Penetration Testing mailing list archives

RE: Using ARP to map a network


From: "Dario N. Ciccarone" <dciccaro () cisco com>
Date: Wed, 5 Feb 2003 00:38:36 -0300

yeah - it is flawed :)

MAC to IP mappings as in the ARP table only happen when both source and
destination IP hosts are on the same L2, and by definition, L3 network. so a
host ARP table on NET X should only show entries for those machines on its
same subnet the host had conversations with.

of course, knowing host X IP address and subnet mask, you could start ARPing
for all the other available IPs on the range and know what IP addresses are
in use, and what not (little issue with machines powered off when you're
doing your ARPinging ;))

for all non-local destinations, the only entry the host should have is for
the MAC/IP pair of its default gateway.

one small digression: a host _could_ have MAC/IP pairs in its ARP table for
machines not on the same subnet, _if_ the router on the local segment is a
Cisco router with "ip proxy-arp" enabled - and even then, it would only have
mapped IPs on the non-local network to the router MAC address (as you
suggested), but only for router-connected subnets of the same major network
the ARPing host is connected to. check

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fipr_c/ipcprt1/1cfipadr.htm#1001233

and RFC-1027 to fully understand what problems proxy-arp solves. and btw:
Cisco's recommendation (from a security point of view) is to disable proxy
ARP if not needed - just to thwart practices such as the one you want to implement :))



-----Original Message-----
From: Jason Lewis [mailto:jlewis () packetnexus com]
Sent: Tuesday, February 04, 2003 8:37 PM
To: pen-test () securityfocus com
Subject: Using ARP to map a network


I have searched and can't seem to find any tools to help map a network
based on ARP tables.

It seems to me, I could take ARP tables from several machines and build a
network map.  If machines were behind a router the ARP tables would show
multiple IP's with the same MAC.  With enough ARP tables, wouldn't I be
able to build a map?

Is my theory flawed?

My goal is to do passive network mapping based on any local information I
can obtain from computers or network devices.  Anyone have any ideas?

jas

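The two points made in this thread (a host's ARP cache only holds same-subnet neighbours plus the gateway, and with proxy ARP every off-subnet address collapses onto the router's MAC) can be checked directly from collected ARP tables. The following is an added example, not code from either poster; the `arp -a` style lines, host names and subnets are constructed, and the 00:00:0c MAC prefix is used only as an illustrative router address.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: "arp -a" style output collected from two hosts, keyed by
# "hostname@subnet". On hostA the MAC 00:00:0c:07:ac:01 answers for addresses
# outside 10.1.1.0/24, which is how a router with proxy ARP enabled appears.
ARP_SAMPLES = {
    "hostA@10.1.1.0/24": """\
? (10.1.1.1) at 00:00:0c:07:ac:01 [ether] on eth0
? (10.1.1.20) at 52:54:00:aa:bb:20 [ether] on eth0
? (10.1.1.21) at 52:54:00:aa:bb:21 [ether] on eth0
? (10.1.2.5) at 00:00:0c:07:ac:01 [ether] on eth0
? (10.1.2.9) at 00:00:0c:07:ac:01 [ether] on eth0
""",
    "hostB@10.1.2.0/24": """\
? (10.1.2.1) at 00:00:0c:07:ac:02 [ether] on eth0
? (10.1.2.5) at 52:54:00:cc:dd:05 [ether] on eth0
""",
}

ARP_LINE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]{17})", re.I)


def parse_arp(text):
    """Return (ip, mac) pairs from 'arp -a' style lines; other lines are skipped."""
    matches = (ARP_LINE.search(line) for line in text.splitlines())
    return [(m["ip"], m["mac"].lower()) for m in matches if m]


def classify(subnet, entries):
    """Label each IP 'local' or 'off-subnet' relative to the collecting host's subnet."""
    net = ipaddress.ip_network(subnet)
    return {ip: ("local" if ipaddress.ip_address(ip) in net else "off-subnet")
            for ip, _ in entries}


def build_map(samples):
    """Merge several ARP tables.

    Returns (shared, off_subnet, conflicts):
      shared     - MACs seen with more than one IP (gateway / proxy-ARP candidates)
      off_subnet - entries a host should not have unless proxy ARP is in play
      conflicts  - IPs resolved to different MACs by different hosts; the entry
                   from the host on the IP's own subnet is the real one
    """
    ip_by_mac, mac_by_ip, off_subnet = defaultdict(set), defaultdict(set), []
    for host, text in samples.items():
        entries = parse_arp(text)
        labels = classify(host.split("@")[1], entries)
        for ip, mac in entries:
            ip_by_mac[mac].add(ip)
            mac_by_ip[ip].add(mac)
            if labels[ip] == "off-subnet":
                off_subnet.append((host, ip, mac))
    shared = {m: sorted(ips) for m, ips in ip_by_mac.items() if len(ips) > 1}
    conflicts = {ip: sorted(macs) for ip, macs in mac_by_ip.items() if len(macs) > 1}
    return shared, off_subnet, conflicts
```

Running `build_map(ARP_SAMPLES)` flags the router MAC as shared by three IPs and shows 10.1.2.5 with two different MACs, the proxy-ARP one from hostA and the real one from hostB; an administrator who did not expect proxy ARP on that segment has a concrete reason to check the router's "ip proxy-arp" setting.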


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/




