In this short blog I want to show you a simple way find an available IP address on a LAN. Most of this is taken from the Pentestmonkey blog in the reference section.
If you are connected to a LAN that doesn't have DHCP enabled you will need to manually assign one. But how can you be sure that the IP isn't actually in use? Running Angry IP or some other ping scanning tool won't list devices that have firewalls that block ping. The last thing you want to do is pick an IP address that conflicts with a critical piece of equipment.
The first step is to figure out what the LAN IP address scheme is if you don't know that. Fire up Wirehark and set the display filter to "arp". In a few minutes you should see an arp request from a device on the network. The IP address can be found in the info column. You won't know the mask start with a /24. The arp-scan user guide has a section on determining the mask - Determining the interface netmask.
If you found this site on my Github page you should already have the python script I wrote. The script makes it easy to create the arp-scan commands. If you need to download the script click the GitHub link above. Save the arpscan.py file to a folder.
Once you run the script use the commands to find devices that didn't respond to ping. In the example below I have a Windows 10 VM with the firewall on and set to block all incoming packets. The IP address of the VM is 192.168.10.164. A ping fails and would make you think that 192.168.10.164 is available!
ping 192.168.10.164
PING 192.168.10.164 (192.168.10.164) 56(84) bytes of data.
^C
--- 192.168.10.164 ping statistics ---
116 packets transmitted, 0 received, 100% packet loss, time 115220ms
Now run arp-scan. In this case both 0.0.0.0 and 1.0.0.1 returned all the mac addresses on the network.
You can clearly see that 192.168.10.164 is in use and you can't assign it to your laptop.
sudo arp-scan -I eth0 --arpspa=1.0.0.1 192.168.10.0/24
Interface: eth0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.8.1 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
192.168.10.13 64:52:99:69:fd:30 (Unknown)
192.168.10.20 c0:3f:d5:68:3c:cc (Unknown)
192.168.10.151 08:66:98:45:3f:86 (Unknown)
192.168.10.152 30:52:cb:20:3d:c1 (Unknown)
192.168.10.155 98:f1:70:7e:3f:6c (Unknown)
192.168.10.156 70:81:eb:55:23:a8 (Unknown)
192.168.10.157 84:b8:02:01:33:58 (Unknown)
192.168.10.158 04:db:56:ed:3d:58 (Unknown)
192.168.10.159 00:0c:29:99:43:b2 VMware, Inc.
192.168.10.161 00:0c:29:33:73:00 VMware, Inc.
192.168.10.164 00:0c:29:40:39:97 VMware, Inc.
192.168.10.165 00:1e:06:30:43:65 WIBRAIN
192.168.10.166 34:64:a9:03:33:f1 (Unknown)
192.168.10.167 b8:78:2e:08:23:05 (Unknown)
192.168.10.169 24:77:03:8f:f3:24 Intel Corporate
192.168.10.175 b8:8d:12:08:63:aa (Unknown)
192.168.10.221 00:0c:29:4c:a3:4e VMware, Inc.
192.168.10.239 10:1f:74:63:31:f8 (Unknown)
192.168.10.250 50:06:04:cb:83:40 (Unknown)
19 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.8.1: 256 hosts scanned in 1.818 seconds (140.81 hosts/sec). 19 responded
127.0.0.1 returned three mac addresses.
sudo arp-scan -I eth0 --arpspa=127.0.0.1 192.168.10.0/24
[sudo] password for mhubbard:
Interface: eth0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.8.1 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
192.168.10.13 64:52:99:69:fd:20 (Unknown)
192.168.10.20 c0:3f:d5:68:0c:cc (Unknown)
192.168.10.167 b8:78:2e:08:28:05 (Unknown)
3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.8.1: 256 hosts scanned in 1.680 seconds (152.38 hosts/sec). 3 responded