so I click it to start a command

55
00:04:14,550 --> 00:04:14,970
prompt.

56
00:04:15,970 --> 00:04:22,690
Alternatively, press Windows + R buttons, open the dialog box, run command and hit enter.

57
00:04:23,870 --> 00:04:28,400
If you type arp in a Windows system, the help page of the arp command is displayed.

58
00:04:29,590 --> 00:04:37,420
Type arp -a to see the entries of the ARP table. In my opinion, this display is more, I don't

59
00:04:37,420 --> 00:04:40,510
know, human readable than BSD style.

60
00:04:41,430 --> 00:04:45,570
Now, although we're not interested in these at the moment, I would like to talk a little about the

61
00:04:45,570 --> 00:04:50,040
IP addresses that start with 224 to calm your curiosity.

62
00:04:51,240 --> 00:05:00,900
224.0.0.22 is the multicast address for Internet Group Management Protocol.

63
00:05:01,170 --> 00:05:10,020
224.0.0.252 is used by recent versions of Windows for Link-Local Multicast Name Resolution, LLMNR,

64
00:05:10,050 --> 00:05:12,940
searching for local network computers.

65
00:05:13,830 --> 00:05:18,660
The third machine is our Kali, which is a Debian-based Linux operating system.

66
00:05:19,480 --> 00:05:28,080
Open the terminal window. If you type arp and hit enter, the ARP table entries are displayed in a human

67
00:05:28,080 --> 00:05:29,160
readable format.

68
00:05:29,850 --> 00:05:38,760
As you see, systems are listed with a known domain name such as w w w oos BW Dotcom by default.

69
00:05:39,630 --> 00:05:48,780
arp -h brings you a small help page. If you want a detailed help page, type man, space, arp.

70
00:05:51,300 --> 00:05:58,440
In a Debian-based Linux system, the -a parameter of the arp command is used to see the entries in BSD

71
00:05:58,440 --> 00:06:04,680
format, which we saw in macOS. -i is again to see the entries of a single interface.

72
00:06:05,340 --> 00:06:15,090
OK, press q to quit the man page. arp -a displays ARP table entries in BSD format, and use the -n

73
00:06:15,090 --> 00:06:19,290
parameter to see the IP addresses instead of domain names of the systems.

