Re: Req: info on IP range popup ad software supposedly called "Extreme Marketing"

From: Todd Knarr (tknarr@silverglass.org)
Date: 12/31/02


From: Todd Knarr <tknarr@silverglass.org>
Date: Tue, 31 Dec 2002 06:57:18 GMT

In comp.security.misc <pan.2002.12.31.03.58.25.860870@forme.com> Joe Schmoe <nomail@forme.com> wrote:
> Ok, this one you may have me on...... But if you can figure out which IPs
> are associated with which ports, there is a program called winject which
> forges packets for Windows dialup connections. Not sure if this would do
> the trick...

It won't. It'll inject forged packets at the PC end, but they'll get
dropped by the router part of the modem rack.

> Now, not only do I have your IP, but I also have your MAC address. I can
> now forge perfectly acceptable packets that will pass through the router
> unmolested and cannot be traced back to me, they will all point back to
> you or whatever target I selected.

Doesn't matter. If you forge the IP address, regardless of the MAC
address, the switch will drop the packet because it's not from the
IP address associated with the port. You could forge the MAC address
fine (assuming the MAC/port binding wasn't also hardwired), but you'd
have to use your IP address or the switch wouldn't pass your packets.
It's the same kind of filtering done in the previous dial-up example,
just applied to Ethernet ports on a switch instead of modem lines.

Hardwiring the MAC-address/port binding works on a similar principle:
"I know NIC X should be on the other end of this wire, which connects
to port Y on the switch, so any frames coming in to port Y on the
switch which don't have NIC X's MAC address should be discarded
because That Can't Happen and those frames must be figments of the
switch's nonexistent imagination." All of these options work on this
principle; it's just a question of what the association is.

> Yeah, it depends on the cable co. where I live now this is how they do it.
> But in my old town, they bound it to the PC's NIC instead, I'm sure they
> still do it this way as it's been less than a year since I moved.

If it's DOCSIS they can do it both ways. There's a potential hole if the
cable system is handing out IPs based on the NIC MAC address: you forge
the MAC address of a victim and get the DHCP server to hand you the
victim's IP address. The way the DHCP servers work, though, that won't
happen as long as the victim's on-line and responding. In fact the
way Cox has theirs configured, it won't even happen if the victim is
turned off unless there are no free IP addresses available.

-- 
If you are going to kill me then do so. Otherwise, I have considerable
work to do.
                                -- Lennier
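
The port/address filtering described in the reply above, modelled as an added example (not part of the original post, and not any vendor's switch code). The port numbers, MAC and IP addresses and the names `PortBinding` and `ingress_verdict` are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Frame:
    src_mac: str
    src_ip: str


@dataclass(frozen=True)
class PortBinding:
    ip: str                    # address assigned to this switch port or modem line
    mac: Optional[str] = None  # set only when the MAC/port binding is hardwired too


def ingress_verdict(bindings: Dict[int, PortBinding], port: int,
                    frame: Frame) -> Tuple[bool, str]:
    """Decide whether a frame arriving on `port` is forwarded, and why."""
    binding = bindings.get(port)
    if binding is None:
        return False, "no binding for port"
    # Hardwired MAC/port binding: a frame from any other NIC "can't happen".
    if binding.mac is not None and frame.src_mac.lower() != binding.mac.lower():
        return False, "source MAC not bound to port"
    # IP/port binding: checked regardless of which MAC the frame carries.
    if frame.src_ip != binding.ip:
        return False, "source IP not bound to port"
    return True, "forwarded"


# Constructed sample data: documentation-range IPs, locally administered MACs.
SENDER_MAC, SENDER_IP = "02:00:00:00:00:10", "192.0.2.10"
OTHER_MAC, OTHER_IP = "02:00:00:00:00:20", "192.0.2.20"
BINDINGS = {
    1: PortBinding(ip=SENDER_IP),                # IP bound, MAC not hardwired
    2: PortBinding(ip=OTHER_IP, mac=OTHER_MAC),  # IP and MAC both bound
}

if __name__ == "__main__":
    cases = [
        ("port 1, other host's MAC and IP", 1, Frame(OTHER_MAC, OTHER_IP)),
        ("port 1, other host's MAC, own IP", 1, Frame(OTHER_MAC, SENDER_IP)),
        ("port 2, wrong MAC, bound IP", 2, Frame(SENDER_MAC, OTHER_IP)),
        ("port 2, bound MAC and IP", 2, Frame(OTHER_MAC, OTHER_IP)),
    ]
    for label, port, frame in cases:
        print(label, "->", ingress_verdict(BINDINGS, port, frame))
```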

