Penetration Testing mailing list archives
Re: mac to ip address tools
From: Javier Fernandez-Sanguino <jfernandez () germinus com>
Date: Mon, 21 Nov 2005 12:30:16 +0100
(Note to moderators: resending since nobody acted on my previous post, dated 2005/11/16)
Hazel, Scott A. wrote:
> To complement Dario's suggestion for sniffing, this is a nugget I picked up while researching for my GCIA practical.
>
> tcpdump -ennr 2002.4.31 | awk '{print $2"\t"$6"\t"$3"\t"$8}'|tr -d "," | sed s/":$"//g > mac2ip.txt
(...)
> I'm sure there is an equivalent, if not more elegant, way to do this with Perl if you know Perl.
FWIW, attached is something I've used at some point to analyse unknown networks (when deploying an IDS, to determine which hosts are up, what equipment it is and fine tune the IDS rules). It's similar to your script but, as a plus, it also takes information from an ethernet code database to print the vendor (can be useful to determine if you are seeing traffic from switches or routers) and also identifies routers (i.e. tells you when it sees more than one IP address associated with the same MAC).
> There are still some caveats with this approach. Sniffing will only capture data during the time you're sniffing, so there's no guarantee you'll see all the hosts unless you sniff for a long enough period of time.
Well, you can "force" traffic by doing a ping sweep of the network so you get both the ARP replies (if there is a host with that IP address) and the ICMP echo-reply (if the host replies to ICMP echos). In any case, if you capture a small but relevant subset of data for a large enough amount of time (i.e. ARP traffic) you can get most (if not all, see below) of the hosts that are live in the network. Any host that is connected to the network will, at least once, send an ARP broadcast to find the ARP address of its default gateway (or of some host it tries to talk to) when the MAC address times out in its ARP table (unless its ARP tables are hardcoded, of course). If it's not sending traffic, but it is receiving traffic from the network, you should *not* be able to see the ARP replies to ARP broadcasts from other hosts in the network if there's a switch. You can still get a lot of insight into how the network behaves (who talks to whom) just by checking out ARP traffic. There's a cool tool out there called Etherape (http://etherape.sourceforge.net/) that will do a graphic representation of network traffic that is worth a try.
> You still have to deal with limited network visibility due to switches, etc. Good luck. HTH.
Yes, some switches might separate VLANs using private-VLANs. If you have those, you will not even see the broadcast ARP traffic that gives away some hosts.

Regards

Javier
Attachment: find-macs.pl
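The approach described in the thread (parse `tcpdump -enn` output, build a MAC-to-IP table, tag each MAC with its vendor from an OUI database, and flag a MAC that is seen with more than one IP address as a likely router) can be written as a small parser. The following is an added example in Python, not the attached find-macs.pl and not the awk one-liner above. It assumes the modern tcpdump line layout (`src > dst, ethertype X (0x....), length N: ...`) rather than the 2005-era column layout the awk fields refer to, the OUI table is a constructed two-entry excerpt of the IEEE list, and the capture lines are constructed sample data.

```python
"""Build a MAC -> IP inventory from `tcpdump -enn` text output.

Added example (not the list post's find-macs.pl). Produce input with, e.g.:
    tcpdump -ennr capture.pcap > capture.txt
Assumes the modern tcpdump -e line layout shown in SAMPLE below.
"""
import re
from collections import defaultdict

# Constructed excerpt of an OUI table (first three octets -> vendor).
# In practice load the full IEEE OUI file instead of this dictionary.
OUI_VENDORS = {
    "00:00:0c": "Cisco Systems",
    "00:50:56": "VMware",
}

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
IP4 = r"\d+\.\d+\.\d+\.\d+"

# Ethernet header as printed by -e: "<ts> <smac> > <dmac>, ethertype <type> (...), length N: <rest>"
ETHER_RE = re.compile(
    rf"^\S+\s+(?P<smac>{MAC})\s+>\s+(?P<dmac>{MAC}),\s+ethertype\s+(?P<etype>\w+)[^:]*:\s*(?P<rest>.*)$"
)
# IPv4 payload summary, with optional ".port" after each address.
IPV4_RE = re.compile(rf"^(?P<sip>{IP4})(?:\.\d+)?\s+>\s+(?P<dip>{IP4})(?:\.\d+)?[:,]")
ARP_REPLY_RE = re.compile(rf"^Reply\s+(?P<ip>{IP4})\s+is-at\s+(?P<mac>{MAC})")
ARP_REQ_RE = re.compile(rf"^Request\s+who-has\s+\S+\s+tell\s+(?P<ip>{IP4})")


def is_unicast(mac):
    """Broadcast/multicast MACs have the I/G bit (low bit of the first octet) set."""
    return not (int(mac[:2], 16) & 1)


def inventory(lines):
    """Return {mac: set(ips)} learned from the given tcpdump -enn lines."""
    seen = defaultdict(set)
    for line in lines:
        m = ETHER_RE.match(line.strip())
        if not m:
            continue  # not an -e line we understand (e.g. IPv6, truncated output)
        smac, dmac, etype, rest = m.group("smac", "dmac", "etype", "rest")
        if etype == "IPv4":
            ip = IPV4_RE.match(rest)
            if ip:
                seen[smac].add(ip.group("sip"))
                # The destination MAC of an off-subnet packet is the router's MAC,
                # which is exactly what makes a router show up with many IPs.
                # Skip broadcast/multicast frames so ff:ff:... is not "a router".
                if is_unicast(dmac):
                    seen[dmac].add(ip.group("dip"))
        elif etype == "ARP":
            rep = ARP_REPLY_RE.match(rest)
            req = ARP_REQ_RE.match(rest)
            if rep:
                seen[rep.group("mac")].add(rep.group("ip"))
            elif req:
                seen[smac].add(req.group("ip"))  # "tell X" is the requester's own IP
    return seen


def vendor(mac):
    return OUI_VENDORS.get(mac[:8].lower(), "unknown")


def report(seen):
    """Rows of (mac, vendor, sorted ips, likely_router) in MAC order."""
    rows = []
    for mac in sorted(seen):
        ips = sorted(seen[mac], key=lambda a: tuple(int(o) for o in a.split(".")))
        rows.append((mac, vendor(mac), ips, len(ips) > 1))
    return rows


# Constructed sample capture: one router (00:00:0c:...) and two VMware hosts.
SAMPLE = """\
12:00:00.000001 00:50:56:aa:bb:10 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.0.0.1 tell 10.0.0.10, length 28
12:00:00.000002 00:00:0c:aa:bb:01 > 00:50:56:aa:bb:10, ethertype ARP (0x0806), length 42: Reply 10.0.0.1 is-at 00:00:0c:aa:bb:01, length 28
12:00:00.000003 00:50:56:aa:bb:10 > 00:00:0c:aa:bb:01, ethertype IPv4 (0x0800), length 74: 10.0.0.10.51000 > 192.0.2.80.443: Flags [S], seq 1, win 64240, length 0
12:00:00.000004 00:50:56:aa:bb:10 > 00:00:0c:aa:bb:01, ethertype IPv4 (0x0800), length 74: 10.0.0.10.51001 > 198.51.100.25.25: Flags [S], seq 1, win 64240, length 0
12:00:00.000005 00:50:56:aa:bb:20 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 92: 10.0.0.20.138 > 10.0.0.255.138: UDP, length 50
12:00:00.000006 00:50:56:aa:bb:10 > 00:50:56:aa:bb:20, ethertype IPv4 (0x0800), length 98: 10.0.0.10 > 10.0.0.20: ICMP echo request, id 7, seq 1, length 64
"""

if __name__ == "__main__":
    for mac, vend, ips, router in report(inventory(SAMPLE.splitlines())):
        flag = "likely router" if router else ""
        print(f"{mac}\t{vend}\t{', '.join(ips)}\t{flag}")
```

On the sample the router MAC ends up associated with its own address plus the two remote destinations, so it is flagged; the two hosts each map to a single IP. The "more than one IP per MAC" heuristic also fires for a hypervisor bridge or a multihomed host, so treat it as a lead to confirm rather than proof of a router.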