Penetration Testing mailing list archives
RE: Using ARP to map a network
From: "Rob Shein" <shoten () starpower net>
Date: Wed, 5 Feb 2003 13:48:55 -0500
The only way to truly passively map a network, the term "passive" meaning you initiate nothing, is to be on the network, listening. And any machine that does not send traffic onto your local wire (be it a VLAN, hub, your port on the switch, or whatever) will not show up. This is why people still use active (and much more detectable) means to map networks.
-----Original Message-----
From: Jason Lewis [mailto:jlewis () packetnexus com]
Sent: Tuesday, February 04, 2003 7:36 PM
To: pen-test () securityfocus com
Subject: RE: Using ARP to map a network

Maybe I am asking the wrong question. If my goal is to passively map a network, what is the best way to do that?

I'm not quite sure how ARP harvesting (via SNMP, presumably?) is passive, but here goes: On the face of it, you should be able to do this. Problems could occur if you run into firewalls, or in switched environments where there are machines that infrequently communicate outwards (and rarely broadcast). Unfortunately, both of these instances are much more likely with respect to critical infrastructure (like database back-end servers or the accounting department.) What is the goal of using this means as opposed to some other method? SNMP queries to routers may be just as obvious as ping sweeps or SYN scans in the eyes of an IDS, and perhaps even more so if they have logging set high enough.

-----Original Message-----
From: Jason Lewis [mailto:jlewis () packetnexus com]
Sent: Tuesday, February 04, 2003 6:37 PM
To: pen-test () securityfocus com
Subject: Using ARP to map a network

I have searched and can't seem to find any tools to help map a network based on ARP tables. It seems to me, I could take ARP tables from several machines and build a network map. If machines were behind a router the ARP tables would show multiple IP's with the same MAC. With enough ARP tables, wouldn't I be able to build a map? Is my theory flawed? My goal is to do passive network mapping based on any local information I can obtain from computers or network devices. Anyone have any ideas?

jas

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
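The merging idea from the original question in this thread, as an added example that is not part of any poster's message: it parses `arp -a` output collected from several hosts, merges the entries by MAC address, and reports MACs that answer for more than one IP. The host names, addresses and table contents are constructed, and the two input formats handled (Linux/BSD and Windows `arp -a`) are assumptions.

```python
import re
from collections import defaultdict
# Matches "? (10.0.0.1) at 00:11:22:33:44:55 [ether] on eth0" (Linux/BSD)
# and "  10.0.0.1    00-11-22-33-44-55    dynamic" (Windows).
ENTRY = re.compile(
    r"\(?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)?\s+(?:at\s+)?"
    r"(?P<mac>[0-9A-Fa-f]{1,2}(?:[:-][0-9A-Fa-f]{1,2}){5})\b"
)

def parse_arp(text):
    """Yield (ip, normalized mac) pairs from one host's `arp -a` output."""
    for line in text.splitlines():
        m = ENTRY.search(line)
        if not m:
            continue  # headers, interface lines, "<incomplete>" entries
        octets = [int(o, 16) for o in re.split("[:-]", m["mac"])]
        if octets[0] & 1:
            continue  # group bit set: broadcast/multicast, not a station
        yield m["ip"], ":".join(f"{o:02x}" for o in octets)

def merge(tables):
    """tables: {observer: arp text} -> {mac: {ip: {observers that saw it}}}."""
    seen = defaultdict(lambda: defaultdict(set))
    for observer, text in tables.items():
        for ip, mac in parse_arp(text):
            seen[mac][ip].add(observer)
    return seen

def shared_macs(seen):
    """MACs that answer for more than one IP, with IPs in numeric order."""
    key = lambda ip: tuple(map(int, ip.split(".")))
    return {mac: sorted(ips, key=key) for mac, ips in seen.items() if len(ips) > 1}

TABLES = {  # constructed sample output from two hypothetical observers
    "hostA": """\
? (192.168.1.1) at 00:10:7b:aa:bb:01 [ether] on eth0
? (192.168.1.20) at 00:50:56:aa:bb:20 [ether] on eth0
? (192.168.1.77) at <incomplete> on eth0
""",
    "hostB": """\
Interface: 192.168.1.30 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-10-7b-aa-bb-01     dynamic
  192.168.2.5           00-10-7b-aa-bb-01     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
""",
}
if __name__ == "__main__":
    print(shared_macs(merge(TABLES)))
```

A MAC shared by several IPs is only a candidate: a router doing proxy ARP, a multi-homed host and IP aliasing all look the same in this data, and a host that never exchanged traffic with any observer does not appear at all.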