Nmap Announce mailing list archives
Re: nmap VS DHCP
From: Justin <jguyett () andrew cmu edu>
Date: Thu, 25 May 2000 06:10:18 -0400 (EDT)
On Wed, 24 May 2000, Ajay Gupta2 wrote:
> Since the network was using DHCP and not all machines had host names, there was little to tie the remaining data (IP address, open ports & OS) to the machines on the network, as the IP addresses (by which machines are generally identified) changed between the scans. Therefore, these nmap scan results are less valuable for fingerprinting as the data is not tied directly to the machines. Is it possible to have nmap identify MAC addresses, which are less likely to change (I believe this was discussed some time ago on this list)? At the least, is it possible for nmap to inform whether or not the network is running DHCP?
Unless you can somehow get on the same subnet as the person you want to find the MAC of, or you can get on the same switch and manage to trick it into re-learning its MAC table (and flooding to all ports in the process), you're pretty much out of luck. If you're on the subnet, not only could you pretty trivially change the output of nmap to include MAC addresses, but you could send out a fake DHCP request and see if you get a reply and log that too. Just look at the arp.c for your architecture and modify it appropriately, or in Linux you could just look through /proc/net/arp.

MAC addresses are trivially easy to change though; anyone can download changemac (search for it on rootshell, packetstorm) and layer-2 spoof as anyone they want. Of course, there are ways to piss off your resident net admins that are infinitely more fun... like replying to ARP requests with Ethernet broadcast addresses...

Justin
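As an added illustration (not code from this thread), the following Python shows the /proc/net/arp approach from the reply applied to the original question: parse the ARP cache captured on a host on the scanned subnet, then match two scan runs by MAC address instead of by IP so that a DHCP lease change no longer breaks the correlation. The ARP snapshots, MACs and port sets are constructed sample data; the `diff_scans` report format is this example's own.

```python
# Constructed /proc/net/arp snapshots from two scan runs on the same subnet.
# Flags 0x2 = resolved entry; 0x0 = incomplete (no ARP reply received).
ARP_RUN1 = """\
IP address       HW type     Flags       HW address            Mask     Device
10.0.0.20        0x1         0x2         00:11:22:33:44:aa     *        eth0
10.0.0.21        0x1         0x2         00:11:22:33:44:bb     *        eth0
10.0.0.99        0x1         0x0         00:00:00:00:00:00     *        eth0
"""
ARP_RUN2 = """\
IP address       HW type     Flags       HW address            Mask     Device
10.0.0.30        0x1         0x2         00:11:22:33:44:AA     *        eth0
10.0.0.21        0x1         0x2         00:11:22:33:44:bb     *        eth0
"""
# Constructed per-run scan results: {ip: set of open TCP ports}.
SCAN_RUN1 = {"10.0.0.20": {22, 80}, "10.0.0.21": {445}, "10.0.0.99": {23}}
SCAN_RUN2 = {"10.0.0.30": {22, 80, 443}, "10.0.0.21": {445}}


def parse_proc_net_arp(text):
    """Return {ip: mac} for resolved entries; skips the header and incomplete rows."""
    mapping = {}
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 6:
            continue
        ip, _hwtype, flags, mac = fields[:4]
        if int(flags, 16) & 0x2:  # ATF_COM: the entry has been resolved
            mapping[ip] = mac.lower()
    return mapping


def diff_scans(scan_a, arp_a, scan_b, arp_b):
    """Match hosts across two scans by MAC (not IP) and report what changed."""
    mac_a = parse_proc_net_arp(arp_a)
    mac_b = parse_proc_net_arp(arp_b)
    by_mac_a = {mac_a[ip]: (ip, ports) for ip, ports in scan_a.items() if ip in mac_a}
    by_mac_b = {mac_b[ip]: (ip, ports) for ip, ports in scan_b.items() if ip in mac_b}
    report = {}
    for mac in by_mac_a.keys() | by_mac_b.keys():
        if mac not in by_mac_a or mac not in by_mac_b:
            report[mac] = {"status": "only_in_a" if mac in by_mac_a else "only_in_b"}
            continue
        (ip_a, ports_a), (ip_b, ports_b) = by_mac_a[mac], by_mac_b[mac]
        report[mac] = {"status": "matched", "ip_changed": ip_a != ip_b,
                       "ports_opened": sorted(ports_b - ports_a),
                       "ports_closed": sorted(ports_a - ports_b)}
    # Scanned IPs with no resolved ARP entry cannot be tied to a host; flag them.
    for ip in [ip for ip in scan_a if ip not in mac_a] + [ip for ip in scan_b if ip not in mac_b]:
        report["ip:" + ip] = {"status": "no_mac"}
    return report
```

As the reply notes, the ARP cache only covers hosts on the scanning machine's own subnet, so entries for remote networks will show the router's MAC rather than the host's.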