Tuesday, April 27, 2010

Update MAC Address<-->Manufacturer Tables

If you've ever used nmap or arpwatch, you've probably experienced the forensic benefit of correlating a MAC broadcast address to the manufacturer of the broadcasting NIC. If you've even encountered a manufacturer labeled "Unknown" with either of the above sniffers, this post is for you.

We installed arpwatch on our network late last week and discovered that the MAC<->Manufacturer table was a few years out of date. We were able to convert nmap's table to arpwatch's format, but still ended up with a slightly-out-of-date table.

The following script gets the current data from IEEE and formats it for nmap and arpwatch:

#!/bin/bash
# update_mac_addresses.sh
# This script downloads the currect mac address data from the IEEE and parses it for nmap and arpwatch.
# nmap-mac-prefixes is for nmap.
# ethercodes.dat is arpwatch.

# Download the current data

wget http://standards.ieee.org/regauth/oui/oui.txt

# Divide the data into Manufacturer and Address files
cat oui.txt | grep '(base 16)' | cut -f3 > mac.manufacturer
cat oui.txt | grep '(base 16)' | cut -f1 -d' ' > mac.address


# Paste them back together for nmap data

paste mac.address mac.manufacturer > nmap-mac-prefixes


# Parse the address data for arpwatch
cat mac.address | perl -pe 's/^(([^0].)|0(.))(([^0].)|0(.))(([^0].)|0(.))/\2\3:\5\6:\8\9/' > tmp.address
cat tmp.address | tr [A-Z] [a-z] > mac.address


# Paste the parsed data into the arpwatch file
paste mac.address mac.manufacturer > ethercodes.dat

# Clean up intermediary files
rm tmp.address
rm mac.address
rm mac.manufacturer
rm oui.txt

Credit to Jonathan C. for the perl regex.

UPDATE!!!

If the resulting nmap file (nmap-mac-prefixes) is installed, nmap will not run successfully. If you've already copied the nmap data file, you'll have to roll back to the data file installed with nmap.