Tuesday, April 27, 2010

Update MAC Address<-->Manufacturer Tables

If you've ever used nmap or arpwatch, you've probably experienced the forensic benefit of correlating a MAC broadcast address to the manufacturer of the broadcasting NIC. If you've ever encountered a manufacturer labeled "Unknown" with either of the above sniffers, this post is for you.

We installed arpwatch on our network late last week and discovered that the MAC<->Manufacturer table was a few years out of date. We were able to convert nmap's table to arpwatch's format, but still ended up with a slightly-out-of-date table.

The following script gets the current data from IEEE and formats it for nmap and arpwatch:

#!/bin/bash
# update_mac_addresses.sh
# This script downloads the current MAC address data from the IEEE and parses it for nmap and arpwatch.
# nmap-mac-prefixes is for nmap.
# ethercodes.dat is for arpwatch.

set -e

# Download the current data
wget http://standards.ieee.org/regauth/oui/oui.txt

# Divide the data into Manufacturer and Address files
# (the IEEE file uses CRLF line endings, so the carriage returns are stripped first)
tr -d '\r' < oui.txt | grep '(base 16)' | cut -f3 > mac.manufacturer
tr -d '\r' < oui.txt | grep '(base 16)' | cut -f1 -d' ' > mac.address

# Paste them back together for nmap data
paste mac.address mac.manufacturer > nmap-mac-prefixes

# Parse the address data for arpwatch: drop the leading zero of each byte and separate the bytes with colons
perl -pe 's/^(([^0].)|0(.))(([^0].)|0(.))(([^0].)|0(.))/\2\3:\5\6:\8\9/' mac.address > tmp.address
# arpwatch expects lowercase hex
tr '[:upper:]' '[:lower:]' < tmp.address > mac.address

# Paste the parsed data into the arpwatch file
paste mac.address mac.manufacturer > ethercodes.dat

# Clean up intermediary files
rm tmp.address mac.address mac.manufacturer oui.txt

Credit to Jonathan C. for the perl regex.

UPDATE!!!

If the resulting nmap file (nmap-mac-prefixes) is installed, nmap will not run successfully. If you've already copied the nmap data file, you'll have to roll back to the data file installed with nmap.
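The conversion the script performs, written as shell functions that run offline against a constructed sample of oui.txt (this is an added example, not the script above or anything from the nmap or arpwatch projects). It tolerates the two record layouts the comments describe (with and without leading spaces before the OUI), strips the CRLF line endings the IEEE file uses, ignores the "(hex)" and address lines, writes the nmap lines with the single space separator used in the nmap-mac-prefixes file shipped with nmap, and writes the arpwatch lines as lowercase, colon-separated bytes with leading zeros removed. The OUI 0C-1D-AB and the vendor "Example Vendor" are constructed for the sample; 000000 is the real XEROX CORPORATION assignment.

```bash
#!/bin/bash
# Convert IEEE oui.txt "(base 16)" records to nmap and arpwatch formats.

# Constructed sample input (NOT the real IEEE file): one record in the old
# layout, one in the newer layout with two leading spaces, CRLF line endings,
# plus the "(hex)" and postal address lines that must be ignored.
sample_oui() {
  printf '00-00-00   (hex)\t\tXEROX CORPORATION\r\n'
  printf '000000     (base 16)\t\tXEROX CORPORATION\r\n'
  printf '\t\t\t\tM/S 105-50C\r\n'
  printf '\r\n'
  printf '  0C-1D-AB   (hex)\t\tExample Vendor\r\n'
  printf '  0C1DAB     (base 16)\t\tExample Vendor\r\n'
}

# Read oui.txt on stdin; print "<OUI><TAB><vendor>" for each (base 16) record.
# Leading whitespace before the OUI and carriage returns are both tolerated.
extract_base16() {
  tr -d '\r' | awk -F'\t' '
    /\(base 16\)/ {
      oui = $1
      sub(/^[[:space:]]*/, "", oui)   # drop any indentation
      sub(/[[:space:]].*$/, "", oui)  # keep only the 6 hex digits
      print oui "\t" $NF              # vendor is the last tab-separated field
    }'
}

# nmap-mac-prefixes: uppercase 6-digit prefix, a single space, the vendor name.
to_nmap() {
  extract_base16 | awk -F'\t' '{ print toupper($1) " " $2 }'
}

# ethercodes.dat: lowercase bytes, leading zero of each byte removed,
# bytes joined with ":" ("000000" -> "0:0:0", "0C1DAB" -> "c:1d:ab").
to_arpwatch() {
  extract_base16 | awk -F'\t' '{
    oui = tolower($1)
    out = ""
    for (i = 1; i <= 5; i += 2) {
      byte = substr(oui, i, 2)
      sub(/^0/, "", byte)
      out = out (i > 1 ? ":" : "") byte
    }
    print out "\t" $2
  }'
}

# Stand-alone demonstration on the constructed sample.
echo "--- nmap format ---"
sample_oui | to_nmap
echo "--- arpwatch format ---"
sample_oui | to_arpwatch
```

To process a real download, replace `sample_oui` with `tr -d '\r' < oui.txt` as the pipeline source; the functions only read standard input.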

5 comments:

Anonymous said...

Very useful. Thanks.

Anonymous said...

You sir, have saved me a good bit of time, thank you!

Unknown said...

The software for changing MAC addresses fails to update the MAC address of the network adapter. But thank god I got this solution. Thanks for sharing.

Thanks
Silvester Norman

Change Mac Address

Anonymous said...

Thanks for this. I made a small change to make it work, possibly because the input file format has changed. I changed the second cut statement to this:

cat oui.txt | grep '(base 16)' | cut -f3 -d' ' > mac.address

Anonymous said...

With the fix from Norman - great work, thx for this. The address has permanently moved to
http://standards-oui.ieee.org/oui.txt