RE: Strange pings from 127.0.0.1

["Andrew Aris" <andrew () dev bigfishinternet co uk>]

Yeah sorry... this was sort of what I meant - the original post was written
in a hurry and I didnt go into great details. When I said that with the
address being the same all the time it can at least be partially traced. As
long as the environment is a) switched and b) controlled by the investgator
MAC spoofing is only really effective where they get rotated.

regards,

Andrew



> -----Original Message-----
> From: David Gillett [mailto:gillettdavid () fhda edu] 
> Sent: 24 June 2004 16:35
> To: 'Kelly John Rose'; 'Andrew Aris'
> Cc: security-basics () securityfocus com
> Subject: RE: Strange pings from 127.0.0.1
>
>   If it's an internal machine (a big if, granted!), then you 
> may be able to query your switch infrastructure to find the 
> physical port where that MAC address was learned as a source. 
>  Even if they spoof the same MAC address as an existing legit 
> user, that should narrow it down to 2 possibilities (and if 
> one of those ports has been seeing multiple sources...).
>   If they spoof a broadcast/multicast source MAC address, 
> this should not be learned by the switch, and so they will be 
> harder to track, but those cases are somewhat more specific 
> than just "they are spoofing".
>
> David Gillett
>
>
> > -----Original Message-----
> > From: Kelly John Rose [mailto:mllists () ptbcanadian net]
> >
> > Nope, that's completely useless. You can for one spoof mac 
> addresses, 
> > so having any mac address is more or less meaningless. But, also, 
> > there is no reliable way to use the mac address to find the 
> machine, 
> > unless it's an internal machine, you having the mac 
> addresses of all 
> > internal machines written down, and the person is not spoofing.
> >
> > Eitherway, having the mac address doesn't help you at all tracking 
> > down the culprit really.
> >
> >
> > Andrew Aris wrote:
> >
> > > I'm coming into this thread partway through so sorry if this is a 
> > > dumb reply but if the mAC address is always the same then surely 
> > > this could be used to trace the culprit host?




---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------