From: Dario Ciccarone (dciccaro) (dciccaro@cisco.com)
Date: Tue Oct 25 2005 - 23:58:57 EDT
You didn't really frame your question - but let's give it a shot.
You received a bunch of answers about how to find out MAC<->IP pairings
in your broadcast domain (I assume you're interested in learning
MAC-to-IP pairings on the same L2 your machine is located). Some
suggested arping, some arpwatch, etc. The easiest way? Sniff.
Say host A on your net is trying to communicate with host B. Host A
needs to know the MAC address for host B (or the MAC address for the
default gateway, if B not located on the same L2/L3 network). So he will
send out an ARP request. ARP replies are no good for you - those are
unicast to the host asking. But hey, a host ARPing for a other host
sends a broadcast - including *his* IP address. And the MAC is obviously
his MAC. And you do get broadcast. So, listen to ARP requests, and
sooner or later (when a host tries to communicate with other and doesn't
know his MAC, or when its refreshing its ARP cache), you will learn all
MAC-to-IP pairs. Even if the host never tries to contact hosts on his
same L2/L3 network, it has to ARP for the default gw MAC. This is the
answer to your original question.
About 100 machines using the same MAC address: two possibilities, out of
the top of my mind. Either the MAC belongs to a router on the same L2
network, which is doing proxy-arp for those machines (machines that
aren't really located on your L2 network), or those machines are, again,
in another network, and the host answering ARP requests for them is a
firewall - which would then filter/NAT/rate-limit/do whatever he has to
do with the packet before forwarding it to the real host.
Other things to keep in mind: pairing between MAC/IP can change - while
both HSRP and VRRP use a virtual MAC address, shared between all routers
on the same HSRP/VRRP group (and hence, no changes on the MAC address if
one of them takes over a failed one), GLBP (AFAIR) can reply to
different ARP requests with different MAC addresses. Also check for MS
MNLB. CheckPoint firewalls used to use multicast MAC addresses for
firewalls in a cluster configuration.
Good luck
Dario
> -----Original Message-----
> From: kukulkan [mailto:ismandya@sains.com.my]
> Sent: Tuesday, October 25, 2005 8:45 PM
> To: Chris Moody
> Cc: Glyn Geoghegan; pen-test@securityfocus.com
> Subject: Re: mac to ip address tools
>
> yeah. There are about 500-600 machines in this place, I say
> this because
> these are the registered machines. What about those not registered?
> there is one thing that bother them is that when we tried to
> use arp it
> seems that they are about 100 machines with the same mac address.
> Wonder could this be the the machines here have been poisoned?
>
> Chris Moody wrote:
>
> > The biggest problem with your question lies in topology
> restrictions.
> >
> > Unless you have a host system in the broadcast domain (aka
> subnet) of
> > the host ip in question, all your arp responses will be that of the
> > gateway enroute to the end host.
> >
> > You'll get -very- skewed results if you're trying to map say...1000
> > machines (most of which live on different subnets) and see
> nothing but
> > the MAC of your router as the resolved address.
> >
> > For something enterprise wide, you will need to look at scripting a
> > arp cache harvesting mechanism. This can report back the
> REAL mac to
> > ip mapping for the host system.
> >
> > Contact me offline for more information on how to accomplish this.
> >
> > -Chris
> >
> > Glyn Geoghegan wrote:
> >
> >> arp -a
> >>
> >> -- G l y n G e o g h e g a n
> >>
> >>
> >> On 25 Oct 2005, at 10:48, kukulkan wrote:
> >>
> >>> Hi list,
> >>>
> >>> Need help. Is there any open source tools linux or windows, that
> >>> when given a MAC address, the list(s) of IP address can
> be obtained?
> >>>
> >>> kukulkan
> >>>
> >>>
> >>>
> --------------------------------------------------------------
> --------
> >>> --------
> >>> Audit your website security with Acunetix Web
> Vulnerability Scanner:
> >>> Hackers are concentrating their efforts on attacking
> applications
> >>> on your website. Up to 75% of cyber attacks are launched on
> >>> shopping carts, forms, login pages, dynamic content etc.
> Firewalls,
> >>> SSL and locked-down servers are futile against web application
> >>> hacking. Check your website for vulnerabilities to SQL
> injection,
> >>> Cross site scripting and other web attacks before hackers do!
> >>> Download Trial at:
> >>>
> >>> http://www.securityfocus.com/sponsor/pen-test_050831
> >>>
> --------------------------------------------------------------
> --------
> >>> ---------
> >>>
> >>>
> >>
> >>
> >>
> --------------------------------------------------------------
> ----------------
> >>
> >> Audit your website security with Acunetix Web
> Vulnerability Scanner:
> >> Hackers are concentrating their efforts on attacking
> applications on
> >> your website. Up to 75% of cyber attacks are launched on shopping
> >> carts, forms, login pages, dynamic content etc. Firewalls, SSL and
> >> locked-down servers are futile against web application
> hacking. Check
> >> your website for vulnerabilities to SQL injection, Cross site
> >> scripting and other web attacks before hackers do!
> Download Trial at:
> >>
> >> http://www.securityfocus.com/sponsor/pen-test_050831
> >>
> --------------------------------------------------------------
> -----------------
> >>
> >>
> >>
> >
>
>
> --------------------------------------------------------------
> ----------------
> Audit your website security with Acunetix Web Vulnerability Scanner:
>
> Hackers are concentrating their efforts on attacking
> applications on your
> website. Up to 75% of cyber attacks are launched on shopping
> carts, forms,
> login pages, dynamic content etc. Firewalls, SSL and
> locked-down servers are
> futile against web application hacking. Check your website
> for vulnerabilities
> to SQL injection, Cross site scripting and other web attacks
> before hackers do!
> Download Trial at:
>
> http://www.securityfocus.com/sponsor/pen-test_050831
> --------------------------------------------------------------
> -----------------
>
------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:
Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:06 EDT