Nmap Announce mailing list archives
Re: ARP idea (conjecture)
From: Bart van Leeuwen <bart () ixori demon nl>
Date: Tue, 29 Jun 1999 05:30:28 +0200 (CEST)
As far as I'm aware, this can at least on some OSes be configured as a direct timeout, and indirectly by limiting the size of the ARP table (with the result that it may very well remove entries before they'd time out, esp on large network segments or large switched/bridged networks).

This is just from what I have seen after trying to resolve some arp problems in a mixed win-nt, OS/2 environment, but may very well apply to other OSes as well.

So.. as far as I go this would at least in some situations fail or give unpredictable results, but I have little doubt that there is some useful information to get here by just looking at arp behavior.

Bart

On Tue, 29 Jun 1999, photon wrote:

> This would have limited usefulness even if it did work, but it would evade most existing detection software...
>
> Basically, o'er any ARP-utilising link-layer, I wonder if it'd be possible to measure ARP timeouts and compare these with a default-listing by OS? Eg:
>
> ... arp stuff snipped ...
> Myhost -> Targethost [some higher-level protocol]
> Targethost -> MyHost [ARP REQ.]
> Myhost -> Targethost [ARP Response]
> ... wait predetermined period ...
> Myhost -> Targethost [some higher-level protocol]
> ... remember that this period DID/DIDN'T make targethost ARP REQ again ...
> ... repeat with different period ...
>
> I'm not even sure if arp timeouts are OS-specific (though I'm pretty sure they are - steve's book states that BSD-derived OSs normally have 20min timeout for completed entries, 3min for incomplete) .. and obviously this method would have problems with hardcoded arp table entries, and be goddamned slow (patience is a virtue ;).
>
> As a side note, from memory some OSs do not handle gratuitous ARP correctly - this could be used to further-finetune such an ARP-based OS determination.
>
> Or I could just be plain wrong. =)
>
> Sorry to make such an up in the air post, but I don't really have time to play with this stuff (evil final-year assessment tomorrow ;)
>
> keep up the good work!
> - pho
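Added example, not part of either poster's message: a pure simulation (no packets are sent) of the wait-and-retry measurement from the quoted post, showing why a size-limited ARP table makes the measured value unreliable, as the reply points out. The cache model (expiry counted from when the entry was learned, least-recently-used eviction), the table sizes and the traffic rate are assumptions; the 20-minute value is the BSD figure quoted in the thread.

```python
from collections import OrderedDict

class ArpCache:
    """Toy ARP table (assumed model): fixed timeout plus a size limit."""
    def __init__(self, timeout, max_entries):
        self.timeout, self.max_entries = timeout, max_entries
        self.learned = OrderedDict()            # ip -> time learned, LRU order

    def send_to(self, ip, now):
        """Host sends to ip at time now; True if it must ARP for it first."""
        t = self.learned.get(ip)
        must_arp = t is None or now - t >= self.timeout
        if must_arp:
            self.learned[ip] = now              # reply received, entry (re)learned
        self.learned.move_to_end(ip)            # mark as most recently used
        while len(self.learned) > self.max_entries:
            self.learned.popitem(last=False)    # evict least recently used
        return must_arp

def re_arps_after(wait, timeout, max_entries, peers_per_min):
    """One trial: target learns the observer, `wait` seconds pass, traffic resumes."""
    cache = ArpCache(timeout, max_entries)
    cache.send_to("observer", 0)
    for i in range(wait * peers_per_min // 60): # other hosts the target talks to
        cache.send_to(f"peer{i}", (i + 1) * 60 / peers_per_min)
    return cache.send_to("observer", wait)

def estimate_timeout(timeout, max_entries, peers_per_min, lo=0, hi=3600, step=10):
    """Bisect on the wait period, as in 'repeat with different period'."""
    while hi - lo > step:
        mid = (lo + hi) // 2
        if re_arps_after(mid, timeout, max_entries, peers_per_min):
            hi = mid
        else:
            lo = mid
    return hi

if __name__ == "__main__":
    BSD = 20 * 60   # completed-entry timeout quoted in the thread, in seconds
    print("quiet segment :", estimate_timeout(BSD, 1024, 0), "s")
    print("busy segment  :", estimate_timeout(BSD, 64, 30), "s")
```

On the simulated quiet segment the estimate lands within the bisection step of the configured timeout; with a 64-entry table and 30 new peers per minute it reflects how fast the table fills, not the timeout.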