Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Pen-Test
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: mac to ip address tools

from [Dario Ciccarone (dciccaro)] Network Security [Permanent Link]
Subject: RE: mac to ip address tools
Date: Tue, 25 Oct 2005 23:58:57 -0400 
You didn't really frame your question - but let's give it a shot.

You received a bunch of answers about how to find out MAC<->IP pairings
in your broadcast domain (I assume you're interested in learning
MAC-to-IP pairings on the same L2 your machine is located). Some
suggested arping, some arpwatch, etc. The easiest way? Sniff. 

Say host A on your net is trying to communicate with host B. Host A
needs to know the MAC address for host B (or the MAC address for the
default gateway, if B not located on the same L2/L3 network). So he will
send out an ARP request. ARP replies are no good for you - those are
unicast to the host asking. But hey, a host ARPing for a other host
sends a broadcast - including *his* IP address. And the MAC is obviously
his MAC. And you do get broadcast. So, listen to ARP requests, and
sooner or later (when a host tries to communicate with other and doesn't
know his MAC, or when its refreshing its ARP cache), you will learn all
MAC-to-IP pairs. Even if the host never tries to contact hosts on his
same L2/L3 network, it has to ARP for the default gw MAC. This is the
answer to your original question.

About 100 machines using the same MAC address: two possibilities, out of
the top of my mind. Either the MAC belongs to a router on the same L2
network, which is doing proxy-arp for those machines (machines that
aren't really located on your L2 network), or those machines are, again,
in another network, and the host answering ARP requests for them is a
firewall - which would then filter/NAT/rate-limit/do whatever he has to
do with the packet before forwarding it to the real host.

Other things to keep in mind: pairing between MAC/IP can change - while
both HSRP and VRRP use a virtual MAC address, shared between all routers
on the same HSRP/VRRP group (and hence, no changes on the MAC address if
one of them takes over a failed one), GLBP (AFAIR) can reply to
different ARP requests with different MAC addresses. Also check for MS
MNLB. CheckPoint firewalls used to use multicast MAC addresses for
firewalls in a cluster configuration.

Good luck
Dario


-----Original Message-----
From: kukulkan [mailto:ismandya@sains.com.my] 
Sent: Tuesday, October 25, 2005 8:45 PM
To: Chris Moody
Cc: Glyn Geoghegan; pen-test@securityfocus.com
Subject: Re: mac to ip address tools

yeah. There are about 500-600 machines in this place, I say 
this because 
these are the registered machines. What about those not registered? 
there is one thing that bother them is that when we tried to 
use arp it 
seems that they are about 100  machines  with the same mac address. 
Wonder could this be the the machines here have been poisoned?

Chris Moody wrote:


The biggest problem with your question lies in topology 

restrictions.


Unless you have a host system in the broadcast domain (aka 

subnet) of 

the host ip in question, all your arp responses will be that of the 
gateway enroute to the end host.

You'll get -very- skewed results if you're trying to map say...1000 
machines (most of which live on different subnets) and see 

nothing but 

the MAC of your router as the resolved address.

For something enterprise wide, you will need to look at scripting a 
arp cache harvesting mechanism.  This can report back the 

REAL mac to 

ip mapping for the host system.

Contact me offline for more information on how to accomplish this.

-Chris

Glyn Geoghegan wrote:


arp -a

--  G l y n   G e o g h e g a n


On 25 Oct 2005, at 10:48, kukulkan wrote:


Hi list,

Need help. Is there any open source tools linux or windows, that  
when given a MAC address, the list(s) of IP address can 

be obtained?


kukulkan




--------------------------------------------------------------
-------- 

--------
Audit your website security with Acunetix Web 

Vulnerability Scanner:

Hackers are concentrating their efforts on attacking 

applications  

on your website. Up to 75% of cyber attacks are launched on  
shopping carts, forms, login pages, dynamic content etc. 

Firewalls,  

SSL and locked-down servers are futile against web application  
hacking. Check your website for vulnerabilities to SQL 

injection,  

Cross site scripting and other web attacks before hackers do!  
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831


--------------------------------------------------------------
-------- 

---------







--------------------------------------------------------------
---------------- 


Audit your website security with Acunetix Web 

Vulnerability Scanner:

Hackers are concentrating their efforts on attacking 

applications on 

your website. Up to 75% of cyber attacks are launched on shopping 
carts, forms, login pages, dynamic content etc. Firewalls, SSL and 
locked-down servers are futile against web application 

hacking. Check 

your website for vulnerabilities to SQL injection, Cross site 
scripting and other web attacks before hackers do! 

Download Trial at:


http://www.securityfocus.com/sponsor/pen-test_050831


--------------------------------------------------------------
----------------- 









--------------------------------------------------------------
----------------
Audit your website security with Acunetix Web Vulnerability Scanner: 

Hackers are concentrating their efforts on attacking 
applications on your 
website. Up to 75% of cyber attacks are launched on shopping 
carts, forms, 
login pages, dynamic content etc. Firewalls, SSL and 
locked-down servers are 
futile against web application hacking. Check your website 
for vulnerabilities 
to SQL injection, Cross site scripting and other web attacks 
before hackers do! 
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
--------------------------------------------------------------
-----------------



------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner: 

Hackers are concentrating their efforts on attacking applications on your 
website. Up to 75% of cyber attacks are launched on shopping carts, forms, 
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are 
futile against web application hacking. Check your website for vulnerabilities 
to SQL injection, Cross site scripting and other web attacks before hackers do! 
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: mac to ip address tools, kukulkan
Next by Date:  Re: mac to ip address tools, arif . jatmoko
Previous by Thread:  RE: mac to ip address tools, Guillaume LAVOIX
Next by Thread:  Re: mac to ip address tools, kukulkan
Indexes:  [Date] [Thread] [Top] [All Lists]