Hour 136: ARP Tables and TCL Scripts Part 2

In my last post I shared a technique in which you refresh your switches ARP tables and then keep the ip-mac-port mapping in a database for future reference. I would first like to say that there are some 3rd party monitoring software tools that can do the same job for you as a TCL script but sometimes, due to licensing or security reasons you won’t be able to add SNMP read/write access to some devices. Also, sometimes you will have a network that is not routed to your monitoring servers. For these reasons, it’s important to be able to know a little bit of scripting to automate the data aggregation process.

I did not find any script that worked with 6500’s on the internet so I created my own for you guys to use if needed. It will display the IP address – Mac Address – Physical Interface – Logical Interface – Description on the port. Here it is:

proc arpThistable {} {
set ARP [split [exec “show ip arp | e Protocol| -“] “\n”]
foreach line $ARP {
set IP [lindex $line 1]
set MAC [lindex $line 3]
set LOG [lindex $line 5]
set INT [exec “show mac address-table address $MAC | i Gi|Te”]
set PHY [lindex $INT 6]
set DESC [exec “show run interface $PHY | i description”]
puts “$IP $MAC $PHY $LOG $DESC”

Hope this was useful.

Hour 133: Arp Tables and more TCL Scripts

In a large environment, tracking down hosts and servers can be quite a challenge depending on the situation. If the host/server is reachable through ICMP, the task is fairly easy as you can resolve a port/MAC relationship with the last hop device ARP table. What if the server/host has a port configuration issue or physical cabling issue and the arp-cache of its connected device has timed-out?

This is a problem that you can encounter and unfortunately there is not a lot you can do in this situation other than physically trace the cable from the server/host to the device it’s connecting to. This isn’t feasible in most large environments because the process of tracking a cable in a data-center can be strenuous and time consuming. The best solution to prevent this would be to run scheduled back-ups of the arp tables and MAC address tables every day and consolidate them. This way you will have a MAC to ip to port relationship database and history for future reference. Next time a sysadmin gives you the MAC address or ip of a server that you cannot reach, you can find its last known location through your database.

Before you start running backups of the arp-tables, you need to make sure that all the clients/servers MAC’s are actually cached in the switches you are polling backups from. To do this, simply run a TCL ping sweep script from the switch to wake the un-cached ports. Here’s a TCL ping sweep script that I use:

for {set i 1} {$i <= 254} {incr i} {
set var 10.1.1.
append var $i
ping $var rep 2 time 1}

This script sends 2 ICMP echo requests and if there is no entry in the ARP table, the echo request is unconditionally dropped and an ARP request is sent instead. After that, you can run another custom script to get the IP/MAC/Physical interface information or just run the show ip arp and show mac-address-table commands and store the output with a date and time for future use.

Hour 125: TCL scripting powerful and dangerous

Most of the new IOS versions of Cisco routers and switches have implemented IOS scripting through TCL. TCL (Tool Command Language) is a scripting language commonly used for rapid prototyping and scripting applications. We can use TCL in various situations, from running a simple ping sweep, to creating complex network port scanning tools and even creating backdoors on devices. First, I will show you how to create and run a scripted Port/Network scanner that runs on a Cisco router called IOSmap. You can download the TCL script that will do this here. This tool can be used in a multi-layer attack; using a compromised router for pivoting. Pivoting is a method that uses a compromised system to attack other systems on the same network to avoid restrictions such as firewall configurations, which may prohibit direct access to all machines. In this scenario, we will pretend the attacker compromised an edge router and is using TCL to his advantage to pivot scans and attacks in the network. I am using using TFTP32 on a Windows machine on the same network to host the IOSmap script. You can download TFTP32 here.

Note: *Make sure you extract both files IOSmap.tcl and services.list in the same directory of TFTP32 or you will get a tclsh compilation error Continue reading