Nmap Announce mailing list archives

Re: mac addr lookups?


From: Nathan Catlow <n.catlow () eris dera gov uk>
Date: Tue, 16 Feb 1999 19:38:24 +0000


Hi, I would just like to add my $00.02 worth into this discussion, I think 
this needs to be turned on its head here.

Arp scanning is a very useful function (that I personally would like to see in 
nmap). It can be useful in different situations:

1. You don't need an IP presence on the network, I just generate arp packets 
and list the IP addresses that are returned (nobody knows you're there unless 
they are analysing arp traffic). This is useful for actually choosing an IP 
address on a network that you don't know what hosts are up.

2. Identifying hosts with virtual interfaces - they have the same mac address, 
this would prevent 'ghost' entries when port scanning (different IP numbers, 
same services, same physical machine).

3. Getting round filtering bridges (such as sunscreens / karlbridges) which 
filter out ICMP so you can't ping scan them but you may want to identify the 
hosts are there before whacking them with a port scan.

4. Identifying MAC addresses for true spoofing (changing your mac address to 
the same as another machine).

I know that it is only useful on a local network and I agree that it should 
not be used for host ID, I'm just saying that it is useful under *some* 
circumstances and after all nmap is heading towards being a totally complete 
scanner, so why not arp scanning?

regards,

Nathan.
-- 
N.Catlow () eris dera gov uk |  All opinions  | IT Security Health Check,
                          | are my own and | D.E.R.A., St Andrews Rd,
                          |   not DERA's   | Malvern, Worcs, England.
** There's someone in my head, but it's not me! - Dark Side of the Moon **
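
The message above notes that an ARP sweep goes unseen unless someone is analysing ARP traffic, and that several IPs answering from one MAC indicate one physical machine. The following is an added example, not part of the original post or of nmap: a small analyser over captured Ethernet frames that flags both conditions. The threshold, MAC addresses and 192.0.2.0/24 sample frames are constructed assumptions.

```python
import struct
from collections import defaultdict
from ipaddress import IPv4Address

ARP_ETHERTYPE = 0x0806

def build_arp(op, sha, spa, tha, tpa):
    """Build an Ethernet+ARP frame; used only to construct the sample data."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    dst = "ff:ff:ff:ff:ff:ff" if op == 1 else tha  # requests are broadcast
    eth = mac(dst) + mac(sha) + struct.pack("!H", ARP_ETHERTYPE)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    return eth + arp + mac(sha) + IPv4Address(spa).packed + mac(tha) + IPv4Address(tpa).packed

def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_ip), or None if not IPv4 ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ARP_ETHERTYPE:
        return None
    if struct.unpack("!HHBB", frame[14:20]) != (1, 0x0800, 6, 4):
        return None
    op = struct.unpack("!H", frame[20:22])[0]
    return (op, frame[22:28].hex(":"), str(IPv4Address(frame[28:32])),
            str(IPv4Address(frame[38:42])))

def analyse(frames, sweep_threshold=8):
    """Flag MACs probing many IPs, and MACs answering for several IPs."""
    probed = defaultdict(set)   # requester MAC -> distinct IPs it asked for
    claimed = defaultdict(set)  # replying MAC  -> IPs it answered for
    for frame in frames:
        rec = parse_arp(frame)
        if rec is None:
            continue
        op, sha, spa, tpa = rec
        if op == 1:    # who-has request
            probed[sha].add(tpa)
        elif op == 2:  # is-at reply
            claimed[sha].add(spa)
    sweepers = {m: len(t) for m, t in probed.items() if len(t) >= sweep_threshold}
    shared = {m: sorted(ips) for m, ips in claimed.items() if len(ips) > 1}
    return sweepers, shared

# Constructed sample: one station with no IP of its own sweeps 20 addresses,
# one host answers for two IPs, one ordinary host resolves its gateway.
SCANNER = "02:00:00:00:00:99"
SAMPLE = [build_arp(1, SCANNER, "0.0.0.0", "00:00:00:00:00:00", f"192.0.2.{i}") for i in range(1, 21)]
SAMPLE += [build_arp(2, "02:00:00:00:00:0a", ip, SCANNER, "0.0.0.0") for ip in ("192.0.2.10", "192.0.2.11")]
SAMPLE.append(build_arp(1, "02:00:00:00:00:05", "192.0.2.5", "00:00:00:00:00:00", "192.0.2.1"))
```
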



