Fedora Linux Support Community & Resources Center
  #1  
Old 29th January 2010, 04:42 PM
hermouche Offline
Registered User
 
Join Date: Apr 2006
Location: Algeria
Posts: 807
MAC spoofing!

Hi everybody everywhere,

How to detect wireless LAN MAC address spoofing?

I am in an institution where we've got a wired and a wireless network, and almost every day I find new and strange MAC addresses in my network.

I know that because I've recorded all the MAC addresses which belong to my network. Moreover, all the boxes have a fixed IP address.

So, how to detect the spoofing box(es)?

Thanks a lot.

I should say that I'm in a network that has almost 100 boxes.

Thanks again

red
__________________
IBM ThinkPad z60m
  #2  
Old 29th January 2010, 05:04 PM
pete_1967 Online
Clueless in a Cuckooland
 
Join Date: Mar 2006
Location: Here now, elsewhere tomorrow.
Posts: 4,199
PDF link on that is broken; this works: http://www.net-security.org/article.php?id=364
__________________
A Drink is Not Just For Christmas - SaskyCom :thumb:


“Give a man a fish; you have fed him for today. Teach a man to fish; and you have fed him for a lifetime” so now go and...
RTFM FIRST: http://docs.fedoraproject.org/ & http://rute.2038bug.com/index.html.gz
  #3  
Old 29th January 2010, 05:35 PM
hermouche Offline
Registered User
 
Join Date: Apr 2006
Location: Algeria
Posts: 807
Quote:
Originally Posted by pete_1967 View Post
PDF link on that is broken; this works: http://www.net-security.org/article.php?id=364

Thanks a lot, I'll go through it as soon as possible.

A friend of mine told me the following solution; I have not tested it yet since I'm not in my office:

# yum install arpwatch
# arpwatch -i eth1
# tail -f /var/log/messages

The output of the last command should tell whether a host is spoofing or not?

red
__________________
IBM ThinkPad z60m
  #4  
Old 29th January 2010, 06:31 PM
Iron_Mike Offline
Registered User
 
Join Date: Jul 2005
Location: Ft Huachuca, AZ
Posts: 3,772
Are you running a "open" wireless network?
  #5  
Old 29th January 2010, 08:19 PM
hermouche Offline
Registered User
 
Join Date: Apr 2006
Location: Algeria
Posts: 807
Quote:
Originally Posted by Iron_Mike View Post
Are you running a "open" wireless network?
Yes, I do, and I'm almost sure that the problem is coming from the inside.

Thanks, Iron_Mike, though, for the reply.

red
__________________
IBM ThinkPad z60m
  #6  
Old 29th January 2010, 08:55 PM
forkbomb Offline
Registered User
 
Join Date: May 2007
Location: U.S.
Posts: 4,851
Quote:
Originally Posted by hermouche View Post
The output of the last command should tell whether a host is spoofing or not?

I'm missing something here. Are you using a MAC whitelist? You said you've recorded them, but not whether you're actually filtering AP access based on MAC address.

Without getting control of a machine that you suspect to be spoofing and comparing its factory-specified MAC to a MAC it's using, there's only one way to know if a given MAC address is spoofed: if it's outside of the assigned ranges of MAC addresses assigned to manufacturers by the IEEE (see here). Most digital miscreants are probably smart enough to spoof within assigned ranges for this reason to keep an air of legitimacy. Also google for a MAC address lookup.

Putting a MAC whitelist on a wireless AP without using encryption is minimal defense against somebody who knows what he's doing - MAC addresses can be sniffed out of the air, mind you, and then spoofed to match the suspected whitelist. Scenario may be something like this:
  1. A cracker wishes to gain access to your wireless network
  2. Your only "security" is a MAC whitelist - you know all the MACs of legitimate devices that are owned by the company
  3. Cracker attempts to connect and is rejected for not having a whitelisted MAC
  4. Cracker guesses that a MAC list is in effect. First thing he might try is to grab a MAC address via a wireless frame sniffer
  5. Cracker sets his MAC to the sniffed MAC assuming that any clients in the area have a chance of being on the whitelist

If you don't have encryption on the AP, MAC spoofing is only token security.
__________________
- Tom
"What is freedom? To have the will to be responsible for one's self." - Stirner

Last edited by forkbomb; 29th January 2010 at 08:59 PM.
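One way to put the recorded IP/MAC list from the first post, the arpwatch messages from post #3 and the assigned-range point above to work together (an added example, not code from any poster). The inventory, log lines and function names are constructed, and the message wording is assumed to follow arpwatch's usual syslog format.

```python
import re

# Constructed inventory of fixed IP -> recorded MAC, as the original poster keeps.
INVENTORY = {"192.168.1.10": "00:1a:2b:3c:4d:5e",
             "192.168.1.11": "00:1a:2b:3c:4d:5f"}

# Constructed syslog lines; assumed arpwatch wording is "<new MAC> (<old MAC>)".
SAMPLE_LOG = """\
Jan 29 17:40:01 gw arpwatch: new station 192.168.1.10 0:1a:2b:3c:4d:5e
Jan 29 17:41:12 gw arpwatch: new station 192.168.1.77 2:11:22:33:44:55
Jan 29 17:45:30 gw arpwatch: changed ethernet address 192.168.1.11 0:1a:2b:3c:4d:5e (0:1a:2b:3c:4d:5f)
Jan 29 17:45:31 gw arpwatch: flip flop 192.168.1.11 0:1a:2b:3c:4d:5f (0:1a:2b:3c:4d:5e)
Jan 29 17:46:00 gw kernel: eth1: link up
"""

EVENT = re.compile(r"arpwatch: (new station|changed ethernet address|flip flop) "
                   r"(\d+\.\d+\.\d+\.\d+) ([0-9a-fA-F:]+)")

def norm(mac):
    """arpwatch drops leading zeros (0:1a:...); pad every octet to two hex digits."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))

def locally_administered(mac):
    """True if the U/L bit (0x02 in the first octet) is set: not vendor-assigned."""
    return bool(int(norm(mac)[:2], 16) & 0x02)

def review(log, inventory):
    """Return (event, ip, mac, reason) for events that need a second look."""
    known_macs = set(inventory.values())
    alerts = []
    for line in log.splitlines():
        m = EVENT.search(line)
        if not m:
            continue                      # not an arpwatch event
        event, ip, mac = m.group(1), m.group(2), norm(m.group(3))
        if event == "flip flop":
            reason = "IP alternating between two MACs"
        elif inventory.get(ip) == mac:
            continue                      # recorded IP/MAC pair, expected
        elif mac in known_macs:
            reason = "recorded MAC seen on another IP (possible clone)"
        elif ip in inventory:
            reason = "recorded IP claimed by unknown MAC"
        elif locally_administered(mac):
            reason = "unknown MAC, locally administered (not vendor-assigned)"
        else:
            reason = "unknown station"
        alerts.append((event, ip, mac, reason))
    return alerts
```

Run it on the live log with `review(open("/var/log/messages").read(), INVENTORY)`. A station that copies both a recorded MAC and its IP while the real owner is silent produces no event here, which is the limit described in the post above.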
  #7  
Old 30th January 2010, 10:43 AM
Iron_Mike Offline
Registered User
 
Join Date: Jul 2005
Location: Ft Huachuca, AZ
Posts: 3,772
Without some form of security you're leaving yourself wide open to all sorts of problems. It could be something as simple as MAC address filtering, wireless encryption, or VPN to keep a casual miscreant out of the network. Do yourself a favour and add some form of wireless security.
  #8  
Old 30th January 2010, 01:11 PM
forkbomb Offline
Registered User
 
Join Date: May 2007
Location: U.S.
Posts: 4,851
@Mike
I agree that some sort of security is necessary, but for reasons I pointed out one post above yours, MAC filtering alone is not good practice. It might be a part of good security - as in one extra stumbling block thrown up for the script kiddies - but it's not good alone.

http://blogs.zdnet.com/Ou/index.php?p=43

Best practice:
1. WPA at a minimum; WPA2 preferred
2. Key length should be 20 characters + with a mix of upper, lower, numeric, and symbols. Rotate key on a weekly/bi-weekly/monthly basis as paranoia and convenience allow.
3. MAC filtering and hiding the SSID for good measure

(3) doesn't fool anybody who knows what he's doing so it's not good practice to rely on those alone. As far as I know WPA and WPA2 can't be cryptographically reversed in the way WEP can (by taking advantage of the small IV pool), so the most expeditious way now to "crack" WPA and WPA2 is bruteforcing or dictionary cracks.
__________________
- Tom
"What is freedom? To have the will to be responsible for one's self." - Stirner
  #9  
Old 4th February 2010, 01:38 PM
hermouche Offline
Registered User
 
Join Date: Apr 2006
Location: Algeria
Posts: 807
Ok, and thanks a lot Iron Mike and tjvanwyk, and I'm sorry, I couldn't respond in time.

So as you both said and suggested, I'm following your ideas and actually I've made two security policies, a WPA2 and MAC filtering.

I'll see what the results will be in a few days.

red
__________________
IBM ThinkPad z60m