RE: Strange pings from 127.0.0.1

From: David Gillett (gillettdavid_at_fhda.edu)
Date: 06/24/04

    To: "'Kelly John Rose'" <mllists@ptbcanadian.net>, "'Andrew Aris'" <andrew@dev.bigfishinternet.co.uk>
    Date: Thu, 24 Jun 2004 08:34:47 -0700
    
    

      If it's an internal machine (a big if, granted!), then
    you may be able to query your switch infrastructure to find
    the physical port where that MAC address was learned as a
    source. Even if they spoof the same MAC address as an existing
    legit user, that should narrow it down to 2 possibilities (and
    if one of those ports has been seeing multiple sources...).
      If they spoof a broadcast/multicast source MAC address, this
    should not be learned by the switch, and so they will be harder
    to track, but those cases are somewhat more specific than just
    "they are spoofing".

    David Gillett

    > -----Original Message-----
    > From: Kelly John Rose [mailto:mllists@ptbcanadian.net]
    >
    > Nope, that's completely useless. You can for one spoof mac
    > addresses, so having any mac address is more or less
    > meaningless. But, also, there is no reliable way to use the
    > mac address to find the machine, unless it's an internal
    > machine, you having the mac addresses of all internal
    > machines written down, and the person is not spoofing.
    >
    > Either way, having the mac address doesn't help you at all
    > tracking down the culprit really.
    >
    >
    > Andrew Aris wrote:
    >
    > > I'm coming into this thread partway through so sorry if this
    > > is a dumb reply but if the MAC address is always the same
    > > then surely this could be used to trace the culprit host?
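
The switch-port lookup described in David Gillett's reply, as an added example that is not part of the original thread: it searches a learned-address table for the ports where a source MAC was seen and reports how many distinct sources each of those ports carries. The three-column table layout, the port names and all sample rows are constructed assumptions (as if merged from several polls of the switches); real output differs by vendor.

```python
import re
from collections import defaultdict

# Constructed sample rows: VLAN, learned source MAC, port (layout is an assumption).
SAMPLE_TABLE = """\
VLAN MAC PORT
10 00:11:22:33:44:55 Gi0/1
10 0011.2233.4455 Gi0/7
10 00:aa:bb:cc:dd:01 Gi0/7
10 00:aa:bb:cc:dd:02 Gi0/7
10 00:aa:bb:cc:dd:03 Gi0/2
"""

def normalize(mac):
    """Reduce colon, dash or dotted MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[:.\-]", "", mac.lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def is_group_address(mac):
    """True for broadcast/multicast MACs (low bit of the first octet set)."""
    return bool(int(normalize(mac)[:2], 16) & 0x01)

def parse_table(text):
    """Return {port: set of MACs learned as a source on that port}."""
    ports = defaultdict(set)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # blank or malformed row
        try:
            ports[fields[2]].add(normalize(fields[1]))
        except ValueError:
            continue  # header row or non-MAC value
    return ports

def locate(mac, table_text):
    """Return [(port, distinct source MACs on that port)] for ports that learned `mac`.

    Returns None for a broadcast/multicast address, which a switch does not
    learn as a source, so the table cannot answer the question.
    """
    if is_group_address(mac):
        return None
    target = normalize(mac)
    ports = parse_table(table_text)
    return sorted((p, len(m)) for p, m in ports.items() if target in m)
```

A MAC that shows up on two ports, one of them carrying several sources, is the "2 possibilities" case from the reply: the port with multiple sources is the one to look at first.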
