
Thread: Getting a MAC (physical) address...

  1. #1
    brokencrow

    Getting a MAC (physical) address...

    ...any way to do this remotely on a LAN when setting up a wireless router? I'm setting up an access list on a Netgear WGR614 and want to make it look easy by pulling the MACs from my laptop. Nmap gives me some MACs, but not all.

    TIA.
    “Everybody is ignorant, only on different subjects.” — Will Rogers

  2. #2
    brokencrow
    Doh. Ettercap picks them up.

  3. #3
    Just remember that the layer 2 (MAC) address is rewritten inside of a packet at every hop. Therefore, you must be before the first hop to get the MAC address for the actual machine.

  4. #4
    Nokia
    ????

    The source MAC will always be the MAC of the machine that created the Frame.

  5. #5
    Before the first hop, yes. However, when your packet crosses a routing device (firewall/router...) the MAC is rewritten every hop with the MAC of the routing device. So, if you were to sniff a packet on the "inside" of a router, your MAC will read "3COM" or "INTEL" or whatever the make of your NIC card is... however, if you sniff a packet on the "outside" of a router, and your router is a Cisco device, the MAC will read "CISCO".

  6. #6
    thehorse13
    I think the confusion here lies in how you're doing this. If you simply sniff packets, indeed you will see MAC frames from the last router hop as Kcore has mentioned. This is expected behavior per the RFC.

    If you solicit the MAC of the remote host with a tool like NMAP, yes, you will get the MAC address but not because of any layer II function but rather via a call from the actual tool.


    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  7. #7
    Nokia
    Sorry Kcore, I must have glanced over the word 'HOP' in your first post!

    If he uses NMAP to get the MAC though, he will get the correct MAC of the host he has probed, not any router...

    I think we may have our wires crossed somewhere?


    ^^ and what the horse said ^^

    Hmmm, let's see if we can get rid of that grey dot!

  8. #8
    Ah. I must have misread. I was talking about sniffing, as opposed to tool discovery.

    Thanks

  9. #9

    nmap MAC discovery?

    Perhaps I missed something, but how does one use NMAP to get MAC addresses remotely (i.e., when there is a router/layer 3 device between yourself and the scanned target)? If truly possible, that could be a powerful tool for determining the hardware platform of a remote device.

    In the case of the Netgear WGR614, based upon the specs the wireless and wired interfaces are bridged together, not routed. That's why MACs are visible in this case.
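
Added example, not part of any post in this thread: a small Python model of the bridged-versus-routed distinction discussed in posts #5, #6 and #9, showing which source MAC a sniffer sees after each kind of hop. All MAC and IP addresses, and the names `Frame`, `bridge`, `route` and `sniffed_after`, are constructed for illustration; NAT is not modeled.

```python
from dataclasses import dataclass, replace

# Constructed sample values (locally administered MAC addresses).
LAPTOP_MAC = "02:00:00:00:00:10"
ROUTER_LAN_MAC = "02:00:00:00:00:01"
ROUTER_WAN_MAC = "02:00:00:00:00:02"
SERVER_MAC = "02:00:00:00:00:20"

@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str

def bridge(frame):
    """Layer 2 forwarding (switch, bridged access point): header is untouched."""
    return frame

def route(frame, egress_mac, next_hop_mac):
    """Layer 3 forwarding: the old Ethernet header is discarded and a new one
    is built from the router's egress interface; the IP addresses are kept."""
    return replace(frame, src_mac=egress_mac, dst_mac=next_hop_mac)

def sniffed_after(frame, hops):
    """Return the frame a sniffer would capture after the listed hops."""
    for hop in hops:
        if hop[0] == "bridge":
            frame = bridge(frame)
        elif hop[0] == "router":
            frame = route(frame, egress_mac=hop[1], next_hop_mac=hop[2])
        else:
            raise ValueError(f"unknown hop type: {hop[0]}")
    return frame

def demo():
    # Same LAN, wireless and wired sides bridged: frame goes straight to the server.
    bridged = sniffed_after(
        Frame(LAPTOP_MAC, SERVER_MAC, "192.168.1.10", "192.168.1.20"),
        [("bridge",)])
    # Different subnets: the laptop addresses the frame to its gateway's MAC.
    routed = sniffed_after(
        Frame(LAPTOP_MAC, ROUTER_LAN_MAC, "192.168.1.10", "10.0.0.20"),
        [("router", ROUTER_WAN_MAC, SERVER_MAC)])
    return bridged, routed

if __name__ == "__main__":
    for label, f in zip(("bridged", "routed"), demo()):
        print(f"{label:8} src_mac={f.src_mac} src_ip={f.src_ip}")
```

For a MAC access list this means addresses have to be collected from a host on the same layer 2 segment as the clients; anything gathered past a router only shows the router's interface.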

  10. #10
    brokencrow
    You know, organ, I never paid a lot of attention to nmap results except to primarily see what is on any given LAN and what services may be running (or running a pen test across the net). Generally those are hardwired LANs as opposed to wireless.

    Yes, "nmap -sV -O -P0" and "nmap -sS -P0" will give me MAC addresses of PCs on a LAN (just double-checked on this one -- hardwired) and it picked up every MAC address save one -- this laptop (which I scanned from the server) which is running XP's built-in firewall. None of the others is running a software firewall.

    Scanning w/ nmap on a wireless LAN probably yields different results because anybody running wireless has probably got a software firewall (you'd be an id10t not to).
