RE: Using ARP to map a network

From: Dario N. Ciccarone (dciccaro@cisco.com)
Date: Tue Feb 04 2003 - 22:38:36 EST


yeah - it is flawed :)

MAC-to-IP mappings, as in the ARP table, only happen when both source and
destination IP hosts are on the same L2 (and, by definition, L3) network. So a
host's ARP table on NET X should only show entries for those machines on its
same subnet that the host had conversations with.

of course, knowing host X's IP address and subnet mask, you could start ARPing
for all the other available IPs in the range and learn which IP addresses are
in use and which are not (little issue with machines powered off when you're
doing your ARPing ;))

for all non-local destinations, the only entry the host should have is for
the MAC/IP pair of its default gateway.

one small digression: a host _could_ have MAC/IP pairs in its ARP table for
machines not on the same subnet, _if_ the router on the local segment is a
Cisco router with "ip proxy-arp" enabled - and even then, it would only have
mapped IPs on the non-local network to the router MAC address (as you
suggested), but only for router-connected subnets of the same major network
the ARPing host is connected to. check

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fipr_c/ipcprt1/1cfipadr.htm#1001233

and RFC-1027 to fully understand what problems proxy-arp solves. and btw:
Cisco's recommendation (from a security point of view) is to disable proxy
ARP if not needed - just to thwart practices such as the one you want to implement :))

> -----Original Message-----
> From: Jason Lewis [mailto:jlewis@packetnexus.com]
> Sent: Tuesday, February 04, 2003 8:37 PM
> To: pen-test@securityfocus.com
> Subject: Using ARP to map a network
>
>
> I have searched and can't seem to find any tools to help map a network
> based on ARP tables.
>
> It seems to me, I could take ARP tables from several machines and build a
> network map. If machines were behind a router the ARP tables would show
> multiple IPs with the same MAC. With enough ARP tables, wouldn't I be
> able to build a map?
>
> Is my theory flawed?
>
> My goal is to do passive network mapping based on any local information I
> can obtain from computers or network devices. Anyone have any ideas?
>
> jas
>
>
>
> ------------------------------------------------------------------
> ----------
> This list is provided by the SecurityFocus Security Intelligence
> Alert (SIA)
> Service. For more information on SecurityFocus' SIA service which
> automatically alerts you to the latest security vulnerabilities
> please see:
> https://alerts.securityfocus.com/
>
>

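The reasoning in this thread (same-subnet entries only, remote destinations collapsing onto the gateway MAC, proxy ARP making several off-subnet IPs answer with one router MAC, and the gap left by hosts that were simply never talked to), worked through as code. This is an added example, not code from either poster; the observing hosts, addresses, MACs and the `ip neigh` output are constructed sample data, and the classification of off-subnet entries with the gateway's MAC as "proxy ARP" is the inference Dario describes, applied here to Linux neighbour-table output rather than to any particular router.

```python
"""Merge ARP / neighbour tables collected from several hosts into a map.

Added example, not from the original thread. Input is constructed sample data
in Linux "ip neigh" format; observing hosts, addresses and MACs are made up.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample data: for each observing host, its own address/prefix,
# its default gateway, and the output of `ip neigh` as seen on that host.
SAMPLE_HOSTS = {
    "ws1": {
        "addr": "10.1.1.20/24",
        "gateway": "10.1.1.1",
        "neigh": (
            "10.1.1.1 dev eth0 lladdr 00:11:22:aa:bb:01 REACHABLE\n"
            "10.1.1.30 dev eth0 lladdr 00:11:22:aa:bb:30 STALE\n"
            "10.1.1.40 dev eth0 lladdr 00:11:22:aa:bb:40 REACHABLE\n"
            # Off-subnet IPs answered with the gateway's MAC: proxy-ARP signature
            "10.1.2.10 dev eth0 lladdr 00:11:22:aa:bb:01 STALE\n"
            "10.1.2.11 dev eth0 lladdr 00:11:22:aa:bb:01 STALE\n"
            "10.1.1.99 dev eth0  FAILED\n"  # unanswered request: no MAC learned
        ),
    },
    "srv2": {
        "addr": "10.1.2.10/24",
        "gateway": "10.1.2.1",
        "neigh": (
            "10.1.2.1 dev ens3 lladdr 00:11:22:aa:bb:02 REACHABLE\n"
            "10.1.2.11 dev ens3 lladdr 00:11:22:aa:bb:11 REACHABLE\n"
        ),
    },
}

# "<ip> dev <if> lladdr <mac> <state>"; FAILED/INCOMPLETE lines have no lladdr
NEIGH_RE = re.compile(r"^(\S+)\s+dev\s+(\S+)\s+lladdr\s+([0-9a-f:]{17})\s+(\S+)", re.I)


def parse_ip_neigh(text):
    """Return {ip: mac} for resolved entries only."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m.group(1)] = m.group(3).lower()
    return table


def classify(addr, gateway, table):
    """Split one host's table into local, proxy-ARP'd and anomalous entries."""
    net = ipaddress.ip_interface(addr).network
    gw_mac = table.get(gateway)
    result = {"local": {}, "proxy_arp": {}, "anomalous": {}, "gateway_mac": gw_mac}
    for ip, mac in table.items():
        if ipaddress.ip_address(ip) in net:
            result["local"][ip] = mac
        elif gw_mac and mac == gw_mac:
            # Off-subnet IP resolved to the router's own MAC: what proxy ARP produces
            result["proxy_arp"][ip] = mac
        else:
            # Off-subnet IP with some other MAC: wrong mask, overlapping subnets, or spoofing
            result["anomalous"][ip] = mac
    return result


def build_map(hosts):
    """Merge all tables: live IPs per subnet, and MACs that answer for several IPs."""
    subnets = defaultdict(set)  # network -> IPs seen with their own MAC
    by_mac = defaultdict(set)   # mac -> every IP it answered for, across observers
    for h in hosts.values():
        iface = ipaddress.ip_interface(h["addr"])
        c = classify(h["addr"], h["gateway"], parse_ip_neigh(h["neigh"]))
        subnets[iface.network].add(iface.ip)  # the observer itself is alive
        for ip, mac in c["local"].items():
            subnets[iface.network].add(ipaddress.ip_address(ip))
            by_mac[mac].add(ip)
        for ip, mac in c["proxy_arp"].items():
            by_mac[mac].add(ip)  # counts toward router detection, not as a host here
    routers = {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}
    return {str(n): sorted(str(i) for i in ips) for n, ips in subnets.items()}, routers


def unprobed(addr, seen_ips):
    """Subnet addresses never seen in any table: candidates for an active ARP sweep.
    'Not seen' means 'not talked to recently', not 'absent'; powered-off hosts never answer."""
    net = ipaddress.ip_interface(addr).network
    return [str(ip) for ip in net.hosts() if str(ip) not in seen_ips]


if __name__ == "__main__":
    subnets, routers = build_map(SAMPLE_HOSTS)
    for net, ips in sorted(subnets.items()):
        print(net, ips)
    print("MACs answering for several IPs (routers / proxy ARP):", routers)
    print("ws1 subnet never seen:", len(unprobed("10.1.1.20/24", set(subnets["10.1.1.0/24"]))))
```

On the sample data the merged map shows four live hosts on 10.1.1.0/24 and three on 10.1.2.0/24, and a single MAC (ws1's gateway) answering for 10.1.1.1, 10.1.2.10 and 10.1.2.11, which is the "multiple IPs with the same MAC" pattern from the original question, here explained by proxy ARP rather than by the remote hosts themselves. The 250 addresses `unprobed` returns for ws1's subnet are what an active sweep would still have to ask about; a FAILED entry such as 10.1.1.99 carries no MAC and is dropped by the parser rather than counted as a host.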



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:27 EDT