yurisk.info » Linux

MAC finder script

Yuri — Fri, 02 Jul 2010 05:35:37 +0000

While I don’t like going down to Layer 2 , recently I had to do it – I didn’t know IP address of the Cisco router I wanted to connect to but I had access to the Cisco router sitting in the same network. That would be pretty easy to do #show arp on this router and then search on Google to whom belongs each MAC if it wasn’t the subnet mask of /26. Copy pasting each entry of the ARP table into Google didn’t look like a lot of fun. So I wrote a python script that reads MAC addresses in bulk from command line and using downloaded beforehand database of MAC-vendor translations prints vendor for each MAC address. It works for #show arp on CIsco,#show mac-address-table on CIsco switches, #arp -en on Linux (means including Checkpoint), #arp -a on Freebsd ,#show arp of Junos from Juniper, #get sys arp on Fortigate.
Below is the script.
Here:
mac-database.txt – file containing MAC-vendor translation in format , I used standards.ieee.org/regauth/oui/oui.txt as the source with a bit of sed, but if you want ready to use file I recommend nmap-mac-prefixes from nmap source-code distribution http://nmap.org/svn/nmap-mac-prefixes
Download script (to make sure formatting is preserved, an important thing for Python)
http://yurisk.info/scripts/mac-finder.py
Script AND mac database from nmap project – http://yurisk.info/scripts/mac.tar.gz

#!/usr/bin/python
#This script accepts MAC addresses from the command line and
#prints vendor for each mac address
# Author:Yuri, yurisk@yurisk.info,06.2010
import sys
import re
#This function removes from MACs colon or dot and returns MAC as a sequence of HEX chars
def dotreplace(matchobj):
         if matchobj.group(0) == '.':
                return ''
         elif  matchobj.group(0) == ':':
                return ''
#open file with MAC addresses and vendors database,it has form xxxx 
macs=open('mac-database.txt','r')
macs_lines=macs.readlines()
#Read from stdinput
data = sys.stdin.readlines()
for ppp in data:
       popa=re.search('.*([a-f0-9]{4}\.[a-f0-9]{4}\.[a-f0-9]{4}).*',ppp,re.IGNORECASE)
       if popa:
             newpopa=re.sub('\.', dotreplace,popa.group(1))[0:6]
             newpopa_re=re.compile(newpopa,re.IGNORECASE)
             for mac_db in macs_lines:
                 vendor=re.search(newpopa_re,mac_db)
                 if vendor:
                    print ppp.strip(),mac_db[7:]
       popalinux = re.search('.*([a-f0-9]{2}:[a-f0-9]{2}:[a-f0-9]{2}:[a-f0-9]{2}:[a-f0-9]{2}:[a-f0-9]{2}).*',ppp,re.IGNORECASE)
       if popalinux:
             newpopalinux=re.sub(':',dotreplace,popalinux.group(1))[0:6]
             newpopalinux_re=re.compile(newpopalinux,re.IGNORECASE)
             for mac_db in macs_lines:
                 vendor=re.search(newpopalinux_re,mac_db)
                 if vendor:
                    print ppp.strip(),mac_db[7:]

       popadash = re.search('.*([a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}).*',ppp,re.IGNORECASE)
       if popadash:
             newpopadash=re.sub('-',dotreplace,popadash.group(1))[0:6]
             newpopadash_re=re.compile(newpopadash,re.IGNORECASE)
             for mac_db in macs_lines:
                 vendor=re.search(newpopadash_re,mac_db)
                 if vendor:
                    print ppp.strip(),mac_db[7:]

Running it:

[root@darkstar ]# ./mac-finder.py

$ arp -a
(10.99.99.150) at 00:50:56:95:74:72 on em0 [ethernet]
(10.99.99.254) at 00:09:0f:31:c8:24 on em0 [ethernet]

(10.99.99.150) at 00:50:56:95:74:72 on em0 [ethernet] VMware, Inc.
(10.99.99.254) at 00:09:0f:31:c8:24 on em0 [ethernet] Fortinet Inc.

Autologin Expect scripts for telnet/ssh

Yuri — Sun, 21 Sep 2008 17:28:02 +0000

Tired of typing over and over your username/password when using
telnet/ssh ? Here are Expect http://expect.nist.gov/ scripts to autologin by Telnet and ssh
Notes:
- Yes, it is not secure to keep you username/password saved somewhere, so know
what you do . In my opinion as long as this
is a dedicated for remote logins server, that has no access from outside, and hardened accordingly
(pertinent to the scripts – only owner/root can read user’s home folder, etc.,) the risk is acceptable.

Note 2: password is saved in a file named “sword”

cat tel
#!/usr/local/bin/expect Change to the location of your Expect package

proc Usage {} {
puts “\n tel \n”
return
}

set argnumber [llength $argv]

if {$argnumber==0} {
      puts “You need to specify at least one piece of equipment to log into\n”
      Usage
      exit

   } elseif {$argnumber>1} {
       puts “You specified too many arguments, only one please\n”

      Usage
       exit
                  }

set hostName [lindex $argv 0]

puts “Entering $hostName”
set username “myusername”
set HANDL [open "sword"]
set password [gets $HANDL]
close $HANDL
spawn telnet $hostName
expect {[Uu]sername*} {
send “$username\r”
}

expect {[Pp]assword:} {
send “$password\r”
}

#Cisco specific block – to enter enable level, you may remove this block if not needed
expect {*#} {
send “enable\r” }

expect {[Pp]assword:} {
send “$password\r”
}
#End of Cisco specific block

interact

Now SSH login script
> cat essh
#!/usr/local/bin/expect Change to the location of your Expect package

proc Usage {} {
puts “\n essh \n”
return
}

set argnumber [llength $argv]

if {$argnumber==0} {
      puts “You need to specify at least one piece of equipment to log into\n”
      Usage
      exit

   } elseif {$argnumber>1} {
       puts “You specified too many arguments, only one please\n”

      Usage
       exit
                  }

set hostName [lindex $argv 0]

puts “Entering $hostName”
set username “myusername”
set HANDL [open "sword"]
set password [gets $HANDL]
spawn ssh $hostName

expect {[Pp]assword:} {
send “$password\r”
}

#Again goes Cisco – specific block , remove if not needed
expect {*#} {
send “enable\r” }

expect {[Pp]assword:} {
send “$password\r”
}
#End of Cisco – specific block

interact

find quicky

Yuri — Sat, 06 Sep 2008 07:55:17 +0000

The few find templates I find useful in a day to day job.

The ones below were of great help when I had to clean Esafe that had more
than 100,000 files in the spool ! So usual shell wild-card expansion didn’t work
(try to do ls in a folder with 130000 files So I removed files
by date – files created last 24 hours per remove.
find . -mtime 0 -exec rm -f {} \; find . -mtime 0 # find files created/modified within the past 24 hours find . -mtime -1 # find files created/modified within the past 0 - 24 hours find . -mtime 1 # find files modified between 24 and 48 hours ago find . -mtime +1 # find files modified more than 48 hours ago find . -mmin +3 -mmin -10 # find files modifed between 4 and 9 minutes
Default is logical AND between clauses
NB the -regexp switch to the find looks for a complete match !
Finding by permission pattern and then removing:
- FInd files that have at LEAST following permissions set
find . -type f -perm -0750 -exec rm -f {} \;
Find files with ANy of the permissions set:
find . -type f -perm +0750 -exec rm -f {} \;
and finally find files with pattern EXACTLY matching :
find . -type f -perm 0750 -exec rm -f {} \;
Find by UID filetype and size:
find . -type f -uid 0 -size +2k -exec ls -l {} \;
modifiers to size switch: b w k c