Identifying device vendors by MAC
By stretch | Friday, July 4, 2008 at 3:03 a.m. UTC
One resource I've found incredibly valuable in performing network reconnaissance is the IEEE's MAC OUI database. An Organizationally Unique Identifier (OUI) makes up the first 24 bits of a MAC address, and serves to identify the owner of an address range (typically the NIC manufacturer) with the goal of preserving global uniqueness.
Although the IEEE's instructions state that OUIs should be entered in
XX-XX-XX format (the first half of a hexadecimal MAC address), dashes are optional, and you can also search by text string to identify all OUIs owned by a particular company (for example, "cisco systems"). Alternatively, the full list is available for download in plain text format.
The database isn't always 100% telling, as the IEEE notes many manufacturers subcontract the production of interface circuitry, consequently delegating the assignment of burned-in addresses. However, the database has helped me numerous times to identify a rogue router emplaced by a customer or a legitimate infrastructure device which was overlooked in existing documentation and not otherwise remotely identifiable.
About the Author
Jeremy Stretch is a network engineer living in the Raleigh-Durham, North Carolina area. He is known for his blog and cheat sheets here at Packet Life. You can reach him by email or follow him on Twitter.
Posted in Resources
July 7, 2008 at 3:41 p.m. UTC
Here is another good source for finding MAC addresses.