Security Basics mailing list archives
RE: Comparing hosts on a network to text file
From: "Simon Thornton" <simon () thornton info>
Date: Fri, 10 Aug 2012 00:35:07 +0200
Hi Andi,

AM> I'm looking to create a script, or use something already in existence
AM> to scan a network for hosts, returning the mac addresses active on the
AM> network. The script should then compare the mac addresses discovered
AM> to a prepopulated text file and somehow notify me of any discrepancy.

Getting a list of active addresses can be had using nmap:

    # sSRC=any form of address accepted by nmap
    sHOSTS="$(nmap -n -sP -oG - ${sSRC} | grep ": Up" | cut -d' ' -f2)"

Finding the MAC is easy enough if the system is located on the same segment as your system; the challenge is if the system is located on the other side of a router or firewall - ARP is not passed through and any MAC references seen on your system will be the router interface on your segment.

I usually try a number of methods to try and get a MAC; some only work on the local segment, others are more universal:

    arping -> nmap -> nbtscan -> snmpwalk -> wmic

(probably other utils as well that will return MAC info)

The script fragments for each method are shown below.

    # If "sIP" is the address or hostname:
    # e.g. sIP=10.11.12.13
    #
    # Local subnet only
    arping -c 1 "$sIP" | tr -d '[]' | grep Unicast | awk '{printf "%s\t%s\n",$4,$5}'

    # Local subnet only
    printf '%s' "$sIP"; nmap -sP "${sIP}" 2>/dev/null | grep MAC | \
        awk '{if (NF>2) printf "\t%s\n",$3}'

    # Any subnet on a system which runs Windows or Samba and port 139 is open
    # Note: Samba sometimes returns 00:00:00:00:00:00, have to catch this
    printf '%s' "$sIP"; nbtscan -m "$sIP" 2>/dev/null | \
        awk '{if (NF==4) printf("\t%s\n",$3)}'

    # If $sSNMPcomm is the SNMP community string:
    # e.g. sSNMPcomm=public
    #
    # Any subnet provided SNMP is active on the system
    printf '%s' "$sIP"; snmpwalk -v1 -c "${sSNMPcomm}" "$sIP" IF-MIB::ifPhysAddress 2>/dev/null \
        | grep "^I[FP]" | awk '{if (NF==4) printf("\t%s\n",$4);}'

    # Using the windows WMI interface and the zenoss wmic util:
    # where sHOST = host, sUSER=account, sPASSWD=password
    wmic -U "${sHOST}/${sUSER}%${sPASSWD}" "//${sHOST}" \
        "select IPAddress,MACAddress from Win32_networkadapterconfiguration" \
        | awk -F'|' '{if (length($2)>6) printf "%s\t%s\n",substr($2,2,length($2)-2),$3}' \
        | grep -v "0.0.0.0" | grep ":" | sort | uniq

    #-- EOF

If you test the outcome of each method till you get a MAC then this can be output to a file (a script implementing the above exists if anyone is interested).

Next you need a dump of either the DHCP leases:

    netsh dhcp server scope 10.0.0.0 show clients >dhcpdump.txt

The result can then be processed into a similar form as above (IP MAC) and then use diff to compare.

You might also want to compare against a WINS dump; some rogue systems choosing a static address might use the WINS server for lookups, and these queries would show up in the WINS dump.

Rgds,

Simon

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Morris, Andi
Sent: Tuesday, August 07, 2012 16:38 PM
To: security-basics () securityfocus com
Subject: Comparing hosts on a network to text file

Hi all,

I'm looking to create a script, or use something already in existence to scan a network for hosts, returning the mac addresses active on the network. The script should then compare the mac addresses discovered to a prepopulated text file and somehow notify me of any discrepancy. I'd imagine nmap would be the tool I'm after.

The scenario is: I have a network that has a filled DHCP scope. When a user registers a device with us we assign them an IP address on the Windows DHCP server. We are trying to avoid users manually giving themselves an IP address from this range and gaining access. My plan was to have a script poll the network every 'n' minutes to compare the mac addresses on the network to those that we have reserved IPs for and to email the details of any rogue clients to a designated mailbox.

Does this sound feasible and does anyone know of a tool that would already exist for this before I spend hours learning and configuring nmap (not time badly spent I admit).

Cheers,

Andi
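The comparison step described in the message above (reduce the DHCP dump and the scan results to the same "IP MAC" form, then compare), as an added example that is not part of the original post. The function names, report labels and sample data are constructed for illustration, and the netsh row layout shown in the comments is an assumption.

```shell
#!/bin/sh
# Added example. Both inventories are reduced to "IP<TAB>mac" (lower case, colons).

# Parse a `netsh dhcp server scope ... show clients` dump.
# Assumed row layout: "IP - mask - MAC-with-hyphens - expiry -type".
dhcp_to_pairs() {
    tr -d '\r' < "$1" | awk -F' +- +' '
        { sub(/^[ \t]+/, "") }                      # strip indent; re-splits fields
        $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            mac = tolower($3); gsub(/-/, ":", mac)
            printf "%s\t%s\n", $1, mac
        }' | sort -u
}

# Normalise scanner output ("IP<TAB>MAC"); drop rows with no MAC and the
# all-zero MAC that the message notes Samba sometimes returns.
scan_to_pairs() {
    awk 'NF >= 2 {
            mac = tolower($2); gsub(/-/, ":", mac)
            if (mac != "00:00:00:00:00:00") printf "%s\t%s\n", $1, mac
        }' "$1" | sort -u
}

# report_rogues SCAN_PAIRS DHCP_PAIRS -> one line per discrepancy
report_rogues() {
    awk -F'\t' -v dhcp="$2" '
        BEGIN { while ((getline row < dhcp) > 0) { split(row, f, "\t"); ip_of[f[2]] = f[1] } }
        !($2 in ip_of)  { printf "UNKNOWN_MAC\t%s\t%s\n", $1, $2; next }
        ip_of[$2] != $1 { printf "WRONG_IP\t%s\t%s\tregistered=%s\n", $1, $2, ip_of[$2] }
    ' "$1"
}

# Constructed sample data: one matching host, one registered MAC on an
# unregistered IP, one unknown MAC, one all-zero MAC that must be ignored.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/dhcpdump.txt" <<'EOF'
IP Address      - Subnet Mask    - Unique ID           - Lease Expires        -Type
10.0.0.10       - 255.255.255.0  - 00-11-22-33-44-55   - 8/15/2012 10:00:00 AM -D
10.0.0.11       - 255.255.255.0  - 00-11-22-33-44-66   - INACTIVE              -R
EOF
    printf '%s\t%s\n' 10.0.0.10 00:11:22:33:44:55 10.0.0.12 00:11:22:33:44:66 \
        10.0.0.13 DE:AD:BE:EF:00:01 10.0.0.14 00:00:00:00:00:00 > "$tmp/scan.txt"
    dhcp_to_pairs "$tmp/dhcpdump.txt" > "$tmp/dhcp.pairs"
    scan_to_pairs "$tmp/scan.txt" > "$tmp/scan.pairs"
    report_rogues "$tmp/scan.pairs" "$tmp/dhcp.pairs"
    rm -rf "$tmp"
}
demo
```

Run from cron, a non-empty report can be piped to mail; the comparison is keyed on MAC, so a spoofed registered MAC on its registered IP is not detected.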