Nmap Announce mailing list archives

Re: nmap VS DHCP


From: Justin <jguyett () andrew cmu edu>
Date: Thu, 25 May 2000 06:10:18 -0400 (EDT)

On Wed, 24 May 2000, Ajay Gupta2 wrote:

> Since the network was using DHCP and not all machines had
> host names, there was little to tie the remaining data (IP address, open
> ports & OS) to the machines on the network, as the IP addresses (by
> which machines are generally identified) changed between the scans.
> Therefore, these nmap scan results are less valuable for fingerprinting
> as the data is not tied directly to the machines.  Is it possible to
> have nmap identify MAC addresses, which are less likely to change? (I
> believe this was discussed some time ago on this list.)  At the least,
> is it possible for nmap to inform whether or not the network is running
> DHCP?

Unless you can somehow get on the same subnet as the person you want to
find the MAC of, or you can get on the same switch and manage to trick it
into re-learning its MAC table (and flooding to all ports in the
process), you're pretty much out of luck.

If you're on the subnet, not only could you pretty trivially change the
output of nmap to include mac addresses, but you could send out a fake
dhcp request and see if you get a reply and log that too.  Just look at
the arp.c for your architecture and modify it appropriately, or in linux
you could just look through /proc/net/arp.

MAC addresses are trivially easy to change though; anyone can download
changemac (search for it on rootshell, packetstorm) and layer-2 spoof as
anyone they want.

Of course, there are ways to piss off your resident net admins that
are infinitely more fun... like replying to arp requests with ethernet
broadcast addresses...


Justin
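The "look through /proc/net/arp" approach from the reply above, worked out as an added example that is not part of the original thread and not nmap's own code. It parses the text format of Linux /proc/net/arp, then re-keys two per-IP scan snapshots by MAC so that a host whose DHCP lease changed between scans is still recognised as the same machine, which is what the original question asked for. The ARP snapshots and the scan results are constructed sample data; the scan-result shape (open ports plus OS guess per IP) is an assumption, not nmap's output format.

```python
"""Tie scan results to hosts by MAC address using the local ARP cache.

Added example (not from the original thread and not nmap code). Parses the
text format of Linux /proc/net/arp and keys two per-IP scan snapshots by
MAC, so a machine whose DHCP lease changed between scans is still seen as
one machine. All snapshots and scan results below are constructed samples.
"""
from typing import Dict, List, Tuple

ATF_COM = 0x2  # flag bit set on complete (resolved) ARP entries

# Constructed /proc/net/arp contents, same column layout as the kernel file.
ARP_SNAPSHOT_1 = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.10     0x1         0x2         00:0c:29:3a:1b:7c     *        eth0
192.168.1.11     0x1         0x2         00:50:56:a1:22:33     *        eth0
192.168.1.12     0x1         0x0         00:00:00:00:00:00     *        eth0
"""
ARP_SNAPSHOT_2 = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.23     0x1         0x2         00:0C:29:3A:1B:7C     *        eth0
192.168.1.11     0x1         0x2         00:50:56:a1:22:33     *        eth0
"""

# Constructed per-IP scan results in the shape the original poster describes
# (open ports and OS guess, keyed by the IP current at scan time). Assumed
# layout, not nmap's own output format.
SCAN_1 = {
    "192.168.1.10": {"ports": [22, 80], "os": "Linux 2.2.x"},
    "192.168.1.11": {"ports": [139], "os": "Windows NT4"},
    "192.168.1.12": {"ports": [23], "os": "unknown"},   # ARP entry incomplete
}
SCAN_2 = {
    "192.168.1.23": {"ports": [22, 80, 443], "os": "Linux 2.2.x"},
    "192.168.1.11": {"ports": [139], "os": "Windows NT4"},
}


def parse_proc_net_arp(text: str) -> Dict[str, str]:
    """Return {ip: mac} for complete entries; incomplete ones carry a zero MAC."""
    table: Dict[str, str] = {}
    for line in text.splitlines()[1:]:          # first line is the header
        fields = line.split()
        if len(fields) < 6:
            continue
        ip, flags, mac = fields[0], int(fields[2], 16), fields[3].lower()
        if flags & ATF_COM and mac != "00:00:00:00:00:00":
            table[ip] = mac
    return table


def key_by_mac(scan: Dict[str, dict],
               arp: Dict[str, str]) -> Tuple[Dict[str, dict], List[str]]:
    """Re-key a per-IP scan by MAC; IPs with no resolved ARP entry are listed separately."""
    by_mac: Dict[str, dict] = {}
    untied: List[str] = []
    for ip, result in scan.items():
        mac = arp.get(ip)
        if mac is None:
            untied.append(ip)           # cannot be tied to a physical host
        else:
            by_mac[mac] = dict(result, ip=ip)
    return by_mac, untied


def diff_by_mac(scan_a, arp_a, scan_b, arp_b):
    """Compare two scans host-by-host (by MAC), flagging IP and port changes."""
    a, untied_a = key_by_mac(scan_a, arp_a)
    b, untied_b = key_by_mac(scan_b, arp_b)
    report = {}
    for mac in sorted(a.keys() & b.keys()):
        report[mac] = {
            "ip_changed": a[mac]["ip"] != b[mac]["ip"],
            "new_ports": sorted(set(b[mac]["ports"]) - set(a[mac]["ports"])),
            "closed_ports": sorted(set(a[mac]["ports"]) - set(b[mac]["ports"])),
        }
    return report, untied_a + untied_b


if __name__ == "__main__":
    # On a live Linux box, read the real cache right after the scan, while the
    # entries for the scanned hosts are still fresh:
    #   arp_now = parse_proc_net_arp(open("/proc/net/arp").read())
    report, untied = diff_by_mac(SCAN_1, parse_proc_net_arp(ARP_SNAPSHOT_1),
                                 SCAN_2, parse_proc_net_arp(ARP_SNAPSHOT_2))
    for mac, changes in report.items():
        print(mac, changes)
    print("not tied to any MAC:", untied)
```

Two caveats a practitioner should keep in mind: the ARP cache only holds entries for hosts the scanning box exchanged frames with recently on the same broadcast domain, so read it immediately after the scan, and hosts whose entry never completed (like 192.168.1.12 above) simply cannot be tied to a MAC. And, as the reply notes, a MAC is trivially spoofable, so this identifies an interface across lease changes; it is not proof of identity.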


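The "send out a fake dhcp request and see if you get a reply" probe from the reply, as an added example that is not part of the original post and not nmap code. It builds a DHCPDISCOVER following the RFC 2131 message layout, parses a DHCPOFFER (message type option 53, server identifier option 54, offered address in yiaddr), and also constructs a sample OFFER so the parser can be exercised without a network. The client MAC in the live probe is a made-up, locally administered value so the probe never touches the probing host's own lease; sending requires root (it binds UDP port 68) and only reaches servers on the local broadcast domain or behind a relay, which is the same "you have to be on the subnet" limit the reply describes.

```python
"""Probe for a DHCP server with a DHCPDISCOVER and parse the DHCPOFFER.

Added example (not from the original thread, not nmap code). Message layout
follows RFC 2131 / RFC 2132. build_offer() exists only to construct a sample
reply so parse_reply() can be exercised offline.
"""
import os
import socket
import struct
import time

FIXED_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # 236-byte fixed BOOTP header
MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
DHCPDISCOVER, DHCPOFFER = 1, 2
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
ZERO4 = b"\0" * 4


def build_discover(mac: bytes, xid: int) -> bytes:
    """DHCPDISCOVER with the broadcast flag set, so the reply need not be unicast to us."""
    if len(mac) != 6:
        raise ValueError("need a 6-byte MAC")
    fixed = struct.pack(FIXED_FMT, BOOTREQUEST, 1, 6, 0, xid, 0, 0x8000,
                        ZERO4, ZERO4, ZERO4, ZERO4,
                        mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER, OPT_END])
    return fixed + MAGIC_COOKIE + options


def build_offer(xid: int, mac: bytes, yiaddr: str, server: str) -> bytes:
    """Constructed DHCPOFFER, used here only as sample input for parse_reply()."""
    fixed = struct.pack(FIXED_FMT, BOOTREPLY, 1, 6, 0, xid, 0, 0,
                        ZERO4, socket.inet_aton(yiaddr), socket.inet_aton(server), ZERO4,
                        mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = (bytes([OPT_MSG_TYPE, 1, DHCPOFFER, OPT_SERVER_ID, 4])
               + socket.inet_aton(server) + bytes([OPT_END]))
    return fixed + MAGIC_COOKIE + options


def parse_options(data: bytes) -> dict:
    """Decode the TLV option area that follows the magic cookie."""
    opts, i = {}, 240
    while i < len(data):
        code = data[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END or i + 1 >= len(data):   # end marker or truncated TLV
            break
        length = data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def parse_reply(data: bytes, xid: int):
    """Return {'offered_ip', 'server'} for a DHCPOFFER matching our xid, else None."""
    if len(data) < 240 or data[236:240] != MAGIC_COOKIE:
        return None
    op, _htype, _hlen, _hops, rxid = struct.unpack("!BBBBI", data[:8])
    if op != BOOTREPLY or rxid != xid:
        return None                      # not a reply, or not to our request
    opts = parse_options(data)
    if opts.get(OPT_MSG_TYPE) != bytes([DHCPOFFER]):
        return None
    server = socket.inet_ntoa(opts[OPT_SERVER_ID]) if OPT_SERVER_ID in opts else None
    return {"offered_ip": socket.inet_ntoa(data[16:20]), "server": server}


def probe(timeout: float = 3.0):
    """Broadcast one DISCOVER and wait for an OFFER. Needs root (binds UDP 68)."""
    xid = int.from_bytes(os.urandom(4), "big")
    mac = bytes.fromhex("02" + os.urandom(5).hex())   # made-up, locally administered
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
    s.bind(("", 68))
    s.sendto(build_discover(mac, xid), ("255.255.255.255", 67))
    deadline = time.monotonic() + timeout
    try:
        while time.monotonic() < deadline:
            s.settimeout(max(deadline - time.monotonic(), 0.01))
            data, (src, _) = s.recvfrom(4096)
            offer = parse_reply(data, xid)
            if offer:
                return dict(offer, from_addr=src)
    except socket.timeout:
        pass
    finally:
        s.close()
    return None


if __name__ == "__main__":
    print(probe() or "no DHCP offer seen")
```

Stop at the OFFER: never send the follow-up DHCPREQUEST, so the only side effect is that the server holds the offered address for a short while. Option 54 in the reply is the server identifier, which is the address worth recording alongside the scan, since with several servers answering (or a rogue one) each OFFER names its own.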
