Accessing (ping, ssh) via MAC address only

DrLove73 · 05-28-2010, 04:17 AM

Is it possible in RHEL (or Linux in general), if you do not know IP of the unit in question, to set something like arp cache entry and ping or ssh to that unit?

Idea is to plug in a wireless router brought in for repair/check/ to LAN switch and to avoid to have to look for IP that is set on that router, instead just add arp cache entry

Code:

arp -n -s <IP> <MAC>

and ping given IP.

Upper command (tested on routers already in arp cache) haven't worked.

Anybody knows a way and possible caveats?

mac.tieu · 05-29-2010, 01:58 AM

Quote:

Originally Posted by DrLove73

Is it possible in RHEL (or Linux in general), if you do not know IP of the unit in question, to set something like arp cache entry and ping or ssh to that unit?

Idea is to plug in a wireless router brought in for repair/check/ to LAN switch and to avoid to have to look for IP that is set on that router, instead just add arp cache entry

Code:

arp -n -s <IP> <MAC>

and ping given IP.

Upper command (tested on routers already in arp cache) haven't worked.

Anybody knows a way and possible caveats?

It's impossible because arp and ssh are worked at IP level of TCP/IP stack, I think. IP packets are not units destination will be dropped without notice.

MT

DrLove73 · 05-29-2010, 07:04 AM

Hmmm, I think I have done this on Windows XP long time ago. Systems should be communicating on MAC level when desired routing subnet is reached. Asking system sends "Who is 192.168.0.1" and target system answers "192.168.0.1 is on 00:23:db:34:r6", then communication begins

unSpawn · 05-29-2010, 07:29 AM

Wouldn't the easiest way be to reset it back to documented default settings and hook up a standalone machine to it? And next time please ask the moderator of the forum you posted in to move the thread for you.

mac.tieu · 05-29-2010, 07:48 AM

Quote:

Originally Posted by DrLove73

Hmmm, I think I have done this on Windows XP long time ago. Systems should be communicating on MAC level when desired routing subnet is reached. Asking system sends "Who is 192.168.0.1" and target system answers "192.168.0.1 is on 00:23:db:34:r6", then communication begins

Wow, this sound like very interesting. Could you remember how did you do? How many host in your testing environment? How host was configured? Were there anything else?

Best regards,
MT.

Robhogg · 05-29-2010, 08:57 AM

I think you may be able to use rarp (reverse arp), so long as the rarpd daemon is running on the target machine, and the machine has it's own IP address in the /etc/ethers file.

mac.tieu · 05-29-2010, 09:08 AM

Quote:

Originally Posted by Robhogg

I think you may be able to use rarp (reverse arp), so long as the rarpd daemon is running on the target machine, and the machine has it's own IP address in the /etc/ethers file.

How hard to run rarpd on wireless router?

MT

tommylovell · 05-29-2010, 10:46 AM

Quote:

Originally Posted by DrLove73

Is it possible in RHEL (or Linux in general), if you do not know IP of the unit in question, to set something like arp cache entry and ping or ssh to that unit?

Idea is to plug in a wireless router brought in for repair/check/ to LAN switch and to avoid to have to look for IP that is set on that router, instead just add arp cache entry

Code:

arp -n -s <IP> <MAC>

and ping given IP.

Upper command (tested on routers already in arp cache) haven't worked.

Anybody knows a way and possible caveats?

I can tell you why this doesn't work, and then give you two simple suggestions you can try.

Why it doesn't work--

If you add an entry to your arp cache and then ping (icmp echo), or attempt to open a tcp/ip connection (ssh, or any other app), a packet will be formed and sent out the appropriate interface that has

1) the MAC address (that you presumably read off a sticker) in the destination of the MAC header;

2) your "invented" IP address in the destination field of the IP header.

Assuming the MAC address is correct and the device is on the network of the interface the packet was sent out on, it will be delivered to that device.

The problem you run into is that packet is unicast to a specific IP address. When the packet is read in, the device looks at it and says "that IP is not one that belongs to me" and will then just drop it. Just as mac.tieu said.

I have seen devices (print servers), that before they were configured would assume the destination IP address of the first unicast packet sent to it as its own temporary IP address. You could then connect to it and configure it as you wished. Neat trick. Won't help you here. Possibly similar to what was alluding to.

For reference by others, I did the same experiment.

Code:

[root@athlonz ~]# arp -n -s 192.168.1.149 00:50:43:01:cc:ce

[root@athlonz ~]# arp -n
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.149            ether   00:50:43:01:cc:ce   CM                    eth0
192.168.1.1              ether   00:1d:7e:2d:6f:43   C                     eth0
192.168.1.103            ether   00:17:f2:48:1d:2f   C                     eth0

[root@athlonz ~]# ping 192.168.1.149
PING 192.168.1.149 (192.168.1.149) 56(84) bytes of data.
c^C
--- 192.168.1.149 ping statistics ---
9 packets transmitted, 0 received, 100% packet loss, time 8188ms

