Re: mac to ip address tools

From: Javier Fernandez-Sanguino (jfernandez@germinus.com)
Date: Mon Nov 21 2005 - 06:30:16 EST


(Note to moderators: resending since nobody acted on my previous post,
dated 2005/11/16)

Hazel, Scott A. wrote:

> To complement Dario's suggestion for sniffing, this is a nugget I picked
> up while researching for my GCIA practical.
>
> tcpdump -ennr 2002.4.31 | awk '{print $2"\t"$6"\t"$3"\t"$8}'|tr -d "," |
> sed s/":$"//g > mac2ip.txt
(...)

> I'm sure there is an equivalent, if not more elegant, way to do this
> with Perl if you know Perl.

FWIW, attached is something I've used at some point to analyse unknown
networks (when deploying an IDS, to determine which hosts are up, what
equipment it is and fine tune the IDS rules). It's similar to your
script but, as a plus, it also takes information from an ethernet code
database to print the vendor (can be useful to determine if you are
seeing traffic from switches or routers) and also identifies routers
(i.e. tells you when it sees more than one IP address associated with
the same MAC).

> There are still some caveats with this approach. Sniffing will only
> capture data during the time you're sniffing so there's no guarantee
> you'll see all the hosts unless you sniff for a long enough period of
> time.

Well, you can "force" traffic by doing a ping sweep of the network so
you get both the ARP replies (if there is a host with that IP address)
and the ICMP echo-reply (if the host replies to ICMP echos).

In any case, if you capture a small but relevant subset of data for a
large enough amount of time (i.e. ARP traffic) you can get most (if
not all, see below) of the hosts that are live in the network. Any host
that is connected to the network will, at least once, send an ARP
broadcast to find the ARP address of its default gateway (or for some
host it tries to talk to) when the MAC address times out in its ARP
table (unless its ARP tables are hardcoded, of course).

If it's not sending traffic, but it is receiving traffic from the
network, you should *not* be able to see the ARP replies to ARP
broadcasts from other hosts in the network if there's a switch. You
can still get a lot of insight of how the network behaves (who talks
to whom) just by checking out ARP traffic. There's a cool tool out
there called Etherape (http://etherape.sourceforge.net/) that will do
a graphic representation of network traffic that is worth a try.

> You still have to deal with limited network visibility due to switches,
> etc. Good luck. HTH.

Yes, some switches might separate VLANs using private-VLANs. If you
have those, you will not even see the broadcast ARP traffic that gives
away some hosts.

Regards

Javier
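The following is an added example (not Javier's attached script nor Scott's awk pipeline) of the same passive-inventory idea: parse `tcpdump -enn` output, build a MAC-to-IP table, flag MACs that carry more than one IP address as probable routers/gateways, and annotate each MAC with a vendor from an OUI table. The sample capture lines and the OUI entries are constructed for the example; the line layout assumes a recent tcpdump (`src_mac > dst_mac, ethertype IPv4 (0x0800), length N: src_ip > dst_ip`), which differs from the 2005-era field positions the awk script relied on.

```python
"""Passive MAC -> IP inventory from `tcpdump -enn` text output.

Added example for the thread above; usage:
    tcpdump -enn -r capture.pcap | python3 mac2ip.py
With no piped input it runs on the constructed SAMPLE_LINES below.
"""
import re
import sys
from collections import defaultdict

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
IP4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# Ethernet header as printed by tcpdump -e (assumed modern layout).
ETH_RE = re.compile(
    rf"^\S+\s+(?P<smac>{MAC})\s+>\s+(?P<dmac>{MAC}),\s+ethertype\s+(?P<etype>\w+)"
)
# "length 98: 10.0.0.20 > ..." or "length 74: 10.0.0.20.51234 > ..." (port suffix optional)
IPV4_RE = re.compile(rf"length\s+\d+:\s+(?P<sip>{IP4})(?:\.\d+)?\s+>")
ARP_REPLY_RE = re.compile(rf"Reply\s+(?P<ip>{IP4})\s+is-at\s+(?P<mac>{MAC})")
ARP_REQ_RE = re.compile(rf"Request\s+who-has\s+\S+\s+tell\s+(?P<ip>{IP4})")
# One line of the IEEE OUI list: "00-11-22   (hex)   Vendor Name" (assumed layout)
OUI_RE = re.compile(r"^([0-9A-Fa-f]{2}-[0-9A-Fa-f]{2}-[0-9A-Fa-f]{2})\s+\(hex\)\s+(.+)$")

# Constructed sample: two hosts ARP for the gateway, one host pings through it.
# The gateway MAC (bb:bb:01) is seen with its own IP and with a forwarded IP.
SAMPLE_LINES = """\
10:00:01.000001 00:11:22:aa:aa:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.0.0.1 tell 10.0.0.20, length 28
10:00:01.000002 00:11:22:bb:bb:01 > 00:11:22:aa:aa:01, ethertype ARP (0x0806), length 42: Reply 10.0.0.1 is-at 00:11:22:bb:bb:01, length 28
10:00:01.000003 00:11:22:aa:aa:01 > 00:11:22:bb:bb:01, ethertype IPv4 (0x0800), length 98: 10.0.0.20 > 192.168.5.7: ICMP echo request, id 1, seq 1, length 64
10:00:01.000004 00:11:22:bb:bb:01 > 00:11:22:aa:aa:01, ethertype IPv4 (0x0800), length 98: 192.168.5.7 > 10.0.0.20: ICMP echo reply, id 1, seq 1, length 64
10:00:01.000005 00:11:22:aa:aa:02 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.0.0.1 tell 10.0.0.21, length 28
"""

# Constructed OUI entries (placeholder vendor names, not the real IEEE list).
OUI_TEXT = """\
00-11-22   (hex)\t\tExample Vendor A (constructed)
00-50-56   (hex)\t\tExample Vendor B (constructed)
"""


def parse_oui_table(text):
    """Map 'xx:xx:xx' OUI prefixes to vendor names."""
    table = {}
    for line in text.splitlines():
        m = OUI_RE.match(line)
        if m:
            table[m.group(1).lower().replace("-", ":")] = m.group(2).strip()
    return table


def parse_tcpdump_lines(lines):
    """Return {source_mac: set(ip_addresses)} learned from each frame's sender side only.

    Only the sender side is used: a destination MAC seen with many destination IPs
    would be the same router signal, but the sender side is enough and avoids
    counting broadcast/multicast destinations.
    """
    seen = defaultdict(set)
    for line in lines:
        m = ETH_RE.match(line)
        if not m:
            continue
        smac, etype = m.group("smac"), m.group("etype")
        if etype == "IPv4":
            ip = IPV4_RE.search(line)
            if ip:
                seen[smac].add(ip.group("sip"))
        elif etype == "ARP":
            rep = ARP_REPLY_RE.search(line)
            req = ARP_REQ_RE.search(line)
            if rep:                      # "X is-at MAC": authoritative binding
                seen[rep.group("mac")].add(rep.group("ip"))
            elif req:                    # "tell IP": the requester's own address
                seen[smac].add(req.group("ip"))
    return dict(seen)


def find_routers(mapping):
    """MACs that sourced frames for more than one IP: gateways/routers (or NAT boxes)."""
    return {mac for mac, ips in mapping.items() if len(ips) > 1}


def vendor_of(mac, table):
    return table.get(mac[:8].lower(), "unknown")


def report(mapping, table):
    """Rows of (mac, vendor, sorted ips, is_router) for printing or further checks."""
    routers = find_routers(mapping)
    return [(mac, vendor_of(mac, table), sorted(mapping[mac]), mac in routers)
            for mac in sorted(mapping)]


if __name__ == "__main__":
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LINES.splitlines()
    rows = report(parse_tcpdump_lines(source), parse_oui_table(OUI_TEXT))
    for mac, vendor, ips, is_router in rows:
        flag = "\t<-- multiple IPs: likely router/gateway" if is_router else ""
        print(f"{mac}\t{vendor}\t{', '.join(ips)}{flag}")
```

The ARP reply and ARP request branches cover the "small but relevant subset" Javier describes: hosts announce their own address in the `tell` field and bindings are confirmed by `is-at`, so even a capture filtered with `tcpdump -enn arp` still populates the table; the IPv4 branch is what exposes a gateway, since it is the only MAC that sources frames for addresses outside the local subnet.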






This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:11 EDT