Last updated at Mon, 07 Mar 2022 16:53:44 GMT
Written in collaboration with Jimmy Cancilla
When scanning an asset, one key piece of data that the InsightVM Scan Engine collects is the MAC address of the network interface used during the connection. The MAC address is one of several attributes used by the Security Console to perform asset correlation. As a result of the volatile nature of IP addresses, identifying assets using the MAC address can provide increased reliability when integrating scan results. In some cases, the MAC address can be used as a rudimentary means of fingerprinting an asset. Several manufacturers will use the same first 3 bytes when assigning a MAC address to a device (for example, several CISCO SYSTEMS, INC devices use 00000C as the MAC address prefix).
When performing an authenticated scan (a scan whereby the engine has the necessary credentials to authenticate to the target), collecting the MAC address is relatively straightforward, as all operating systems provide tooling to gather this information. However, collecting the MAC address with an unauthenticated scan (a scan where no credentials are provided) is less reliable. This is due to limitations of network protocols and modern network topologies.
Breaking down IP protocols
In order to understand these limitations, it is important to first understand the fundamentals of the IP protocol suite.
The IP protocol suite can be thought of in 4 layers:
The MAC address is part of the bottom layer called the Link Layer. The MAC address is used by the hardware when communicating with other devices on the same network equipment. Any devices communicating at the Link layer do so without the use of routers.
On the other hand, IP addresses are part of the Network layer. IP addresses are used to communicate with devices across different networks, traversing through routers.
MAC address discovery with unauthenticated scans
This leads to the limitation in unauthenticated scans. When performing an unauthenticated scan against assets that are accessed via a router, the scan engine is only able to communicate with that asset via the Network layer. The implications of this are that the MAC address is not included in the network packets received by the scan engine. This is not a limitation or defect of the scan engine, but rather a reality of the IP protocol suite and modern network infrastructure.
To work around these limitations in the IP protocol suite, the InsightVM scan engine uses several alternative methods to attempt to collect the MAC address of assets being scanned. In general, these alternative methods attempt to authenticate to an asset over various protocols using known default credentials. As a result of this capability in the scan engine, asset results from unauthenticated scans may include the MAC address despite being scanned over a router. However, it is important to note that the success rate is dependent on whether assets are configured to allow authentication using default credentials.
Note: SNMPv1 and SNMPv2 are more likely than most protocols to be configured with known default credentials.
Summary
The following tables outline the different methods that the scan engine will use to collect MAC addresses from targets, and whether or not authentication is required.
Windows
| Method | Authenticated or unauthenticated scan |
|---|---|
| via SMB protocol | Authenticated |
| via WMI protocol | Authenticated |
| Scan Assistant | Authenticated |
| SNMPv1 or SNMPv2 | Authenticated or unauthenticated Note: Collecting the MAC address via SNMPv1 or SNMPv2 with an unauthenticated scan is only possible if the scan engine can authenticate using the default credentials for these protocols. However, it is not recommended that default credentials be left enabled as this poses a serious security risk. |
Linux
| Method | Authenticated or unauthenticated scan |
|---|---|
| Via SSH protocol | Authenticated |
| Via an insecure Telnet protocol | Authenticated Note: Running an insecure Telnet server on an asset is a serious security risk and is not recommended. |
| SNMPv1 or SNMPv2 | Authenticated or unauthenticated Note: Collecting the MAC address via SNMPv1 or SNMPv2 with an unauthenticated scan is only possible if the scan engine can authenticate using the default credentials for these protocols. However, it is not recommended that default credentials be left enabled as this poses a serious security risk. |
Over the years, the engineering team here at Rapid7 has partnered with dozens of security teams to identify pain points and develop solutions. The importance of collecting the MAC address for targets being scanned is well understood. As a result, the InsightVM Scan Engine has been designed to utilize a multi-pronged approach to collecting MAC addresses from assets.
Additional reading:
- What's New in InsightVM and Nexpose: Q4 2021 in Review
- Log4Shell 2 Months Later: Security Strategies for the Internet's New Normal
- Dropping Files on a Domain Controller Using CVE-2021-43893
- Distribute Reports to Email Addresses in InsightVM
