Nmap Announce mailing list archives
ARP idea (conjecture)
From: photon <photon () linux kgs com au>
Date: Tue, 29 Jun 1999 11:06:34 +1000
This would have limited usefulness even if it did work, but it would evade most existing detection software... Basically, o'er any ARP-utilising link-layer, I wonder if it'd be possible to measure ARP timeouts and compare these with a default-listing by OS? Eg:

... arp stuff snipped ...
Myhost -> Targethost [some higher-level protocol]
Targethost -> MyHost [ARP REQ.]
Myhost -> Targethost [ARP Response]
... wait predetermined period ...
Myhost -> Targethost [some higher-level protocol]
... remember that this period DID/DIDN'T make targethost ARP REQ again ...
... repeat with different period ...

I'm not even sure if arp timeouts are OS-specific (though I'm pretty sure they are - Steve's book states that BSD-derived OSs normally have 20min timeout for completed entries, 3min for incomplete) .. and obviously this method would have problems with hardcoded arp table entries, and be goddamned slow (patience is a virtue ;).

As a side note, from memory some OSs do not handle gratuitous ARP correctly - this could be used to further fine-tune such an ARP-based OS determination. Or I could just be plain wrong. =)

Sorry to make such an up in the air post, but I don't really have time to play with this stuff (evil final-year assessment tomorrow ;) keep up the good work!

- pho
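The measurement the post sketches, as an added example that is not part of the original message or of Nmap: given tcpdump-style ARP request lines (constructed here), group requests by requester and requested address, take the smallest gap between consecutive requests as the passive estimate of that requester's ARP cache timeout, and compare it with the only reference values the post gives (the BSD-derived 20 min completed / 3 min incomplete figures it attributes to Stevens). The log format, the 5% tolerance and the sample hosts are assumptions; the smallest gap is used because a re-request can only follow expiry but also needs traffic to trigger it, so every observed gap is at least the timeout, and a pair with a single request (or a hardcoded entry, which never re-requests) yields no estimate, which is the failure mode the post itself points out.

```python
"""Passive estimate of a host's ARP cache timeout from observed ARP requests.

Added example, not from the original post. Reference timeouts are the ones
the post cites for BSD-derived systems; log format and hosts are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# tcpdump-like request lines; replies and unrelated lines are ignored.
ARP_REQ = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) arp who-has (?P<target>\S+) tell (?P<src>\S+)$"
)

# Timeouts named in the post (BSD-derived, per Stevens), in seconds.
REFERENCE_TIMEOUTS = {
    "bsd-derived completed entry": 20 * 60,
    "bsd-derived incomplete entry": 3 * 60,
}

# Constructed capture: 10.0.0.9 re-asks every ~20 min, 10.0.0.20 every ~3 min,
# 10.0.0.33 asks once only (single request, or a hardcoded entry).
SAMPLE_ARP_LOG = """\
10:00:00.000 arp who-has 10.0.0.5 tell 10.0.0.9
10:00:00.010 arp reply 10.0.0.5 is-at 00:11:22:33:44:55
10:00:10.000 arp who-has 10.0.0.5 tell 10.0.0.20
10:01:00.000 arp who-has 10.0.0.5 tell 10.0.0.33
10:03:10.200 arp who-has 10.0.0.5 tell 10.0.0.20
10:20:00.500 arp who-has 10.0.0.5 tell 10.0.0.9
10:40:01.200 arp who-has 10.0.0.5 tell 10.0.0.9
"""


def parse_arp_requests(text):
    """Return {(requester, asked_for): [timestamps]} from capture lines.

    Timestamps carry no date, so a capture spanning midnight would need the
    date added to the format (not handled here).
    """
    seen = defaultdict(list)
    for line in text.splitlines():
        m = ARP_REQ.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%H:%M:%S.%f")
        seen[(m.group("src"), m.group("target"))].append(ts)
    return seen


def estimate_timeout(timestamps):
    """Smallest gap between consecutive requests, in seconds, or None.

    Every gap is >= the real timeout (expiry plus waiting for traffic), so the
    minimum is the closest passive estimate; one request gives no estimate.
    """
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    return min(gaps) if gaps else None


def match_reference(seconds, tolerance=0.05):
    """Name of the reference timeout within `tolerance` of the estimate, else None."""
    if seconds is None:
        return None
    for name, ref in REFERENCE_TIMEOUTS.items():
        if abs(seconds - ref) <= tolerance * ref:
            return name
    return None


def analyse(text):
    """Per (requester, target): (estimate_seconds, matched_reference, n_requests)."""
    result = {}
    for key, stamps in parse_arp_requests(text).items():
        est = estimate_timeout(stamps)
        result[key] = (est, match_reference(est), len(stamps))
    return result


if __name__ == "__main__":
    for (src, target), (est, ref, n) in sorted(analyse(SAMPLE_ARP_LOG).items()):
        print(f"{src} -> {target}: {n} request(s), min gap {est}s, match: {ref}")
```

Run against a real capture, the minimum gap is only meaningful for pairs that exchange traffic continuously; a quiet pair inflates the gap and produces no match rather than a wrong one, which is why the analysis reports the request count alongside the estimate.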