So often when we're working an incident on the network side, we quickly end up at Layer 2, working with MAC Addresses.
MAC addresses are commonly split, with the leading bits being the OUI (Organizationally Unique Identifier). These OUIs (also called MAC address prefixes) are purchased from the IEEE (at https://standards.ieee.org/products-services/regauth/oui/index.html). The most commonly seen OUIs are 24 bits wide, so the first 3 bytes of the MAC. Taking aa:bb:cc:dd:ee:ff as an example, the corresponding 24-bit OUI would be aabbcc, and the host "bits" would be ddeeff. However, that "OUI boundary" can move to a 28- or 36-bit boundary, for instance if the vendor wants a smaller allocation of addresses (the IEEE sells these as MA-L, MA-M and MA-S blocks for 24, 28 and 36 bits respectively). In that case, aabbccd00000/28 or aabbccdde000/36 would both also be valid identifiers. Note that if the boundary isn't at the 24-bit point, the trailing zeros and the bit-length mask are normally written out, so you can tell at a glance how much of the address is vendor and how much is host.
All interesting you say, but what does this have to do with security? All too often when looking at MAC address tables, we see something "odd", and it struck me that it'd be handy to have a quick lookup tool. Wireshark maintains a very complete online lookup tool (https://www.wireshark.org/tools/oui-lookup.html ), and it's usually my go-to. However, it means that I need internet access, a web page isn't easy to script against, and on most of my hardware I need to scroll up and down to use that page. Luckily the IEEE publishes the OUI table in text format at https://standards.ieee.org/products-services/regauth/oui/index.html
So with a text file in hand, I wrote a quick-and-dirty shell script to download the file if it isn't already there, and grep it for OUIs, partial OUIs or vendor names:
For instance, what OUIs does VMware use for its VMs?
root@kali:~# ./oui.sh vmware
Alternatively, if we were looking up an OUI that we got from a switch "show mac address-table" command:
root@kali:~# ./oui.sh 0050:56
Or, if you want a list of all vendors that have smaller allocations, let's list the folks with /28's:
root@kali:~# ./oui.sh /28 | more
The Windows version uses c:\utils for the downloaded text file. I usually keep the script in the same place, but it can really reside anyplace in the path.
Edit the script you are using if these directories are not desirable in your situation.
OUI NN:NN:NN Request information on a specific OUI
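The diary's own oui.sh isn't reproduced above, so here is an added example (my code, not the author's script) of the same idea: cache a local copy of the IEEE registry, then look up either a MAC/OUI in any of the usual notations (00:50:56, 0050.56aa.bbcc, 00-50-56) or a vendor-name substring. It parses the "(base 16)" lines of the IEEE oui.txt layout and strips the CRLF line endings that file has, which is what trips up a naive grep. The download URL, the cache path and the embedded sample registry are assumptions: the sample is a constructed five-line stand-in in the oui.txt layout, not a copy of the registry, and this example covers only the 24-bit (MA-L) file.

```shell
#!/bin/sh
# oui_lookup.sh - added example, not the diary's oui.sh.
# Look up an OUI / MAC prefix or a vendor-name substring in a local copy
# of the IEEE 24-bit (MA-L) registry, using the "(base 16)" lines of oui.txt.

OUI_FILE="${OUI_FILE:-/tmp/oui.txt}"                # assumed cache location
OUI_URL="${OUI_URL:-http://standards-oui.ieee.org/oui/oui.txt}"  # assumed IEEE URL

# Fetch the registry once if there is no non-empty cached copy; print its path.
ensure_registry() {
    [ -s "$OUI_FILE" ] || curl -fsSL -o "$OUI_FILE" "$OUI_URL"
    printf '%s\n' "$OUI_FILE"
}

# Constructed sample in the layout of the "(base 16)" lines of IEEE oui.txt,
# CRLF line endings included (as in the real file). Not a copy of the registry.
make_sample_registry() {
    f=$(mktemp)
    printf '%s\t\t%s\r\n' \
        '005056     (base 16)' 'VMware, Inc.' \
        '000C29     (base 16)' 'VMware, Inc.' \
        '001C14     (base 16)' 'VMware, Inc.' \
        '00000C     (base 16)' 'Cisco Systems, Inc' \
        'B827EB     (base 16)' 'Raspberry Pi Foundation' > "$f"
    printf '%s\n' "$f"
}

# oui_lookup REGISTRY QUERY
# If QUERY, with ":", "-", "." and spaces removed, is 6 to 12 hex digits it is
# treated as a MAC or OUI and matched on its first 6 hex digits (24-bit OUI);
# anything else is a case-insensitive vendor-name substring search.
# Output: one "OUI Vendor" line per hit.
oui_lookup() {
    registry=$1
    query=$2
    stripped=$(printf '%s' "$query" | tr -d ':. -' | tr 'a-f' 'A-F')
    if printf '%s\n' "$stripped" | grep -Eq '^[0-9A-F]{6,12}$'; then
        prefix=$(printf '%s' "$stripped" | cut -c1-6)
        awk -F'\t' -v p="$prefix" '
            /\(base 16\)/ {
                sub(/\r$/, "")                 # drop the CR of CRLF endings
                oui = substr($1, 1, 6)         # "005056     (base 16)" -> 005056
                if (oui == p) printf "%s %s\n", oui, $NF
            }' "$registry"
    else
        awk -F'\t' -v n="$(printf '%s' "$query" | tr 'a-z' 'A-Z')" '
            /\(base 16\)/ {
                sub(/\r$/, "")
                if (index(toupper($NF), n)) printf "%s %s\n", substr($1, 1, 6), $NF
            }' "$registry"
    fi
}

# Command-line use: ./oui_lookup.sh 00:50:56    or    ./oui_lookup.sh vmware
if [ $# -gt 0 ]; then
    oui_lookup "$(ensure_registry)" "$1"
fi
```

Two caveats a practitioner will hit with the real file: the registry is CRLF-terminated, so a vendor name compared without stripping the trailing carriage return never matches exactly, and a MAC whose prefix falls in an MA-M or MA-S block shows up in oui.txt only as the parent IEEE Registration Authority entry; for those you need the 28- and 36-bit files as well and have to compare 7 or 9 hex digits instead of 6.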
If you've worked an incident where MAC / OUI information was crucial in getting to a solution, please, share using our comment form! (please stay within your NDA of course).
Stay tuned, in my next story we'll use this approach to find "odd" stations in your network.
Sep 26th 2019