Finding the MAC address and determining the ARP table of a device.

First we need to see if we can find the device by listing the ARP table. This can be done several ways:

On Windows, arp -a will list all addresses the local host knows about; however, it is much more efficient to do it from your networking device (firewall or switch), which holds the ARP entries for every host on the segment.

Windows 7, 8, 10 / Server 2008, 2012

c:\Windows\system32\arp -a

This will list all the existing ARP entries.
You can also remove all the entries simply via the following (deleting entries needs an elevated command prompt):

c:\Windows\system32\arp -a -d

Sophos / Astaro UTM Firewall

In this case we use a Sophos UTM, logging in via the shell (enable SSH under the web GUI: Management, System) and then logging in.

[Screenshot: Enable SSH on Sophos UTM]

With the Sophos you need to use ssh [email protected] and then elevate to root via sudo su.

ssh [email protected]
sudo su

Once you have logged in, simply run the arp command to list existing entries; however, I prefer to use arp -n so it does not wait on hostname resolution. If you know the type of device or its MAC address you can use grep to filter the results. In this case I know the MAC address from the printer's web interface, but if you only know the manufacturer you can grep for the first three bytes of the MAC (the OUI) and find all devices made by HP, Brother, etc.

# arp -n | grep 10.0.2.90
10.0.2.90 ether b0:e8:92:f9:c7:13 C eth0

You can then use one of the many available online converters to find the manufacturer of the device, for example http://www.coffer.com/mac_find/ From the above we know that a MAC starting with B0:E8:92 belongs to SEIKO EPSON CORPORATION, so if we wanted to find all Epson devices in our ARP cache we could run the same command as above but grep for the MAC prefix instead of the IP, like so:

# arp -n | grep b0:e8:92

This would return all the Epson devices in our network. Note that arp -n prints MAC addresses in lowercase hex, so match in lowercase or use grep -i. Try various vendors in your network to test it out.
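As an added example (not code from the article), the grep-by-OUI idea above turned into a small reusable script: it parses arp -n output and reports every cache entry whose OUI maps to a given vendor. The arp output and the OUI table are constructed; only the b0:e8:92 / SEIKO EPSON entry comes from the article, and the other vendor names are hypothetical placeholders.

```shell
#!/bin/sh
# Group a Linux `arp -n` cache by vendor using the OUI (first three bytes of
# the MAC). ARP_SAMPLE and OUI_TABLE are constructed sample data; swap in the
# real command output on a firewall: arp_by_vendor EPSON "$(arp -n)"
ARP_SAMPLE='Address                  HWtype  HWaddress           Flags Mask            Iface
10.0.2.90                ether   b0:e8:92:f9:c7:13   C                     eth0
10.0.2.1                 ether   00:11:22:33:44:55   C                     eth0
10.0.2.15                ether   b0:e8:92:aa:bb:cc   C                     eth0
10.0.2.30                ether   3c:d9:2b:12:34:56   C                     eth0'

# Tiny OUI table: prefix -> vendor. Only the Epson line is from the article;
# the other two vendors are hypothetical placeholders.
OUI_TABLE='b0:e8:92 SEIKO EPSON CORPORATION
3c:d9:2b EXAMPLE-VENDOR-A
00:11:22 EXAMPLE-VENDOR-B'

# oui_vendor <mac>: print the vendor for a MAC (any case), or UNKNOWN.
oui_vendor() {
    prefix=$(printf '%s' "$1" | tr 'A-F' 'a-f' | cut -c1-8)
    vendor=$(printf '%s\n' "$OUI_TABLE" |
             awk -v p="$prefix" '$1 == p { $1 = ""; sub(/^ +/, ""); print }')
    printf '%s\n' "${vendor:-UNKNOWN}"
}

# arp_by_vendor <vendor-substring> [arp -n output]: print "ip mac vendor" for
# every cache entry whose OUI vendor contains the substring.
arp_by_vendor() {
    want=$1
    input=${2:-$ARP_SAMPLE}
    printf '%s\n' "$input" | awk 'NR > 1 && $2 == "ether" { print $1, $3 }' |
    while read -r ip mac; do
        v=$(oui_vendor "$mac")
        case "$v" in *"$want"*) printf '%s %s %s\n' "$ip" "$mac" "$v" ;; esac
    done
}

# count_vendor_devices <vendor-substring> [arp -n output]: number of matches.
count_vendor_devices() {
    arp_by_vendor "$1" "$2" | wc -l | tr -d ' '
}

arp_by_vendor EPSON
```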

If we don't know the IP address or the manufacturer's MAC prefix, we can also use nmap (or nmap -O) to try to determine the operating system or manufacturer of the device(s) in the address block.

Nmap (OS detection with -O needs root; when run from a host on the same segment a plain nmap -sn 10.0.2.0/24 already reports each MAC address and its vendor from Nmap's OUI database):

nmap -v -O 10.0.2.0/24

https://nmap.org/

Another option is to look for all the ARP traffic via tcpdump, another cross-platform tool that is native to the *nix family of operating systems and devices. Keep in mind you will need to know one of the following: the IP address of the device, the IP address of a system you control from which you can ping or send requests to the device, or the MAC address (or part of it) of the device or its manufacturer. Once again it is best to use grep to filter the results.

Tcpdump

This command can be modified depending on the information you have. Before starting, I recommend clearing your ARP cache or ARP table as above, so that when you ping or start the device it sends out an ARP request to the firewall asking who has the address. You can also do this by rebooting the device and clearing the ARP cache on the firewall before powering it back on.
If you know the IP address of the device, or of the system you are pinging or running tracert from, specify that in the grep here:

# tcpdump -v arp | grep 10.0.2.90
14:38:46.872897 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has example-epson (b0:e8:92:f9:c7:13 (oui Unknown)) tell 10.0.2.1, length 46
14:38:46.872905 ARP, Ethernet (len 6), IPv4 (len 4), Reply example-epson is-at b0:e8:92:f9:c7:13 (oui Unknown), length 28

If you only know the manufacturer, grep for the OUI prefix instead to filter all requests (when running on the firewall or switch):

# tcpdump -v arp | grep b0:e8:92
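As an added example (not from the article), a script that parses the tcpdump ARP output format shown above to confirm the who-has / is-at exchange for a device and to list requests that never received a reply, which is the symptom you see when the device is off, on another segment, or not at the address you expect. It assumes tcpdump is run with -n so IPs appear instead of hostnames; the capture is constructed and only the 10.0.2.90 / b0:e8:92:f9:c7:13 pair is the article's.

```shell
#!/bin/sh
# Parse `tcpdump -n -v arp` output. CAPTURE is a constructed sample; on a
# firewall feed real output instead: unanswered_requests "$(tcpdump -n -v -l -c 200 arp)"
CAPTURE='14:38:46.872897 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.0.2.90 (b0:e8:92:f9:c7:13 (oui Unknown)) tell 10.0.2.1, length 46
14:38:46.872905 ARP, Ethernet (len 6), IPv4 (len 4), Reply 10.0.2.90 is-at b0:e8:92:f9:c7:13 (oui Unknown), length 28
14:38:47.100000 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.0.2.91 tell 10.0.2.1, length 46
14:38:48.100000 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.0.2.91 tell 10.0.2.1, length 46
14:38:49.000000 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.0.2.30 tell 10.0.2.1, length 46
14:38:49.000100 ARP, Ethernet (len 6), IPv4 (len 4), Reply 10.0.2.30 is-at 3c:d9:2b:12:34:56, length 28'

# arp_replies [capture]: print "ip mac" for every ARP reply (is-at) seen.
# The MAC may carry a trailing comma when tcpdump prints no OUI, so strip it.
arp_replies() {
    printf '%s\n' "${1:-$CAPTURE}" |
    awk '/ Reply / { for (i = 1; i <= NF; i++) if ($i == "is-at") {
                        m = $(i+1); sub(/,$/, "", m); print $(i-1), m } }'
}

# mac_for_ip <ip> [capture]: the MAC that answered for the IP, empty if none.
mac_for_ip() {
    arp_replies "$2" | awk -v ip="$1" '$1 == ip { print $2; exit }'
}

# unanswered_requests [capture]: IPs that were asked for (who-has) but never
# answered, with the number of times they were asked.
unanswered_requests() {
    printf '%s\n' "${1:-$CAPTURE}" |
    awk '/ Request who-has / { for (i = 1; i <= NF; i++) if ($i == "who-has") asked[$(i+1)]++ }
         / Reply /           { for (i = 1; i <= NF; i++) if ($i == "is-at")  answered[$(i-1)] = 1 }
         END { for (ip in asked) if (!(ip in answered)) print ip, asked[ip] }' |
    sort
}

echo "Replies seen:";        arp_replies
echo "Unanswered requests:"; unanswered_requests
```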

It's also possible to put the NIC of a security distro into promiscuous mode if you have the right equipment and setup, but we won't get into that in this article.

[Screenshot: basic netstat usage]

Windows other tools

If you're trying to find a particular process causing issues or communicating with the device above, I think you will find the following two commands helpful as well. While there are many third-party tools you can use, I prefer using built-in system commands as much as possible.

For example, if you needed to find a process that was communicating with your device, you can use netstat to list all connections with their owning process IDs; note the PID of the connection to the device, and via tasklist you can then map that PID to the name of the offending process or service.

> netstat -anon | more
> tasklist | more

I’m using the | more option above but if you wanted to write it into a text document (for searching or reference) simply send the output to the file by using the following:

> netstat -anon > c:\temp\myfile.txt
> tasklist >> c:\temp\myfile.txt


If you would like to make the above process more graphical, the only (free) tool I can recommend for Windows is Sysinternals Process Explorer.


Good Luck and feel free to leave me a comment.

Article by Bizanator

I'm a security researcher, pentester and general IT guru, professionally since 2003. While IT and security have been a habit of mine, literally since learning my ABCs on an Apple IIe, I have worked on virtually every operating system in the past 25 years. Learning about memory manipulation starting in the early Blizzard days, I found an affinity for security and exploit development. My career has allowed me to work in a variety of industries, and I have been a strong supporter of open source and virtualization. My goal here is to provide a forum of information where, when you're brain dead, hopefully myself or one of our members can work together in the spirit of open source to resolve those brain dead moments. You can request a consultation with me on Maven.