[root@athlonz ~]# ping 192.168.1.104
PING 192.168.1.104 (192.168.1.104) 56(84) bytes of data.
64 bytes from 192.168.1.104: icmp_seq=1 ttl=64 time=1.35 ms
64 bytes from 192.168.1.104: icmp_seq=2 ttl=64 time=0.095 ms
64 bytes from 192.168.1.104: icmp_seq=3 ttl=64 time=0.119 ms
64 bytes from 192.168.1.104: icmp_seq=4 ttl=64 time=0.118 ms
64 bytes from 192.168.1.104: icmp_seq=5 ttl=64 time=0.112 ms
64 bytes from 192.168.1.104: icmp_seq=6 ttl=64 time=0.102 ms
^C
--- 192.168.1.104 ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 5839ms
rtt min/avg/max/mdev = 0.095/0.316/1.354/0.464 ms

[root@athlonz ~]# arp -n
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.149            ether   00:50:43:01:cc:ce   CM                    eth0
192.168.1.1              ether   00:1d:7e:2d:6f:43   C                     eth0
192.168.1.104            ether   00:50:43:01:cc:ce   C                     eth0
192.168.1.103            ether   00:17:f2:48:1d:2f   C                     eth0
[root@athlonz ~]#

First suggestion---

It might be possible to do a broadcast ping to get the IP address of the device you connected, even if it is configured with an IP address in another subnet. You'll have to try an experiment to see if it will respond.

All devices in my network are in the same subnet.

Code:

[root@athlonz ~]# ping -b 255.255.255.255
WARNING: pinging broadcast address
PING 255.255.255.255 (255.255.255.255) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.607 ms
64 bytes from 192.168.1.105: icmp_seq=1 ttl=64 time=2.30 ms (DUP!)
64 bytes from 192.168.1.103: icmp_seq=1 ttl=64 time=3.08 ms (DUP!)
64 bytes from 192.168.1.239: icmp_seq=1 ttl=255 time=6.51 ms (DUP!)
64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=0.535 ms
64 bytes from 192.168.1.103: icmp_seq=2 ttl=64 time=1.82 ms (DUP!)
64 bytes from 192.168.1.105: icmp_seq=2 ttl=64 time=2.27 ms (DUP!)
64 bytes from 192.168.1.239: icmp_seq=2 ttl=255 time=6.49 ms (DUP!)
64 bytes from 192.168.1.1: icmp_seq=3 ttl=64 time=0.533 ms
64 bytes from 192.168.1.103: icmp_seq=3 ttl=64 time=1.83 ms (DUP!)
64 bytes from 192.168.1.105: icmp_seq=3 ttl=64 time=2.27 ms (DUP!)
64 bytes from 192.168.1.239: icmp_seq=3 ttl=255 time=6.51 ms (DUP!)
64 bytes from 192.168.1.1: icmp_seq=4 ttl=64 time=0.509 ms
64 bytes from 192.168.1.103: icmp_seq=4 ttl=64 time=1.84 ms (DUP!)
64 bytes from 192.168.1.105: icmp_seq=4 ttl=64 time=2.02 ms (DUP!)
64 bytes from 192.168.1.239: icmp_seq=4 ttl=255 time=6.29 ms (DUP!)
^C
--- 255.255.255.255 ping statistics ---
4 packets transmitted, 4 received, +12 duplicates, 0% packet loss, time 3317ms
rtt min/avg/max/mdev = 0.509/2.840/6.514/2.208 ms

Interesting that nothing goes into your arp cache at this point. But if you attempt to establish a connection with any of those newly discovered addresses, then an arp is performed and an entry is made.

Code:

[root@athlonz ~]# arp -n
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.149            ether   00:50:43:01:cc:ce   CM                    eth0
192.168.1.1              ether   00:1d:7e:2d:6f:43   C                     eth0
192.168.1.105            ether   00:14:51:78:92:a1   C                     eth0
192.168.1.103            ether   00:17:f2:48:1d:2f   C                     eth0

[root@athlonz ~]# telnet 192.168.1.239
Trying 192.168.1.239...
^C

[root@athlonz ~]# arp -n
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.149            ether   00:50:43:01:cc:ce   CM                    eth0
192.168.1.1              ether   00:1d:7e:2d:6f:43   C                     eth0
192.168.1.239            ether   00:18:4d:e9:ef:d8   C                     eth0
192.168.1.105            ether   00:14:51:78:92:a1   C                     eth0
192.168.1.103            ether   00:17:f2:48:1d:2f   C                     eth0
[root@athlonz ~]#

Second suggestion--

Have you thought of using 'nmap'?

nmap -v -sP 192.168.1.0/24
nmap -v -sP 192.168.0.0/16

anomie · 05-29-2010, 04:16 PM

@DrLove73: You might also want to investigate arping (which can "ping" MAC addresses directly) and arpwatch (which monitors layer 2 traffic on a subnet, and keeps an updated db of MAC/IP combinations).

DrLove73 · 05-29-2010, 04:42 PM

OK, thanks guys.

Original idea was from Winbox config utility for Mikrotik routers and some D-Link AP's. They locate and access units solely via MAC address.

If I am unable to ssh to the unit (linux kernel), all other attempts are not so important.

I am not 100% sure in my success with Windows, it must have been at least 7-8 years ago, so I might be mistaken in what I have done.