1/6/2025 My Cybersecurity

Project Series
Network Scanner

Syed Shuaib Warisi

 Connect With Me

The Why
A network scanner is a valuable project because it provides hands-on experience with
network security, monitoring, and management. One of the key reasons I planned to build or
use a network scanner is that it allows you to see who is connected to your network. This is
crucial for both security and performance reasons.
By scanning your network, you can:
• Detect unauthorized devices – If unknown devices are connected, it could indicate a
security breach or unauthorized access.
• Enhance cybersecurity – Understanding the devices on your network can help prevent
potential threats and improve security policies.
• Learn networking fundamentals – A network scanner project provides practical
experience with network protocols, IP addressing, and cybersecurity tools.
Whether for personal use, business security, or cybersecurity research, a network scanner is a
powerful tool that gives you greater visibility and control over your network.
 Connect With Me

1. Project Title – Building A Network Scanner

2. Description - This project focuses on building and utilizing a network scanner to

identify devices on a network, detect potential security vulnerabilities, and improve
network monitoring. The scanner will provide insights into network activity and
security posture by detecting connected devices, open ports, and running services.
3. Date
- Start date and completion date of the project.
Started – January 9th, 2024
Ended - January 22rd, 2024
4. Author(s)
- Names and contact information of the individuals involved.
Cyber Security Project by Online Resource
Projects completed solely by Syed Shuaib Warisi
5. Project Overview

A network scanner is a security tool used to analyze a network, identify active hosts,
detect open ports, and gather information about connected devices. It plays a crucial
role in cybersecurity by helping administrators detect unauthorized devices,
troubleshoot network issues, and secure network infrastructure.

6. Real-Life Uses

Detect unauthorized devices – Identify unknown or rogue devices connected to the

network.
Improve cybersecurity – Gain insights into network vulnerabilities and improve security
measures.
Monitor network activity – Track IP addresses, open ports, and running services on
networked devices.
 Connect With Me

7. Tools and Technologies

Components of a Cybersecurity Home Lab:
1. Hardware:
o A dedicated computer or server
o Networking equipment like routers, switches, and firewalls
o External storage for backups and logs
2. Software & Tools:
o Virtualization Platforms: Oracle VirtualBox
o Operating Systems: Kali Linux, Ubuntu, Metasploit, Windows 10
o Cybersecurity Tools: Metasploit (exploitation), ARP scanning
3. Networking Setup:
o Virtualized test network to simulate scanning real-world networks

o Firewalls and IDS/IPS (Intrusion Detection/Prevention Systems) for security

testing
8. Conclusion
- Summary of the project and its outcomes.
Great Success! We were able to find and identify the devices connected to the
network using the ARP scanner tool. This powerful utility allowed us to map out all
active IP addresses and their corresponding MAC addresses, giving us a clear
overview of the network’s infrastructure.
9. Appendices
- Additional materials, such as diagrams, code snippets, or supporting documents.
Connect With Me
 Connect With Me

That is all.
10. Version Control
- A change log for tracking updates to the project documentation.
V.01 – Downloading Metasploit, Windows 10
V.02 – Understanding and documenting ARP Spoofing
V.03 – Testing Initial ARP Spoofing Code
V.04 – Containing the Scapy python module.
V.05 – Final Version, Project Complete
 Connect With Me

Writing a Network Scanner

• To start off we already have Kali Linux, Ubuntu. I have installed Metasploit and I am
currently downloading windows virtual machine.
• Installing windows took a while, the windows virtual machine was about 7gb
download.

• Installing Windows Virtual Machine

 Connect With Me

And Finally we have installed and running Windows Virtual Machine.

ARP Spoofing
ARP spoofing is a cyberattack where an attacker sends fake Address Resolution Protocol
(ARP) messages on a local network to associate their MAC address with the IP address of
another device, such as a gateway or server. This allows the attacker to intercept, modify, or
steal data meant for that device.
 Connect With Me

So if we go back to kali-linux, and type in (arp -a). As shown, it is linking to the router IP
address. Anytime it needs to send any request to the internet, it will direct that request to the
MAC address.

In this diagram, we have a typical network topology where all devices connected to the
network communicate through the router. When a device initiates a request, it sends the data
to the router, which then forwards the request to the internet. The router waits for a response
and subsequently routes the data back to the requesting device.
 Connect With Me

Now, if a hacker, victim, or any other machine on the network needs to send a request, it
would normally be directed to the router. However, we can exploit the Address Resolution
Protocol (ARP) to manipulate this process and position ourselves as an intermediary between
the victim and the router.

The attack involves sending falsified ARP responses—one to the gateway (router) and
another to the victim. First, we inform the router that our machine’s MAC address is
associated with the victim’s IP address. This causes the router to update its ARP table,
associating our MAC address with the victim’s IP. Simultaneously, we send another ARP
response to the victim, claiming that our MAC address belongs to the router's IP. As a result,
both the router and the victim unknowingly associate our MAC address with each other’s IP
addresses.

