Security Basics mailing list archives
RE: Comparing hosts on a network to text file
From: "Simon Thornton" <simon () thornton info>
Date: Fri, 10 Aug 2012 00:35:07 +0200
Hi Andi,
AM> I'm looking to create a script, or use something already in existence
AM> to scan a network for hosts, returning the mac addresses active on the
AM> network. The script should then compare the mac addresses discovered
AM> to a prepopulated text file and somehow notify me of any discrepancy.
Getting a list of active addresses can be had using nmap:
# sSRC=any form of address accepted by nmap
sHOSTS="`nmap -n -sP -oG - ${sSRC} | grep \": Up\" | cut -d' ' -f2`"
Finding the MAC is easy enough if the system is located on the same segment
as your system; the challenge is if the system is located on the other side
of a router or firewall - ARP is not passed through and any MAC references
seen on your system will be the router interface on your segment.
I usually try a number of methods to try and get a MAC, some only work on
the local segment, others are more universal:
arping -> nmap -> nbtscan -> snmpwalk -> wmic
(probably other utils as well that will return MAC info)
The script fragments for each method are shown below.
# If "sIP" is the address or hostname:
# e.g. sIP=10.11.12.13
#
# Local subnet only
arping -c 1 "$sIP" | tr -d '[]' | grep Unicast | awk '{printf "%s\t%s\n",$4,$5}'
# Local subnet only
printf '%s' "$sIP"; nmap -sP "${sIP}" 2>/dev/null | grep MAC | \
  awk '{if (NF>2) printf "\t%s\n",$3}'
# Any subnet on a system which runs Windows or Samba and port 139 is open
# Note: Samba sometimes returns 00:00:00:00:00:00, have to catch this
printf '%s' "$sIP"; nbtscan -m "$sIP" 2>/dev/null | \
  awk '{if (NF==4) printf("\t%s\n",$3)}'
# If $sSNMPcomm is the SNMP community string:
# e.g. set sSNMPcomm=public
#
# Any subnet provided SNMP is active on the system
printf '%s' "$sIP"; snmpwalk -v1 -c "${sSNMPcomm}" "$sIP" IF-MIB::ifPhysAddress 2>/dev/null \
  | grep "^I[FP]" | awk '{if (NF==4) printf("\t%s\n",$4);}'
# Using the windows WMI interface and the zenoss wmic util:
# where sHOST = host, sUSER=account, sPASSWD=password
wmic -U "${sHOST}/${sUSER}%${sPASSWD}" "//${sHOST}" \
  "select IPAddress,MACAddress from Win32_networkadapterconfiguration" | \
  awk -F'|' '{if (length($2)>6) printf "%s\t%s\n",substr($2,2,length($2)-2),$3}' | \
  grep -v "0.0.0.0" | grep ":" | sort | uniq
#-- EOF
If you test the outcome of each method till you get a MAC then this can be
output to a file (a script implementing the above exists if anyone is
interested).
Next you need a dump of either the DHCP leases:
netsh dhcp server scope 10.0.0.0 show clients >dhcpdump.txt
The result can then be processed into a similar form as above (IP MAC) and
then use diff to compare.
You might also want to compare against a WINS dump; some rogue systems
choosing a static address might use the WINS server for lookups, and these
queries would show up in the WINS dump.
Rgds,
Simon
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Morris, Andi
Sent: Tuesday, August 07, 2012 16:38 PM
To: security-basics () securityfocus com
Subject: Comparing hosts on a network to text file
Hi all,
I'm looking to create a script, or use something already in existence to
scan a network for hosts, returning the mac addresses active on the network.
The script should then compare the mac addresses discovered to a
prepopulated text file and somehow notify me of any discrepancy.
I'd imagine nmap would be the tool I'm after.
The scenario is:
I have a network that has a filled DHCP scope.
When a user registers a device with us we assign them an IP address on the
Windows DHCP server.
We are trying to avoid users manually giving themselves an IP address from
this range and gaining access.
My plan was to have a script poll the network every 'n' minutes to compare
the mac addresses on the network to those that we have reserved IPs for and
to email the details of any rogue clients to a designated mailbox.
Does this sound feasible and does anyone know of a tool that would already
exist for this before I spend hours learning and configuring nmap (not time
badly spent I admit)?
Cheers,
Andi
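The comparison step described in the reply above (scan results and the DHCP dump both reduced to "IP MAC", then compared), as an added example that is not part of the original post and is not the author's script. The function names are hypothetical, and the netsh dump lines and all addresses are constructed sample data whose layout is an assumption.

```shell
#!/bin/sh
# Added example: compare scan results against a DHCP client dump.

# Print "ip mac" (lower case, colon separated) for every line of file $1 that
# starts with an IPv4 address and contains a 6-byte MAC written with - or :.
to_ip_mac() {
    awk 'BEGIN { h = "[0-9A-Fa-f][0-9A-Fa-f]"; s = "[-:]"
                 re = h s h s h s h s h s h }
         $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && match($0, re) {
             mac = tolower(substr($0, RSTART, RLENGTH)); gsub(/-/, ":", mac)
             # Samba can answer nbtscan with an all-zero MAC: discard it
             if (mac != "00:00:00:00:00:00") print $1, mac
         }' "$1" | sort -u
}

# $1 = scan results (IP MAC), $2 = DHCP dump. Prints one line per discrepancy.
find_discrepancies() {
    tmp=$(mktemp -d) || return 1
    to_ip_mac "$1" > "$tmp/seen"
    to_ip_mac "$2" > "$tmp/known"
    awk 'src == "known" { ip_of[$2] = $1; next }
         !($2 in ip_of) { print "UNKNOWN_MAC", $1, $2; next }
         ip_of[$2] != $1 { print "WRONG_IP", $1, $2, "lease=" ip_of[$2] }
        ' src=known "$tmp/known" src=seen "$tmp/seen"
    rm -rf "$tmp"
}

# Constructed sample data, written to a scratch directory for the demo.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' \
        '10.0.0.10 - 255.255.255.0 - 00-11-22-33-44-55 - 8/17/2012 9:00:00 AM -D' \
        '10.0.0.11 - 255.255.255.0 - 00-1A-2B-3C-4D-5E - NEVER EXPIRES -R' \
        'Command completed successfully.' > "$d/dhcpdump.txt"
    printf '%s\t%s\n' 10.0.0.10 00:11:22:33:44:55 \
        10.0.0.12 00:1a:2b:3c:4d:5e \
        10.0.0.13 DE:AD:BE:EF:00:01 \
        10.0.0.14 00:00:00:00:00:00 > "$d/scan.txt"
    find_discrepancies "$d/scan.txt" "$d/dhcpdump.txt"
    rm -rf "$d"
}

demo
```

A registered device that is switched off produces no line; only addresses seen in the scan are checked against the dump.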
