
Initial Disclosure

I am not a network engineer and my expertise in this area is low.

Background

While using nmap 7.70 with nmap -sL to look for the IP address of a known device on our local network [behind VPN and firewall], I noticed two entries that I didn't recognize.
My boss advised me to identify and report their MAC addresses so that he could monitor and ban them if deemed prudent.
I used option -sn [no port scan] to get more information including MAC addresses. However, when I ran this scan, the two unrecognized hosts did not appear.

I looked at the arp cache, and also used arp-scan; both the unknown entries appeared with MAC addresses described as [as shown below]

    ? (10.0.0.xxx) at <incomplete> on wlp0xxx
    [...]
    ? (10.0.0.yyy) at <incomplete> on wlp0xxx

My understanding of the incomplete-MAC-address entry [based on reading a goodly number of similar-ish entries on this family of sites] is that it means the host in question did not respond to a transmitted arp packet. Also, I'm aware that arp pertains to cached information and does not necessarily reflect current network activity. [also : I have read man nmap, but I'm pretty sure I'm failing to understand some key information about the options]

That is clear enough to me; but what I am unclear on is whether I need to worry about these unrecognized, unresponsive hosts from a security standpoint.

Question [Parts]

So, my question has two main components:

  1. Why do some hosts [in this case, unrecognized hosts with incomplete MAC addresses] show up with nmap -sL and not nmap -sn;

  2. Do these hosts represent potential attacks or attackers, and if so, how can they be banned without knowledge of their MAC addresses?

The network in question is mainly wireless; all wired Ethernet-connected devices are accounted for.

Similar Questions

For reference: I've looked at the following entries plus more, but have not been able to discern a complete answer to my questions:

how to find out mac addresses of all machines on network

https://unix.stackexchange.com/questions/461682/nmap-network-scan-shows-ip-addresses-and-mac-addresses-of-items-that-are-then-mi

https://unix.stackexchange.com/questions/89956/no-mac-corresponding-to-ip-in-arp-table-how-to-troubleshoot

Ross Jacobs

1 Answer


Nmap's -sL option is the "List scan", which is not actually a network scan. Its purpose is simply to list the targets that were given as input, regardless of whether they exist or respond to any probes. This might not sound very useful, but it comes in handy when you want to discover information about DNS records.

The first phase of an Nmap scan is forward DNS lookup. If you've given a domain name as input, Nmap will look up the corresponding IP address for that name, and with the -sL option it will output that address along with the name. Next, Nmap usually checks to see if the address will respond, but -sL skips that step and moves directly to reverse-DNS lookup. In this step, Nmap issues a PTR request for the record that corresponds to the IP address in order to see if the canonical DNS name for that address can be discovered. This name will also be reported in the output of -sL. Here's an example run against "nmap.org":

nmap -sL nmap.org
Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-18 21:28 CDT
Nmap scan report for nmap.org (45.33.49.119)
Other addresses for nmap.org (not scanned): 2600:3c01::f03c:91ff:fe98:ff4e
rDNS record for 45.33.49.119: ack.nmap.org
Nmap done: 1 IP address (0 hosts up) scanned in 0.00 seconds

So you can expect to see an output section for every address in your target set, even if there's nothing there. If you're seeing a name ("rDNS record") associated with an address, it means your DNS server knows a name that goes with that address. On networks where DHCP and DNS are integrated, this could mean that a machine with that name connected and got a DHCP lease for that address, even if it has since left the network. If Nmap's host discovery (nmap -sn) doesn't show the target as "up," then it is most likely not there, especially if you show an incomplete ARP record in your cache.

To directly answer the remaining question of how these machines can be banned, you can look at your DHCP logs to see if you have a record of what the MAC address was when they were last connected. If you have an rDNS record, you may be able to take action at the DHCP server to detect when they request a lease with that name again, though that is even more easily spoofed than a MAC address.

bonsaiviking
  • Wonderfully clear explanation! Thanks much for taking the time to answer so thoroughly. I'll be sure to upvote you as soon as I have sufficient 'reputation' points. – Mister October Oct 21 '19 at 16:53
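The answer separates three sources of evidence that are easy to conflate: the -sL listing (DNS only; every address in the target set gets a report line whether or not anything is there), the kernel neighbour/ARP cache (an <incomplete> entry means our ARP request got no reply), and the DHCP server's log (the most recent DHCPACK is the best record of which MAC last held an address). The following is an added example, not code from the original question or answer: it parses constructed samples of all three and gives each listed address a verdict. The sample nmap output, arp -a lines, dhcpd syslog lines, MAC addresses, hostnames and the interface name wlp0s20f3 are all made up for illustration.

```python
"""Reconcile Nmap -sL output, the neighbour/ARP cache, and dhcpd DHCPACK log
lines for one subnet.  Example code added here; not from the original page."""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
MAC = r"([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5})"

# "Nmap scan report for name (ip)" when the reverse lookup found a name,
# "Nmap scan report for ip" when it did not; a separate "rDNS record" line
# appears when the looked-up name differs from the target name given.
SL_RE = re.compile(r"^Nmap scan report for (?:(\S+) \(" + IPV4 + r"\)|" + IPV4 + r")$")
RDNS_RE = re.compile(r"^rDNS record for " + IPV4 + r": (\S+)$")
ARP_A_RE = re.compile(r"\(" + IPV4 + r"\) at (\S+)")  # `arp -a` line format
IP_NEIGH_RE = re.compile(r"^" + IPV4 + r" dev \S+(?: lladdr " + MAC + r")? \S+$")  # `ip neigh`
DHCPACK_RE = re.compile(r"DHCPACK on " + IPV4 + r" to " + MAC + r"(?: \(([^)]*)\))?")


def parse_list_scan(text: str) -> Dict[str, Optional[str]]:
    """Map every address Nmap -sL listed to its rDNS name (None if it had none)."""
    listed: Dict[str, Optional[str]] = {}
    for line in text.splitlines():
        m = SL_RE.match(line.rstrip())
        if m:
            name, ip_a, ip_b = m.groups()
            listed[ip_a or ip_b] = name
            continue
        m = RDNS_RE.match(line.rstrip())
        if m:  # the rDNS line follows the report line, so it wins
            listed[m.group(1)] = m.group(2)
    return listed


def parse_neighbours(text: str) -> Dict[str, Optional[str]]:
    """Map IP -> lower-case MAC, or None for an <incomplete>/FAILED entry.
    Accepts `arp -a` and `ip neigh` line formats."""
    cache: Dict[str, Optional[str]] = {}
    for line in text.splitlines():
        m = ARP_A_RE.search(line)
        if m:
            lladdr = m.group(2)
            cache[m.group(1)] = lladdr.lower() if re.fullmatch(MAC, lladdr) else None
            continue
        m = IP_NEIGH_RE.match(line.strip())
        if m:
            cache[m.group(1)] = m.group(2).lower() if m.group(2) else None
    return cache


def parse_dhcp_acks(text: str) -> Dict[str, Tuple[str, Optional[str]]]:
    """Map IP -> (MAC, client hostname) from the LAST DHCPACK for that IP in log order;
    an address can be re-leased to a different client, so only the latest ACK counts."""
    acks: Dict[str, Tuple[str, Optional[str]]] = {}
    for line in text.splitlines():
        m = DHCPACK_RE.search(line)
        if m:
            acks[m.group(1)] = (m.group(2).lower(), m.group(3))
    return acks


@dataclass
class Finding:
    ip: str
    rdns: Optional[str]        # name from the -sL listing, if any
    in_cache: bool             # address has a neighbour-cache entry at all
    arp_mac: Optional[str]     # MAC from the cache; None means no ARP reply
    dhcp_mac: Optional[str]    # MAC from the most recent DHCPACK for this address
    dhcp_host: Optional[str]   # hostname the client sent with that lease
    verdict: str               # up | silent-known-mac | silent-unknown | listed-only


def reconcile(sl_text: str, neigh_text: str, dhcp_text: str) -> Dict[str, Finding]:
    """One Finding per address in the -sL listing, graded by what actually answered."""
    listed, cache, acks = parse_list_scan(sl_text), parse_neighbours(neigh_text), parse_dhcp_acks(dhcp_text)
    findings: Dict[str, Finding] = {}
    for ip, rdns in listed.items():
        arp_mac = cache.get(ip)
        dhcp_mac, dhcp_host = acks.get(ip, (None, None))
        if arp_mac:
            verdict = "up"                # answered ARP: a live host with a known MAC
        elif dhcp_mac:
            verdict = "silent-known-mac"  # no ARP reply now, but a lease names its MAC
        elif ip in cache:
            verdict = "silent-unknown"    # we asked, nothing answered, no lease on record
        else:
            verdict = "listed-only"       # -sL enumerated it; no evidence of a host
        findings[ip] = Finding(ip, rdns, ip in cache, arp_mac, dhcp_mac, dhcp_host, verdict)
    return findings


# Constructed sample input (invented addresses, MACs and names; not real capture data).
NMAP_SL_OUTPUT = """\
Starting Nmap 7.70 ( https://nmap.org ) at 2019-10-21 10:00 CDT
Nmap scan report for gw.lan (10.0.0.1)
rDNS record for 10.0.0.1: router.lan
Nmap scan report for printer.lan (10.0.0.5)
Nmap scan report for unknown-laptop.lan (10.0.0.23)
Nmap scan report for 10.0.0.24
Nmap scan report for 10.0.0.30
Nmap done: 5 IP addresses (0 hosts up) scanned in 0.01 seconds
"""
ARP_OUTPUT = """\
? (10.0.0.1) at 00:aa:bb:cc:dd:01 [ether] on wlp0s20f3
? (10.0.0.5) at 00:11:22:33:44:55 [ether] on wlp0s20f3
? (10.0.0.23) at <incomplete> on wlp0s20f3
? (10.0.0.24) at <incomplete> on wlp0s20f3
"""
DHCPD_LOG = """\
Oct 20 09:12:01 gw dhcpd[1234]: DHCPREQUEST for 10.0.0.23 from aa:bb:cc:dd:ee:ff (unknown-laptop) via wlp0s20f3
Oct 20 09:12:01 gw dhcpd[1234]: DHCPACK on 10.0.0.23 to aa:bb:cc:dd:ee:ff (unknown-laptop) via wlp0s20f3
Oct 20 09:15:44 gw dhcpd[1234]: DHCPACK on 10.0.0.5 to 00:11:22:33:44:55 (printer) via wlp0s20f3
Oct 20 18:03:10 gw dhcpd[1234]: DHCPACK on 10.0.0.23 to de:ad:be:ef:00:01 via wlp0s20f3
"""

if __name__ == "__main__":
    for f in reconcile(NMAP_SL_OUTPUT, ARP_OUTPUT, DHCPD_LOG).values():
        print(f"{f.ip:<12} {f.verdict:<17} rdns={f.rdns} arp={f.arp_mac} "
              f"last_lease={f.dhcp_mac} ({f.dhcp_host})")
```

On a real host, feed the three functions the output of `nmap -sL 10.0.0.0/24`, `arp -a` (or `ip neigh`) and the dhcpd lines from syslog. A "silent-known-mac" verdict is the case the answer describes: the DHCP log still tells you which MAC last held the address even though the ARP entry is <incomplete>. Note that the sample deliberately re-leases 10.0.0.23 to a second client later in the log, so the earlier lease's MAC would be the wrong one to act on.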