This leads to a classic Man-in-the-Middle (MITM) attack scenario, where:

1. The victim believes our machine is the router and directs all its traffic to us.

2. The router believes our machine is the victim and routes all its traffic through us.

Since all communication between the victim and the router now passes through our system,
we gain full control over the traffic, allowing us to inspect, modify, or redirect data as needed.

The core vulnerability being exploited here is that ARP lacks authentication and security
mechanisms. Devices on a network accept ARP responses even if they never sent an ARP
request. This weakness enables ARP spoofing, making it possible to hijack network traffic
and perform a variety of attacks, such as sniffing sensitive information, injecting malicious
content, or conducting session hijacking.

By executing this attack, we establish ourselves as the man in the middle and gain significant
control over the victim’s network activity.

The IP and the MAC address are the two weaknesses that we can leverage to allow us to
perform the ARP Spoofing.
 Connect With Me

For this project, we will be using Scapy, a powerful Python module for network packet
manipulation. The module is well-documented and provides a wide range of functions for
network analysis and security testing.

Importing Scapy

To use Scapy, we first need to import it. In Python, we typically import modules using the
import statement. Since Scapy provides multiple submodules and functions, we import the
entire library using:

import scapy.all *

This allows us to access all available functions within Scapy. Alternatively, you could import
Scapy with:

import scapy.all as scapy

By doing this, you can reference Scapy functions with scapy.<function_name>, rather than
using scapy.all.<function_name>. This improves code readability and makes function calls
more concise.
 Connect With Me

Creating a Network Scanning Function

Now, we will define a function called scan() that will perform an ARP scan to identify
devices on the local network. This function will take an IP range as a parameter and use
Scapy’s built-in ARP scanning method:

def scan(ip):
scapy.arping(ip)

Here’s how it works:

The function takes an IP address or subnet as input.

It utilizes Scapy’s arping() function, which sends ARP requests to the specified IP range and
listens for responses.

The function prints out a list of active devices on the network, displaying their IP and MAC
addresses.

This method provides a simple yet effective way to discover active clients on the same
network by leveraging the ARP protocol.

We will then give the IP address to scan.

 Connect With Me

So I have taken the code, make a .py file in Kali Linux and run the code. As you can see, We
have received one packet as expected.

This is the basic network scanner built with scapy to detect active devices in a given subnet.
The script successfully identifies multiple devices, including a router (Tp-Link at
192.168.1.1) and other connected machines.
The output confirms the script sends ARP packets and receives responses, indicating
successful network discovery.

To summarise, we imported the Scapy module and utilized the arping() function to perform
an ARP scan on a specified IP address or range. The function automatically handles the
process by broadcasting ARP requests, receiving responses, parsing the results, and
displaying them on the screen. While our direct involvement in packet crafting and parsing is
minimal, Scapy simplifies the process, allowing us to efficiently gather network information.
 Connect With Me

So far, the script we built is quite powerful. It can list all the clients on the same network,
displaying their IP addresses and associated MAC addresses. This is achieved using Scapy’s
arping() function, which simplifies the process.

We’ve learned that arping() works by sending ARP requests to identify devices on the
network. It does this by broadcasting requests for each possible IP address within a subnet
(e.g., from .0 to .254). These requests are sent to the broadcast MAC address, ensuring all
devices on the network receive them. However, devices will typically ignore ARP requests
unless they are specifically asking for their own IP address. When a device recognizes its IP
in the request, it responds with its MAC address, allowing us to map IPs to MAC addresses.

By collecting these responses, we generate a complete list of active clients on the network,
associating each IP address with its corresponding MAC address. While arping() automates
this process for us, I want to manually implement a similar function to better understand
networking concepts and Python programming.

The first step is to create an ARP request directed to the broadcast Mac address, asking for
the Mac address of a specific IP. This ensures all devices and networks either request within
single packet and wait for response.
The first key problem we need to solve in our algorithm is handling packets. the packets we
create must include several central features firstly we need to generate a ARP request asking
which device has a specific IP this request was redirected to the broadcast Mac address so all
the clients on the network receive it.
 Connect With Me

So, running the new command will print all the fields that an ARP packet in Scapy has, along
with their default values. The output will look something like the figure above.

As portrayed, when analysing the packet structure, we can see a list of all available fields that
we can modify, along with their descriptions and default values. The field we’re particularly
interested in is the IP destination field, labelled as PDST. By default, this field is set to
0.0.0.0, which matches what we’re currently observing in the packet capture. To direct the
packet to a specific destination, we need to modify the PDST field accordingly.

