
Ethernet MAC Addresses

🗓️ 16 Oct 2015 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 210 Views

This plugin gathers MAC addresses from various sources and consolidates them into a list. It gathers MAC addresses discovered both by remote probing of the host (e.g. SNMP and NetBIOS) and by running local checks (e.g. ifconfig). It then consolidates the MAC addresses into a single, unique, and uniform list.

Code
#TRUSTED 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
#TRUST-RSA-SHA256 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
##
# (C) Tenable, Inc.
##

include("compat.inc");

# Registration block: when 'description' is set, only the metadata below is
# recorded and the script exits (exit(0) at the end of the block) before any
# MAC address collection code runs.
if(description)
{
  script_id(86420);
  script_version("1.8");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/06/10");

  script_name(english:"Ethernet MAC Addresses");

  script_set_attribute(attribute:'synopsis', value:
"This plugin gathers MAC addresses from various sources and
consolidates them into a list.");
  script_set_attribute(attribute:'description', value:
"This plugin gathers MAC addresses discovered from both remote probing
of the host (e.g. SNMP and Netbios) and from running local checks
(e.g. ifconfig). It then consolidates the MAC addresses into a single,
unique, and uniform list.");

  # Informational plugin: there is nothing to remediate, so no solution and
  # no risk rating are assigned.
  script_set_attribute(attribute:"solution", value:"n/a");
  script_set_attribute(attribute:"risk_factor", value:"None");

  script_set_attribute(attribute:"plugin_publication_date", value:"2015/10/16");

  # "combined": consistent with the description above, which names both remote
  # probing and local checks as data sources.
  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_end_attributes();

  # Information-gathering category; the plugin only reports what it collected.
  script_category(ACT_GATHER_INFO);
  script_family(english:"General");

  script_copyright(english:"This script is Copyright (C) 2015-2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Plugins that run before this one.  Judging by their names they cover
  # NetBIOS, SSH local information, SNMP interfaces, WMI, ifconfig and
  # traceroute -- presumably the sources get_all_macs() consolidates; confirm
  # against mac_address_func.inc.  The completeness of the resulting list
  # therefore depends on which of these sources succeeded for the target.
  script_dependencies("netbios_name_get.nasl", "ssh_get_info.nasl", "snmp_ifaces.nasl", "bad_vlan.nasl", "wmi_list_interfaces.nbin", "ifconfig_mac.nasl", 'traceroute.nasl');

  exit(0);
}

include("mac_address_func.inc");
include("spad_log_func.inc");
include("oui.inc");

# Break the OUI text (presumably supplied by oui.inc) into individual lines,
# discarding the line terminators.
var oui_lines = split(oui, keep:FALSE);

# The unsplit copy is not needed any more; release it before sorting.
oui = NULL;

# The vendor lookup further down is a binary search, which needs sorted input.
oui_lines = sort(oui_lines);


# Collect the consolidated MAC address list.  When it is empty the plugin
# stops here; the exit message still names any addresses that were seen but
# classified as unreliable, so they remain visible in the audit trail.
var all_macs = get_all_macs();
if (empty_or_null(all_macs))
{
  if (empty_or_null(mac_address::unreliable_mac_addresses))
    exit(0, 'No MAC addresses were detected.');

  exit(0, 'No reliable MAC addresses were detected. These unreliable MAC addresses were detected: ' + join(mac_address::unreliable_mac_addresses, sep:', '));
}

##
#  Some network devices allow for 'provisioning' of additional
#  devices which are not yet present.  Provisioned devices
#  that are not yet present should not be reported.
#
#  In the case of Cisco, these provisioned devices/interfaces have placeholder
#  mac address(es) in the range 00:00:00:00:00:<something>, where
#  <something> starts at 01 and increments in hex:
#  01 to 0F, then 11-1F, then 21-2F, etc
##

var check_for_provisioned_macs = FALSE;
var mac_addr;

# One address in the 00:00:00:00:00:XX placeholder range is enough to trigger
# the vendor check that follows, so the scan stops at the first hit.
foreach mac_addr (all_macs)
{
  if ("00:00:00:00:00:" >!< mac_addr) continue;

  spad_log(message:'Suspicious mac encountered.  Checking for evidence of provisioned mac addresses.');
  check_for_provisioned_macs = TRUE;
  break;
}


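# Remove "provisioned" placeholder MAC addresses (00:00:00:00:00:XX) from the
# consolidated list, but only when at least one other MAC address on the host
# resolves to a Cisco OUI.  Without that evidence the list is left untouched.
if (check_for_provisioned_macs)
{
  # The trailing colon matters.  The placeholder range is 00:00:00:00:00:XX;
  # a substring test without the final colon also matches addresses of the
  # form XX:00:00:00:00:00, which would then be dropped from the inventory
  # even though they are outside the placeholder range.  The same prefix is
  # used for both the vendor scan and the filtering step so the two agree.
  var provisioned_prefix = "00:00:00:00:00:";
  var cisco_encountered = FALSE;
  var line, e;

  foreach mac_addr (all_macs)
  {
    # Placeholder addresses carry no vendor information.
    if (provisioned_prefix >< mac_addr) continue;

    # Build the lookup key from the first three octets: colons removed,
    # upper-cased, followed by one space (presumably the layout of the lines
    # in oui.inc -- confirm there).
    e = ereg_replace(string: mac_addr, pattern: "^(..):(..):(..):.*", replace: "\1\2\3 ");
    e = toupper(e);
    line = my_bsearch(v: oui_lines, e: e);
    if (line)
    {
      if ("Cisco Systems, Inc" >< line)
      {
        cisco_encountered = TRUE;
        break;	# One Cisco interface is sufficient evidence
      }
    }
  }

  if (cisco_encountered)
  {
    spad_log(message:'Provisioning scenario encountered');
    var new_all_macs = make_list();
    foreach mac_addr (all_macs)
    {
      if (provisioned_prefix >!< mac_addr)
      {
        append_element(var: new_all_macs, value:mac_addr);
      }
      else
      {
        # Every discarded address is logged so the removal can be audited.
        spad_log(message:'Discarding provisioning mac ' + mac_addr + '\n');
      }
    }
    all_macs = new_all_macs;

    # Filtering may have removed every address that was collected.
    if (empty_or_null(all_macs))
      exit(0, "No MAC addresses were detected.");
  }
}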


# Start the plugin output with one bullet per consolidated MAC address.
var report = 'The following is a consolidated list of detected MAC addresses:\n';
foreach mac_addr (all_macs)
  report = strcat(report, "  - ", mac_addr, '\n');

# Build the report lines for MAC addresses that were not classified as
# reliable.
#  - Only MAC addresses from ARP responses are supported at this time.
#  - Each line names the detection method and the sources behind it, e.g.:
#    The following is a list of potentially unreliable MAC addresses:
#      - 00:50:43:AC:6D:10 (ARP: multi-hop traceroute)
var methods, method, sources, report_line;
var report_lines = [];

for (mac_addr in mac_address::classified_mac_addresses)
{
  # Reliable addresses are already covered by the consolidated list.
  if (!mac_address::classified_mac_addresses[mac_addr].reliable)
  {
    methods = mac_address::classified_mac_addresses[mac_addr].methods;

    # One output line per detection method, with its sources joined by ' / '.
    for (method in methods)
    {
      sources = methods[method];
      report_line = strcat('  - ', mac_addr, ' (', method, ': ', join(sources, sep:' / '), ')');
      append_element(var:report_lines, value:report_line);
    }
  }
}

# Append the unreliable-address section only when there is something to list.
if (!empty_or_null(report_lines))
  report = strcat(report, '\n\nThe following is a list of potentially unreliable MAC addresses:\n', join(report_lines, sep:'\n'));


# Emit the finding as a note on port 0.
security_report_v4(port:0, severity:SECURITY_NOTE, extra:report);


10 Jun 2025 00:00Current
5.4Medium risk
Vulners AI Score5.4
210