RE: mac to ip address tools

From: Hazel, Scott A. (Scott.Hazel@unisys.com)
Date: Thu Oct 27 2005 - 03:10:56 EDT


To complement Dario's suggestion for sniffing, this is a nugget I picked
up while researching for my GCIA practical.

tcpdump -ennr 2002.4.31 | awk '{print $2"\t"$6"\t"$3"\t"$8}'|tr -d "," |
sed s/":$"//g > mac2ip.txt

Some modifications may be necessary but the general idea is to take
output from a tcpdump capture (-e flag captures MAC addresses, -nn
suppresses hostname and service resolution, -r is for replay of a
capture file), pipe to awk for proper formatting, a few more tweaks on
the formatting using tr and sed, then dump the results to a text file.
I'm sure there is an equivalent, if not more elegant, way to do this
with Perl if you know Perl.

The end result should be a very readable file that shows 4 columns:
source IP's, source MAC's, dest IP's, dest MAC's. This was all done on
a linux/unix system so ymmv if you're on a windows host. There plenty of
directions you can go with the information from here. Some creative file
parsing (perl, grep, etc.) allows you to look for all devices using a
specific MAC or the MAC from a particular vendor, how many IP's match to
a single MAC and the reverse, etc.

There are still some caveats with this approach. Sniffing will only
capture data during the time your sniffing so there's no guarantee
you'll see all the hosts unless you sniff for a long enough period of
time.

You still have to deal with limited network visibility due to switches,
etc. Good luck. HTH.

Scott Hazel

-----Original Message-----
From: kukulkan [mailto:ismandya@sains.com.my]
Sent: Wednesday, October 26, 2005 9:08 PM
To: Dario Ciccarone (dciccaro)
Cc: Chris Moody; Glyn Geoghegan; pen-test@securityfocus.com
Subject: Re: mac to ip address tools

Hi List,

Instead of having my questions answered, I also get new tips for further
investigations! Thanks a lot. you guys rock!

merci beaucoup
Dario Ciccarone (dciccaro) wrote:

>You didn't really frame your question - but let's give it a shot.
>
>You received a bunch of answers about how to find out MAC<->IP pairings

>in your broadcast domain (I assume you're interested in learning
>MAC-to-IP pairings on the same L2 your machine is located). Some
>suggested arping, some arpwatch, etc. The easiest way? Sniff.
>
>Say host A on your net is trying to communicate with host B. Host A
>needs to know the MAC address for host B (or the MAC address for the
>default gateway, if B not located on the same L2/L3 network). So he
>will send out an ARP request. ARP replies are no good for you - those
>are unicast to the host asking. But hey, a host ARPing for a other host

>sends a broadcast - including *his* IP address. And the MAC is
>obviously his MAC. And you do get broadcast. So, listen to ARP
>requests, and sooner or later (when a host tries to communicate with
>other and doesn't know his MAC, or when its refreshing its ARP cache),
>you will learn all MAC-to-IP pairs. Even if the host never tries to
>contact hosts on his same L2/L3 network, it has to ARP for the default
>gw MAC. This is the answer to your original question.
>
>About 100 machines using the same MAC address: two possibilities, out
>of the top of my mind. Either the MAC belongs to a router on the same
>L2 network, which is doing proxy-arp for those machines (machines that
>aren't really located on your L2 network), or those machines are,
>again, in another network, and the host answering ARP requests for them

>is a firewall - which would then filter/NAT/rate-limit/do whatever he
>has to do with the packet before forwarding it to the real host.
>
>Other things to keep in mind: pairing between MAC/IP can change - while

>both HSRP and VRRP use a virtual MAC address, shared between all
>routers on the same HSRP/VRRP group (and hence, no changes on the MAC
>address if one of them takes over a failed one), GLBP (AFAIR) can reply

