RE: Using ARP to map a network

From: Dario Ciccarone (dciccaro@cisco.com)
Date: Sun Feb 09 2003 - 16:53:51 EST


> > would that mean "mapping a network without sending out any packet"?
> > could be done, more or less - but at least you need to send ARP
> > replies . . .
>
> On a HUB there would be absolutely no reason to send out ARP
> replies, and on a switch, ARP poisoning could hardly be
> called passive imho. Further, even on a switch you should be
> able to do some passive information gathering based purely on
> ARP request (and other broadcast traffic) analysis. MAC
> addresses give by their very nature information on what
> vendor made the NIC or device. If you combine this with
> analysis of ARP source/destination pairings, and other
> broadcast traffic from the same MAC addresses, you should be
> able to do a reasonable amount of analysis on only captured
> broadcast traffic.

Agreed - I was supposing that there were switches, not hubs. I tend to
forget people do still use hubs ;)

>
> > Once you have the table, start
> > spoofing ARP Replies, sending your MAC out for every known IP, and
> > then start relaying traffic for both ends of the conversation.
>
> This is absolutely not passive, in fact this is one of the
> most intrusive forms around. You do not want to use these
> unless you have absolutely no other options left.

I took "passive" as "no port scan, no ping sweep. No sending of IP
packets. Make as little noise as possible". If we take "passive" as "no
sending packets at all, just listening" I agree with you: lots of
information to get on a hub, little on a switch, even less in some
scenarios (on a very well configured net, you could see no L2 broadcasts
at all, no ARP requests, no ARP replies - just traffic from/to your
port)

>
> > at the same time,
> > something like p0f should tell you the OS the host is running. some
> > tcpdump and streams together should give you an idea of services on
> > each host - not 100% accurate, but . . .
> >
> > for (b), process is like (a), but spoofing the default gateway on the
> > network, to identify remote hosts.
> >
> > some caveats: not foolproof, not 100% accurate, no detection of remote
> > hosts if no one on your net talks to them ;)
>
> Some more: intrusive, known to set off IDS systems, NOT PASSIVE !!!

Some :) - not all IDS systems check for L2 attacks like ARP spoofing :)

The only real passive way would be to only listen - but as I said, in
some scenarios, only listening is going to get you nowhere . . .

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
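The listen-only approach the thread settles on (learn hosts from ARP senders, read the vendor out of the MAC OUI, and infer who talks to whom from ARP request pairings) is short enough to show in code. The following is an added example written for this archive page, not code from Dario Ciccarone or the other poster. It constructs its own sample capture with a frame builder instead of reading from a NIC, uses a tiny hand-picked OUI table in place of the IEEE registry, and, because the reply mentions that not every IDS watches for L2 attacks, also flags the one ARP-spoofing symptom a passive listener can see: an IP address that suddenly answers from a different MAC. Host names, addresses and the OUI entries are all constructed for the example.

```python
"""Passive ARP mapping from captured Ethernet frames (added example)."""
import struct
from collections import defaultdict

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Assumption: a tiny, hand-picked OUI table for the example. A real tool would
# load the IEEE OUI registry (or nmap's nmap-mac-prefixes file) instead.
OUI_VENDORS = {
    "00:00:0c": "Cisco Systems",
    "00:50:56": "VMware",
    "08:00:20": "Sun Microsystems",
}


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))


def vendor(mac):
    """Vendor from the first three octets (the OUI) of a MAC address."""
    return OUI_VENDORS.get(mac[:8], "unknown vendor")


def build_arp(op, sha, spa, tha, tpa):
    """Build an Ethernet II + ARP frame; used only to construct the sample capture."""
    eth_dst = BROADCAST if op == ARP_REQUEST else tha   # requests are broadcast, replies unicast
    eth = mac_bytes(eth_dst) + mac_bytes(sha) + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)   # Ethernet, IPv4, hlen 6, plen 4, opcode
           + mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa))
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of an IPv4-over-Ethernet ARP frame, or None for anything else."""
    if len(frame) < 14 + 28:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op,
            "sha": mac_str(frame[22:28]), "spa": ip_str(frame[28:32]),
            "tha": mac_str(frame[32:38]), "tpa": ip_str(frame[38:42])}


def passive_map(frames):
    """Build a host map from ARP traffic without transmitting anything."""
    hosts = {}                  # ip -> {"mac", "vendor"}; confirmed live by a sender field
    pairs = defaultdict(set)    # requester ip -> set of ips it tried to reach
    probed = set()              # ips only ever seen as request targets (may or may not exist)
    alerts = []                 # ip answering from a new MAC: crude ARP-spoofing indicator
    for frame in frames:
        a = parse_arp(frame)
        if a is None or a["spa"] == "0.0.0.0":   # skip non-ARP and RFC 5227 probes
            continue
        ip, mac = a["spa"], a["sha"]
        prev = hosts.get(ip)
        if prev and prev["mac"] != mac:
            alerts.append(f"{ip} moved from {prev['mac']} to {mac}")
        hosts[ip] = {"mac": mac, "vendor": vendor(mac)}
        if a["op"] == ARP_REQUEST and a["tpa"] != ip:   # ignore gratuitous ARP
            pairs[ip].add(a["tpa"])
            probed.add(a["tpa"])
    probed -= set(hosts)        # targets that later spoke for themselves are real hosts
    return hosts, pairs, probed, alerts


# Constructed sample capture: what a listener on a hub could see.
SAMPLE_CAPTURE = [
    build_arp(ARP_REQUEST, "00:50:56:aa:bb:01", "10.0.0.10", "00:00:00:00:00:00", "10.0.0.1"),
    build_arp(ARP_REPLY,   "00:00:0c:01:02:03", "10.0.0.1",  "00:50:56:aa:bb:01", "10.0.0.10"),
    build_arp(ARP_REQUEST, "08:00:20:12:34:56", "10.0.0.20", "00:00:00:00:00:00", "10.0.0.1"),
    build_arp(ARP_REQUEST, "08:00:20:12:34:56", "10.0.0.20", "00:00:00:00:00:00", "10.0.0.99"),  # nobody answers
    build_arp(ARP_REQUEST, "00:0d:88:00:00:01", "10.0.0.30", "00:00:00:00:00:00", "10.0.0.30"),  # gratuitous ARP
    build_arp(ARP_REPLY,   "00:50:56:aa:bb:01", "10.0.0.1",  "08:00:20:12:34:56", "10.0.0.20"),  # spoofed reply
    b"\x00" * 60,                                                                                  # non-ARP noise
]

if __name__ == "__main__":
    hosts, pairs, probed, alerts = passive_map(SAMPLE_CAPTURE)
    for ip, h in sorted(hosts.items()):
        print(f"{ip:<12} {h['mac']}  {h['vendor']}  talks to: {sorted(pairs.get(ip, []))}")
    print("probed but silent:", sorted(probed))
    for alert in alerts:
        print("ALERT:", alert)
```

On a switch the unicast reply (frame 2) would normally not reach the listener's port, so the gateway would only show up in `probed` until it broadcast a request of its own; the request pairings and OUI lookups still work, which is the point the quoted poster makes. The MAC-change alert is deliberately naive: a legitimate failover or DHCP reassignment trips it too, so it is a lead to check, not a verdict.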



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:27 EDT