Re: Can Known Hardware ID Make You Discoverable?
From: Jeff Liebermann (jeffl_at_comix.santa-cruz.ca.us)
Date: 08/13/05
- Next message: Daniel Rudy: "Re: USB Thumb Drive"
- Previous message: David Taylor: "Re: Can Known Hardware ID Make You Discoverable?"
- In reply to: David Taylor: "Re: Can Known Hardware ID Make You Discoverable?"
- Next in thread: David Taylor: "Re: Can Known Hardware ID Make You Discoverable?"
- Reply: David Taylor: "Re: Can Known Hardware ID Make You Discoverable?"
Date: Sat, 13 Aug 2005 10:07:12 -0700
On Sat, 13 Aug 2005 07:51:09 GMT, David Taylor <djtaylor@bigfoot.com>
wrote:
>> No. The client MAC address is not transmitted in the TCP/IP packet
>> header. Only the ethernet packet header contains the source MAC
>> address and that ends at the switch or router.
>
>Do you remember when the MAC address was also part of Microsoft Word
>document headers?
>
>http://www.iss.net/security_center/advice/Underground/Hacking/Methods/Technical/Spoofing/MAC/default.htm
>
>So in terms of being tracked globally, from a technical point of view it
>depends on precisely what is meant although in the context of being
>pinpointed by a nice big arrow on a big screen in Big Brother Central
>Ops, No. :)
>
>David.
Well, it goes a bit deeper than that. One of the more obnoxious
problems at universities is that students install wired or wireless
routers in their dorm rooms with NAT. Nothing really wrong with that
except that it totally destroys the MAC address based authentication
mechanism. The MAC addresses just don't go through the router. Some
universities ban the use of such routers, while others concoct
different methods of authentication or try to "discover" how many
machines are hidden behind the NAT firewall. This can be done in
various devious ways. The easiest is to set up a VPN server to access
the university network. The user has to log in via a VPN client,
which will merrily disclose all kinds of useful information including
the MAC address.
See:
http://resnet.ucsc.edu/
for the local university residential network details. From:
http://resnet.ucsc.edu/policy/rup/
    Ethernet devices are provided with a unique hardware address
    at the time they are manufactured. This Ethernet Address
    is separate and distinct from the IP address discussed above.
    Equipment used on ResNet must use a manufacturer assigned address.
    Equipment that either (a) uses an address of all zeros, or (b)
    changes its address from day to day is either defective or infected
    with an abusive computer program (worm or virus). In either case,
    it is a violation of our rules to knowingly operate a computer that
    does not use manufacturer assigned addresses on our network.
Most universities also run "arpwatch" on their networks. Any new MAC
addresses that appear on their DHCP server get logged. If they fail
to authenticate, they get blocked after a few days. Works nicely to
keep the unauthorized machines out of the university network.
Digging deeper was the 1999 attempt by Comcast to bill their customers
by the number of computers that were running on their home network.
If they discovered more than one machine, some telemarketing group
would phone the customer demanding an extra $6/month per machine.
Comcast would rather forget they ever attempted such nonsense, but it
did bring up some interesting technology for detecting and identifying
machines behind a firewall or router. Most interesting was watching
the pattern of TCP/IP sequence numbers. Less interesting but more
effective were web pages that would try to identify client computers.
As for finding a user's location, it's much easier than one would
suspect with the proper hardware. I've been doing some work with
RFC3825, which is a DHCP extension for location services. The
original idea was to have the AP disclose its exact location to the
wireless client. The client then transmits the location to whoever
needs the information, such as the 911 center for a VoIP call.
http://www.faqs.org/rfcs/rfc3825.html
http://ietfreport.isoc.org/idref/rfc3825/
http://www.iana.org/assignments/bootp-dhcp-parameters (Tag 123)
Not much has been done with this as the standard has not been approved
yet. It's quite easy to implement on the server end, but a bit of a
mess at the client. However, once the location information is
resident on the client side, it's fairly easy to trick the client into
disclosing the contents. Note that the location info includes
altitude or floor number.
--
Jeff Liebermann jeffl@comix.santa-cruz.ca.us
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
AE6KS 831-336-2558
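
The following is an added example, not part of the original post and not arpwatch's or ResNet's own code: an arpwatch-style audit that applies the two quoted ResNet rules (all-zero address, address that changes from day to day) plus new-station logging. The sightings, port names and registered-MAC list are constructed, and keying "same device" on the switch port is an assumption.

```python
"""Audit MAC sightings against the two ResNet rules quoted above."""
from collections import defaultdict

# Constructed sample sightings: (date, switch port, MAC seen on that port).
OBSERVATIONS = [
    ("2005-08-10", "dorm3-p12", "00:0c:41:aa:bb:01"),
    ("2005-08-11", "dorm3-p12", "00:0c:41:aa:bb:01"),
    ("2005-08-11", "dorm3-p14", "00:00:00:00:00:00"),
    ("2005-08-11", "dorm3-p15", "02:11:22:33:44:55"),
    ("2005-08-12", "dorm3-p16", "00:0d:88:10:20:30"),
    ("2005-08-13", "dorm3-p16", "00:0d:88:10:20:31"),
]
REGISTERED = {"00:0c:41:aa:bb:01"}  # hypothetical list of authenticated MACs


def classify_mac(mac):
    """Return 'all-zero', 'locally-administered' or 'manufacturer-assigned'."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    if octets == bytes(6):
        return "all-zero"
    # Bit 0x02 of the first octet is the universal/local (U/L) flag.
    return "locally-administered" if octets[0] & 0x02 else "manufacturer-assigned"


def audit(observations, registered):
    """Return (date, port, mac, reason) findings in time order."""
    seen = {m.lower() for m in registered}
    per_port = defaultdict(set)          # port -> MACs already seen there
    findings = []
    for date, port, mac in sorted(observations):
        mac = mac.lower()
        kind = classify_mac(mac)
        if kind != "manufacturer-assigned":
            findings.append((date, port, mac, kind))
        if mac not in seen:              # what arpwatch reports as a new station
            seen.add(mac)
            findings.append((date, port, mac, "new-station"))
        if per_port[port] and mac not in per_port[port]:
            findings.append((date, port, mac, "address-changed"))
        per_port[port].add(mac)
    return findings


if __name__ == "__main__":
    for finding in audit(OBSERVATIONS, REGISTERED):
        print(*finding)
```

A clear U/L bit only shows the address lies in vendor-assigned space; an address copied from another card passes this check, so the audit complements authentication rather than replacing it.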
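
Also added here, and not part of the original post: a decoder for the 16-byte DHCP option 123 payload laid out in RFC 3825, showing how precisely a client that holds this option can be located, floor number included. The sample payload is constructed, and `pack_fields` exists only to build it.

```python
"""Decode the 16-byte DHCP option 123 (RFC 3825) location payload."""

# (name, bit width) in wire order; 128 bits in total.
FIELDS = [("la_res", 6), ("lat", 34), ("lo_res", 6), ("lon", 34),
          ("alt_type", 4), ("alt_res", 6), ("alt", 30), ("datum", 8)]
ALT_TYPES = {1: "meters", 2: "floors"}
DATUMS = {1: "WGS84", 2: "NAD83/NAVD88", 3: "NAD83/MLLW"}


def _signed(value, width):
    """Interpret an unsigned bit field as two's complement."""
    return value - (1 << width) if value >> (width - 1) else value


def unpack_fields(payload):
    """Split the payload into its raw unsigned bit fields."""
    if len(payload) != 16:
        raise ValueError("option 123 payload must be exactly 16 bytes")
    word, shift, raw = int.from_bytes(payload, "big"), 128, {}
    for name, width in FIELDS:
        shift -= width
        raw[name] = (word >> shift) & ((1 << width) - 1)
    return raw


def pack_fields(raw):
    """Inverse of unpack_fields; used here only to build the sample."""
    word = 0
    for name, width in FIELDS:
        word = (word << width) | (raw[name] & ((1 << width) - 1))
    return word.to_bytes(16, "big")


def decode_location(payload):
    raw = unpack_fields(payload)
    return {
        "latitude": _signed(raw["lat"], 34) / 2**25,    # 9.25 fixed point
        "longitude": _signed(raw["lon"], 34) / 2**25,
        "altitude": _signed(raw["alt"], 30) / 2**8,     # 22.8 fixed point
        "altitude_unit": ALT_TYPES.get(raw["alt_type"], "unknown"),
        "datum": DATUMS.get(raw["datum"], "unknown"),
        "resolution_bits": (raw["la_res"], raw["lo_res"], raw["alt_res"]),
    }


# Constructed sample: 37.0 N, 122.0 W, third floor, full resolution, WGS84.
SAMPLE = pack_fields({"la_res": 34, "lat": 37 << 25, "lo_res": 34,
                      "lon": -122 << 25, "alt_type": 2, "alt_res": 30,
                      "alt": 3 << 8, "datum": 1})

if __name__ == "__main__":
    print(SAMPLE.hex(), decode_location(SAMPLE))
```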