![]() So what’s the problem with having this file stored locally? Well, this file can get stale with time. On most Linux systems, such as Kali Linux, that will be under /usr/share/nmap/. Nmap stores information related to OUI and manufacturers in the file called nmap-mac-prefixes, which will be in the root of Nmap’s directory. ![]() Nmap does a good job decoupling information from the codebase and storing it in flat files instead. Why is that? Well, Nmap doesn’t perform a live lookup on this information, but rather depends on the information being stored locally. So the IEEE has information about this OUI from the previous example and Nmap doesn’t. While Nmap couldn’t report the OUI for this MAC address, it is registered with the IEEE, and can be found at if we search for the OUI 348518. The screenshot below shows another scan against a VirtualBox VM, but this time the MAC address has been spoofed and Nmap isn’t able to perform the lookup on this MAC address. The example above is nice, but other MAC address OUIs will not show up. ![]() This allows us to see how this function works when Nmap can perform the OUI lookup. We will scan a VirtualBox VM which NMAP will report an OUI for correctly. ![]() The ARP scan, by its nature, gets the MAC address of the remote host which Nmap will report. Let’s cover this now by having it perform a ping scan (-sn) as root so it uses ARP to detect hosts. In the previous post, I had mentioned Nmap can do this, but didn’t show an example. ![]() Today, I want to cover how Nmap does this function, and how we can update this file ourselves using a script I have released to the Secure Ideas Professionally Evil GitHub repository. In a previous blog post, I covered what an OUI is, how to extract them from a MAC address, how the IEEE maintains this information publicly, and that tools like Nmap and Wireshark can perform an OUI lookup. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |