tracking down anon user

skisteven1

Senior member
Jul 15, 2003
Given someone's IP, what's the best way to find their MAC address? I have Windows XP and Knoppix available (incl. ettercap, but I don't really know how to use it). I can put myself on the same subnet, but likely not behind the same switch. Host does not respond to ping and/or portscan (once it responded with port 80 open, so I'd imagine it's up, just firewalled).

Suggestions?

Background: Someone sent an anonymous email on my "behalf" from my building. I've got the IP it came from, and I'd like to track them down so I know who I should stop talking to.

Thanks
 

Slowlearner

Senior member
Mar 20, 2000
First do a reverse IP lookup - google for "reverse ip". That should give you a pretty good idea where the email originated from. If you have access to the recipient's email program, examining the headers for the offending email may also give some clues.

MAC addresses are unique to the NIC/modem/router and there is no publicly available database for the literally millions of such devices. With dynamic addressing the norm for individual users, there is no reliable way to link an IP address to a machine without looking at ISP logs and such.
 

spidey07

No Lifer
Aug 4, 2000
If you can get on the same subnet, just ping it. Doesn't matter if it responds or not. There will be an entry in your ARP table (a table mapping IP and MAC addresses).

Then just run "arp -g" on your PC.
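
The ARP lookup described in the post above, as an added example that is not part of the original thread: a small parser for `arp -a`/`arp -g` output on Windows and `arp -an` output on Linux (Knoppix) that returns the MAC cached for an IP and flags entries that never resolved. The sample outputs, addresses and function names are constructed for illustration, and an entry only appears for a host in the same broadcast domain as the machine running the command.

```python
import re

# Constructed sample output (made-up addresses): Windows "arp -a" / "arp -g"
WINDOWS_ARP = """\
Interface: 192.168.1.23 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-0d-3a-11-22-33     dynamic
  192.168.1.57          00-50-ba-aa-bb-cc     dynamic
  192.168.1.80          00-00-00-00-00-00     invalid
"""

# Constructed sample output (made-up addresses): Linux "arp -an"
LINUX_ARP = """\
? (192.168.1.1) at 00:0D:3A:11:22:33 [ether] on eth0
? (192.168.1.57) at 00:50:BA:AA:BB:CC [ether] on eth0
? (192.168.1.80) at <incomplete> on eth0
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
MAC = r"((?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2})"
WIN_ROW = re.compile(rf"^\s*{IP}\s+{MAC}\s+(\w+)\s*$")
LINUX_ROW = re.compile(rf"^\S+ \({IP}\) at (?:{MAC}|<incomplete>)")


def parse_arp(text):
    """Return {ip: mac or None}; None means no ARP reply was cached."""
    table = {}
    for line in text.splitlines():
        m = WIN_ROW.match(line)
        if m:
            ip, mac, kind = m.groups()
            if kind == "invalid":      # request sent, nothing answered
                mac = None
        else:
            m = LINUX_ROW.match(line)
            if not m:
                continue               # header or unrelated line
            ip, mac = m.groups()       # mac is None for <incomplete>
        # Normalise to lower-case, colon-separated form for comparison
        table[ip] = mac.lower().replace("-", ":") if mac else None
    return table


def lookup(text, ip):
    """Return the cached MAC, 'unresolved', or 'no entry' for ip."""
    table = parse_arp(text)
    if ip not in table:
        return "no entry"
    return table[ip] or "unresolved"
```
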
 

fuzzynavel

Senior member
Sep 10, 2004
Will that person still have the same IP now as when the email was sent? DHCP usually has a lease system and expires after a certain time... be sure that you are not attacking the wrong person!
 

skisteven1

Senior member
Jul 15, 2003
Originally posted by: fuzzynavel
Will that person still have the same IP now as when the email was sent? DHCP usually has a lease system and expires after a certain time... be sure that you are not attacking the wrong person!

Our building has static IPs assigned by DHCP. As long as you have the same MAC, it's the same IP.

Also, he sent it through Yahoo, so as far as I know, the only info I can get is the IP. I can post the headers here if you want.