Re: Ethernet ( MAC ) Address Reliability

From: Steve Ryan (sirsteve_at_internetcds.com)
Date: 09/10/03

    Date: Tue, 09 Sep 2003 22:43:25 -0700
    
    

    Burton M. Strauss III wrote:

    > Trivial to spoof in some OSes... RH8:
    >
    > $ cat /etc/sysconfig/network-scripts/ifcfg-eth0
    > # Please read /usr/share/doc/initscripts-*/sysconfig.txt
    > # for the documentation of these parameters.
    > DEVICE="eth0"
    > MACADDR="02:00:00:00:00:05"
    > ...
    >
    >
    > Ideally, values without that xxxxxx1x bit (LLA) set should be globally
    > unique. In practice, there's no testing on the address you set for MACADDR
    > (and there are legit reasons for assigning other values - say you want to
    > spoof a NIC for your Cable Modem).
    >
    > -----Burton
    >
    > -----Original Message-----
    > From: William N. Zanatta [mailto:william@veritel.com.br]
    > Sent: Monday, September 08, 2003 9:17 AM
    > To: vuln-dev@securityfocus.com
    > Subject: Ethernet ( MAC ) Address Reliability
    >
    >
    >
    > Hey guys,
    >
    >
    > I'm currently studying 'sadoor' ( see links at the foot ), a tool
    > built over a proof-of-concept on monitoring interfaces instead of opening
    > ports. The concept behind the tool consists ( roughly ) of monitoring the
    > interface, waiting for a sequence of ip/tcp/udp key packets ( configurable
    > ) and a command packet which runs a command at the host.
    >
    > The first article ( below ) introduces the tool and the hypothesis of
    > using it as a remote system administration tool. Of course there are many
    > security risks involved when doing it but I believe that a well planned
    > system may work with a fine security level ( just focusing on this tool ).
    >
    > But there's one thing which worries me, the ethernet addresses. This
    > is the point where I want to hear from you, and the question is, how
    > reliable are these addresses? I know they're spoofable and thus it may
    > bring problems with this kind of software.
    >
    > Anyway I'm still doing some research on this ( I'm not a network
    > authority ;] ) but I would really like to hear from you.
    >
    > Thank you all,
    >
    > --
    >
    > References:
    >
    > 1. A Practical Approach of Stealthy Remote Administration
    > http://www.linuxsecurity.com/feature_stories/feature_story-149.html
    >
    > 2. SAdoor's Home Page
    > http://cmn.listprojects.darklab.org
    >
    > --
    >
    > William
    >
    > PS: Sorry for my messy English.
    >
    >
    In Windows (9x/ME/NT/XP/2k), under the configuration tab for your NIC,
    if the driver supports it (my Netgear FA311+ does), you can spoof it
    right there with no hassle either.
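
The following Python example is added here and is not from any poster in the thread: it decodes the xxxxxx1x (locally administered) bit mentioned in the quoted reply and cross-checks (IP, MAC) observations for inconsistencies a defender would want to review. The function names, finding labels and sample observations are assumptions made for illustration.

```python
import re
from collections import defaultdict

def parse_mac(text):
    """Return the six address bytes; accepts ':', '-' or '.' separators."""
    digits = re.sub(r"[:.\-]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes.fromhex(digits)

def classify(text):
    """Decode the two flag bits in the first octet of a MAC address."""
    first = parse_mac(text)[0]
    return {
        "locally_administered": bool(first & 0x02),  # the xxxxxx1x bit
        "group": bool(first & 0x01),                 # multicast/broadcast
    }

def audit(observations):
    """Check (ip, mac) pairs, e.g. from ARP or DHCP logs, for signs that a
    MAC was set by hand or is in use by more than one station.
    A cleared local bit proves nothing: a hand-set address can copy a
    vendor-assigned one, so every finding is a lead, not a verdict."""
    macs_by_ip, ips_by_mac = defaultdict(set), defaultdict(set)
    findings = set()
    for ip, mac in observations:
        raw = parse_mac(mac)
        norm = ":".join(f"{b:02x}" for b in raw)
        macs_by_ip[ip].add(norm)
        ips_by_mac[norm].add(ip)
        if raw[0] & 0x01:    # a group address is never a valid source
            findings.add(("group-bit-source", norm))
        elif raw[0] & 0x02:
            findings.add(("locally-administered", norm))
    findings |= {("ip-changed-mac", ip)
                 for ip, macs in macs_by_ip.items() if len(macs) > 1}
    # Also fires for multi-homed hosts and routers; review before acting.
    findings |= {("mac-on-multiple-ips", mac)
                 for mac, ips in ips_by_mac.items() if len(ips) > 1}
    return sorted(findings)

# Constructed sample observations (documentation address range).
SAMPLE = [
    ("192.0.2.10", "00:11:22:33:44:55"),
    ("192.0.2.11", "02:00:00:00:00:05"),  # MACADDR value quoted in the thread
    ("192.0.2.12", "00-11-22-33-44-55"),  # same MAC seen on a second IP
    ("192.0.2.10", "0011.2233.4466"),     # IP now answering from another MAC
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```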

