Penetration Testing mailing list archives
RE: Using ARP to map a network
From: "Dario N. Ciccarone" <dciccaro () cisco com>
Date: Wed, 5 Feb 2003 00:38:36 -0300
yeah - it is flawed :) MAC to IP mappings as in the ARP table only happen when both source and destination IP hosts are on the same L2, and by definition, L3 network. so a host ARP table on NET X should only show entries for those machines on its same subnet the host had conversations with.

of course, knowing host X IP address and subnet mask, you could start ARPing for all the other available IPs on the range and know what IP addresses are in use, and what not (little issue with machines powered off when you're doing your ARPinging ;))

for all non-local destinations, the only entry the host should have is for the MAC/IP pair of its default gateway.

one small digression: a host _could_ have MAC/IP pairs in its ARP table for machines not on the same subnet, _if_ the router on the local segment is a Cisco router with "ip proxy-arp" enabled - and even then, it would only have mapped IPs on the non-local network to the router MAC address (as you suggested), but only for router-connected subnets of the same major network the ARPing host is connected to.

check http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fipr_c/ipcprt1/1cfipadr.htm#1001233 and RFC-1027 to fully understand what problems proxy-arp solves.

and btw: Cisco's recommendation (from a security point of view) is to disable proxy ARP if not needed - just to thwart practices as you want to implement :))
-----Original Message-----
From: Jason Lewis [mailto:jlewis () packetnexus com]
Sent: Tuesday, February 04, 2003 8:37 PM
To: pen-test () securityfocus com
Subject: Using ARP to map a network

I have searched and can't seem to find any tools to help map a network based on ARP tables. It seems to me, I could take ARP tables from several machines and build a network map. If machines were behind a router the ARP tables would show multiple IPs with the same MAC. With enough ARP tables, wouldn't I be able to build a map? Is my theory flawed?

My goal is to do passive network mapping based on any local information I can obtain from computers or network devices.

Anyone have any ideas?

jas

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
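An added example, not part of the original thread: a small audit script that applies the point made in the reply to a single host's ARP table, separating genuine on-link neighbours from off-subnet IPs that all resolve to one MAC, which is what a router answering proxy ARP looks like. The sample table, the addresses, and the assumption that the host uses the classful /16 mask while the real segment is 172.16.1.0/24 are all constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: Linux-style `arp -an` output from a host on segment
# 172.16.1.0/24 that was configured with a /16 mask, so it ARPs directly for
# other 172.16.x.x addresses and the router (172.16.1.1) answers by proxy.
SAMPLE_ARP = """\
? (172.16.1.1) at 00:00:0c:aa:bb:01 [ether] on eth0
? (172.16.1.20) at 00:50:56:11:22:33 [ether] on eth0
? (172.16.1.31) at <incomplete> on eth0
? (172.16.2.5) at 00:00:0c:aa:bb:01 [ether] on eth0
? (172.16.3.9) at 00:00:0c:aa:bb:01 [ether] on eth0
"""

ENTRY = re.compile(r"\((\d+\.\d+\.\d+\.\d+)\) at ([0-9a-fA-F:]{17})\b")

def parse_arp(text):
    """Return {ip: mac} for resolved entries; <incomplete> lines are skipped."""
    return {ipaddress.ip_address(ip): mac.lower() for ip, mac in ENTRY.findall(text)}

def audit(text, segment):
    """Split an ARP table into on-link neighbours and proxy-ARP suspects.

    segment: the real subnet of the L2 segment (assumed known from the
    network design), e.g. "172.16.1.0/24".
    """
    net = ipaddress.ip_network(segment)
    by_mac = defaultdict(list)
    for ip, mac in parse_arp(text).items():
        by_mac[mac].append(ip)
    local, proxied = {}, {}
    for mac, ips in by_mac.items():
        for ip in ips:
            if ip in net:
                local[str(ip)] = mac
        off_link = sorted(ip for ip in ips if ip not in net)
        if off_link:
            # An off-subnet IP normally resolves only because an on-link
            # device (typically the router) answered the ARP request for it.
            proxied[mac] = [str(ip) for ip in off_link]
    return local, proxied

if __name__ == "__main__":
    local, proxied = audit(SAMPLE_ARP, "172.16.1.0/24")
    print("on-link neighbours:", local)
    for mac, ips in proxied.items():
        print(f"{mac} answers for off-subnet {ips}: review 'ip proxy-arp' on that device")
```

A MAC that appears in the second result is a candidate for the hardening step mentioned in the reply: disabling proxy ARP on that interface if it is not needed.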