Penetration Testing mailing list archives
Re: Using ARP to map a network
From: "Jason Lewis" <jlewis () packetnexus com>
Date: Tue, 4 Feb 2003 19:32:53 -0500 (EST)
This may be part of my problem. I have a list of IPs and MACs. There are multiple MACs tied to a single IP. I was under the impression this data was gathered from ARP tables from several machines across the network. I figured the reason I was seeing multiple MACs for a single IP was because the router responded for the IP behind it. Any other explanation for what I am seeing? jas
Jason, If the machines were behind a router you would not see anything for ARP. At that point you are routing and not switching. True, you would see an MAC address for the router but remember, the MAC address is part of the frame and the IP address is part of the packet. Therefore the only time that the two are tied together is on the local subnet. Any tool to map networks based on arp tables would have to have access to the arp tables for each individual subnet. "If machines were behind a router the ARP tables would show multiple IP's with the same MAC." No, the arp tables would only show the routers IP address and the mac address of the router. A routing table would show IP addresses "behind" the routers IP address (maybe, default routes would throw this off). Routing tables are global while arp tables are local to the subnet. Hope this helps. Kevin ----- Original Message ----- From: "Jason Lewis" <jlewis () packetnexus com> To: <pen-test () securityfocus com> Sent: Tuesday, February 04, 2003 6:36 PM Subject: Using ARP to map a networkI have searched and can't seem to find any tools to help map a network based on ARP tables. It seems to me, I could take ARP tables from several machines and build a network map. If machines were behind a router the ARP tables would show multiple IP's with the same MAC. With enough ARP tables, wouldn't I be able to build a map? Is my theory flawed? My goal is to do passive network mapping based on any local information I can obtain from computers or network devices. Anyone have any ideas? jas ----------------------------------------------------------------------------This list is provided by the SecurityFocus Security Intelligence Alert(SIA)Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities pleasesee:https://alerts.securityfocus.com/
---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
Current thread:
- RE: Using ARP to map a network, (continued)
- RE: Using ARP to map a network Jason Lewis (Feb 05)
- RE: Using ARP to map a network Dario N. Ciccarone (Feb 06)
- RE: Using ARP to map a network Rob J Meijer (Feb 09)
- RE: Using ARP to map a network Dario Ciccarone (Feb 09)
- RE: Using ARP to map a network Jason Lewis (Feb 05)
- RE: Using ARP to map a network Rob Shein (Feb 06)
- Re: Using ARP to map a network Rob J Meijer (Feb 09)
- Re: Using ARP to map a network planz (Feb 12)
- Re: Using ARP to map a network Jason Lewis (Feb 05)