
Name: Tran Duc Manh
Student ID: 21080052
Class: MET3.01

Study Case: The Science of Safely Finding an Unused IP Address
1. Purpose: The article discusses techniques to find an unused IP address, which is often
required during penetration tests. The goal is to minimize the risk of causing a temporary
IP clash.
2. Network Sniffing: If DHCP fails, the recommended course of action is to sniff on the
network for a while using tools like tcpdump or Wireshark. This should reveal some
broadcast traffic and give an idea of the IP addresses in use.
3. Guessing a Network Range: The next step is to guess a netmask in which you’ll search
for a free IP address. The article suggests starting with a Class C network, so you’re
looking for free IPs in a range like 10.0.0.0/24.
4. Using ARP Queries to Identify IPs in Use: This is the main point of the post. The author
suggests that a few well-chosen ARP requests can make your probing effective while
minimizing the chances of causing an IP clash. The arp-fingerprint database indicates that
the following would be good choices for a source IP address: 127.0.0.1, 0.0.0.0,
255.255.255.255, and 1.0.0.1 (IP network 1.0.0.0/8 is reserved by IANA). The
corresponding arp-scan commands would be:
   arp-scan --arpspa=127.0.0.1 10.0.0.0/24
   arp-scan --arpspa=0.0.0.0 10.0.0.0/24
   arp-scan --arpspa=255.255.255.255 10.0.0.0/24
   arp-scan --arpspa=1.0.0.1 10.0.0.0/24
5. Effectiveness: According to arp-fingerprint’s database, most operating systems we’re
likely to encounter will respond to at least one of these probes.
6. Choosing Free Addresses: Finally, you can do a small number of ARP probes from what
you think is an unused IP address in the range. In fact, you should pick two IP addresses
so you can verify that they’re both really free. Choose two (apparently) free addresses
between the smallest and largest IP you’ve observed.
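As an added illustration (not code from the article or from the arp-scan project), the Python below builds the Ethernet/ARP request frame whose sender address arp-scan's --arpspa option sets, and implements the step-6 selection of two unseen addresses between the smallest and largest observed host. The MAC address and the list of observed hosts are constructed sample values.

```python
import ipaddress
import struct

BROADCAST_MAC = b"\xff" * 6
# The four sender addresses the summary lists for --arpspa. Note (editor's
# caveat, not from the article): 1.0.0.0/8 has been allocated since 2010, so
# 1.0.0.1 is no longer a reserved address and may belong to a real host.
PROBE_SOURCES = ["127.0.0.1", "0.0.0.0", "255.255.255.255", "1.0.0.1"]


def build_arp_request(src_mac: bytes, sender_ip: str, target_ip: str) -> bytes:
    """Return an Ethernet II frame carrying an ARP 'who-has target_ip' request.

    sender_ip becomes the Sender Protocol Address field. With 0.0.0.0 this is
    the RFC 5227 'ARP probe' form: the sender asserts no address of its own,
    so no listening host can mistake the probe for an address conflict.
    """
    eth_hdr = BROADCAST_MAC + src_mac + struct.pack("!H", 0x0806)  # EtherType ARP
    arp = struct.pack(
        "!HHBBH6s4s6s4s",
        1,                      # HTYPE: Ethernet
        0x0800,                 # PTYPE: IPv4
        6, 4,                   # HLEN, PLEN
        1,                      # OPER: request
        src_mac, ipaddress.IPv4Address(sender_ip).packed,
        b"\x00" * 6, ipaddress.IPv4Address(target_ip).packed,
    )
    return eth_hdr + arp


def probe_frames(src_mac: bytes, target_ip: str) -> dict:
    """One request per recommended sender address, keyed by that address."""
    return {spa: build_arp_request(src_mac, spa, target_ip) for spa in PROBE_SOURCES}


def pick_free_candidates(observed, network: str, count: int = 2) -> list:
    """Return `count` addresses in `network` that were never observed and lie
    strictly between the smallest and largest observed host (step 6)."""
    net = ipaddress.ip_network(network, strict=False)
    seen = {ip for ip in map(ipaddress.ip_address, observed) if ip in net}
    if len(seen) < 2:
        raise ValueError("need at least two observed hosts to bound the search")
    lo, hi = min(seen), max(seen)
    free = [ip for ip in net.hosts() if lo < ip < hi and ip not in seen]
    return [str(ip) for ip in free[:count]]


if __name__ == "__main__":
    mac = b"\x00\x11\x22\x33\x44\x55"          # constructed sample MAC
    seen_hosts = ["10.0.0.1", "10.0.0.5", "10.0.0.2", "10.0.0.9"]  # constructed
    print(pick_free_candidates(seen_hosts, "10.0.0.0/24"))
    print({k: v.hex() for k, v in probe_frames(mac, "10.0.0.3").items()})
```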
