yeah - it is flawed :)

MAC to IP mappings as in the ARP table only happen when both source and destination IP hosts are on the same L2, and by definition, L3 network. so a host ARP table on NET X should only show entries for those machines on its same subnet the host had conversations with.

of course, knowing host X IP address and subnet mask, you could start ARPing for all the other available IPs on the range and know what IP addresses are in use, and what not (little issue with machines powered off when you're doing your ARPinging ;))

for all non-local destinations, the only entry the host should have is for the MAC/IP pair of its default gateway.

one small digression: a host _could_ have MAC/IP pairs in its ARP table for machines not on the same subnet, _if_ the router on the local segment is a Cisco router with "ip proxy-arp" enabled - and even then, it would only have mapped IPs on the non-local network to the router MAC address (as you suggested), but only for router-connected subnets of the same major network the ARPing host is connected to.

check http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fipr_c/ipcprt1/1cfipadr.htm#1001233 and RFC-1027 to fully understand what problems proxy-arp solves.

and btw: Cisco's recommendation (from a security point of view) is to disable proxy ARP if not needed - just to thwart practices as you want to implement :))

> -----Original Message-----
> From: Jason Lewis [mailto:jlewisat_private]
> Sent: Tuesday, February 04, 2003 8:37 PM
> To: pen-testat_private
> Subject: Using ARP to map a network
>
>
> I have searched and can't seem to find any tools to help map a network
> based on ARP tables.
>
> It seems to me, I could take ARP tables from several machines and build a
> network map. If machines were behind a router the ARP tables would show
> multiple IPs with the same MAC. With enough ARP tables, wouldn't I be
> able to build a map?
>
> Is my theory flawed?
>
> My goal is to do passive network mapping based on any local information I
> can obtain from computers or network devices. Anyone have any ideas?
>
> jas
>
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
> Service. For more information on SecurityFocus' SIA service which
> automatically alerts you to the latest security vulnerabilities please see:
> https://alerts.securityfocus.com/
This archive was generated by hypermail 2b30 : Wed Feb 05 2003 - 10:31:17 PST
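
An added example, not part of the original thread: a Python audit of one host's ARP table for the proxy-ARP signature described in the reply above, where off-subnet IPs resolve to the default gateway's MAC. The sample table, its addresses and MACs, and the function names `parse_arp` and `audit_arp` are constructed for illustration; the input is assumed to be in Linux `arp -an` format.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in Linux `arp -an` format, as seen from a host whose real
# subnet is 172.16.10.0/24 (addresses and MACs are made up for illustration).
SAMPLE_ARP = """\
? (172.16.10.1) at 00:00:5e:00:53:01 [ether] on eth0
? (172.16.10.40) at 00:00:5e:00:53:40 [ether] on eth0
? (172.16.20.7) at 00:00:5e:00:53:01 [ether] on eth0
? (172.16.30.9) at 00:00:5e:00:53:01 [ether] on eth0
? (172.16.10.77) at <incomplete> on eth0
"""

ENTRY = re.compile(
    r"\((\d{1,3}(?:\.\d{1,3}){3})\) at ((?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I)

def parse_arp(text):
    """Return (ip, mac) pairs for resolved entries; <incomplete> lines are skipped."""
    return [(ipaddress.ip_address(ip), mac.lower()) for ip, mac in ENTRY.findall(text)]

def audit_arp(text, local_subnet, gateway_ip):
    """Split entries into on-subnet neighbours and off-subnet ones grouped by MAC."""
    net = ipaddress.ip_network(local_subnet)
    gateway = ipaddress.ip_address(gateway_ip)
    entries = parse_arp(text)
    gateway_mac = next((mac for ip, mac in entries if ip == gateway), None)
    local, off_subnet = [], defaultdict(list)
    for ip, mac in entries:
        if ip in net:
            local.append(str(ip))
        else:
            off_subnet[mac].append(str(ip))
    return {
        "local": local,
        "off_subnet": dict(off_subnet),
        # Off-subnet IPs resolving to the gateway MAC match the proxy-ARP case.
        "proxy_arp_suspected": gateway_mac is not None and gateway_mac in off_subnet,
        # Any other MAC answering for off-subnet IPs is not explained by the router.
        "unexplained_macs": sorted(m for m in off_subnet if m != gateway_mac),
    }

if __name__ == "__main__":
    report = audit_arp(SAMPLE_ARP, "172.16.10.0/24", "172.16.10.1")
    for key, value in report.items():
        print(f"{key}: {value}")
```

A host with proxy ARP disabled on its router should report an empty `off_subnet`; entries under `unexplained_macs` are worth investigating separately, since the router does not account for them.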