RE: Using ARP to map a network

From: Rob J Meijer (rmeijer@xs4all.nl)
Date: Sun Feb 09 2003 - 14:48:17 EST


On Wed, 5 Feb 2003, Dario N. Ciccarone wrote:

> would that mean "mapping a network without sending out any packet"? could be
> done, more or less - but at least you need to send ARP replies . . .

On a HUB there would be absolutely no reason to send out ARP replies,
and on a switch, ARP poisoning could hardly be called passive imho.
Further, even on a switch you should be able to do some passive
information gathering based purely on ARP request (and other
broadcast traffic) analysis. MAC addresses give by their very nature
information on what vendor made the NIC or device.
If you combine this with analysis of ARP source/destination pairings, and
other broadcast traffic from the same MAC addresses, you should be able
to do a reasonable amount of analysis on only captured broadcast traffic.

> you have two scenarios:
>
> a) mapping services and hosts on the local network
> b) mapping services and hosts on remote networks
>
> for (a), you should listen for a while for ARP Requests/Replies to build a
> table of MAC/IP pairs (yeah, pinging would be a lot faster, but we're under
> the assumption you do not want to send more packets than absolutely needed,
> and no IP packets at all if possible).

So far so good.

> Once you have the table, start
> spoofing ARP Replies, sending your MAC out for every known IP, and then
> start relaying traffic for both ends of the conversation.

This is absolutely not passive, in fact this is one of the most intrusive
forms around. You do not want to use these unless you have absolutely no
other options left.

> at the same time,
> something like p0f should tell you the OS the host is running. some tcpdump
> and streams together should give you an idea of services on each host - not
> 100% accurate, but . . .
>
> for (b), process is like (a), but spoofing the default gateway on the
> network, to identify remote hosts.
>
> some caveats: not foolproof, not 100% accurate, no detection of remote hosts
> if no one on your net talks to them ;)

Some more: intrusive, known to set off IDS systems, NOT PASSIVE !!!

> check ettercap - does most of this automagically :)
>
> Dario
>
> "And you'd better have a good cover story to explain why you're sending
> giraffes back and forth."
> Bruce Schneier, "Secrets & Lies"
>
> Disclaimer: These are my own personal opinions and not necessarily those of
> Cisco Systems.
>
> Dario N. Ciccarone
>
> CCIE R&S #10395
> Cisco Systems
> Argentina, Paraguay, Uruguay y Bolivia
> Ing. Enrique Butty 240 Piso 17
> C1001ABF, Buenos Aires , Argentina
> Phone/Vmail: 54-11-4341-0203
> Fax: 54-11-4341-0149
> dciccaro@cisco.com
>
>
>
> > -----Original Message-----
> > From: Jason Lewis [mailto:jlewis@packetnexus.com]
> > Sent: Tuesday, February 04, 2003 9:36 PM
> > To: pen-test@securityfocus.com
> > Subject: RE: Using ARP to map a network
> >
> >
> > Maybe I am asking the wrong question.
> >
> > If my goal is to passively map a network, what is the best way to do that?
> >
> > > I'm not quite sure how ARP harvesting (via SNMP, presumably?) is
> > > passive, but here goes:
> > >
> > > On the face of it, you should be able to do this. Problems could occur
> > > if you run into firewalls, or in switched environments where there are
> > > machines that infrequently communicate outwards (and rarely broadcast).
> > > Unfortunately, both of these instances are much more likely with respect
> > > to critical infrastructure (like database back-end servers or the
> > > accounting department.) What is the goal of using this means as opposed
> > > to some other method? SNMP queries to routers may be just as obvious as
> > > ping sweeps or SYN scans in the eyes of an IDS, and perhaps even more so
> > > if they have logging set high enough.
> > >
> > >> -----Original Message-----
> > >> From: Jason Lewis [mailto:jlewis@packetnexus.com]
> > >> Sent: Tuesday, February 04, 2003 6:37 PM
> > >> To: pen-test@securityfocus.com
> > >> Subject: Using ARP to map a network
> > >>
> > >>
> > >> I have searched and can't seem to find any tools to help map
> > >> a network based on ARP tables.
> > >>
> > >> It seems to me, I could take ARP tables from several machines
> > >> and build a network map. If machines were behind a router
> > >> the ARP tables would show multiple IP's with the same MAC.
> > >> With enough ARP tables, wouldn't I be able to build a map?
> > >>
> > >> Is my theory flawed?
> > >>
> > >> My goal is to do passive network mapping based on any local
> > >> information I can obtain from computers or network devices.
> > >> Anyone have any ideas?
> > >>
> > >> jas
> > >>
> > >>
> > >>
> > >> ----------------------------------------------------------------------------
> > >> This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
> > >> Service. For more information on SecurityFocus' SIA service which
> > >> automatically alerts you to the latest security vulnerabilities please see:
> > >> https://alerts.securityfocus.com/
> >
> >
> >
>

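The passive analysis Rob describes above (MAC vendor from the OUI, ARP source/target pairings, the "several IPs behind one MAC" observation from the original question, and hosts you never see answering on a switch), as an added worked example that is not part of this thread or any poster's code. Everything is constructed: the capture is a handful of hand-built Ethernet/ARP frames, the OUI table is a three-entry excerpt assumed for the example, and "most-requested IP is the gateway" and "one MAC with many IPs is a router or proxy ARP" are stated heuristics, not facts the thread establishes. Nothing is transmitted.

```python
import struct
from collections import Counter, defaultdict

# Tiny excerpt of the IEEE OUI registry (first three octets of a MAC). These three
# assignments are stated here as assumptions for the example; a real tool loads the
# full registry file.
OUI = {"00:00:0c": "Cisco", "00:0c:29": "VMware", "08:00:27": "VirtualBox"}


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def ip4(s):
    return bytes(int(x) for x in s.split("."))


def vendor(mac):
    """Vendor from the OUI prefix of a colon-separated lowercase MAC string."""
    return OUI.get(mac[:8], "unknown")


def arp_frame(op, sha, spa, tha, tpa):
    """Ethernet II + ARP frame; op 1 = request (broadcast), op 2 = reply (unicast)."""
    dst = b"\xff" * 6 if op == 1 else tha
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + sha + spa + tha + tpa
    return dst + sha + b"\x08\x06" + arp


def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_mac, target_ip), or None if not IPv4 ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    p = frame[22:42]
    return op, mac_str(p[0:6]), ip_str(p[6:10]), mac_str(p[10:16]), ip_str(p[16:20])


def analyze(frames):
    """Infer hosts, vendors and topology hints from captured ARP frames; sends nothing."""
    ip_to_macs = defaultdict(set)
    mac_to_ips = defaultdict(set)
    requested = Counter()
    pairs = set()
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        op, smac, sip, _tmac, tip = parsed
        if sip == "0.0.0.0":          # ARP probe: sender has no address yet
            continue
        # Sender fields of requests and replies alike are real MAC/IP bindings,
        # so broadcast requests alone reveal every host that does any ARP.
        ip_to_macs[sip].add(smac)
        mac_to_ips[smac].add(sip)
        if op == 1:
            requested[tip] += 1
            pairs.add((sip, tip))
    return {
        "hosts": {ip: sorted(macs) for ip, macs in ip_to_macs.items()},
        "vendors": {mac: vendor(mac) for mac in mac_to_ips},
        # Heuristic: the address everyone asks for is usually the default gateway.
        "likely_gateway": requested.most_common(1)[0][0] if requested else None,
        # One MAC bound to several IPs: a router doing proxy ARP, or a box holding VIPs.
        "multi_ip_macs": {m: sorted(ips) for m, ips in mac_to_ips.items() if len(ips) > 1},
        # One IP claimed by several MACs: a duplicate address, or ARP poisoning in progress.
        "conflicts": {ip: sorted(macs) for ip, macs in ip_to_macs.items() if len(macs) > 1},
        # Asked for but never seen answering: on a switch the unicast reply bypasses us.
        "unconfirmed": sorted(ip for ip in requested if ip not in ip_to_macs),
        "talks_to": sorted(pairs),
    }


# Constructed capture (not real traffic): two hosts, a router that also proxy-ARPs
# for 10.0.0.100, one request nobody is seen answering, and one non-ARP broadcast.
GW, H5, H6 = (bytes.fromhex(h) for h in ("00000c123456", "000c29aabbcc", "080027ddeeff"))
ZERO = b"\x00" * 6
CAPTURE = [
    arp_frame(1, H5, ip4("10.0.0.5"), ZERO, ip4("10.0.0.1")),
    arp_frame(2, GW, ip4("10.0.0.1"), H5, ip4("10.0.0.5")),      # visible on a hub or SPAN port
    arp_frame(1, H6, ip4("10.0.0.6"), ZERO, ip4("10.0.0.1")),
    arp_frame(1, H6, ip4("10.0.0.6"), ZERO, ip4("10.0.0.5")),
    arp_frame(2, H5, ip4("10.0.0.5"), H6, ip4("10.0.0.6")),
    arp_frame(1, H5, ip4("10.0.0.5"), ZERO, ip4("10.0.0.100")),
    arp_frame(2, GW, ip4("10.0.0.100"), H5, ip4("10.0.0.5")),    # router answers with its own MAC
    arp_frame(1, H6, ip4("10.0.0.6"), ZERO, ip4("10.0.0.9")),
    b"\xff" * 6 + H6 + b"\x08\x00" + b"\x45" + b"\x00" * 27,     # IPv4 broadcast, ignored
]

if __name__ == "__main__":
    for key, value in analyze(CAPTURE).items():
        print(f"{key}: {value}")
```

The "conflicts" field is the flip side of the thread's point about ettercap-style relaying: the same passive listener that maps the segment also sees an IP suddenly claimed by a second MAC, which is exactly what an IDS keys on. On a real segment, feed `analyze()` the frames from a pcap taken on a hub, a SPAN port, or any switch port (broadcast requests still reach you there; only the unicast replies are lost, which is what "unconfirmed" records).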

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:27 EDT