Description
Identify IP and MAC addresses found in the ARP tables for each network interface.
Overview
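This script pulls Address Resolution Protocol (ARP) entries from the ARP tables maintained for each network interface that is in the “Up” state and is not a loopback interface. Multicast and static ARP entries are also not included, as these are typically not useful or are broadcast addresses. Because the script only reads the existing ARP tables, the output lists the neighbors the host has already resolved rather than every device on the network.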
Dependencies
- recon
Operating Systems
- Windows
Example Text Output
EntryType IP MAC Network
--------- -- --- -------
Dynamic 192.168.1.1 00-0C-29-3C-B5-CD 192.168.1.0/24
Dynamic 192.168.1.2 00-0C-29-24-31-7C 192.168.1.0/24
Dynamic 192.168.1.100 00-0C-29-47-AD-FD 192.168.1.0/24
Dynamic 10.0.0.1 B0-B9-8A-61-B0-E8 10.0.0.0/24
Dynamic 10.0.0.3 E6-85-ED-D7-DF-0C 10.0.0.0/24
Dynamic 10.0.0.5 A0-40-A0-6F-89-92 10.0.0.0/24
Dynamic 10.0.0.7 98-28-A6-BD-AF-9E 10.0.0.0/24
Dynamic 10.0.0.8 C8-3A-6B-1C-73-28 10.0.0.0/24
Example JSON Output
[
{
"EntryType": "Dynamic",
"IP": "192.168.1.1",
"MAC": "00-0C-29-3C-B5-CD",
"Network": "192.168.1.0/24",
"Session": {
"MachineId": "dfec7175a6a62757d83b93794df767d5acfadb82",
"SessionId": "afbfc3c172a94df28fa498baa70dce77",
"FQDN": "DESKTOP-LMCH70V",
"IP": "::1",
"OS": "Windows 10.0.19044",
"Username": "DESKTOP-LMCH70V\\helpdesk",
"PID": 1840,
"Path": "C:\\Users\\helpdesk\\Desktop\\Workspace\\repos\\SpecterInsight\\src\\release\\implants\\1fe0b18153764e549b04928e79fc288f\\x64\\WinNativeExe.exe"
},
"@timestamp": "2023-08-02T12:53:19.2322849Z",
"Specter": {
"TaskId": "bce787c6de084d7ca91297617a624e62",
"Command": "load recon;\r\n\r\n$interfaces = interfaces;\r\n\r\n$multicast = [common.Networking.IPNetwork]::Parse('224.0.0.0/4');\r\n\r\nforeach($interface in $interfaces) {\r\n\t#Network must be Up to scan\r\n\tif($interface.Status -ne 'Up') {\r\n\t\tcontinue;\r\n\t}\r\n\t\r\n\tif($interface.InterfaceType -eq 'Loopback') {\r\n\t\tcontinue;\r\n\t}\r\n\t\r\n\t$networks = New-Object System.Collections.ArrayList\r\n\tforeach($entry in $interface.InterfaceIPs) {\r\n\t\t$address = [System.Net.IPAddress]::Parse($entry.IP);\r\n\t\tif($address.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetworkV6 -or [common.Networking.IPNetwork]::Contains($multicast, $address) -or $address -eq [System.Net.IPAddress]::Broadcast) {\r\n\t\t\tcontinue;\r\n\t\t}\r\n\t\t\r\n\t\t$network = $null;\r\n\t\tif(![common.Networking.IPNetwork]::TryParse($entry.IP, $entry.Netmask, [ref]$network)) {\r\n\t\t\tcontinue;\r\n\t\t}\r\n\t\t\r\n\t\t[void]$networks.Add($network);\r\n\t}\r\n\t\r\n\tforeach($entry in $interface.Entries) {\r\n\t\t$address = [System.Net.IPAddress]::Parse($entry.Address);\r\n\t\tif([common.Networking.IPNetwork]::Contains($multicast, $address) -or $address -eq [System.Net.IPAddress]::Broadcast -or $entry.EntryType -eq 'Static') {\r\n\t\t\tcontinue;\r\n\t\t}\r\n\t\t\r\n\t\tforeach($network in $networks) {\r\n\t\t\tif($network.Contains($address)) {\r\n\t\t\t\t$entry | Add-Member -MemberType NoteProperty -Name \"Network\" -Value ($network.ToString());\r\n\t\t\t\tbreak;\r\n\t\t\t}\r\n\t\t}\r\n\t\t\r\n\t\t$entry = New-Object PSObject -Property @{\r\n\t\t\tIP = $entry.Address;\r\n\t\t\tMAC = $entry.PhysicalAddress;\r\n\t\t\tNetwork = $entry.Network;\r\n\t\t\tEntryType = $entry.EntryType;\r\n\t\t}\r\n\t\t\r\n\t\t$entry;\r\n\t}\r\n}",
"Type": "Task",
"Category": "",
"Subcategory": ""
}
}
]