Getting a MAC (physical) address...
Page 1 of 2 12 LastLast
Results 1 to 10 of 12

Thread: Getting a MAC (physical) address...

  1. #1
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,242

    Getting a MAC (physical) address...

    ...any way to do this remotely on a LAN when setting up a wireless router? I'm setting up an access list on a Netgear WGR614 and want to make it look easy by pulling the MAC's from my laptop. Nmap gives me some MAC's, but not all.

    TIA.
    “Everybody is ignorant, only on different subjects.” — Will Rogers

  2. #2
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,242
    Doh. Ettercap picks them up.
    “Everybody is ignorant, only on different subjects.” — Will Rogers

  3. #3
    Member
    Join Date
    Jun 2004
    Posts
    37
    Just remember that the layer 2 (mac) address is re-written inside of a packet at every hop. Therefore you must be before the first hop to get the mac address for the actual machine.

  4. #4
    Right turn Clyde Nokia's Avatar
    Join Date
    Aug 2003
    Location
    Button Moon
    Posts
    1,696
    ????

    The source MAC will always be the MAC of the machine that created the Frame.
    Drugs have taught an entire generation of kids the metric system.

    http://tazforum.**********.com/

  5. #5
    Member
    Join Date
    Jun 2004
    Posts
    37
    Before the first hop, yes. However, when your packet crosses a routing device (firewall/router..) the mac is rewritten every hop with the mac of the routing device. So, if you were to sniff a packet on the "inside" of a router, you mac will read "3COM" or "INTEL" or whatever the make of your nic card is... however, if you sniff a packet on the "outside" of a router, and your router is a Cisco device, the mac will read "CISCO".

  6. #6
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    I think the confusion here lies on how you're doing this. If you simply sniff packets, indeed you will see MAC frames from the last router hop as Kcore has mentioned. This is expected behavior per the RFC.

    If you solicit the MAC of the remote host with a tool like NMAP, yes, you will get the MAC address but not because of any layer II function but rather via a call from the actual tool.


    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  7. #7
    Right turn Clyde Nokia's Avatar
    Join Date
    Aug 2003
    Location
    Button Moon
    Posts
    1,696
    Sorry Kcore I must have glanced over the word 'HOP' in your first post!

    If he uses NMAP to get the MAC though he will get the correct mac of the host he has probes not any router......

    I think we may have our wires crossed somewhere?


    ^^ and what the horse said ^^

    hmmm lets see if we can get rid of that grey dot!
    Drugs have taught an entire generation of kids the metric system.

    http://tazforum.**********.com/

  8. #8
    Member
    Join Date
    Jun 2004
    Posts
    37
    Ah. I must have misread. I was talking about Sniffing.. As opposed to tool discovery.

    Thanks

  9. #9
    Junior Member
    Join Date
    Jun 2006
    Posts
    10

    nmap MAC discovery?

    Perhaps I missed something, but how does one use NMAP to get MAC addresses remotely (ie when there is a router/layer 3 device between yourself and the scanned target)? If truly possible, that could be a powerful tool for determining the hardware platform of a remote device.

    In the case of the Netgear WGR614, based upon the specs the wireless and wired interfaces are bridged together, not routed. Thats why MACs are visible in this case.

  10. #10
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,242
    You know, organ, I never paid a lot of attention to nmap results except to primarily see what is on any given LAN and what services may be running (or running a pen test across the net). Generally those are hardwired LANs as opposed to wireless.

    Yes, "nmap -sV -O -P0" and "nmap -sS -P0" will give me MAC addresses of PC's on a LAN (just doublechecked on this one -- hardwired) and it picked up every MAC address save one -- this laptop (which I scanned from the server) which is running XP's built-in firewall. None of the others is running a software firewall.

    Scanning w/ nmap on a wireless LAN probably yields different results because anybody running wireless is probably got a software firewall (you'd be an id10t not to).
    “Everybody is ignorant, only on different subjects.” — Will Rogers

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides