Log 0.1 - ARP Fingerprinting
“That was a really cool trick you did with your phone”, Michael said, slightly deepening his voice and passing a credit card to the waitress.
She looked up. “Please enter your PIN number, sir.” “What trick?” she inquired.
“Didn’t you send that bluetooth message to my phone?”
“Ermm... you lost me, sir?” the waitress answered with a curious look on her face.
Lost for words, Michael ignored her question and kept his eyes on the device in her hands. The transaction was certainly taking its time… the wait reminded him of those Sunday morning soap operas his grandmother used to insist he watch.
The head of the receipt appeared from the top of the POS data collector. Michael took the card and receipt and exited the restaurant without saying another word.
Embarrassed, he made his way back down the road toward the bank he had been commissioned to test for the day.
Relaxing in front of his laptop, Michael eagerly looked at his screen, trying to forget his silly restaurant experience.
“My port scans should be just about done by now,” Michael groaned, raising his arms to the air and letting out a yawn.
The test was simply to locate critical vulnerabilities in some of the bank's key servers, or at least in duplicates of the key servers built on a VMware test lab. The idea behind using a VMware test lab was to prevent downtime or data corruption from any of Michael’s simulated attack scenarios.
nmap had almost finished its port scan…
Michael looked over his typescript file, containing the arp-fingerprint results (one line per host: IP address, the 11-bit response fingerprint, then the operating systems known to produce that fingerprint):

$ for I in `cat hosts.txt` ; do arp-fingerprint -o "-I eth0" $I ; done
10.1.9.1    01000100000   Linux 2.2, 2.4, 2.6
10.1.9.5    01000100000   Linux 2.2, 2.4, 2.6
10.1.9.9    11110110000   Solaris 2.5.1, 2.6, 7, 8, 9, 10, HP-UX 11
10.1.9.10   11110110000   Solaris 2.5.1, 2.6, 7, 8, 9, 10, HP-UX 11
10.1.9.11   11110110000   Solaris 2.5.1, 2.6, 7, 8, 9, 10, HP-UX 11
10.1.9.12   11110110000   Solaris 2.5.1, 2.6, 7, 8, 9, 10, HP-UX 11
10.1.9.15   11110100000   FreeBSD 5.3, Win98, WinME, NT4, 2000, XP, 2003
- http://www.nta-monitor.com/tools/arp-scan/
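An added example, not part of the original post or of the arp-scan project: a small parser for the arp-fingerprint output format shown above that reduces each host's OS guess list to coarse OS families and compares the result against an asset inventory, so a defender running the same scan on their own subnet can spot hosts whose layer-2 fingerprint disagrees with what the inventory says they run. The sample output and the inventory are constructed for illustration.

```python
import re

# Constructed sample in the same format as the typescript above (prompt line included
# to show that non-result lines are skipped): IP, 11-bit fingerprint, OS guesses.
ARP_FP_OUTPUT = """\
$ for I in `cat hosts.txt` ; do arp-fingerprint -o "-I eth0" $I ; done
10.1.9.1 01000100000 Linux 2.2, 2.4, 2.6
10.1.9.5 01000100000 Linux 2.2, 2.4, 2.6
10.1.9.9 11110110000 Solaris 2.5.1, 2.6, 7, 8, 9, 10, HP-UX 11
10.1.9.15 11110100000 FreeBSD 5.3, Win98, WinME, NT4, 2000, XP, 2003
"""

LINE_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+([01]{11})\s+(.*)$")

# Prefix of an OS guess -> coarse family. Version-only tokens ("2.6", "7", "2000")
# inherit the family of the preceding named guess.
FAMILY_HINTS = {"Linux": "linux", "Solaris": "solaris", "HP-UX": "hpux",
                "FreeBSD": "freebsd", "Win": "windows", "NT4": "windows"}

def parse_arp_fingerprint(text):
    """Return {ip: (fingerprint, set of OS families)} from arp-fingerprint output."""
    hosts = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # shell prompt, blank line, or anything that is not a result
        ip, fp, guesses = m.groups()
        families, current = set(), None
        for token in (g.strip() for g in guesses.split(",")):
            fam = next((f for h, f in FAMILY_HINTS.items() if token.startswith(h)), current)
            if fam:
                families.add(fam)
            current = fam
        hosts[ip] = (fp, families)
    return hosts

def check_inventory(hosts, expected):
    """Return [(ip, reason)] for hosts missing from the inventory or whose
    fingerprint does not support the OS family the inventory claims."""
    findings = []
    for ip, (fp, families) in hosts.items():
        if ip not in expected:
            findings.append((ip, "not in inventory"))
        elif expected[ip] not in families:
            findings.append((ip, f"expected {expected[ip]}, fingerprint {fp} "
                                 f"suggests {'/'.join(sorted(families))}"))
    return findings

if __name__ == "__main__":
    # Constructed inventory: 10.1.9.5 is undocumented, 10.1.9.15 is recorded as Linux.
    inventory = {"10.1.9.1": "linux", "10.1.9.9": "solaris", "10.1.9.15": "linux"}
    for ip, reason in check_inventory(parse_arp_fingerprint(ARP_FP_OUTPUT), inventory):
        print(f"{ip}: {reason}")
```

A fingerprint only narrows the host to the families in its guess list, so a mismatch is a prompt to look closer, not a verdict.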
Also worth mentioning that ARP scanning can be done with popular tools such as nmap and Cain (for those that are too lazy to download a different tool :-) ).
My favorite nmap arp scan command:
nmap -n -T5 -sP -PR 192.168.1.0/24
In Cain:
Sniffer/Hosts/(Right-click) Scan MAC Addresses
pagvac,
Yeh, but can they perform ARP OS Fingerprinting? :)
No, they *cannot* do ARP OS fingerprinting. I was simply referring to ARP scanning (2nd-layer enumeration of live hosts in current subnet). Sorry about the confusion :-(.
However, let’s remember that sometimes by simply getting the OID (first-half of the MAC address) you can tell a lot about the target by looking up the vendor name, but obviously it’s *not* as accurate as OS fingerprinting.
So yes, users interested in 2nd-layer OS *fingerprinting* should then use a tool such as arp-scan, as mentioned by dwk.