Re: Using ARP to map a network

From: Kevin Reynolds (reynolds25at_private)
Date: Tue Feb 04 2003 - 16:19:03 PST

Next message: Razvan Teslaru: "Interception of modem data transmission"

Previous message: Lambottat_private: "Re: Using ARP to map a network"
In reply to: Jason Lewis: "Using ARP to map a network"
Next in thread: Jason Lewis: "Re: Using ARP to map a network"
Next in thread: Edwin van Andel: "Re: Using ARP to map a network"
Reply: Jason Lewis: "Re: Using ARP to map a network"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Jason,

If the machines were behind a router you would not see anything for ARP.  At
that point you are routing and not switching.  True, you would see an MAC
address for the router but remember, the MAC address is part of the frame
and the IP address is part of the packet.  Therefore the only time that the
two are tied together is on the local subnet.

Any tool to map networks based on arp tables would have to have access to
the arp tables for each individual subnet.

"If machines were behind a router the ARP tables would show multiple IP's
with the same MAC."  No, the arp tables would only show the routers IP
address and the mac address of the router.  A routing table would show IP
addresses "behind" the routers IP address (maybe, default routes would throw
this off).  Routing tables are global while arp tables are local to the
subnet.

Hope this helps.

Kevin
----- Original Message -----
From: "Jason Lewis" <jlewisat_private>
To: <pen-testat_private>
Sent: Tuesday, February 04, 2003 6:36 PM
Subject: Using ARP to map a network


> I have searched and can't seem to find any tools to help map a network
> based on ARP tables.
>
> It seems to me, I could take ARP tables from several machines and build a
> network map.  If machines were behind a router the ARP tables would show
> multiple IP's with the same MAC.  With enough ARP tables, wouldn't I be
> able to build a map?
>
> Is my theory flawed?
>
> My goal is to do passive network mapping based on any local information I
> can obtain from computers or network devices.  Anyone have any ideas?
>
> jas
>
>
>
> --------------------------------------------------------------------------
--
> This list is provided by the SecurityFocus Security Intelligence Alert
(SIA)
> Service. For more information on SecurityFocus' SIA service which
> automatically alerts you to the latest security vulnerabilities please
see:
> https://alerts.securityfocus.com/
>
>



----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

Next message: Razvan Teslaru: "Interception of modem data transmission"
Previous message: Lambottat_private: "Re: Using ARP to map a network"
In reply to: Jason Lewis: "Using ARP to map a network"
Next in thread: Jason Lewis: "Re: Using ARP to map a network"
Next in thread: Edwin van Andel: "Re: Using ARP to map a network"
Reply: Jason Lewis: "Re: Using ARP to map a network"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Feb 05 2003 - 10:23:24 PST