Mining Live Networks for OUI Data Oddness

Published: 2019-10-10
Last Updated: 2019-10-10 12:40:24 UTC
by Rob VandenBrink (Version: 1)
0 comment(s)

My last story was a short script that takes MAC addresses in, and returns the OUI portion of that, along with the vendor who corresponds to that OUI.  (https://isc.sans.edu/diary/Mining+MAC+Address+and+OUI+Information/25360) Today we'll port that to PowerShell as a function and use that on a live network for some "hunting" to look for odd things.

A few things to note:

  • The original script has been updated so that it cleans up the download a bit better (mostly for this PowerShell implementation to use)
  • The PowerShell version doesn't download the data file, so to use this you'll need to download and run the original script.
  • So if you've already used that script, pull it down again and update the data file.
  • So far, this script handles the standard 24 bit (3 byte) OUIs.  28 and 36 bit OUIs match on the first 24 bits only (so far).

On with today's story - First, the function:

# assumes that the oui.txt file exists, and that its in c:\utils - edit this to fit your implementation
# declare this variable globally so that the OUILookup function doesn't have read the file each time it is called

$global:ouilist = import-csv -Delimiter "`t" -path "c:\utils\oui.txt"

function OUILookup {
    # limited to traditional 6 digit OUIs for now

    # take the input, replace all mac delimeters
    $MAC = $args[0] -replace "[-:\.]",""

    # grab the first 6 chars for an OUI first pass
    $OUI = $MAC.Substring(0,6).ToUpper()

    #find the OUI in the table
    foreach ($entry in $ouilist){
      if ($oui -eq $entry.OUI){
         return $entry
     }
  }
}

How can we use this?  In our first case, let's read all MAC addresses from a switch, then lookup the vendor for each unique MAC.  There are several OID (Object ID) strings that return MAC addresses, I picked the one I did because it also returns the interface number the MAC is associated with - that might be useful in a future story :-)
 
Note that I'm using SNMPv2 in this (just to keep the code simple).  I would strongly suggest that you use SNMPv3 in any production environment (SNMPv2 calls and returns are all in clear text, SNMPv3 adds encryption).  I'd also suggest that you use an ACL on your SNMP configuration so that only trusted hosts are allowed to make SNMP calls.  The CIS Benchmark for your switch will give you more detail on this, as well as a plethora of other advice on hardening your switch configuration against various attacks.

$IP = "192.168.122.6"

$OID = ".1.3.6.1.2.1.17.4.3.1.2"

$CommString = "SomeComplexString"

 

$WalkVals = invoke-snmpwalk -ip $IP -OIDStart $OID -Community $CommString -Walkmode WithinSubtree

 

$trimlength = $OID.length +1

$MACtoOUIList = @()

 

foreach($val in $walkvals) {

   # get the decimal representation of the MAC

   $macdec = ($val.oid).Substring($trimlength)

   $machex = ""

   $macdec.split(".") | foreach { $machex += '{0:x2}' -f [int32]$_ }

   $ouitemp = ouilookup $machex

   $ouitemp | add-member -membertype NoteProperty -name MAC -value $machex.toupper()

   $MACtoOUIList += $ouitemp

   }                      

Now we have the list of MACs with the OUI information for each:

$MACtoOUIList

OUI    Vendor   VendorString          MAC        
---    ------   ------------          ---        
000C29 Vmware   VMware, Inc.          000C299E2499
000C29 Vmware   VMware, Inc.          000C299F48E4
002179 Iogear   IOGEAR, Inc.          002179C4214F
005F86 Cisco    Cisco Systems, Inc    005F86D7E636
005F86 Cisco    Cisco Systems, Inc    005F86D7E64E
1002B5 IntelCor Intel Corporate       1002B53F75AF
2C4D54 AsustekC ASUSTek COMPUTER INC. 2C4D54B0CB50
305A3A AsustekC ASUSTek COMPUTER INC. 305A3AC53618
38D547 AsustekC ASUSTek COMPUTER INC. 38D547E59358
40B034 HewlettP Hewlett Packard       40B0347248E4
6C19C0 Apple    Apple, Inc.           6C19C09CF5AF
6C96CF Apple    Apple, Inc.           6C96CFAFC428
8866A5 Apple    Apple, Inc.           8866A54044E0
9061AE IntelCor Intel Corporate       9061AEF05A14
A0CEC8 CeLink   Ce Link Limited       A0CEC817F51F
D04F7E Apple    Apple, Inc.           D04F7E776F2B
DCEB94 Cisco    Cisco Systems, Inc    DCEB94742629
E4E130 TctMobil TCT mobile ltd        E4E1301676C5

Let's sort and group them now, to get a count of unique OUIs.  We'll sort them so that the "outliers" bubble up to the top - in so many situations we're looking for values that are "odd"

$MACtoOUIList | select OUI, Vendor | sort -Property OUI | Group-Object OUI,Vendor -NoElement | sort count

Count Name                  
----- ----                    
    1 002179, Iogear          
    1 1002B5, IntelCor        
    1 2C4D54, AsustekC        
    1 305A3A, AsustekC        
    1 38D547, AsustekC        
    1 40B034, HewlettP        
    1 6C19C0, Apple           
    1 6C96CF, Apple           
    1 8866A5, Apple           
    1 9061AE, IntelCor        
    1 A0CEC8, CeLink          
    1 D04F7E, Apple           
    1 DCEB94, Cisco           
    1 E4E130, TctMobil        
    2 000C29, Vmware          
    2 005F86, Cisco     

Not a lot of oddness to find on my home network - that TctMobil OUI I think is my wife's new phone, which was interesting - that's about it.

Let's cast our net a bit wider, and read the DHCP database from a windows DHCP server and return the vendor for each MAC address, with the device name and IP.
We covered how to "mine" the DHCP database in a story a while back: https://isc.sans.edu/forums/diary/DNS+and+DHCP+Recon+using+Powershell/20995/

       
First, collect the DHCP Leases, then for each MAC Address (Client-ID), get the OUI, all collected into on variable list:

$leases = foreach ($lease in $leases) { $targetouilist += OUILookup $lease.clientid }
$targetouilist = @()
foreach ($lease in $leases) { $targetouilist += OUILookup $lease.clientid }

Again, lets look for outliers, sorting by ascending count:

$MACtoOUIList | select OUI, Vendor | sort -Property OUI | Group-Object OUI,Vendor -NoElement | sort count

Count Name                    
----- ----                    
    1 0004F2, Polycom         
    1 AC88FD, Apple           
    1 A85C2C, Apple           
    1 A46CF1, SamsungE        
    1 A41F72, Dell            
    1 A0D795, Apple           
    1 A0C9A0, MurataMa        
    1 9CEBE8, BizlinkK        
    1 9C5A44, CompalIn        
    1 985FD3, Microsof        
    1 9800C6, Apple           
    1 9061AE, IntelCor        
    1 88E9FE, Apple           
    1 843A4B, IntelCor        
    1 842B2B, Dell            
    1 80C5F2, Azurewav 

In a network of a couple thousand workstations, there definitely is some stuff to dig into here.  Just for starters (and without more than a glance at the data), this client had recently completed a VOIP migration from one vendor to another - you see from our "outliers" list that there's one phone that got missed.  I'll be digging into this a bit more (and for a few more clients) over the next while - feel free to do the same! (on your own networks of course)

Please, use our comment form and let us know if you find anything "interesting"!

===============
Rob VandenBrink
rob <at> coherentsecurity.com

Keywords: hunting layer 2 oui
0 comment(s)

Comments


Diary Archives