Home page logo

Nmap Announce mailing list archives

Re: nmap VS DHCP
From: Justin <jguyett () andrew cmu edu>
Date: Thu, 25 May 2000 06:10:18 -0400 (EDT)

On Wed, 24 May 2000, Ajay Gupta2 wrote:

Since the network was using DHCP and not all machines had
host names, there was little to tie the remaining data (IP address, open
ports & OS) to the machines on the network, as the IP addresses (by
which machines are generally identified) changed between the scans. 
Therefore, these nmap scan results are less valuable for fingerprinting
as the data is not tied directly to the machines.  Is it possible to
having nmap identify MAC addresses which is less likely to change (I
believe this was discussed some time ago on this list).  In the least,
is it possible for nmap to inform whether or not the network is running

Unless you can somehow get on the same subnet as the person you want to
find the MAC of, or you can get on the same switch and manage to trick it
into re-learning it's MAC table (and flooding to all ports in the
process), you're pretty much out of luck.

If you're on the subnet, not only could you pretty trivially change the
output of nmap to include mac addresses, but you could send out a fake
dhcp request and see if you get a reply and log that too.  Just look at
the arp.c for your architecture and modify it appropriately, or in linux
you could just look through /proc/net/arp.

MAC addresses are trivially easy to change though; anyone can download
changemac (search for it on rootshell, packetstorm) and layer-2 spoof as
anyone they want.

Of course, there are ways to piss of your resident net admins that 
are infinitely more fun... like replying to arp requests with ethernet
broadcast addresses...


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]