Nmap Announce mailing list archives

Re: mac addr lookups?


From: Fyodor <fyodor () dhp com>
Date: Tue, 16 Feb 1999 03:48:15 -0500 (EST)


With all due respect to Fyodor, I agree with him in many ways in that it
might not be the best of scanning ideas, I just don't like the reason for
his disapproval of the idea.

This is not actually my reason for disapproval.  The reason I don't plan
on adding this is that it only works in the very specific case where:

1) You are using ethernet
2) Your target is using ethernet
3) You are on the *same* ethernet segment

I don't think it is worth the code bloat or confusion to add such a
special-case feature.  Plus you should generally be able to do an
'arp -a' after the scan and see what hardware address the target
(or several targets) are using.

As further clarification, here is the (relevant parts of) the mail
I sent to //Stany in December:

   That is a good idea.  I've considered adding that feature a while
   back, but thing is (as you mentioned) it will only work for
   machines on people's local ethernet.  And in most cases people
   already know what other machines on their network are running.
   Also nowadays just because it is a SUN or Macintosh does not mean
   it runs Solaris or MacOS.  Even an HP or Amiga box could be running
   NetBSD, OpenBSD, etc.

   It is also really easy to change the MAC address on some operating
   systems.  On Linux you can do 'ifconfig eth0 hw 08:00:20:74:31:2A'
   and look like a Sun.  However this isn't a big problem;  almost
   everything nmap tests for could be spoofed.

Cheers,
Fyodor


--
Fyodor                            'finger pgp () www insecure org | pgp -fka'
Frustrated by firewalls?          Try nmap: http://www.insecure.org/nmap/
In a free and open marketplace, it would be surprising to have such an
obviously flawed standard generate much enthusiasm outside of the criminal
community.  --Mitch Stone on Microsoft ActiveX
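The 'arp -a' approach suggested in the message above can be scripted. The following is an added example, not nmap's code and not from anyone on this thread: it parses constructed `arp -a` output in both the Linux and BSD line formats, normalises each hardware address (BSD prints unpadded octets such as `0:0:c:...`), and looks its three-byte OUI prefix up in a small vendor table. The sample lines and the vendor table are constructed for illustration; only the `08:00:20` Sun prefix comes from the message itself, the other two entries are placeholders. Note that the ARP cache only holds hosts on your own ethernet segment, which is exactly the limitation the message describes, and that a vendor match says nothing reliable about the operating system.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed OUI table for illustration only. 08:00:20 is the Sun prefix
# quoted in the message; the other entries are assumed placeholders.
OUI_VENDORS: Dict[str, str] = {
    "08:00:20": "Sun Microsystems",
    "00:00:0c": "Example Vendor A (constructed)",
    "00:a0:c9": "Example Vendor B (constructed)",
}

# Constructed 'arp -a' output: Linux style ("... [ether] on eth0") and
# BSD style ("... on le0 [ethernet]", octets not zero-padded), plus an
# incomplete entry for a host that never answered the ARP request.
SAMPLE_ARP_OUTPUT = """\
sunbox.lab (192.0.2.10) at 08:00:20:74:31:2A [ether] on eth0
router.lab (192.0.2.1) at 0:0:c:12:34:56 [ether] on eth0
pc.lab (192.0.2.20) at 00:a0:c9:ab:cd:ef on le0 [ethernet]
ghost.lab (192.0.2.30) at <incomplete> on eth0
"""

# Matches "host (ip) at hw ..." and leaves the rest of the line alone.
ARP_LINE_RE = re.compile(r"^(?P<host>\S+)\s+\((?P<ip>[\d.]+)\)\s+at\s+(?P<hw>\S+)")


def normalize_mac(raw: str) -> Optional[str]:
    """Canonicalise a colon-separated MAC to lowercase, zero-padded form.

    Accepts both zero-padded ('08:00:20:...') and BSD-style unpadded
    ('8:0:20:...') addresses. Returns None for anything that is not six
    valid hex octets, e.g. '<incomplete>'.
    """
    parts = raw.split(":")
    if len(parts) != 6:
        return None
    try:
        octets = [int(p, 16) for p in parts]
    except ValueError:
        return None
    if any(o < 0 or o > 255 for o in octets):
        return None
    return ":".join(f"{o:02x}" for o in octets)


def parse_arp_output(text: str) -> List[Tuple[str, str, Optional[str]]]:
    """Return (host, ip, normalised_mac_or_None) for every ARP cache line."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE_RE.match(line)
        if not m:
            continue  # headers or lines in an unexpected format are skipped
        entries.append((m.group("host"), m.group("ip"), normalize_mac(m.group("hw"))))
    return entries


def lookup_vendor(mac: str) -> Optional[str]:
    """Map a normalised MAC to a vendor via its first three octets (the OUI)."""
    return OUI_VENDORS.get(mac[:8])


def vendor_report(text: str) -> Dict[str, Optional[str]]:
    """Map each IP in the ARP cache to a vendor guess.

    None means the entry was incomplete or the OUI is not in the table;
    even a hit is only a hint about the NIC, not about the OS.
    """
    report: Dict[str, Optional[str]] = {}
    for _host, ip, mac in parse_arp_output(text):
        report[ip] = lookup_vendor(mac) if mac else None
    return report


if __name__ == "__main__":
    for host, ip, mac in parse_arp_output(SAMPLE_ARP_OUTPUT):
        vendor = lookup_vendor(mac) if mac else None
        print(f"{ip:<15} {mac or '<incomplete>':<17} {host:<12} {vendor or 'unknown'}")
```

In practice the input would come from running `arp -a` after the scan and feeding its output to `parse_arp_output`; the vendor table would be a full OUI registry rather than three entries.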