To modify the PDST field, we simply need to execute this line of code; the line
(arp_request.pdst=ip), which assigns PDST the value of the IP variable. This means that when
the function is called, it takes an IP address as an argument and sets PDST accordingly. Once
we run the code, we can observe that the packet now reflects the assigned IP destination,
confirming that the modification works as expected.
The output now displays the IP address because we assigned it to PDST. This confirms that
our modification was successful. The PDST field now holds the IP address that was passed to
the function, ensuring that the packet is correctly set up for its intended destination.
 Connect With Me

Alternatively, we can conjoin the code, to it becomes smaller, cooler and better. Don’t worry,
the code’s output hasn’t changed it works the same way.
 Connect With Me

We're still working on the previous step of our algorithm—crafting an ARP request that
targets a specific IP and extends it to the broadcast MAC Address. To break it down further,
we've already completed the first part: generating an ARP request for a specific IP. That’s
done, and we have the raw ARP request stored and ready to use.

Now, let's validate our progress by printing the packet summary to confirm it’s structured
correctly. Once verified, the next step is to set our destination to the broadcast address so that
the request reaches all clients on the same network.

To achieve this, we need to reference a different layer—Ethernet. Since data transmission on

a network relies on both MAC and IP addresses, the destination MAC address must be
specified at the Ethernet frame level. The key point here is that the destination MAC address
is embedded within the Ethernet frame of each packet, not elsewhere.

So, our next move is to create an Ethernet frame and then append our ARP request to it. But
before diving into that, let’s simplify things and focus solely on constructing the Ethernet
frame, ensuring it’s properly set up to broadcast our ARP request to all devices on the
network.

So we are going to delete lines 8 and 9 and type in a new command.

To create an Ethernet frame, we follow a process similar to constructing an ARP packet. We
use scapy.Ether(), which creates an Ethernet object. This function is part of Scapy’s built-in
class structure and allows us to instantiate an Ethernet frame. The created object is stored in a
variable called broadcast.
Just as we previously set the IP field in earlier steps, we now need to configure the MAC
address for broadcast communication. The key purpose of using Ether() here is to ensure that
 Connect With Me

our packet is sent to the broadcast MAC address rather than a single device. To achieve this,
we must set the destination MAC address (dst) to the broadcast address (ff:ff:ff:ff:ff:ff).
Since we may not know the exact field names, we can retrieve all available fields for the
Ether class or any other Scapy object using the appropriate Scapy command. This helps us
correctly define our packet structure before sending it across the network.

What we’ve done is combine the Ethernet frame and the ARP request into a single packet.
This allows us to send a broadcast ARP request efficiently. By merging both the broadcast
frame and the ARP request, we create a complete network packet that can be transmitted
effortlessly.

To send this packet, we use the srp() function in Scapy, which operates at Layer 2 (Ethernet).
This function returns a response, indicating whether the packet was successfully sent and
received. Additionally, we need to specify a timeout value—let’s set it to 1.

The timeout is crucial because, without it, the program could hang indefinitely if no response
is received. By setting a timeout, we ensure the script exits if no reply comes back.
 Connect With Me

Now, we can execute the packet transmission and observe the response.

Let's run the script to see if it works. As you can see, it executes successfully. Once
completed, we print a summary of the response we received.

In the summary, the first part shows the ARP request we sent. For example, if we queried
192.168.1.1, the response would include the MAC address associated with that IP. This
confirms that the target device has responded, verifying the IP-to-MAC mapping.

By analyzing the summary, we can confirm that our ARP request was sent and received
correctly.

On the contrary, if we change our code from ‘answered’ to ‘unanswered’…

 Connect With Me

It takes some time and gives us a long list of IP.

We have multiple entries here, and as you can see, we are repeatedly asking, "Who has this IP
address?" for each target IP. When a device is active on the network, we receive a response
containing the corresponding MAC address.

However, for some IP addresses, we get no response. This indicates that no device on the
network is currently using those IPs. If there’s no reply, it means those addresses are
unallocated or inactive at the moment.
 Connect With Me

By analyzing these responses, we can map out which IPs are in use and which ones are free
on the network.
 Connect With Me

The End

In this project, I successfully developed a network scanner using ARP scanning techniques
with the Scapy Python module. This tool efficiently identifies active devices on a network by
sending ARP requests and analyzing responses, making it a valuable resource for network
monitoring and security assessments.

The corporate world can benefit from such a scanner by using it for network management,
security audits, and threat detection. IT teams can leverage this tool to identify unauthorized
devices, detect potential vulnerabilities, and ensure that only authorized systems are
connected to the network. This helps in maintaining a secure and well-managed IT
infrastructure.

At home, this scanner can be useful for personal network security, allowing users to check for
unknown devices on their Wi-Fi network and prevent unauthorized access. It provides a simple
way for homeowners to monitor their network and enhance cybersecurity awareness.

Overall, this project not only strengthens my understanding of network protocols but also
showcases the real-world applications of ARP scanning in both professional and personal
settings, contributing to better network security and management.