How to identify a remote device…

A relatively easy way to get a Mac address… On an unknown device without having physical access to the computer or device.  The only caveat is that the device must be on the local network, if it is not on the same subnet, you will not be able to get the MAC address of the device.

So, assume you have some unknown device hanging off your network. How you came to know about it irrelevant. Maybe you noticed some unusual protocols or traffic volume, maybe you suddenly lost connectivity to an entire segment. The next step is finding out what the device is. Is it a regular PC? Some sort of server? A switch, or perhaps a router?

Who made it?

One of the first – and easiest – things to find out about a device is who made it. All you need for this is the MAC address (or at least its IP address, for starters), which you can then check against the IEEE’s Organization Unique Identifier listings at http://standards.ieee.org/regauth/oui/index.shtml. If you only have the IP address, you can easily obtain its MAC address. Provided you’re currently on the same switched LAN and VLAN as your target device, all you need to do is create some traffic between yourself and your target. A simple ping will suffice. Then, retrieve the MAC address corresponding to its IP from your system’s ARP cache.

C:\> ping -n 1 192.168.10.16
Pinging 192.168.10.16 with 32 bytes of data:

Reply from 192.168.10.16: bytes=32 time=4ms TTL=64

Ping statistics for 192.168.10.16:
Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 4ms, Maximum = 4ms, Average = 4ms

C:\> arp -a 192.168.10.16

Interface: 192.168.4.2 — 0x2
Internet Address      Physical Address      Type
192.168.10.16         00-0c-41-45-a9-d6     dynamic

For a Macintosh, the ARP command would be:     arp 192.168.10.16   (no -a flag)

Now head over to http://standards.ieee.org/regauth/oui/index.shtml. The first three segments of the mac address identify the hardware manufacturers identity…  For example, 00-30-48 is manufactured by Sun Micro Computer…  The 00-0c-41 is made by “Cisco-Linksys”.  If the Mac address starts with “00-50”, it is an IAB, otherwise it is an OUI.

What is an OUI?  It is an Organization Unique Identifier, in otherwords, it identifies what manufacturer made the product.  An IAB, is similar but has a small block for unique IDs…

Once you have the manufacturer, it should be easier to be able to identify the mysterious hardware….