RE: Using ARP to map a network

["Rob Shein" <shoten () starpower net>]

The only way to truly passively map a network, the term "passive" meaning
you initiate nothing, is to be on the network, listening.  And any machine
that does not send traffic onto your local wire (be it a VLAN, hub, your
port on the switch, or whatever) will not show up.  This is why people still
use active (and much more detectable) means to map networks.

> -----Original Message-----
> From: Jason Lewis [mailto:jlewis () packetnexus com] 
> Sent: Tuesday, February 04, 2003 7:36 PM
> To: pen-test () securityfocus com
> Subject: RE: Using ARP to map a network
>
>
> Maybe I am asking the wrong question.
>
> If my goal is to passively map a network, what is the best 
> way to do that?
>
> > I'm not quite sure how ARP harvesting (via SNMP, presumably?) is 
> > passive, but here goes:
> >
> > On the face of it, you should be able to do this.  Problems could 
> > occur if you run into firewalls, or in switched environments where 
> > there are machines that infrequently communicate outwards 
> (and rarely 
> > broadcast). Unfortunately, both of these instances are much more 
> > likely with respect to critical infrastructure (like 
> database back-end 
> > servers or the accounting department.)  What is the goal of 
> using this 
> > means as opposed to some other method?  SNMP queries to 
> routers may be 
> > just as obvious as ping sweeps or SYN scans in the eyes of 
> an IDS, and 
> > perhaps even more so if they have logging set high enough.
> >
> > > -----Original Message-----
> > > From: Jason Lewis [mailto:jlewis () packetnexus com]
> > > Sent: Tuesday, February 04, 2003 6:37 PM
> > > To: pen-test () securityfocus com
> > > Subject: Using ARP to map a network
> > >
> > >
> > > I have searched and can't seem to find any tools to help map a 
> > > network based on ARP tables.
> > >
> > > It seems to me, I could take ARP tables from several machines and 
> > > build a network map.  If machines were behind a router the 
> ARP tables 
> > > would show multiple IP's with the same MAC. With enough 
> ARP tables, 
> > > wouldn't I be able to build a map?
> > >
> > > Is my theory flawed?
> > >
> > > My goal is to do passive network mapping based on any local 
> > > information I can obtain from computers or network devices. Anyone 
> > > have any ideas?
> > >
> > > jas
> > >
> > >
> > >
> > > --------------------------------------------------------------
> > > --------------
> > > This list is provided by the SecurityFocus Security Intelligence 
> > > Alert (SIA) Service. For more information on SecurityFocus' SIA 
> > > service which automatically alerts you to the latest security 
> > > vulnerabilities please see:
> > https://alerts.securityfocus.com/
>
>
>
>
> --------------------------------------------------------------
> --------------
> This list is provided by the SecurityFocus Security 
> Intelligence Alert (SIA) Service. For more information on 
> SecurityFocus' SIA service which automatically alerts you to 
> the latest security vulnerabilities please see: 
https://alerts.securityfocus.com/


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/