Nmap Announce mailing list archives
Re: mac addr lookups?
From: //Stany <stany () pet notbsd org>
Date: Tue, 16 Feb 1999 02:33:07 -0500 (EST)
On Mon, 15 Feb 1999, Terje Elde wrote:
> Just an idea for nmap... A lot of admins and other fun ppl use nmap to scan their own networks looking for security issues and other stuff. When you're scanning at your own physical network layer you can see MAC addr's. So why not add an option to allow nmap to look these up?
> It's great fun to do so, as you can often get a lot of info. First of all, you're sure to get the type of network card in use (well, almost anyway), and often you can get a few pointers about the OS too.
Hi, Delta. Long time, no see. I remember suggesting exactly the same thing to Fyodor in the days of 2.0 Beta 15 or so (I am sure others suggested the same before me too). He said that he had toyed with the idea but decided against it, as it was too easy to mislead the scanner by changing the MAC address. In fact it /is/ rather trivial to change your MAC address on a number of systems. For example on Sun SPARCs (sun4m and sun4c. Have not had a chance to play with sun4u) the MAC address is directly tied to the PROM. According to the Sun NVRAM/HOSTID FAQ (available at <http://www.squirrel.com/sun-nvram-hostid.faq.html>) the MAC address of a Sun system is stored in the PROM, and as a result, every physical network interface has the same MAC address. Why am I bringing this up? The catch is that the PROM is programmable, and in theory any MAC address can be programmed in (whether the system afterwards correctly reports what kind of hardware it is is a completely different question ;-) if you bother to read a bit. In another life I had to recover an SS5 that had a dead PROM, and as a result of me toying with it, its MAC address became 8:0:20:c0:ff:ee. Although traditionally only the first 3 values are used to identify the manufacturer of the network device, nothing was preventing me from changing them completely. Additionally it is rather trivial to change the MAC address on different platforms. The Linux tulip driver for a long while had the ability to program the NIC to report back whatever MAC address you want.
In fact the Corel NetWinder had this ability with older kernels (Corel people patched the kernel source after I published it, to prevent abuse, as they could get into legal problems for using an identifier not assigned to them) and some instructions on doing this are available at <http://www.netwinder.org/~stany/netwinder_board_rev_faq.html#changing_your_MAC>. Essentially this amounted to the following 5 commands:

root@pooga:~[240]# ifconfig eth1 down
root@pooga:~[241]# rmmod tulip
root@pooga:~[242]# insmod tulip vnc_mac_addr=0xfee123
root@pooga:~[243]# insmod tulip
root@pooga:~[244]# ifconfig eth1 up inet <your inet here> netmask <yournetmask here> broadcast <your broadcast here>

So why am I mentioning all this? Because potentially using MAC addresses is not accurate, as it is trivial to change your MAC address if you want to, so this detection will only work on networks with highly unsophisticated people. Additionally adding such a database of MAC addresses has the potential to result in code bloat, which is not a good thing either. At most MAC detection can complement OS detection, figuring that a computer running a NIC with a MAC address starting with 0:10:57 (Corel NetWinder) should not be running SunOS 4.1, or a system with a MAC address starting with 8:0:20 (Sun SPARC) should not run Be OS. However I think that it might be worthwhile for NMAP to record the MAC address in the event of scanning a local subnet, as this will allow the administrator to diff the logs and see if the hardware has physically changed over time (Asset management implemented backwards, anyone? ;-). I have to note that I never did extensive research in the area of MAC address changes, and the two examples above are just what I could remember off the top of my head ;-)

//Stany, who still uses nmap 2.0.3 for his scans. Solaris code seems to be broken 8-(

--
Trouble rather the tiger in his lair, than the Sysadmin amongst his UNIX boxen.
For to you Programs and their Source Code are things mighty and enduring, But to him they are but toys of the moment, To be overturned by flicking of the power switch.... Computer Lessons: SNV '97
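Stany's closing suggestion, recording MAC addresses from local-subnet scans and diffing them between runs to spot hardware changes, together with his OUI-versus-OS sanity check, as an added Python example (not from the post or from nmap itself); the scan log format, the two sample scans and the two-entry OUI table are constructed for illustration.

```python
import re

# Constructed OUI table holding only the two prefixes named in the post
# (8:0:20 = Sun SPARC, 0:10:57 = Corel NetWinder); a real tool would load
# the IEEE OUI registry instead.
OUI_EXPECTED_OS = {
    "08:00:20": ("Sun", {"sunos", "solaris"}),
    "00:10:57": ("Corel NetWinder", {"linux"}),
}

def normalize_mac(mac):
    """Zero-pad octets so '8:0:20:c0:ff:ee' and '08:00:20:C0:FF:EE' compare equal."""
    return ":".join(f"{int(o, 16):02x}" for o in mac.split(":"))

# Assumed (constructed) log format: "<ip> <mac> <os guess>" per line
LINE_RE = re.compile(r"^(?P<ip>\S+)\s+(?P<mac>[0-9a-fA-F:]+)\s+(?P<os>.+)$")

def parse_log(text):
    """Parse a scan log into {ip: (normalized_mac, os_guess)}."""
    hosts = {}
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hosts[m["ip"]] = (normalize_mac(m["mac"]), m["os"].strip())
    return hosts

def diff_hardware(old, new):
    """IPs whose MAC changed between scans: a swapped NIC, a new box, or a spoof."""
    return sorted(ip for ip in old.keys() & new.keys() if old[ip][0] != new[ip][0])

def oui_mismatches(hosts):
    """IPs where the OUI vendor contradicts the OS guess (the post's complement check)."""
    out = []
    for ip, (mac, osname) in hosts.items():
        vendor, expected = OUI_EXPECTED_OS.get(mac[:8], (None, None))
        if vendor and not any(k in osname.lower() for k in expected):
            out.append((ip, vendor, osname))
    return sorted(out)

# Constructed sample scans from two days (not real data)
SCAN_DAY1 = """
10.0.0.5   8:0:20:c0:ff:ee   SunOS 4.1
10.0.0.7   0:10:57:12:34:56  Linux 2.0
"""
SCAN_DAY2 = """
10.0.0.5   8:0:20:c0:ff:ee   SunOS 4.1
10.0.0.7   8:0:20:aa:bb:cc   Linux 2.0
"""

if __name__ == "__main__":
    day1, day2 = parse_log(SCAN_DAY1), parse_log(SCAN_DAY2)
    print("MAC changed since last scan:", diff_hardware(day1, day2))
    print("OUI vendor disagrees with OS guess:", oui_mismatches(day2))
```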