RARP Ip to MAC resolution... HELP!
20 years 8 months ago #3281
by sahirh
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
Replied by sahirh on topic Re: RARP Ip to MAC resolution... HELP!
Ok, here are a couple of suggestions and answers to your questions.
First off, I really think you should use SNMP; it's called the Simple Network Management Protocol because it's made for stuff like this. The way you would probably use it in this case is to find out the MIB for your switch (the MIB is nothing but a hierarchical set of parameters that you can query; an example might be something like system.arp.cache). With SNMP you can query and write to the device if you know the right 'community string', sorta like a password. Make sure you use the newer version of SNMP, not SNMPv1, because that's terribly insecure. I can't remember whether the current is 2 or 3.
Second -- the telnet session is a neat idea, but a big no-no. Telnet is totally unencrypted; you wouldn't want to take the chance of someone seeing that password floating by and snarfing it up. Just to give you an example, using ettercap someone can not just sniff the password but actually hijack the telnet session and take it over without you knowing.
As far as using SNMP in your VB app goes, google for 'SNMP activex control' or 'SNMP ocx'; it turned up a lot of matches, but I didn't try any of them.
Ok, now to convert a MAC to an IP you use RARP (as you'd said in your first post). I don't know of any RARP util coming bundled with either Linux or Windows. However, look around, there will be many (otherwise write your own with raw sockets, shouldn't be too difficult).
Now, when you need to send a packet to IP x.x.x.x, your operating system first checks whether that IP is in your subnet or not. If it's not, it sends it to the default gateway (i.e. router). If it is, and it doesn't know the MAC address, it sends an ARP request packet as a broadcast which says 'Which machine has the IP x.x.x.x'; the switch knows this is a broadcast packet and floods it to all the ports. Whichever machine has that IP will respond with an ARP reply saying 'I have IP x.x.x.x and my MAC address is yy-yy-yy-yy-yy-yy'. As an interesting side note, this is a quick way to catch a worm on your network: if you see one machine completely ARP flooding your subnet then you can be pretty sure that that machine is scanning for other hosts in some way.
All computers don't respond when you ping the broadcast address because it is not a requirement in the RFC. Thus this is never an accurate way of discovering hosts on the LAN but can be used to fingerprint which o/s a machine uses.
I wouldn't mind looking at the source even in its incomplete form.
As a side note to your IDS idea, I like it, but keep in mind that most decent switches can already do this, or at least most of our beautiful Cisco hardware does this. It's called port security and lets you have various configurations of MAC addresses to various ports, preventing people from just plugging in.
Reference this earlier post to learn more about it
www.firewall.cx/modules.php?name=Forums&...=viewtopic&t=595
or the PDF from Cisco
www.cisco.com/univercd/cc/td/doc/product.../2950scg/swtrafc.pdf
You can also google for 'port security sticky', we turn up as the third link not bad eh
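The ARP-flood observation in the post above, as an added example that is not part of the thread or of the StackStat source: it parses raw Ethernet/ARP frames and flags any sender that asks for many distinct IPs in a short window. The function names, the 10-second window, the threshold of 20 and the sample frames are all assumptions constructed for illustration.

```python
import struct
from collections import defaultdict

BROADCAST = b"\xff" * 6          # Ethernet destination of every ARP request
ARP_FMT = "!HHBBH6s4s6s4s"       # htype, ptype, hlen, plen, op, sha, spa, tha, tpa

def build_arp_request(src_mac, src_ip, target_ip):
    """Constructed sample frame: 14-byte Ethernet header + 28-byte ARP request."""
    eth = BROADCAST + src_mac + struct.pack("!H", 0x0806)
    return eth + struct.pack(ARP_FMT, 1, 0x0800, 6, 4, 1,
                             src_mac, bytes(src_ip), b"\x00" * 6, bytes(target_ip))

def parse_arp(frame):
    """Return (opcode, sender_mac, target_ip) or None if not Ethernet/IPv4 ARP."""
    if len(frame) < 42:
        return None
    if struct.unpack("!H", frame[12:14])[0] != 0x0806:
        return None
    htype, ptype, hlen, plen, op, sha, _, _, tpa = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, sha, tpa

def find_arp_scanners(events, window=10.0, threshold=20):
    """Flag sender MACs asking for more than `threshold` distinct IPs in `window` seconds.

    events: (timestamp, raw_frame) pairs in time order. Both limits are assumed
    starting values and need tuning against a baseline of the real subnet.
    """
    recent = defaultdict(list)               # sender MAC -> [(timestamp, target IP)]
    flagged = set()
    for ts, frame in events:
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != 1:  # opcode 1 = request, 2 = reply
            continue
        _, sha, tpa = parsed
        recent[sha] = [(t, ip) for t, ip in recent[sha] if ts - t <= window]
        recent[sha].append((ts, tpa))
        if len({ip for _, ip in recent[sha]}) > threshold:
            flagged.add(":".join(f"{b:02x}" for b in sha))
    return flagged

def sample_events():
    """Constructed traffic: a quiet host and a host sweeping 10.0.0.1-60."""
    quiet, noisy = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    ev = [(float(i), build_arp_request(quiet, (10, 0, 0, 5), (10, 0, 0, 1))) for i in range(5)]
    ev += [(i * 0.05, build_arp_request(noisy, (10, 0, 0, 9), (10, 0, 0, i))) for i in range(1, 61)]
    return sorted(ev, key=lambda e: e[0])

if __name__ == "__main__":
    print(find_arp_scanners(sample_events()))
```

Counting distinct target IPs rather than raw request volume keeps a host that repeatedly re-resolves its gateway from being flagged.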
20 years 8 months ago #3306
by SixFive7
SixFive7
Hey,
Thanx for all the great info! I will certainly start digging into SNMP. For now I'll just change my telnet session to a secure session to my COM interface of the router.
I still have some questions though... You were talking about the arp request broadcast package. Do I have to think of this as an arp request package with an ip network broadcast address as destination? Or do I have to think of this as a package with the MAC destination being any? And what does my switch remember? MAC addresses, or ip addresses, or both? And what does it use for the "switching" process?
Also I did some research into the RARP protocol, and I found the RFC:
www.faqs.org/rfcs/rfc903.html
It says:
RARP requires one or more server hosts to maintain a database of mappings from hardware address to protocol address and respond to requests from client hosts.
So... do I have to set up such a database server? Is it not already inside my switch? And if not, does this database programme have to interact with my SBS server 2003 dns and dhcp server? (cause that's gonna be bad)
Also I have a RIS (remote installation server) running on my win2k3 domain controller. It handles all the network booted clients. Does this mean it has this database in it? If so, I guess RIS will only work when it is installed on a server which has an up to date DNS and DHCP cache... right?
Sorry for all the questions, feel kinda dumb. But hey, if it doesn't work out, I can always request the MAC for every ip in my subnet, and then match it to the switch's database.... right?
Thanx so much already!,
Jori Huisman
ps, I do not have a decent switch....
ps2, the source is coming up ASAP!
20 years 8 months ago #3315
by DaOehT
Replied by DaOehT on topic Re: RARP Ip to MAC resolution... HELP!
For those interested, hello!
As I'm a friend of SixFive7, he asked me to upload the source code for StackStat, the program to retrieve statistics via telnet.
The program opens a simple winsock via the tcp protocol. Raw data is sent according to the response of the stacks.
The program is written for two stacks, so you can enter two ip addresses and two port numbers at startup (when settings.ini is not found). Passwords for the stacks are both the same, default monitor. Hopefully nobody gets utterly confused: the program accesses one of the stacks at a time, so that is why the first winsock calls the second when finished. Also, the first command is not catchable because VB doesn't standardly accept the signs. (I could try a chr$(number))
I wrote the program in Dutch but the code is universal. I hope people can read it.
lots of greetings
DaOehT (or just oehTie as my friends call me)
ps, the most useful info of this message, the source can be accessed via www.jokokrimpen.no-ip.com/stackstat.zip
20 years 8 months ago #3317
by sahirh
Replied by sahirh on topic Re: RARP Ip to MAC resolution... HELP!
I'll give the code a look-over and maybe contribute something to it.