>to different ARP requests with different MAC addresses. Also check for
>MS MNLB. CheckPoint firewalls used to use multicast MAC addresses for
>firewalls in a cluster configuration.
>
>Good luck
>Dario
>
>
>
>>-----Original Message-----
>>From: kukulkan [mailto:ismandya@sains.com.my]
>>Sent: Tuesday, October 25, 2005 8:45 PM
>>To: Chris Moody
>>Cc: Glyn Geoghegan; pen-test@securityfocus.com
>>Subject: Re: mac to ip address tools
>>
>>yeah. There are about 500-600 machines in this place, I say this
>>because these are the registered machines. What about those not
>>registered?
>>there is one thing that bother them is that when we tried to use arp
>>it seems that they are about 100 machines with the same mac address.
>>Wonder could this be the the machines here have been poisoned?
>>
>>Chris Moody wrote:
>>
>>
>>
>>>The biggest problem with your question lies in topology
>>>
>>>
>>restrictions.
>>
>>
>>>Unless you have a host system in the broadcast domain (aka
>>>
>>>
>>subnet) of
>>
>>
>>>the host ip in question, all your arp responses will be that of the
>>>gateway enroute to the end host.
>>>
>>>You'll get -very- skewed results if you're trying to map say...1000
>>>machines (most of which live on different subnets) and see
>>>
>>>
>>nothing but
>>
>>
>>>the MAC of your router as the resolved address.
>>>
>>>For something enterprise wide, you will need to look at scripting a
>>>arp cache harvesting mechanism. This can report back the
>>>
>>>
>>REAL mac to
>>
>>
>>>ip mapping for the host system.
>>>
>>>Contact me offline for more information on how to accomplish this.
>>>
>>>-Chris
>>>
>>>Glyn Geoghegan wrote:
>>>
>>>
>>>
>>>>arp -a
>>>>
>>>>-- G l y n G e o g h e g a n
>>>>
>>>>
>>>>On 25 Oct 2005, at 10:48, kukulkan wrote:
>>>>
>>>>
>>>>
>>>>>Hi list,
>>>>>
>>>>>Need help. Is there any open source tools linux or windows, that
>>>>>when given a MAC address, the list(s) of IP address can
>>>>>
>>>>>
>>be obtained?
>>
>>
>>>>>kukulkan
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>--------------------------------------------------------------
>>--------
>>
>>
>>>>>--------
>>>>>Audit your website security with Acunetix Web
>>>>>
>>>>>
>>Vulnerability Scanner:
>>
>>
>>>>>Hackers are concentrating their efforts on attacking
>>>>>
>>>>>
>>applications
>>
>>
>>>>>on your website. Up to 75% of cyber attacks are launched on
>>>>>shopping carts, forms, login pages, dynamic content etc.
>>>>>
>>>>>
>>Firewalls,
>>
>>
>>>>>SSL and locked-down servers are futile against web application
>>>>>hacking. Check your website for vulnerabilities to SQL
>>>>>
>>>>>
>>injection,
>>
>>
>>>>>Cross site scripting and other web attacks before hackers do!
>>>>>Download Trial at:
>>>>>
>>>>>http://www.securityfocus.com/sponsor/pen-test_050831
>>>>>
>>>>>
>>>>>
>>--------------------------------------------------------------
>>--------
>>
>>
>>>>>---------
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>--------------------------------------------------------------
>>----------------
>>
>>
>>>>Audit your website security with Acunetix Web
>>>>
>>>>
>>Vulnerability Scanner:
>>
>>
>>>>Hackers are concentrating their efforts on attacking
>>>>
>>>>
>>applications on
>>
>>
>>>>your website. Up to 75% of cyber attacks are launched on shopping
>>>>carts, forms, login pages, dynamic content etc. Firewalls, SSL and
>>>>locked-down servers are futile against web application
>>>>
>>>>
>>hacking. Check
>>
>>
>>>>your website for vulnerabilities to SQL injection, Cross site
>>>>scripting and other web attacks before hackers do!
>>>>
>>>>
>>Download Trial at:
>>
>>
>>>>http://www.securityfocus.com/sponsor/pen-test_050831
>>>>
>>>>
>>>>
>>--------------------------------------------------------------
>>-----------------
>>
>>
>>>>
>>>>
>>>>
>>--------------------------------------------------------------
>>----------------
>>Audit your website security with Acunetix Web Vulnerability Scanner:
>>
>>Hackers are concentrating their efforts on attacking applications on
>>your website. Up to 75% of cyber attacks are launched on shopping
>>carts, forms, login pages, dynamic content etc. Firewalls, SSL and
>>locked-down servers are futile against web application hacking. Check
>>your website for vulnerabilities to SQL injection, Cross site
>>scripting and other web attacks before hackers do!
>>Download Trial at:
>>
>>http://www.securityfocus.com/sponsor/pen-test_050831
>>--------------------------------------------------------------
>>-----------------
>>
>>
>>
>
>
>

------------------------------------------------------------------------
------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on
your website. Up to 75% of cyber attacks are launched on shopping carts,
forms, login pages, dynamic content etc. Firewalls, SSL and locked-down
servers are futile against web application hacking. Check your website
for vulnerabilities to SQL injection, Cross site scripting and other web
attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
------------------------------------------------------------------------
-------

------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:06 EDT