Nmap Announce mailing list archives

Re: ARP idea (conjecture)


From: Bart van Leeuwen <bart () ixori demon nl>
Date: Tue, 29 Jun 1999 05:30:28 +0200 (CEST)

As far as I'm aware, this can at least on some OSes be configured as
a direct timeout, and indirectly by limiting the size of the ARP table
(with the result that it may very well remove entries before they'd time
out, esp. on large network segments or large switched/bridged networks).
This is just from what I have seen after trying to resolve some ARP
problems in a mixed Win-NT, OS/2 environment, but may very well apply to
other OSes as well.

So.. as far as I go this would at least in some situations fail or give
unpredictable results, but I have little doubt that there is some useful
information to get here by just looking at ARP behavior.

Bart



On Tue, 29 Jun 1999, photon wrote:

This would have limited usefulness even if it did work, but
it would evade most existing detection software...

Basically, o'er any ARP-utilising link-layer, I wonder if
it'd be possible to measure ARP timeouts and compare these
with a default-listing by OS?

Eg: ... arp stuff snipped ...
    Myhost -> Targethost [some higher-level protocol]
    Targethost -> MyHost [ARP REQ.]
    Myhost -> Targethost [ARP Response]
    ... wait predetermined period ...
    Myhost -> Targethost [some higher-level protocol]
    ... remember that this period DID/DIDN'T make targethost ARP REQ again ...
    ... repeat with different period ...

I'm not even sure if ARP timeouts are OS-specific (though
I'm pretty sure they are - Steve's book states that
BSD-derived OSs normally have a 20min timeout for completed
entries, 3min for incomplete) .. and obviously this method
would have problems with hardcoded ARP table entries, and be
goddamned slow (patience is a virtue ;).  As a side note,
from memory some OSs do not handle gratuitous ARP correctly
- this could be used to further fine-tune such an ARP-based
OS determination.

Or I could just be plain wrong. =)

Sorry to make such an up-in-the-air post, but I don't really
have time to play with this stuff (evil final-year
assessment tomorrow ;)

keep up the good work!

- pho



