Re: mac to ip address tools

[kukulkan <ismandya () sains com my>]

Hi List,

Instead of having my questions answered, I also get new tips for further 
investigations! Thanks a lot. you guys rock!

merci beaucoup
Dario Ciccarone (dciccaro) wrote:

> You didn't really frame your question - but let's give it a shot.
>
> You received a bunch of answers about how to find out MAC<->IP pairings
> in your broadcast domain (I assume you're interested in learning
> MAC-to-IP pairings on the same L2 your machine is located). Some
> suggested arping, some arpwatch, etc. The easiest way? Sniff. 
>
> Say host A on your net is trying to communicate with host B. Host A
> needs to know the MAC address for host B (or the MAC address for the
> default gateway, if B not located on the same L2/L3 network). So he will
> send out an ARP request. ARP replies are no good for you - those are
> unicast to the host asking. But hey, a host ARPing for a other host
> sends a broadcast - including *his* IP address. And the MAC is obviously
> his MAC. And you do get broadcast. So, listen to ARP requests, and
> sooner or later (when a host tries to communicate with other and doesn't
> know his MAC, or when its refreshing its ARP cache), you will learn all
> MAC-to-IP pairs. Even if the host never tries to contact hosts on his
> same L2/L3 network, it has to ARP for the default gw MAC. This is the
> answer to your original question.
>
> About 100 machines using the same MAC address: two possibilities, out of
> the top of my mind. Either the MAC belongs to a router on the same L2
> network, which is doing proxy-arp for those machines (machines that
> aren't really located on your L2 network), or those machines are, again,
> in another network, and the host answering ARP requests for them is a
> firewall - which would then filter/NAT/rate-limit/do whatever he has to
> do with the packet before forwarding it to the real host.
>
> Other things to keep in mind: pairing between MAC/IP can change - while
> both HSRP and VRRP use a virtual MAC address, shared between all routers
> on the same HSRP/VRRP group (and hence, no changes on the MAC address if
> one of them takes over a failed one), GLBP (AFAIR) can reply to
> different ARP requests with different MAC addresses. Also check for MS
> MNLB. CheckPoint firewalls used to use multicast MAC addresses for
> firewalls in a cluster configuration.
>
> Good luck
> Dario
>
>  
>
> > -----Original Message-----
> > From: kukulkan [mailto:ismandya () sains com my] 
> > Sent: Tuesday, October 25, 2005 8:45 PM
> > To: Chris Moody
> > Cc: Glyn Geoghegan; pen-test () securityfocus com
> > Subject: Re: mac to ip address tools
> >
> > yeah. There are about 500-600 machines in this place, I say 
> > this because 
> > these are the registered machines. What about those not registered? 
> > there is one thing that bother them is that when we tried to 
> > use arp it 
> > seems that they are about 100  machines  with the same mac address. 
> > Wonder could this be the the machines here have been poisoned?
> >
> > Chris Moody wrote:
> >
> >    
> >
> > > The biggest problem with your question lies in topology 
> > >      
> > restrictions.
> >    
> >
> > > Unless you have a host system in the broadcast domain (aka 
> > >      
> > subnet) of 
> >    
> >
> > > the host ip in question, all your arp responses will be that of the 
> > > gateway enroute to the end host.
> > >
> > > You'll get -very- skewed results if you're trying to map say...1000 
> > > machines (most of which live on different subnets) and see 
> > >      
> > nothing but 
> >    
> >
> > > the MAC of your router as the resolved address.
> > >
> > > For something enterprise wide, you will need to look at scripting a 
> > > arp cache harvesting mechanism.  This can report back the 
> > >      
> > REAL mac to 
> >    
> >
> > > ip mapping for the host system.
> > >
> > > Contact me offline for more information on how to accomplish this.
> > >
> > > -Chris
> > >
> > > Glyn Geoghegan wrote:
> > >
> > >      
> > >
> > > > arp -a
> > > >
> > > > --  G l y n   G e o g h e g a n
> > > >
> > > >
> > > > On 25 Oct 2005, at 10:48, kukulkan wrote:
> > > >
> > > >        
> > > >
> > > > > Hi list,
> > > > >
> > > > > Need help. Is there any open source tools linux or windows, that  
> > > > > when given a MAC address, the list(s) of IP address can 
> > > > >          
> > be obtained?
> >    
> >
> > > > > kukulkan
> > > > >
> > > > >
> > > > >
> > > > >          
> > --------------------------------------------------------------
> > -------- 
> >    
> >
> > > > > --------
> > > > > Audit your website security with Acunetix Web 
> > > > >          
> > Vulnerability Scanner:
> >    
> >
> > > > > Hackers are concentrating their efforts on attacking 
> > > > >          
> > applications  
> >    
> >
> > > > > on your website. Up to 75% of cyber attacks are launched on  
> > > > > shopping carts, forms, login pages, dynamic content etc. 
> > > > >          
> > Firewalls,  
> >    
> >
> > > > > SSL and locked-down servers are futile against web application  
> > > > > hacking. Check your website for vulnerabilities to SQL 
> > > > >          
> > injection,  
> >    
> >
> > > > > Cross site scripting and other web attacks before hackers do!  
> > > > > Download Trial at:
> > > > >
> > > > > http://www.securityfocus.com/sponsor/pen-test_050831
> > > > >
> > > > >          
> > --------------------------------------------------------------
> > -------- 
> >    
> >
> > > > > ---------
> > > > >
> > > > >
> > > > >          
> > > >
> > > >        
> > --------------------------------------------------------------
> > ---------------- 
> >    
> >
> > > > Audit your website security with Acunetix Web 
> > > >        
> > Vulnerability Scanner:
> >    
> >
> > > > Hackers are concentrating their efforts on attacking 
> > > >        
> > applications on 
> >    
> >
> > > > your website. Up to 75% of cyber attacks are launched on shopping 
> > > > carts, forms, login pages, dynamic content etc. Firewalls, SSL and 
> > > > locked-down servers are futile against web application 
> > > >        
> > hacking. Check 
> >    
> >
> > > > your website for vulnerabilities to SQL injection, Cross site 
> > > > scripting and other web attacks before hackers do! 
> > > >        
> > Download Trial at:
> >    
> >
> > > > http://www.securityfocus.com/sponsor/pen-test_050831
> > > >
> > > >        
> > --------------------------------------------------------------
> > ----------------- 
> >    
> >
> > > >        
> > --------------------------------------------------------------
> > ----------------
> > Audit your website security with Acunetix Web Vulnerability Scanner: 
> >
> > Hackers are concentrating their efforts on attacking 
> > applications on your 
> > website. Up to 75% of cyber attacks are launched on shopping 
> > carts, forms, 
> > login pages, dynamic content etc. Firewalls, SSL and 
> > locked-down servers are 
> > futile against web application hacking. Check your website 
> > for vulnerabilities 
> > to SQL injection, Cross site scripting and other web attacks 
> > before hackers do! 
> > Download Trial at:
> >
> > http://www.securityfocus.com/sponsor/pen-test_050831
> > --------------------------------------------------------------
> > -----------------
> >
> >    
>
>  


------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner: 

Hackers are concentrating their efforts on attacking applications on your 
website. Up to 75% of cyber attacks are launched on shopping carts, forms, 
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are 
futile against web application hacking. Check your website for vulnerabilities 
to SQL injection, Cross site scripting and other web attacks before hackers do! 
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------