Honeypots mailing list archives

RE: MAC address


From: "Weaver, Woody" <woody.weaver () spcorp com>
Date: Mon, 8 Mar 2004 13:17:35 -0500

Olaf Gellert <og () pre-secure de> wrote:

[true stuff about MAC being a layer 2 identifier deleted]

> So usually the MAC address is not visible outside of your local
> network...

I think that MAC addresses usually are visible outside. Consider as a
trivial case, NetBIOS NodeStatus requests return an identifier which is
generally the MAC address. But more importantly, MAC addresses are
contained in ARP caches for varying amounts of time, and often ARP
caches are accessible via SNMP.  As a real-world example, I'm monitoring
a network where the switches and routers are protected via ACL so I
can't readily do SNMP requests (until I get moved to the 'magic'
network, but that is another story). However, we have lots and lots of
printers. Over the last nine months, I've monitored 41495 distinct
IP-aware devices. I've been able to get in contact with 7742 SNMP-aware
devices, and of those, 5233 were responding to community string
'public'.  Interestingly, many devices do obfuscate the ARP cache, but
many don't.  If you "help" populate the ARP cache by forging ICMP echo
requests from the compliant device to all other IPs on the network, all
the other devices will obligingly echo respond to the compliant device,
and you now have a full ARP cache of all devices on the network.
(Alternately, you can forge ICMP echos from all IPs on the net to the
compliant device, but that rather hammers the compliant device, and
since he is your friend, you don't want to do that.  But it is good for
picking up those firewalled devices that drop ICMP.)

So, remotely, one can determine the MAC addresses of all devices on a
network, if you assume one opening such as an open printer.

--woody

Woody Weaver                     cell: 301 524 8138 (best)
Manager, GIT Security Planning   mail: woody.weaver () spcorp com
Schering-Plough, Madison NJ      land: 908 298 4953
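The ARP-cache harvesting described in the post leaves two patterns on the wire that a network defender can look for: SNMP requests against the ARP-table MIB (ipNetToMediaTable, OID 1.3.6.1.2.1.4.22) from hosts that are not management stations, and a single apparent source sending ICMP echo requests to many hosts in a short window (the forged-source variant makes the cooperating device, e.g. a printer, look like that source). The Python below is an added example and is not code from the post or from the list; the flow records and the management-station allowlist are constructed for the example.

```python
"""Detect ARP-cache harvesting patterns in flow-style records.

Two checks:
  1. SNMP requests for ipNetToMediaTable (the SNMP view of a device's ARP
     cache, RFC 1213/2011) coming from hosts that are not known managers.
  2. ICMP echo-request fan-out: one source pinging many distinct hosts in a
     short window, which is how the cooperating device's ARP cache is filled.
All sample data here is constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# OID prefix of ipNetToMediaTable (real MIB-II OID).
ARP_TABLE_OID = "1.3.6.1.2.1.4.22"

# Assumed allowlist of legitimate SNMP management stations (constructed).
SNMP_MANAGERS = {"10.0.0.5"}

# Constructed flow records: (timestamp, src, dst, proto, detail)
# detail is the requested OID for SNMP, or "echo-request" for ICMP type 8.
SAMPLE_FLOWS = [
    # Management station reading sysName and the ARP table: expected.
    ("2004-03-08 13:00:01", "10.0.0.5", "10.0.1.20", "snmp", "1.3.6.1.2.1.1.5.0"),
    ("2004-03-08 13:00:01", "10.0.0.5", "10.0.1.20", "snmp", "1.3.6.1.2.1.4.22.1.2"),
    # A workstation walking ipNetToMediaPhysAddress on two printers: suspicious.
    ("2004-03-08 13:00:02", "10.0.3.77", "10.0.1.20", "snmp", "1.3.6.1.2.1.4.22.1.2"),
    ("2004-03-08 13:00:03", "10.0.3.77", "10.0.1.21", "snmp", "1.3.6.1.2.1.4.22.1.2"),
    # Management station pinging three hosts: normal monitoring.
    ("2004-03-08 13:00:04", "10.0.0.5", "10.0.1.20", "icmp", "echo-request"),
    ("2004-03-08 13:00:04", "10.0.0.5", "10.0.1.21", "icmp", "echo-request"),
    ("2004-03-08 13:00:04", "10.0.0.5", "10.0.1.22", "icmp", "echo-request"),
]
# Printer 10.0.1.20 apparently pinging 60 hosts within seven seconds; a printer
# has no reason to do this, which is the forged-source pattern from the post.
SAMPLE_FLOWS += [
    ("2004-03-08 13:00:%02d" % (10 + i // 10), "10.0.1.20", "10.0.2.%d" % i,
     "icmp", "echo-request")
    for i in range(1, 61)
]


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def is_arp_table_oid(oid):
    """True for the table OID itself or any column/instance beneath it."""
    return oid == ARP_TABLE_OID or oid.startswith(ARP_TABLE_OID + ".")


def find_arp_table_walks(flows, managers=SNMP_MANAGERS):
    """Map each non-manager source to the set of devices whose ARP table it
    queried over SNMP."""
    hits = defaultdict(set)
    for _ts, src, dst, proto, detail in flows:
        if proto == "snmp" and is_arp_table_oid(detail) and src not in managers:
            hits[src].add(dst)
    return dict(hits)


def find_echo_fanout(flows, min_targets=20, window=timedelta(seconds=60)):
    """Map each source that sent ICMP echo requests to at least `min_targets`
    distinct hosts inside any `window`-long span to its peak target count."""
    per_src = defaultdict(list)
    for ts, src, dst, proto, detail in flows:
        if proto == "icmp" and detail == "echo-request":
            per_src[src].append((parse_ts(ts), dst))
    alerts = {}
    for src, events in per_src.items():
        events.sort()
        peak, lo = 0, 0
        for hi in range(len(events)):
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            peak = max(peak, len({d for _, d in events[lo:hi + 1]}))
        if peak >= min_targets:
            alerts[src] = peak
    return alerts


def report(flows):
    """Human-readable summary of both checks."""
    lines = []
    for src, targets in find_arp_table_walks(flows).items():
        lines.append("SNMP ARP-table read from non-manager %s against %s"
                     % (src, ", ".join(sorted(targets))))
    for src, count in find_echo_fanout(flows).items():
        lines.append("ICMP echo fan-out from %s to %d distinct hosts" % (src, count))
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_FLOWS):
        print(line)
```

The fan-out check deliberately keys on the apparent source rather than on who "should" be scanning, because in the forged-echo variant the cooperating device is the one that appears to sweep the network; pairing the alert with an asset inventory (a printer or other embedded device as the top pinger) is what makes it actionable. Disabling the `public` community, restricting SNMP to the management stations' addresses, and preferring SNMPv3 remove the read path the post relies on.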
