Nmap Development mailing list archives

Re: NMAP and MAC Addresses


From: doug () hcsw org
Date: Tue, 12 Feb 2008 17:05:55 -0800

On Wed, Feb 13, 2008 at 12:38:05AM +0000 or thereabouts, Brandon Enright wrote:

> You're right, of course.  I'll point out though that Nmap does have
> nbstat.nse for trying to divine MAC addresses from Windows boxes.
>
> And then outside of Nmap, there is always SNMP to query the router for a
> given VLAN.

Aha! Excellent point. That reminds me that there are also many match lines
in the nmap-service-probes DB that extract MAC addresses from things like
WAPs, routers, and embedded devices that blurt it out on connect. A
couple examples:

match http m|^HTTP/1\.1 \d\d\d .*\r\nWWW-Authenticate: Basic realm=\"CANOPY ([\w-]+)\"\r\n|s p/Motorola Canopy WAP http config/ d/WAP/ i/MAC $1/

match telnet m|^\xff\xfe\"\xff\xfb\x01\xff\xfb\x03User : \r\n\r?SpeedTouch \(([\w-]+)\)\r\n\r?Password : Invalid Password\r\n\r?Closing connection\r\n| p/Alcatel SpeedTouch DSL router/ i/MAC $1/ d/router/

match ncd-diag m|^WinCE/WBT Diagnostic port\n\rSerial Number: (\w+)  MAC Address: 0000(\w+)\s+.*CPU info: ([ -.+\w/ ]+)\r\n.*(Windows CE Kernel[-.+:\w ]+)\r|s p|NCD Thinster Terminal Diagnostic port| i|Serial# $1; MAC: $2; CPU: $3; $4|

Best,

Doug
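
Added example (not part of the message above and not Nmap's own code): a small Python sketch of how the first two match lines turn a pre-authentication banner into an "i/MAC .../" info field, useful for checking what your own devices disclose on connect. It assumes the archive's line wraps are joined and "\r\ n" is read as "\r\n", uses Python's re in place of Nmap's PCRE, handles only the s/i flags and $N substitution, and runs against constructed banners with made-up MAC values.

```python
import re

# Match lines quoted in the post above, rejoined onto single lines.
CANOPY = (r'match http m|^HTTP/1\.1 \d\d\d .*\r\nWWW-Authenticate: Basic '
          r'realm=\"CANOPY ([\w-]+)\"\r\n|s p/Motorola Canopy WAP http config/ '
          r'd/WAP/ i/MAC $1/')
SPEEDTOUCH = (r'match telnet m|^\xff\xfe\"\xff\xfb\x01\xff\xfb\x03User : \r\n\r?'
              r'SpeedTouch \(([\w-]+)\)\r\n\r?Password : Invalid Password\r\n\r?'
              r'Closing connection\r\n| p/Alcatel SpeedTouch DSL router/ '
              r'i/MAC $1/ d/router/')
FLAGS = {"s": re.DOTALL, "i": re.IGNORECASE}

def parse_match_line(line):
    """Return (service, compiled bytes regex, {field letter: template})."""
    head = re.match(r"(?:soft)?match (\S+) m(.)", line)
    if head is None:
        raise ValueError("not a match directive")
    service, delim = head.groups()
    end = line.index(delim, head.end())          # closing pattern delimiter
    pattern, rest = line[head.end():end], line[end + 1:]
    opts = re.match(r"[is]*", rest).group()      # flags directly after the pattern
    flags = 0
    for o in opts:
        flags |= FLAGS[o]
    # Version fields look like p/.../, i|...|, d/.../ with a free delimiter.
    fields = {m[1]: m[3] for m in
              re.finditer(r"\s([pvihod])([^\w\s])(.*?)\2", rest[len(opts):])}
    # Banners are raw bytes (note the telnet IAC bytes), so compile as bytes.
    return service, re.compile(pattern.encode("latin-1"), flags), fields

def extract(line, banner):
    """Apply one match line to a banner; expand $N in each field, or None."""
    service, rx, fields = parse_match_line(line)
    hit = rx.search(banner)
    if hit is None:
        return None
    expand = lambda t: re.sub(
        r"\$(\d)", lambda g: hit.group(int(g[1])).decode("latin-1"), t)
    return {"service": service, **{k: expand(v) for k, v in fields.items()}}

# Constructed banners (not captured from real devices; MAC values are made up).
HTTP_BANNER = (b'HTTP/1.1 401 Unauthorized\r\n'
               b'WWW-Authenticate: Basic realm="CANOPY 0a-00-3e-aa-bb-cc"\r\n\r\n')
TELNET_BANNER = (b'\xff\xfe"\xff\xfb\x01\xff\xfb\x03User : \r\n'
                 b'SpeedTouch (00-90-D0-AA-BB-CC)\r\nPassword : Invalid Password'
                 b'\r\nClosing connection\r\n')
print(extract(CANOPY, HTTP_BANNER))
print(extract(SPEEDTOUCH, TELNET_BANNER))
```
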
