How to determine if IP addresses in the network are stolen by arp Spoofing

Q: I am a network administrator of a small company. Recently, IP address conflicts have always occurred. In addition, due to frequent use of laptops to connect to the company's network, in addition, the company's IP address is a fixed IP address set manually for some reason, and the company does not have any record information on the IP address distribution. Therefore, when a new computer wants to connect to the network, you just need to set one, the selected IP addresses are also those distributed at the end of the network or a relatively large number, but over time, too many IP addresses are randomly set. It is easy to set IP addresses when new computers connect to the network. Is there a good way for IT168 experts to solve my current problems and help me scan all the IP addresses in the network before setting the IP address to determine which IP address is occupied, which is not in use. Of course, if I know how to scan the IP addresses that are already occupied in the network, I can print the scanned IP addresses for storage. In the future, new computers will not use these addresses to access the network.
A: IP address conflicts in the network are very troublesome. On the one hand, they disrupt the network management of our network administrator, and on the other hand, they affect the normal internet access of normal users. Especially for some small and medium-sized enterprises, IP addresses are often associated with the access permissions of network resources. Once the IP address is occupied by illegal users, the network resources can be illegally used. In this case, how can we find out which IP address is occupied?

As mentioned above, when the company uses manual IP Address Setting and does not effectively manage IP addresses, it is easy to set addresses at will and often conflict with each other. In this case, we also need to learn to scan the entire network and record the IP addresses already connected to the network to prevent address conflicts. We mainly have the following methods to help you scan IP addresses used in the network.

Method 1: original ping method

The first method is relatively simple and subject to environmental restrictions. As we all know, ICMP packets are allowed to pass through on computers that do not have a firewall installed or set filter rules, we can run the "ping IP Address" command to check whether the IP address is used by computers.

Enter CMD and press enter to enter the command line mode. If the company's network is 192.168.1.0/255.255.255.0, We can ping 192.168.1.1, ping 192.168.1.2 ...... ping 192.168.1.254 to test whether the IP address is occupied.

Because the original ping method is relatively simple, it is not described in detail here, but if a firewall is installed on the computer to filter the ICMP protocol, or you can filter the icmp acl Access Control List on the company switch and vro. Therefore, this method is quite limited. Generally, the test success rate is not high. It is easy to think that the IP address corresponding to the computer installed with the firewall is not used.

Method 2: scanner Scanning

In the past, when I was working on network security, I often used scanners to scan vulnerabilities on various hosts in the network. Now we can use this method to check which IP addresses are occupied by this network. Because the scanner does not only use ICMP protocol for ping, we can set up to allow the scanner to scan several more ports and several more services. In this way, even if the computer is installed with a firewall or the switch has an access control list to filter the ICMP protocol, as long as the computer opens some ports or services, there will be no leakage.

The IP address list scanned by the scanner can also be exported as an HTML or TXT file, so that we can save and collect statistics.

Of course there are a lot of scanner tools, here we recommend that you use security focus out of the X-SCAN and LANHELPER, interested readers can download and use it on their own.

The scanner scanning method can be used to check the IP addresses used by almost all computers in the network. However, for computers with extremely few complex firewall rules and most common ports and services, there will still be more or less false reports or error reports. In addition, we need to download specialized tools for scanner scanning, which makes the operation inconvenient.

Method 3: sniffer Monitoring Method

As a network administrator, we should all use sniffer, so we only need to enable sniffer in the network to monitor the packets transmitted over the network. After a while, we will find out which IP addresses have packets sent, in this way, you can confirm that the IP address is occupied.

However, the sniffer method cannot save the occupied IP address as a file and output, and it gives people the feeling that sniffer is not used to scan IP addresses.

Method 4: ARP cache Method

In fact, the author also found a way to solve the problem raised by netizens. His principle is to view the problem through ARP cache, without using any third-party tools, use the ARP-A that comes with the system.

The ARP cache method is based on the ping method described earlier. For computers that have installed a firewall or configured a filter rule to directly ping this IP address, no information is returned, however, we must note that although the IP address is not occupied from the ping return information, it can be seen from the ARP cache. Firewall and Other filtering settings Do Not Allow ICMP to return data packets to the source address, but because ARP works on Layer 2, therefore, ARP has obtained the MAC address of the online host on the network by checking the MAC address before the ICMP protocol packet is filtered.

As long as the computer on the network wants to access the Internet, it will certainly tell the MAC address of its network card to the switch connected to it, next, the switch further sends the MAC address information it knows to the host using the ping command. In this way, we can know whether the computer corresponding to the IP address is online by obtaining the MAC address on the ping host.

Enter CMD and press enter to enter the command line mode. If the company's network is 192.168.1.0/255.255.255.0, We can ping 192.168.1.1, ping 192.168.1.2 ...... ping 192.168.1.254 to test whether the IP address is occupied. Of course, no matter whether the ping is successful or not, run the arp-a command to display the ARP cache table after all the ping operations. The IP address displayed in the cache table is the occupied address.

The Network Administrator familiar with batch processing commands can also edit a BAT command to complete a series of ping operations. The content of the BAT file is as follows:

FOR/L % I IN (0,1, 255) Do ping X. % I-n 1

Arp-a> IP.txt

This batch of processing files will be listed in the Active IP address and stored in the ip.txt file with their macaddress. Of course, the X. % I in the statement can be modified. For example, if the company network is 192.168.1.0/255.255.255.0, change it

FOR/L % I IN (255,) Do ping 192.168.1.% I-n 1

Arp-a> IP.txt

Finally, let's summarize the principles of this method-we send an icmp packet to all IP addresses in the CIDR block. Maybe it shields the ICMP packet, but it doesn't matter, as long as he uses this IP address, he will certainly respond to a packet of his mac address, so that he can use arp-a to view the local arp cache to see his IP address and MAC address.

TIPS:

We can also use the nbtstat-a ip command to replace the arp-a command.

Maybe someone will ask the computer to prohibit ARP packets from passing through? In fact, the computer can prohibit ICMP packets, but it is impossible to prohibit arp packets. If arp is disabled, the switch will not be able to find the computer and the computer will not be able to connect to the network, access any resources on the network. Therefore, the ARP cache method allows us to see the essence of the phenomenon. Even if ping cannot return any useful information, it actually helps us find the MAC address corresponding to the online host, I learned more about his IP address.

Summary:

This article introduces four methods to view IP addresses that are already used in the network. Of course, there are various methods with different features. Some use third-party tools, but the address list is clearer, some do not use software to only use the built-in commands of the system, but are limited by the network environment. Some do not have any tools, but it is difficult to compile batch files. Of course, which method should be used to solve the actual problem requires our network administrators to compare and choose their own solutions. We recommend that you use the ARP cache method, which is the fourth method.