Re: Spoofed scans

From: Will Aoki (waokiat_private)
Date: Mon Jan 07 2002 - 11:04:00 PST


    On Mon, Jan 07, 2002 at 02:04:57AM +0100, Philip Wagenaar wrote:
    > Do you mean get the MAC address? If so MAC addresses aren't unique
    > anymore, and how could you lookup what MAC address belongs to what IP?
    
    Assuming that you're on the same local net as the machine you're
    interested in (but then, if you're not on the same local net, the MAC
    is difficult to obtain in the first place and probably won't do you
    much good), the arping tool from http://synscan.nss.nu/programs.php
    will find whatever IP(s) are associated with a MAC.
    
    It's quite a handy little tool - I've used it in the past to hunt down
    misbehaving hosts.
    
    
    Non-unique MACs? Wouldn't that break ethernet?
    
    > Philip Wagenaar
    > 
    > > -----Original Message-----
    > > From: James [mailto:jameshat_private] 
    > > Sent: Monday, 7 January 2002 1:47
    > > To: incidentsat_private
    > > Subject: Re: Spoofed scans
    > > 
    > > 
    > > Capture the data link layer and get the hardware address. 
    > > Perhaps this will indicate the true IP.
    > > 
    > > 
    > > "Ask the plants of the earth and they will teach you." Job 12:8
    > > 
    > > ----- Original Message -----
    > > From: "Richard Arends" <richardat_private>
    > > To: <incidentsat_private>
    > > Sent: Sunday, January 06, 2002 4:41 AM
    > > Subject: Spoofed scans
    > > 
    > > 
    > > > Hello,
    > > >
    > > > Last couple of weeks I'm getting more and more spoofed scans on my
    > > > firewall. All scans are ICMP or port 53 (domain). Mostly 'they' first
    > > > send a few ICMP packets and then a scan for port 53 trying to do a
    > > > reverse lookup for my IP.
    > > >
    > > > Are there more seeing this type of scans and is there a way to
    > > > subtract the real scanner (IP) from the list of IPs ???
    > > >
    > > > Greetings,
    > > >
    > > > Richard.
    > > >
    
    -- 
    William Aoki     waokiat_private       /"\  ASCII Ribbon Campaign
    3B0A 6800 8A1A 78A7 9A26 BB92              \ /  No HTML in mail or news!
    9A26 BB92 6329 2D3E 199D 8C7B               X
                                               / \
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
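
What capturing the data link layer, as suggested in the thread, yields in practice: an added example, not part of the original messages, that groups IPv4 source addresses by the source MAC of the frame that carried them. Packets from another network arrive with the forwarding router's MAC, so many source IPs behind one MAC identify only the gateway (or a spoofer on the local segment). The frames, MACs, documentation-range addresses and helper names are constructed assumptions.

```python
import struct
from collections import defaultdict

def parse_frame(frame):
    """Return (src_mac, src_ip) for an Ethernet II frame carrying IPv4, else None."""
    if len(frame) < 34:                      # 14-byte Ethernet + 20-byte IPv4 header
        return None
    _dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800 or frame[14] >> 4 != 4:
        return None                          # ARP, IPv6, etc. are skipped
    mac = ":".join(f"{b:02x}" for b in src)
    ip = ".".join(str(b) for b in frame[26:30])   # IPv4 source address field
    return mac, ip

def ips_per_mac(frames):
    """Map each source MAC to the set of IPv4 source addresses seen behind it."""
    seen = defaultdict(set)
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed:
            seen[parsed[0]].add(parsed[1])
    return dict(seen)

def multi_ip_macs(frames):
    """MACs that sent frames with more than one source IP: a router or a local spoofer."""
    return {mac for mac, ips in ips_per_mac(frames).items() if len(ips) > 1}

def build_frame(src_mac, src_ip, ethertype=0x0800):
    """Constructed sample frame (checksum left at zero; it is not validated here)."""
    eth = bytes.fromhex("020000000001") + bytes.fromhex(src_mac.replace(":", ""))
    eth += struct.pack("!H", ethertype)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 1, 0,
                     bytes(int(o) for o in src_ip.split(".")), bytes([192, 0, 2, 10]))
    return eth + ip

GATEWAY = "02:00:00:00:00:fe"    # assumed upstream router
LOCAL = "02:00:00:00:00:22"      # assumed host on the same segment
SAMPLE = [                       # constructed capture
    build_frame(GATEWAY, "198.51.100.7"),
    build_frame(GATEWAY, "203.0.113.9"),
    build_frame(GATEWAY, "203.0.113.200"),
    build_frame(LOCAL, "192.0.2.22"),
    build_frame(LOCAL, "192.0.2.22", ethertype=0x0806),  # non-IPv4, ignored
]

if __name__ == "__main__":
    for mac, ips in ips_per_mac(SAMPLE).items():
        print(mac, sorted(ips))
```
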
    



    This archive was generated by hypermail 2b30 : Mon Jan 07 2002 - 11:59:54 PST