Mining Live Networks for OUI Data Oddness
My last story was a short script that takes MAC addresses in, and returns the OUI portion of that, along with the vendor who corresponds to that OUI. (https://isc.sans.edu/diary/Mining+MAC+Address+and+OUI+Information/25360) Today we'll port that to PowerShell as a function and use that on a live network for some "hunting" to look for odd things.
A few things to note:
- The original script has been updated so that it cleans up the download a bit better (mostly for this PowerShell implementation to use)
- The PowerShell version doesn't download the data file, so to use this you'll need to download and run the original script.
- So if you've already used that script, pull it down again and update the data file.
- So far, this script handles the standard 24 bit (3 byte) OUIs. 28 and 36 bit OUIs match on the first 24 bits only (so far).
On with today's story - First, the function:
```powershell
# assumes that the oui.txt file exists, and that it's in c:\utils - edit this to fit your implementation
$global:ouilist = Import-Csv -Delimiter "`t" -Path "c:\utils\oui.txt"

function OUILookup {
    param([string]$MAC)
    # grab the first 6 chars for an OUI first pass (separators stripped first, so 00:50:56.., 00-50-56.. and 005056.. all work)
    $oui = ($MAC -replace '[:\-\.]', '').Substring(0, 6).ToUpper()
    # find the OUI in the table. The lookup body was missing from the page and is reconstructed here; the
    # oui.txt columns are assumed to be OUI, Vendor and VendorString. Select-Object returns a copy, so the
    # per-MAC Add-Member calls below don't modify (or collide on) the shared table row.
    $match = $global:ouilist | Where-Object { $_.OUI -eq $oui } | Select-Object OUI, Vendor, VendorString
    # unknown OUI (e.g. a randomised MAC): return a placeholder so Add-Member on the result still works
    if (-not $match) { $match = [pscustomobject]@{ OUI = $oui; Vendor = 'UNKNOWN'; VendorString = '' } }
    return $match
}
```
How can we use this? In our first case, let's read all MAC addresses from a switch, then lookup the vendor for each unique MAC. There are several OID (Object ID) strings that return MAC addresses, I picked the one I did because it also returns the interface number the MAC is associated with - that might be useful in a future story :-)
Note that I'm using SNMPv2 in this (just to keep the code simple). I would strongly suggest that you use SNMPv3 in any production environment (SNMPv2 calls and returns are all in clear text, SNMPv3 adds encryption). I'd also suggest that you use an ACL on your SNMP configuration so that only trusted hosts are allowed to make SNMP calls. The CIS Benchmark for your switch will give you more detail on this, as well as a plethora of other advice on hardening your switch configuration against various attacks.
```powershell
$IP = "192.168.122.6"
$OID = ".1.3.6.1.2.1.17.4.3.1.2"   # dot1dTpFdbPort: the MAC is the OID index, the bridge port is the value
$CommString = "SomeComplexString"

$WalkVals = Invoke-SnmpWalk -IP $IP -OIDStart $OID -Community $CommString -WalkMode WithinSubtree

$trimlength = $OID.Length + 1
$MACtoOUIList = @()

foreach ($val in $WalkVals) {
    # get the decimal representation of the MAC (the six octets that follow the base OID)
    $macdec = ($val.OID).Substring($trimlength)
    $machex = ""
    $macdec.Split(".") | ForEach-Object { $machex += '{0:x2}' -f [int32]$_ }
    $ouitemp = OUILookup $machex
    $ouitemp | Add-Member -MemberType NoteProperty -Name MAC -Value $machex.ToUpper()
    $MACtoOUIList += $ouitemp
}
```
Now we have the list of MACs with the OUI information for each:
```powershell
$MACtoOUIList

OUI     Vendor     VendorString     MAC
```
Let's sort and group them now, to get a count of unique OUIs. We'll sort by count so that the "outliers" bubble up to the top; in so many situations we're looking for the values that are "odd".
```powershell
$MACtoOUIList | Select-Object OUI, Vendor | Sort-Object -Property OUI | Group-Object OUI, Vendor -NoElement | Sort-Object Count

Count Name
```
Not a lot of oddness to find on my home network - that TctMobil OUI I think is my wife's new phone, which was interesting - that's about it.
Let's cast our net a bit wider, and read the DHCP database from a windows DHCP server and return the vendor for each MAC address, with the device name and IP.
We covered how to "mine" the DHCP database in a story a while back: https://isc.sans.edu/forums/diary/DNS+and+DHCP+Recon+using+Powershell/20995/
First, collect the DHCP leases, then for each MAC address (Client-ID) get the OUI, all collected into one variable (a list):
```powershell
# lease collection assumes the DhcpServer module's Get-DhcpServerv4Lease cmdlet (see the DHCP recon diary
# linked above); $DHCPServer is a placeholder for your DHCP server's name
$leases = Get-DhcpServerv4Scope -ComputerName $DHCPServer | Get-DhcpServerv4Lease -ComputerName $DHCPServer
$targetouilist = @()
foreach ($lease in $leases) {
    # ClientId is the MAC in aa-bb-cc-dd-ee-ff form; keep the device name and IP alongside the vendor
    $ouitemp = OUILookup $lease.ClientId
    $ouitemp | Add-Member -MemberType NoteProperty -Name IP -Value $lease.IPAddress
    $ouitemp | Add-Member -MemberType NoteProperty -Name HostName -Value $lease.HostName
    $targetouilist += $ouitemp
}
```
Again, let's look for outliers, sorting by ascending count:
```powershell
$targetouilist | Select-Object OUI, Vendor | Sort-Object -Property OUI | Group-Object OUI, Vendor -NoElement | Sort-Object Count

Count Name
```
In a network of a couple thousand workstations, there definitely is some stuff to dig into here. Just for starters (and without more than a glance at the data), this client had recently completed a VOIP migration from one vendor to another - you see from our "outliers" list that there's one phone that got missed. I'll be digging into this a bit more (and for a few more clients) over the next while - feel free to do the same! (on your own networks of course)
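The MAC normalisation from the SNMP loop and the "outlier" grouping used in both hunts, as an added example that is not the diary's code: it also accepts the text forms a DHCP lease or a switch CLI gives you, and flags locally-administered (randomised) MACs, which never resolve against the IEEE registry and would otherwise show up as unknown vendors worth chasing. The vendor table and the input MACs are constructed sample data.

```powershell
# Constructed stand-in for the diary's oui.txt (two rows are enough for the demonstration)
$sampleOuiTable = @(
    [pscustomobject]@{ OUI = '005056'; Vendor = 'VMware' },
    [pscustomobject]@{ OUI = '001122'; Vendor = 'CIMSYS' }
)

function Convert-MacToHex {
    param([string]$Mac)
    # SNMP hands back the MAC as six decimal octets in the OID index, e.g. "0.80.86.1.2.3"
    if ($Mac -match '^\d{1,3}(\.\d{1,3}){5}$') {
        return (($Mac.Split('.') | ForEach-Object { '{0:X2}' -f [int]$_ }) -join '')
    }
    # text forms: strip the separators of 00:50:56:01:02:03, 00-50-56-01-02-03 and 0050.5601.0203
    return ($Mac -replace '[:\-\.]', '').ToUpper()
}

function Test-LocallyAdministeredMac {
    param([string]$MacHex)
    # bit 1 of the first octet is the locally-administered bit; randomised (privacy) MACs set it,
    # so they will never match an IEEE-assigned OUI and should not be chased as "unknown vendors"
    $firstOctet = [Convert]::ToInt32($MacHex.Substring(0, 2), 16)
    return (($firstOctet -band 0x02) -ne 0)
}

function Get-OuiOutliers {
    param([string[]]$Macs, [object[]]$OuiTable, [int]$Threshold = 1)
    $rows = foreach ($m in $Macs) {
        $hex = Convert-MacToHex $m
        $oui = $hex.Substring(0, 6)
        $hit = $OuiTable | Where-Object { $_.OUI -eq $oui }
        if ($hit) { $vendor = $hit.Vendor }
        elseif (Test-LocallyAdministeredMac $hex) { $vendor = 'LOCALLY-ADMINISTERED (randomised?)' }
        else { $vendor = 'UNKNOWN' }
        [pscustomobject]@{ MAC = $hex; OUI = $oui; Vendor = $vendor }
    }
    # same Group-Object / sort as the diary, keeping only the rare groups worth a second look
    $rows | Group-Object OUI, Vendor -NoElement | Where-Object { $_.Count -le $Threshold } | Sort-Object Count
}

# constructed input: two SNMP-style indexes, one dash-separated lease ClientId, one randomised phone MAC
$constructedMacs = '0.80.86.1.2.3', '0.80.86.9.9.9', '00-11-22-33-44-55', 'DA:12:34:56:78:9A'
Get-OuiOutliers -Macs $constructedMacs -OuiTable $sampleOuiTable
```

With the sample data the two VMware MACs are grouped away and only the single CIMSYS entry and the randomised MAC are reported; raise -Threshold on a larger network to widen the net.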
Please, use our comment form and let us know if you find anything "interesting"!
===============
Rob VandenBrink
rob <at> coherentsecurity.com