Penetration Testing mailing list archives
RE: mac to ip address tools
From: "Hazel, Scott A." <Scott.Hazel () unisys com>
Date: Thu, 27 Oct 2005 03:10:56 -0400
To complement Dario's suggestion for sniffing, this is a nugget I picked up while researching for my GCIA practical. tcpdump -ennr 2002.4.31 | awk '{print $2"\t"$6"\t"$3"\t"$8}'|tr -d "," | sed s/":$"//g > mac2ip.txt Some modifications may be necessary but the general idea is to take output from a tcpdump capture (-e flag captures MAC addresses, -nn suppresses hostname and service resolution, -r is for replay of a capture file), pipe to awk for proper formatting, a few more tweaks on the formatting using tr and sed, then dump the results to a text file. I'm sure there is an equivalent, if not more elegant, way to do this with Perl if you know Perl. The end result should be a very readable file that shows 4 columns: source IP's, source MAC's, dest IP's, dest MAC's. This was all done on a linux/unix system so ymmv if you're on a windows host. There plenty of directions you can go with the information from here. Some creative file parsing (perl, grep, etc.) allows you to look for all devices using a specific MAC or the MAC from a particular vendor, how many IP's match to a single MAC and the reverse, etc. There are still some caveats with this approach. Sniffing will only capture data during the time your sniffing so there's no guarantee you'll see all the hosts unless you sniff for a long enough period of time. You still have to deal with limited network visibility due to switches, etc. Good luck. HTH. Scott Hazel -----Original Message----- From: kukulkan [mailto:ismandya () sains com my] Sent: Wednesday, October 26, 2005 9:08 PM To: Dario Ciccarone (dciccaro) Cc: Chris Moody; Glyn Geoghegan; pen-test () securityfocus com Subject: Re: mac to ip address tools Hi List, Instead of having my questions answered, I also get new tips for further investigations! Thanks a lot. you guys rock! merci beaucoup Dario Ciccarone (dciccaro) wrote:
You didn't really frame your question - but let's give it a shot. You received a bunch of answers about how to find out MAC<->IP pairings
in your broadcast domain (I assume you're interested in learning MAC-to-IP pairings on the same L2 your machine is located). Some suggested arping, some arpwatch, etc. The easiest way? Sniff. Say host A on your net is trying to communicate with host B. Host A needs to know the MAC address for host B (or the MAC address for the default gateway, if B not located on the same L2/L3 network). So he will send out an ARP request. ARP replies are no good for you - those are unicast to the host asking. But hey, a host ARPing for a other host
sends a broadcast - including *his* IP address. And the MAC is obviously his MAC. And you do get broadcast. So, listen to ARP requests, and sooner or later (when a host tries to communicate with other and doesn't know his MAC, or when its refreshing its ARP cache), you will learn all MAC-to-IP pairs. Even if the host never tries to contact hosts on his same L2/L3 network, it has to ARP for the default gw MAC. This is the answer to your original question. About 100 machines using the same MAC address: two possibilities, out of the top of my mind. Either the MAC belongs to a router on the same L2 network, which is doing proxy-arp for those machines (machines that aren't really located on your L2 network), or those machines are, again, in another network, and the host answering ARP requests for them
is a firewall - which would then filter/NAT/rate-limit/do whatever he has to do with the packet before forwarding it to the real host. Other things to keep in mind: pairing between MAC/IP can change - while
both HSRP and VRRP use a virtual MAC address, shared between all routers on the same HSRP/VRRP group (and hence, no changes on the MAC address if one of them takes over a failed one), GLBP (AFAIR) can reply
to different ARP requests with different MAC addresses. Also check for MS MNLB. CheckPoint firewalls used to use multicast MAC addresses for firewalls in a cluster configuration. Good luck Dario-----Original Message----- From: kukulkan [mailto:ismandya () sains com my] Sent: Tuesday, October 25, 2005 8:45 PM To: Chris Moody Cc: Glyn Geoghegan; pen-test () securityfocus com Subject: Re: mac to ip address tools yeah. There are about 500-600 machines in this place, I say this because these are the registered machines. What about those not registered? there is one thing that bother them is that when we tried to use arp it seems that they are about 100 machines with the same mac address. Wonder could this be the the machines here have been poisoned? Chris Moody wrote:The biggest problem with your question lies in topologyrestrictions.Unless you have a host system in the broadcast domain (akasubnet) ofthe host ip in question, all your arp responses will be that of the gateway enroute to the end host. You'll get -very- skewed results if you're trying to map say...1000 machines (most of which live on different subnets) and seenothing butthe MAC of your router as the resolved address. For something enterprise wide, you will need to look at scripting a arp cache harvesting mechanism. This can report back theREAL mac toip mapping for the host system. Contact me offline for more information on how to accomplish this. -Chris Glyn Geoghegan wrote:arp -a -- G l y n G e o g h e g a n On 25 Oct 2005, at 10:48, kukulkan wrote:Hi list, Need help. Is there any open source tools linux or windows, that when given a MAC address, the list(s) of IP address canbe obtained?kukulkan-------------------------------------------------------------- ---------------- Audit your website security with Acunetix WebVulnerability Scanner:Hackers are concentrating their efforts on attackingapplicationson your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc.Firewalls,SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQLinjection,Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831-------------------------------------------------------------- ------------------------------------------------------------------------------- ----------------Audit your website security with Acunetix WebVulnerability Scanner:Hackers are concentrating their efforts on attackingapplications onyour website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web applicationhacking. Checkyour website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do!Download Trial at:http://www.securityfocus.com/sponsor/pen-test_050831-------------------------------------------------------------- ------------------------------------------------------------------------------- ---------------- Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831 -------------------------------------------------------------- -----------------
------------------------------------------------------------------------ ------ Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831 ------------------------------------------------------------------------ ------- ------------------------------------------------------------------------------ Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831 -------------------------------------------------------------------------------
Current thread:
- Re: mac to ip address tools, (continued)
- Re: mac to ip address tools Martin Mačok (Oct 26)
- Re: mac to ip address tools Dave Bush (Oct 25)
- Re: mac to ip address tools ilaiy (Oct 25)
- Re: mac to ip address tools Chris Davis (Oct 25)
- Re: mac to ip address tools Matt Bellizzi (Oct 25)
- RE: mac to ip address tools Guillaume LAVOIX (Oct 25)
- RE: mac to ip address tools Dario Ciccarone (dciccaro) (Oct 26)
- Re: mac to ip address tools kukulkan (Oct 26)
- Re: mac to ip address tools arif . jatmoko (Oct 26)
- RE: mac to ip address tools Carl-Johan Bostorp (Oct 26)
- RE: mac to ip address tools Hazel, Scott A. (Oct 27)