Discussion:
NMAP and MAC Addresses
Sydie, Colin
2008-02-13 00:10:37 UTC
Hello,

I need a little help with NMAP. I'm trying to run it on a network in
which I wish to return MAC addresses from every system. These systems
can be anything from Microsoft to Linux to Other. I want to retrieve
everything with a MAC address based on an IP address query.

I can get it to work on the same subnet however; I can't seem to
retrieve MAC addresses from systems on a different subnet. Is there a
way to retrieve MAC addresses from any subnet using NMAP?

Thanks,

Colin Sydie
Dario Ciccarone (dciccaro)
2008-02-13 00:33:07 UTC
The question shows lack of understanding of how an IP network works.

Local network = ARP, encap L3 on L2, transmit.

Non-local = ARP for default gateway, encap on L2 frame to local gateway,
drop into the wire.

Comer and Stevens, or just Stevens. If on a budget,
http://www.redbooks.ibm.com/Redbooks.nsf/RedbookAbstracts/gg243376.html

So - neither nmap nor any other tool will be able to give you the MAC
address of a device outside your L2 broadcast domain. Well, actually you
can try a "nbtstat -A <ip_address>" for Windows machines.

Dario
Brandon Enright
2008-02-13 00:38:05 UTC
You're right, of course. I'll point out though that Nmap does have
nbstat.nse for trying to divine MAC addresses from Windows boxes.

And then outside of Nmap, there is always SNMP to query the router for a
given VLAN.

Brandon
Dario Ciccarone (dciccaro)
2008-02-13 00:42:26 UTC
I won't comment on nbstat.nse as I'm still using the same options on
nmap that I've been using since about v2.x - never ask me what I think
about the new features ;)

About the second comment - hm. I do work for Cisco, yeah, but I don't do
network management. With that caveat: I have no clue if we have any MIB
that can be queried in order to get something akin to the output of a
"show mac add dyn".

Not to mention: for that to work, you would need for the remote device
to (a) be configured for SNMP, (b) to allow queries from your IP
address, (c) for you to know, depending on the access required to said
counters, either the read or write community string.

Other than that - I agree :)

Dario
d***@hcsw.org
2008-02-13 01:05:55 UTC
Post by Brandon Enright
You're right, of course. I'll point out though that Nmap does have
nbstat.nse for trying to divine MAC addresses from Windows boxes.
And then outside of Nmap, there is always SNMP to query the router for a
given VLAN.
Aha! Excellent point. That reminds me that there are also many match lines
in the nmap-service-probes DB that extract MAC addresses from things like
WAPs, routers, and embedded devices that blurt it out on connect. A
couple of examples:

match http m|^HTTP/1\.1 \d\d\d .*\r\nWWW-Authenticate: Basic realm=\"CANOPY ([\w-]+)\"\r\n|s p/Motorola Canopy WAP http config/ d/WAP/ i/MAC $1/

match telnet m|^\xff\xfe\"\xff\xfb\x01\xff\xfb\x03User : \r\n\r?SpeedTouch \(([\w-]+)\)\r\n\r?Password : Invalid Password\r\n\r?Closing connection\r\n| p/Alcatel SpeedTouch DSL router/ i/MAC $1/ d/router/

match ncd-diag m|^WinCE/WBT Diagnostic port\n\rSerial Number: (\w+) MAC Address: 0000(\w+)\s+.*CPU info: ([ -.+\w/ ]+)\r\n.*(Windows CE Kernel[-.+:\w ]+)\r|s p|NCD Thinster Terminal Diagnostic port| i|Serial# $1; MAC: $2; CPU: $3; $4|

Best,

Doug
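Added example, not code from the post or from Nmap itself: a small Python parser for match lines in the nmap-service-probes syntax that applies them to a captured banner and pulls the MAC address out of the expanded `i/.../` info field. The Canopy and NCD match lines are the ones quoted above; the two banners, the MAC normalisation and all function names are constructed for this illustration.

```python
import re

# Match lines in nmap-service-probes syntax: the Canopy and NCD lines quoted in
# the post above (line-wrap spaces removed). The parser is an added illustration.
MATCH_LINES = [
    r'match http m|^HTTP/1\.1 \d\d\d .*\r\nWWW-Authenticate: Basic realm=\"CANOPY ([\w-]+)\"\r\n|s p/Motorola Canopy WAP http config/ d/WAP/ i/MAC $1/',
    r'match ncd-diag m|^WinCE/WBT Diagnostic port\n\rSerial Number: (\w+) MAC Address: 0000(\w+)\s+.*CPU info: ([ -.+\w/ ]+)\r\n.*(Windows CE Kernel[-.+:\w ]+)\r|s p|NCD Thinster Terminal Diagnostic port| i|Serial# $1; MAC: $2; CPU: $3; $4|',
]

# Constructed banners (not captures from real devices) shaped to fit the lines above.
CANOPY_BANNER = (b'HTTP/1.1 401 Unauthorized\r\nServer: Canopy\r\n'
                 b'WWW-Authenticate: Basic realm="CANOPY 0a003e112233"\r\n\r\n')
NCD_BANNER = (b'WinCE/WBT Diagnostic port\n\rSerial Number: NCD0042 MAC Address: '
              b'0000001122aabbcc  CPU info: StrongARM SA1110\r\n'
              b'OS: Windows CE Kernel 3.00\r')

HEAD_RE = re.compile(r'^(match|softmatch)\s+(\S+)\s+m(.)')
FIELD_RE = re.compile(r'([a-z]+)(.)')   # version-field key followed by its delimiter
MAC_RE = re.compile(r'(?i)\bMAC:?\s*((?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}|[0-9a-f]{12})\b')


def parse_match_line(line):
    """Split a match line into (service, compiled bytes regex, version fields)."""
    head = HEAD_RE.match(line)
    if head is None:
        raise ValueError('not a match line: %r' % line[:40])
    service, delim = head.group(2), head.group(3)
    end = line.index(delim, head.end())       # the pattern cannot contain its delimiter
    pattern = line[head.end():end]
    rest = line[end + 1:]
    flags = 0
    while rest and rest[0] in 'si':           # the only regex options the format allows
        flags |= re.DOTALL if rest[0] == 's' else re.IGNORECASE
        rest = rest[1:]
    fields = {}
    rest = rest.strip()
    while rest:                               # p/.../ d/.../ i/.../ ...; cpe:/.../ not handled
        fm = FIELD_RE.match(rest)
        if fm is None:
            raise ValueError('bad version field: %r' % rest[:20])
        fend = rest.index(fm.group(2), fm.end())
        fields[fm.group(1)] = rest[fm.end():fend]
        rest = rest[fend + 1:].lstrip()
    # Banners are raw bytes, so compile a bytes pattern (\xff and friends stay meaningful).
    return service, re.compile(pattern.encode('latin-1'), flags), fields


def expand_template(template, m):
    """Substitute $1, $2, ... in a version field with the regex capture groups."""
    return re.sub(r'\$(\d+)',
                  lambda g: (m.group(int(g.group(1))) or b'').decode('latin-1'),
                  template)


def normalise_mac(raw):
    """'0a003e112233' or '0a-00-3e-11-22-33' -> '0a:00:3e:11:22:33'."""
    hexdigits = re.sub(r'[^0-9a-fA-F]', '', raw).lower()
    return ':'.join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def extract_mac(banner, probes=MATCH_LINES):
    """Return (service, product, mac) for the first line matching the banner, else None."""
    for line in probes:
        service, rx, fields = parse_match_line(line)
        m = rx.search(banner)
        if m is None:
            continue
        info = expand_template(fields.get('i', ''), m)
        mac = MAC_RE.search(info)
        return service, fields.get('p', ''), normalise_mac(mac.group(1)) if mac else None
    return None
```

Only devices whose banner leaks the address this way are covered; the matcher says nothing about hosts that stay quiet, which is the limitation the rest of the thread is about.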
Dario Ciccarone (dciccaro)
2008-02-13 00:45:47 UTC
Here. Let me share with you how this works - not on this list but on any
list.

Someone shows up. Asks a question. People with an understanding of the
issue reply trying to help the person.

It isn't actually my responsibility to locate the tool. Feel free to
send us all a link, and I will find the time to (a) read the docs, (b)
install it, and (c) get a packet capture while the tool is running to
understand how it can magically bend the rules of the protocol.

Having said that, let me share with you a link -
http://catb.org/~esr/faqs/smart-questions.html

Pay special attention to
http://catb.org/~esr/faqs/smart-questions.html#keepcool

Thanks,
Dario
Dario Ciccarone (dciccaro)
2008-02-13 01:30:15 UTC
I'm sorry. Yeah, I was just flapping my gums.

Will let people who actually know this stuff help you out.

Thanks,
Dario

Dario Ciccarone <***@cisco.com>
Incident Manager - CCIE #10395
Product Security Incident Response Team (PSIRT)
Cisco Systems, Inc.
PGP Key ID: 0xBA1AE0F0
http://www.cisco.com/go/psirt
Sydie, Colin
2008-02-13 01:19:12 UTC
Don't take it personal!

You stated, "So - neither nmap nor any other tool will be able to give
you the MAC address of a device outside your L2 broadcast domain."

That's a bold statement to make considering it can be done.

Here is the tool:
http://www.youngzsoft.net/cc-get-mac-address/cmacsetup.exe

If you don't know the answer, don't give BS responses.

Jay Chandler
2008-02-13 01:42:50 UTC
Allow me to point out a few things which you are unaware of, apparently.
Post by Sydie, Colin
Don't take it personal!
You stated, "So - neither nmap nor any other tool will be able to give
you the MAC address of a device outside your L2 broadcast domain."
That's a bold statement to make considering it can be done.
http://www.youngzsoft.net/cc-get-mac-address/cmacsetup.exe
He is correct. The tool you linked works SPECIFICALLY by using
Microsoft's NetBIOS technology, as previous posters have stated is
possible using nmap's scripting engine. This ONLY works on hosts
running a Microsoft operating system. Deriving a MAC address from a
host outside of your subnet is not possible using TCP/IP. It's also
technically possible to remote in using VNC and pull the MAC from the
network properties, but THAT'S not going to be built into nmap or any
other tool either!
Post by Sydie, Colin
If you don't know the answer, don't give BS responses.
Two points. 1. He's a CCIE, which is often referred to as "The
doctorate of networking." 2. Given that he's emailing from a cisco.com
email address, I'm willing to bet my paycheck against an ice cream cone
that he knows more about this than you do; Cisco doesn't hire idiots.
His response was completely accurate, whereas it's becoming increasingly
apparent that you haven't got the foggiest idea what you're talking
about, which is fine. What's not fine is your disturbing propensity to
be a raging jerk about it.

You strike me as the kind of person who walks around the emergency room
correcting the doctors on their diagnoses based on something you saw on
an episode of House...
--
Jay Chandler / KB1JWQ
Living Legend / Systems Exorcist
Today's Excuse: failed trials, system needs redesigning
Rob Nicholls
2008-02-13 01:44:26 UTC
Wasn't the original question posed to the list:

"Is there a way to retrieve MAC addresses from any subnet using NMAP?"

Dario answered that with a detailed answer that he probably hoped would
explain to Colin why the answer is basically a "no" (because IP networks
don't work that way).

Colin said he is trying to get the MAC address of *every* device (including
"Microsoft to Linux to Other"). So how exactly does "Locate a product called
"CC Get MAC Address"" answer the question that was posed to this list? If
Colin had looked into it in a bit more detail, the CC Get MAC Address tool
clearly states "CCGMA is based on Microsoft Netbios technology" so...

a) you can do exactly the same thing (for free; CCGMA is shareware and costs
money) using Nmap with the nbstat.nse script (or through Windows' built-in
nbtstat tool, which is also free)

b) you still won't get a MAC address for Linux or Other devices (or Windows
devices that are filtering NetBIOS traffic).

There is no good answer. You might be able to get some information through
NetBIOS, some through SNMP (if it's enabled and you have the right community
string), or some other kind of voodoo mechanism, but AFAIK there is no
definitive way to get the information that Colin appears to be seeking.

Regards,

Rob
Sydie, Colin
2008-02-13 00:40:28 UTC
The answer shows lack of knowledge of products that are available.

Locate a product called "CC Get MAC Address" and discover the utility
does provide MAC address feedback from devices on alternate subnets.
The issue with this product is that I cannot run it as a stand-alone
service and provide the STD OUT result.

Not a good answer.