Unused IP Address

1. Purpose: The article discusses techniques for finding an unused IP address, which is often required during penetration tests. The goal is to minimize the risk of causing a temporary IP clash.

2. Network Sniffing: If DHCP fails, the recommended course of action is to sniff the network for a while using a tool such as tcpdump or Wireshark. This should reveal some broadcast traffic and give an idea of which IP addresses are in use.

3. Guessing a Network Range: The next step is to guess a netmask within which you'll search for a free IP address. The article suggests starting with a Class C network, so you're looking for free IPs in a range like 10.0.0.0/24.

4. Using ARP Queries to Identify IPs in Use: This is the main point of the post. The author suggests that a few well-chosen ARP requests can make your probing effective while minimizing the chances of causing an IP clash. The arp-fingerprint database indicates that the following would be good choices for a source IP address: 127.0.0.1, 0.0.0.0, 255.255.255.255, and 1.0.0.1 (IP network 1.0.0.0/8 is reserved by IANA). The corresponding arp-scan commands would be:
   arp-scan --arpspa=127.0.0.1 10.0.0.0/24
   arp-scan --arpspa=0.0.0.0 10.0.0.0/24
   arp-scan --arpspa=255.255.255.255 10.0.0.0/24
   arp-scan --arpspa=1.0.0.1 10.0.0.0/24

5. Effectiveness: According to arp-fingerprint's database, most operating systems you are likely to encounter will respond to at least one of these probes.

6. Choosing Free Addresses: Finally, you can send a small number of ARP probes from what you believe is an unused IP address in the range. In fact, you should pick two IP addresses so you can verify that both are really free. Choose two (apparently) free addresses between the smallest and largest IP you have observed.
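As an added example (not code from the original article), the following Python helper applies steps 2 and 6 of the procedure: it parses the host lines of arp-scan output, merges in any addresses seen while sniffing, and picks two apparently free addresses strictly between the smallest and largest address observed in the guessed range. The arp-scan output below is a constructed sample, not a real capture.

```python
import ipaddress
import re

# Constructed sample of arp-scan output (not captured from any real network).
# arp-scan prints one "IP<TAB>MAC<TAB>vendor" line per responding host.
SAMPLE_ARP_SCAN_OUTPUT = """\
Interface: eth0, type: EN10MB
10.0.0.1\t02:00:00:00:00:01\t(Unknown)
10.0.0.5\t02:00:00:00:00:05\t(Unknown)
10.0.0.6\t02:00:00:00:00:06\t(Unknown)
10.0.0.20\t02:00:00:00:00:14\t(Unknown)

4 packets received by filter, 0 packets dropped by kernel
"""

# Matches the dotted-quad address and MAC at the start of a host line only.
HOST_LINE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9A-Fa-f:]{17})")


def parse_arp_scan(output):
    """Return the set of IPv4 addresses that answered an arp-scan probe."""
    seen = set()
    for line in output.splitlines():
        match = HOST_LINE.match(line)
        if match:
            seen.add(ipaddress.IPv4Address(match.group(1)))
    return seen


def select_candidates(network, arp_output, sniffed=(), count=2):
    """Pick `count` apparently free addresses strictly between the smallest and
    largest address observed in `network`, combining arp-scan replies with any
    addresses noted while sniffing. Returns [] if nothing was observed in range,
    because then the guessed range itself is in doubt and needs more sniffing."""
    net = ipaddress.IPv4Network(network, strict=False)
    observed = parse_arp_scan(arp_output) | {ipaddress.IPv4Address(ip) for ip in sniffed}
    used = {ip for ip in observed if ip in net}
    if not used:
        return []
    lowest, highest = min(used), max(used)
    candidates = []
    for ip in net.hosts():  # hosts() already skips the network and broadcast addresses
        if not lowest < ip < highest or ip in used:
            continue
        candidates.append(str(ip))
        if len(candidates) == count:
            break
    return candidates


if __name__ == "__main__":
    # Both candidates must still be confirmed with ARP probes sent from each
    # address before either is used (step 6 of the procedure).
    print(select_candidates("10.0.0.0/24", SAMPLE_ARP_SCAN_OUTPUT, sniffed=["10.0.0.2"]))
```

The candidates are only "apparently" free: a host that answered none of the four probes and sent no broadcast traffic during the sniffing window will not appear in `used`, which is why the article's final verification step is still required.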