Penetration Testing mailing list archives
RE: Using ARP to map a network
From: "Dario Ciccarone" <dciccaro () cisco com>
Date: Sun, 9 Feb 2003 18:53:51 -0300
> > would that mean "mapping a network without sending out any packet"? Could be done, more or less - but at least you need to send ARP replies . . .
>
> On a HUB there would be absolutely no reason to send out ARP replies, and on a switch, ARP poisoning could hardly be called passive imho. Further, even on a switch you should be able to do some passive information gathering based purely on ARP request (and other broadcast traffic) analysis. MAC addresses give by their very nature information on what vendor made the NIC or device. If you combine this with analysis of ARP source/destination pairings, and other broadcast traffic from the same MAC addresses, you should be able to do a reasonable amount of analysis on only captured broadcast traffic.

Agreed - I was supposing that there were switches, not hubs. I tend to forget people do still use hubs ;)

> > Once you have the table, start spoofing ARP Replies, sending your MAC out for every known IP, and then start relaying traffic for both ends of the conversation.
>
> This is absolutely not passive, in fact this is one of the most intrusive forms around. You do not want to use these unless you have absolutely no other options left.

I took "passive" as "no port scan, no ping sweep. No sending of IP packets. Make as little noise as possible". If we take "passive" as "no sending packets at all, just listening" I agree with you: lots of information to get on a hub, little on a switch, even less in some scenarios (on a very well configured net, you could see no L2 broadcasts at all, no ARP requests, no ARP replies - just traffic from/to your port).

> > at the same time, something like p0f should tell you the OS the host is running. some tcpdump and streams together should give you an idea of services on each host - not 100% accurate, but . . . for (b), process is like (a), but spoofing the default gateway on the network, to identify remote hosts. some caveats: not foolproof, not 100% accurate, no detection of remote hosts if no one on your net talks to them ;)
>
> Some more: intrusive, known to set off IDS systems, NOT PASSIVE !!!

Some :) - not all IDS systems check for L2 attacks like ARP spoofing :) The only real passive way would be to only listen - but as I said, in some scenarios, only listening is going to get you nowhere . . .

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
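The purely passive approach Rob describes (building a host table from captured ARP requests and replies, reading the vendor off the MAC's OUI, and noting which hosts ask for which), together with the point that an IP suddenly answered from a second MAC is exactly what an L2-aware monitor would flag, as an added worked example that is not part of the original thread or of any tool named in it. It parses raw Ethernet/ARP frames with `struct`, so it needs no capture library; the frames it reads are constructed inline and labelled as such, the three-entry OUI table is an assumption standing in for the IEEE registry, and the function and constant names (`passive_map`, `parse_arp`, `SAMPLE_FRAMES`) are mine.

```python
"""Passive ARP mapping over captured Ethernet frames.

Added example, not from the original thread: it parses only frames
constructed below, sends nothing, and builds the tables a listener on a
hub (or on a switch, for the broadcast requests it can see) can assemble
from ARP traffic alone.
"""
import struct
from collections import defaultdict

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

# Assumed, deliberately tiny OUI table for the demo; a real tool loads the IEEE registry.
OUI_VENDORS = {"00:0c:29": "VMware", "00:1b:21": "Intel", "00:50:56": "VMware"}


def mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))


def ip_bytes(s):
    return bytes(int(o) for o in s.split("."))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def vendor(mac):
    """Look the first three octets (the OUI) up in the assumed table."""
    return OUI_VENDORS.get(mac[:8], "unknown")


def build_arp(op, sha, spa, tha, tpa):
    """Build an Ethernet/ARP frame; used only to construct the sample capture."""
    dst = "ff:ff:ff:ff:ff:ff" if op == ARP_REQUEST else tha
    eth = ETH_HDR.pack(mac_bytes(dst), mac_bytes(sha), ETHERTYPE_ARP)
    arp = ARP_PKT.pack(1, 0x0800, 6, 4, op, mac_bytes(sha), ip_bytes(spa),
                       mac_bytes(tha), ip_bytes(tpa))
    return eth + arp


def parse_arp(frame):
    """Return (op, sha, spa, tha, tpa) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        return None
    _dst, _src, ethertype = ETH_HDR.unpack_from(frame)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, mac_str(sha), ip_str(spa), mac_str(tha), ip_str(tpa)


def passive_map(frames):
    """From captured frames only, build the IP->MAC table, the who-asks-for-whom
    pairs, and the IPs claimed by more than one MAC (the trace left by the
    ARP-reply spoofing discussed in the thread). Nothing is transmitted."""
    hosts = defaultdict(set)   # ip -> MACs seen claiming it
    pairs = set()              # (requesting ip, requested ip)
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue           # not IPv4-over-Ethernet ARP: ignore
        op, sha, spa, tha, tpa = parsed
        if spa != "0.0.0.0":   # ARP probes (RFC 5227) carry a zero sender IP
            hosts[spa].add(sha)
        if op == ARP_REQUEST:
            pairs.add((spa, tpa))
        elif op == ARP_REPLY:
            hosts[tpa].add(tha)  # a reply's target is the host that asked
    conflicts = {ip: sorted(macs) for ip, macs in hosts.items() if len(macs) > 1}
    return dict(hosts), pairs, conflicts


# Constructed capture: a normal request/reply, a second requester, one spoofed
# reply claiming the gateway's IP from another MAC, and one non-ARP frame.
SAMPLE_FRAMES = [
    build_arp(ARP_REQUEST, "00:1b:21:aa:bb:cc", "10.0.0.5", "00:00:00:00:00:00", "10.0.0.1"),
    build_arp(ARP_REPLY,   "00:0c:29:11:22:33", "10.0.0.1", "00:1b:21:aa:bb:cc", "10.0.0.5"),
    build_arp(ARP_REQUEST, "00:50:56:de:ad:01", "10.0.0.7", "00:00:00:00:00:00", "10.0.0.5"),
    build_arp(ARP_REPLY,   "00:50:56:de:ad:01", "10.0.0.1", "00:1b:21:aa:bb:cc", "10.0.0.5"),
    ETH_HDR.pack(mac_bytes("ff:ff:ff:ff:ff:ff"), mac_bytes("00:1b:21:aa:bb:cc"), 0x0800)
    + b"\x45" + bytes(27),
]

if __name__ == "__main__":
    hosts, pairs, conflicts = passive_map(SAMPLE_FRAMES)
    for ip, macs in sorted(hosts.items()):
        print(ip, [(m, vendor(m)) for m in sorted(macs)])
    print("talk pairs:", sorted(pairs))
    print("IPs claimed by more than one MAC:", conflicts)
```

On a switch a listener generally sees only the broadcast requests plus the replies addressed to its own port, so `pairs` (who resolves whom) is the part that survives there, while the `conflicts` table depends on seeing the replies; feeding the same function frames read from a real capture instead of `SAMPLE_FRAMES` gives the passive-only picture Dario and Rob agree is all you get without transmitting.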
Current thread:
- Using ARP to map a network Jason Lewis (Feb 04)
- RE: Using ARP to map a network Rob Shein (Feb 05)
- RE: Using ARP to map a network Jason Lewis (Feb 05)
- RE: Using ARP to map a network Dario N. Ciccarone (Feb 06)
- RE: Using ARP to map a network Rob J Meijer (Feb 09)
- RE: Using ARP to map a network Dario Ciccarone (Feb 09)
- RE: Using ARP to map a network Jason Lewis (Feb 05)
- RE: Using ARP to map a network Rob Shein (Feb 06)
- RE: Using ARP to map a network Rob Shein (Feb 05)
- Re: Using ARP to map a network Rob J Meijer (Feb 09)
- Re: Using ARP to map a network planz (Feb 12)
- Re: Using ARP to map a network Jason Lewis (Feb 05)