From: kukulkan (ismandya@sains.com.my)
Date: Wed Oct 26 2005 - 21:07:43 EDT
Hi List,
Instead of having my questions answered, I also get new tips for further
investigations! Thanks a lot. you guys rock!
merci beaucoup
Dario Ciccarone (dciccaro) wrote:
>You didn't really frame your question - but let's give it a shot.
>
>You received a bunch of answers about how to find out MAC<->IP pairings
>in your broadcast domain (I assume you're interested in learning
>MAC-to-IP pairings on the same L2 your machine is located). Some
>suggested arping, some arpwatch, etc. The easiest way? Sniff.
>
>Say host A on your net is trying to communicate with host B. Host A
>needs to know the MAC address for host B (or the MAC address for the
>default gateway, if B not located on the same L2/L3 network). So he will
>send out an ARP request. ARP replies are no good for you - those are
>unicast to the host asking. But hey, a host ARPing for a other host
>sends a broadcast - including *his* IP address. And the MAC is obviously
>his MAC. And you do get broadcast. So, listen to ARP requests, and
>sooner or later (when a host tries to communicate with other and doesn't
>know his MAC, or when its refreshing its ARP cache), you will learn all
>MAC-to-IP pairs. Even if the host never tries to contact hosts on his
>same L2/L3 network, it has to ARP for the default gw MAC. This is the
>answer to your original question.
>
>About 100 machines using the same MAC address: two possibilities, out of
>the top of my mind. Either the MAC belongs to a router on the same L2
>network, which is doing proxy-arp for those machines (machines that
>aren't really located on your L2 network), or those machines are, again,
>in another network, and the host answering ARP requests for them is a
>firewall - which would then filter/NAT/rate-limit/do whatever he has to
>do with the packet before forwarding it to the real host.
>
>Other things to keep in mind: pairing between MAC/IP can change - while
>both HSRP and VRRP use a virtual MAC address, shared between all routers
>on the same HSRP/VRRP group (and hence, no changes on the MAC address if
>one of them takes over a failed one), GLBP (AFAIR) can reply to
>different ARP requests with different MAC addresses. Also check for MS
>MNLB. CheckPoint firewalls used to use multicast MAC addresses for
>firewalls in a cluster configuration.
>
>Good luck
>Dario
>
>
>
>>-----Original Message-----
>>From: kukulkan [mailto:ismandya@sains.com.my]
>>Sent: Tuesday, October 25, 2005 8:45 PM
>>To: Chris Moody
>>Cc: Glyn Geoghegan; pen-test@securityfocus.com
>>Subject: Re: mac to ip address tools
>>
>>yeah. There are about 500-600 machines in this place, I say
>>this because
>>these are the registered machines. What about those not registered?
>>there is one thing that bother them is that when we tried to
>>use arp it
>>seems that they are about 100 machines with the same mac address.
>>Wonder could this be the the machines here have been poisoned?
>>
>>Chris Moody wrote:
>>
>>
>>
>>>The biggest problem with your question lies in topology
>>>
>>>
>>restrictions.
>>
>>
>>>Unless you have a host system in the broadcast domain (aka
>>>
>>>
>>subnet) of
>>
>>
>>>the host ip in question, all your arp responses will be that of the
>>>gateway enroute to the end host.
>>>
>>>You'll get -very- skewed results if you're trying to map say...1000
>>>machines (most of which live on different subnets) and see
>>>
>>>
>>nothing but
>>
>>
>>>the MAC of your router as the resolved address.
>>>
>>>For something enterprise wide, you will need to look at scripting a
>>>arp cache harvesting mechanism. This can report back the
>>>
>>>
>>REAL mac to
>>
>>
>>>ip mapping for the host system.
>>>
>>>Contact me offline for more information on how to accomplish this.
>>>
>>>-Chris
>>>
>>>Glyn Geoghegan wrote:
>>>
>>>
>>>
>>>>arp -a
>>>>
>>>>-- G l y n G e o g h e g a n
>>>>
>>>>
>>>>On 25 Oct 2005, at 10:48, kukulkan wrote:
>>>>
>>>>
>>>>
>>>>>Hi list,
>>>>>
>>>>>Need help. Is there any open source tools linux or windows, that
>>>>>when given a MAC address, the list(s) of IP address can
>>>>>
>>>>>
>>be obtained?
>>
>>
>>>>>kukulkan
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>--------------------------------------------------------------
>>--------
>>
>>
>>>>>--------
>>>>>Audit your website security with Acunetix Web
>>>>>
>>>>>
>>Vulnerability Scanner:
>>
>>
>>>>>Hackers are concentrating their efforts on attacking
>>>>>
>>>>>
>>applications
>>
>>
>>>>>on your website. Up to 75% of cyber attacks are launched on
>>>>>shopping carts, forms, login pages, dynamic content etc.
>>>>>
>>>>>
>>Firewalls,
>>
>>
>>>>>SSL and locked-down servers are futile against web application
>>>>>hacking. Check your website for vulnerabilities to SQL
>>>>>
>>>>>
>>injection,
>>
>>
>>>>>Cross site scripting and other web attacks before hackers do!
>>>>>Download Trial at:
>>>>>
>>>>>http://www.securityfocus.com/sponsor/pen-test_050831
>>>>>
>>>>>
>>>>>
>>--------------------------------------------------------------
>>--------
>>
>>
>>>>>---------
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>--------------------------------------------------------------
>>----------------
>>
>>
>>>>Audit your website security with Acunetix Web
>>>>
>>>>
>>Vulnerability Scanner:
>>
>>
>>>>Hackers are concentrating their efforts on attacking
>>>>
>>>>
>>applications on
>>
>>
>>>>your website. Up to 75% of cyber attacks are launched on shopping
>>>>carts, forms, login pages, dynamic content etc. Firewalls, SSL and
>>>>locked-down servers are futile against web application
>>>>
>>>>
>>hacking. Check
>>
>>
>>>>your website for vulnerabilities to SQL injection, Cross site
>>>>scripting and other web attacks before hackers do!
>>>>
>>>>
>>Download Trial at:
>>
>>
>>>>http://www.securityfocus.com/sponsor/pen-test_050831
>>>>
>>>>
>>>>
>>--------------------------------------------------------------
>>-----------------
>>
>>
>>>>
>>>>
>>>>
>>--------------------------------------------------------------
>>----------------
>>Audit your website security with Acunetix Web Vulnerability Scanner:
>>
>>Hackers are concentrating their efforts on attacking
>>applications on your
>>website. Up to 75% of cyber attacks are launched on shopping
>>carts, forms,
>>login pages, dynamic content etc. Firewalls, SSL and
>>locked-down servers are
>>futile against web application hacking. Check your website
>>for vulnerabilities
>>to SQL injection, Cross site scripting and other web attacks
>>before hackers do!
>>Download Trial at:
>>
>>http://www.securityfocus.com/sponsor/pen-test_050831
>>--------------------------------------------------------------
>>-----------------
>>
>>
>>
>
>
>
------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:
Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:06 EDT