Nmap Announce mailing list archives

Re: mac addr lookups?


From: //Stany <stany () pet notbsd org>
Date: Tue, 16 Feb 1999 02:33:07 -0500 (EST)

On Mon, 15 Feb 1999, Terje Elde wrote:

> Just an idea for nmap...
>
> A lot of admins and other fun ppl use nmap to scan their own networks
> looking for security issues and other stuff. When you're scanning at your
> own physical network layer you can see MAC addr's. So why not add an option
> to allow nmap to look these up?
>
> It's great fun to do so, as you can often get a lot of info. First of all,
> you're sure to get the type of network card in use (well, almost anyway),
> and often you can get a few pointers about the OS too.

Hi, Delta.  Long time, no see.

I remember suggesting exactly the same thing to Fyodor in the days of 2.0
Beta 15 or so (I am sure others suggested the same before me too). He
said that he had toyed with the idea but decided against it, as it was
too easy to mislead the scanner by changing the MAC address.

In fact it /is/ rather trivial to change your MAC address on a number of
systems.  For example on Sun SPARCs (sun4m and sun4c; I have not had a
chance to play with sun4u) the MAC address is directly tied to the PROM.
According to the Sun NVRAM/HOSTID FAQ (available at
<http://www.squirrel.com/sun-nvram-hostid.faq.html>) the MAC address of a
Sun system is stored in the PROM, and as a result every physical network
interface has the same MAC address.  Why am I bringing this up?  The catch
is that the PROM is programmable, and in theory any MAC address can be
programmed in (whether the system afterwards correctly reports what kind of
hardware it is is a completely different question ;-) if you bother to
read a bit.  In another life I had to recover an SS5 that had a dead PROM,
and as a result of me toying with it, its MAC address became
8:0:20:c0:ff:ee.  Although traditionally only the first 3 values are used
to identify the manufacturer of the network device, nothing was preventing
me from changing them completely.

Additionally, it is rather trivial to change the MAC address on different
platforms.  The Linux tulip driver for a long while had the ability to
program the NIC to report back whatever MAC address you want.  In fact
the Corel NetWinder had this ability with older kernels (Corel people
patched the kernel source, after I published it, to prevent abuse, as
they could get into legal problems for using an identifier not assigned to
them) and some instructions on doing this are available at
<http://www.netwinder.org/~stany/netwinder_board_rev_faq.html#changing_your_MAC>

Essentially this amounted to the following 5 commands: 
root@pooga:~[240]# ifconfig eth1 down
root@pooga:~[241]# rmmod tulip
root@pooga:~[242]# insmod tulip vnc_mac_addr=0xfee123
root@pooga:~[243]# insmod tulip
root@pooga:~[244]# ifconfig eth1 up inet <your inet here> netmask <yournetmask here> broadcast <your broadcast here>

So why am I mentioning all this?  Because using MAC addresses is
potentially not accurate, as it is trivial to change your MAC address if
you want to, so this detection will only work on networks with highly
unsophisticated people.  Additionally, adding such a database of MAC
addresses has the potential to result in code bloat, which is not a good
thing either.  At most, MAC detection can complement OS detection, figuring
that a computer running a NIC with a MAC address starting with 0:10:57
(Corel NetWinder) should not be running SunOS 4.1, or a system with a MAC
address starting with 8:0:20 (Sun SPARC) should not run BeOS.

However, I think that it might be worthwhile for NMAP to record the MAC
address in the event of scanning a local subnet, as this will allow the
administrator to diff the logs and see if the hardware has physically
changed over time (asset management implemented backwards, anyone? ;-).

I have to note that I never did extensive research in the area of MAC
address changes, and the two examples above are just what I could remember
off the top of my head ;-)

//Stany, who still uses nmap 2.0.3 for his scans.  Solaris code seems to
be broken 8-(

-- 
Trouble rather the tiger in his lair, than the Sysadmin amongst his UNIX boxen.
For to you Programs and their Source Code are things mighty and enduring, 
But to him they are but toys of the moment,  
To be overturned by flicking of the power switch....  Computer Lessons: SNV '97
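The two defensive uses floated in the post above (cross-checking an OS guess against the NIC's manufacturer prefix, and diffing the MAC addresses recorded by repeated local-subnet scans to spot hardware changes), as an added Python example that is not part of the original message or of nmap. The OUI table, the plausibility rules and the two scan snapshots are constructed from the prefixes quoted in the post.

```python
# Added example: OUI sanity check for OS guesses and a MAC inventory diff.
# Table and rules are constructed from the two prefixes named in the post;
# a real deployment would load the full IEEE OUI list instead.
OUI_VENDORS = {
    "00:10:57": "Corel NetWinder",
    "08:00:20": "Sun",
}

# OS families that should not appear behind a given manufacturer prefix.
IMPLAUSIBLE = {
    "00:10:57": {"SunOS"},
    "08:00:20": {"BeOS"},
}

def normalize_mac(mac):
    """Canonical form: six zero-padded lowercase hex octets.
    '8:0:20:c0:ff:ee' -> '08:00:20:c0:ff:ee'; accepts ':' or '-'."""
    octets = mac.replace("-", ":").split(":")
    if len(octets) != 6:
        raise ValueError("bad MAC: %r" % mac)
    return ":".join("%02x" % int(o, 16) for o in octets)

def oui_of(mac):
    """First three octets, i.e. the manufacturer (OUI) prefix."""
    return normalize_mac(mac)[:8]

def vendor(mac):
    return OUI_VENDORS.get(oui_of(mac), "unknown")

def os_guess_consistent(mac, os_family):
    """False when the OS guess contradicts the NIC's manufacturer prefix;
    True when it is plausible or the prefix is not in the table."""
    return os_family not in IMPLAUSIBLE.get(oui_of(mac), set())

def diff_inventory(old, new):
    """old/new: {ip: mac} from two scans of the same subnet.  Returns
    {ip: (old_mac, new_mac)} for hosts whose hardware address changed,
    appeared (old side None) or vanished (new side None)."""
    changes = {}
    for ip in set(old) | set(new):
        a = normalize_mac(old[ip]) if ip in old else None
        b = normalize_mac(new[ip]) if ip in new else None
        if a != b:
            changes[ip] = (a, b)
    return changes

# Constructed snapshots of one subnet taken a week apart.
SCAN_WEEK1 = {"10.0.0.5": "8:0:20:c0:ff:ee", "10.0.0.9": "00:10:57:12:34:56"}
SCAN_WEEK2 = {"10.0.0.5": "08:00:20:C0:FF:EE", "10.0.0.9": "00:10:57:ab:cd:ef",
              "10.0.0.12": "00-10-57-00-00-01"}

if __name__ == "__main__":
    for ip, (a, b) in sorted(diff_inventory(SCAN_WEEK1, SCAN_WEEK2).items()):
        print(ip, a, "->", b)
```

Host 10.0.0.5 is reported unchanged because both spellings normalize to the same address; 10.0.0.9 shows a swapped NIC and 10.0.0.12 a newly appeared host.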
