Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

RE: mac to ip address tools

From: "Hazel, Scott A." <Scott.Hazel () unisys com>
Date: Thu, 27 Oct 2005 03:10:56 -0400
To complement Dario's suggestion for sniffing, this is a nugget I picked
up while researching for my GCIA practical. 

tcpdump -ennr 2002.4.31 | awk '{print $2"\t"$6"\t"$3"\t"$8}'|tr -d "," |
sed s/":$"//g > mac2ip.txt

Some modifications may be necessary but the general idea is to take
output from a tcpdump capture (-e flag captures MAC addresses, -nn
suppresses hostname and service resolution, -r is for replay of a
capture file), pipe to awk for proper formatting, a few more tweaks on
the formatting using tr and sed, then dump the results to a text file.
I'm sure there is an equivalent, if not more elegant, way to do this
with Perl if you know Perl. 

The end result should be a very readable file that shows 4 columns:
source IP's, source MAC's, dest IP's, dest MAC's.  This was all done on
a linux/unix system so ymmv if you're on a windows host. There plenty of
directions you can go with the information from here. Some creative file
parsing (perl, grep, etc.) allows you to look for all devices using a
specific MAC or the MAC from a particular vendor, how many IP's match to
a single MAC and the reverse, etc.  

There are still some caveats with this approach. Sniffing will only
capture data during the time your sniffing so there's no guarantee
you'll see all the hosts unless you sniff for a long enough period of
time.  

You still have to deal with limited network visibility due to switches,
etc.  Good luck. HTH. 

Scott Hazel 

-----Original Message-----
From: kukulkan [mailto:ismandya () sains com my] 
Sent: Wednesday, October 26, 2005 9:08 PM
To: Dario Ciccarone (dciccaro)
Cc: Chris Moody; Glyn Geoghegan; pen-test () securityfocus com
Subject: Re: mac to ip address tools

Hi List,

Instead of having my questions answered, I also get new tips for further
investigations! Thanks a lot. you guys rock!

merci beaucoup
Dario Ciccarone (dciccaro) wrote:


You didn't really frame your question - but let's give it a shot.

You received a bunch of answers about how to find out MAC<->IP pairings



in your broadcast domain (I assume you're interested in learning 
MAC-to-IP pairings on the same L2 your machine is located). Some 
suggested arping, some arpwatch, etc. The easiest way? Sniff.

Say host A on your net is trying to communicate with host B. Host A 
needs to know the MAC address for host B (or the MAC address for the 
default gateway, if B not located on the same L2/L3 network). So he 
will send out an ARP request. ARP replies are no good for you - those 
are unicast to the host asking. But hey, a host ARPing for a other host



sends a broadcast - including *his* IP address. And the MAC is 
obviously his MAC. And you do get broadcast. So, listen to ARP 
requests, and sooner or later (when a host tries to communicate with 
other and doesn't know his MAC, or when its refreshing its ARP cache), 
you will learn all MAC-to-IP pairs. Even if the host never tries to 
contact hosts on his same L2/L3 network, it has to ARP for the default 
gw MAC. This is the answer to your original question.

About 100 machines using the same MAC address: two possibilities, out 
of the top of my mind. Either the MAC belongs to a router on the same 
L2 network, which is doing proxy-arp for those machines (machines that 
aren't really located on your L2 network), or those machines are, 
again, in another network, and the host answering ARP requests for them



is a firewall - which would then filter/NAT/rate-limit/do whatever he 
has to do with the packet before forwarding it to the real host.

Other things to keep in mind: pairing between MAC/IP can change - while



both HSRP and VRRP use a virtual MAC address, shared between all 
routers on the same HSRP/VRRP group (and hence, no changes on the MAC 
address if one of them takes over a failed one), GLBP (AFAIR) can reply



to different ARP requests with different MAC addresses. Also check for 
MS MNLB. CheckPoint firewalls used to use multicast MAC addresses for 
firewalls in a cluster configuration.

Good luck
Dario

 


-----Original Message-----
From: kukulkan [mailto:ismandya () sains com my]
Sent: Tuesday, October 25, 2005 8:45 PM
To: Chris Moody
Cc: Glyn Geoghegan; pen-test () securityfocus com
Subject: Re: mac to ip address tools

yeah. There are about 500-600 machines in this place, I say this 
because these are the registered machines. What about those not 
registered?
there is one thing that bother them is that when we tried to use arp 
it seems that they are about 100  machines  with the same mac address.
Wonder could this be the the machines here have been poisoned?

Chris Moody wrote:

   


The biggest problem with your question lies in topology
     


restrictions.
   


Unless you have a host system in the broadcast domain (aka
     


subnet) of
   


the host ip in question, all your arp responses will be that of the 
gateway enroute to the end host.

You'll get -very- skewed results if you're trying to map say...1000 
machines (most of which live on different subnets) and see
     


nothing but
   


the MAC of your router as the resolved address.

For something enterprise wide, you will need to look at scripting a 
arp cache harvesting mechanism.  This can report back the
     


REAL mac to
   


ip mapping for the host system.

Contact me offline for more information on how to accomplish this.

-Chris

Glyn Geoghegan wrote:

     


arp -a

--  G l y n   G e o g h e g a n


On 25 Oct 2005, at 10:48, kukulkan wrote:

       


Hi list,

Need help. Is there any open source tools linux or windows, that 
when given a MAC address, the list(s) of IP address can
         


be obtained?
   


kukulkan



         


--------------------------------------------------------------
--------
   


--------
Audit your website security with Acunetix Web
         


Vulnerability Scanner:
   


Hackers are concentrating their efforts on attacking
         


applications
   


on your website. Up to 75% of cyber attacks are launched on 
shopping carts, forms, login pages, dynamic content etc.
         


Firewalls,
   


SSL and locked-down servers are futile against web application 
hacking. Check your website for vulnerabilities to SQL
         


injection,
   


Cross site scripting and other web attacks before hackers do!  
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831

         


--------------------------------------------------------------
--------
   


---------


         



       


--------------------------------------------------------------
----------------
   


Audit your website security with Acunetix Web
       


Vulnerability Scanner:
   


Hackers are concentrating their efforts on attacking
       


applications on
   


your website. Up to 75% of cyber attacks are launched on shopping 
carts, forms, login pages, dynamic content etc. Firewalls, SSL and 
locked-down servers are futile against web application
       


hacking. Check
   


your website for vulnerabilities to SQL injection, Cross site 
scripting and other web attacks before hackers do!
       


Download Trial at:
   


http://www.securityfocus.com/sponsor/pen-test_050831

       


--------------------------------------------------------------
-----------------
   



       


--------------------------------------------------------------
----------------
Audit your website security with Acunetix Web Vulnerability Scanner: 

Hackers are concentrating their efforts on attacking applications on 
your website. Up to 75% of cyber attacks are launched on shopping 
carts, forms, login pages, dynamic content etc. Firewalls, SSL and 
locked-down servers are futile against web application hacking. Check 
your website for vulnerabilities to SQL injection, Cross site 
scripting and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
--------------------------------------------------------------
-----------------

   



 




------------------------------------------------------------------------
------
Audit your website security with Acunetix Web Vulnerability Scanner: 

Hackers are concentrating their efforts on attacking applications on
your website. Up to 75% of cyber attacks are launched on shopping carts,
forms, login pages, dynamic content etc. Firewalls, SSL and locked-down
servers are futile against web application hacking. Check your website
for vulnerabilities to SQL injection, Cross site scripting and other web
attacks before hackers do! 
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
------------------------------------------------------------------------
-------


------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: