Re: Strange pings from 127.0.0.1

[Kelly John Rose <mllists () ptbcanadian net>]

And thus my partial agreement with what you originally said. It looks 
like we are all not giving enough information lately.  :-)

.....Kelly John Rose.....

Andrew Aris wrote:

> Yeah sorry... this was sort of what I meant - the original post was written
> in a hurry and I didnt go into great details. When I said that with the
> address being the same all the time it can at least be partially traced. As
> long as the environment is a) switched and b) controlled by the investgator
> MAC spoofing is only really effective where they get rotated.
>
> regards,
>
> Andrew
>
>
>
>  
>
> > -----Original Message-----
> > From: David Gillett [mailto:gillettdavid () fhda edu] 
> > Sent: 24 June 2004 16:35
> > To: 'Kelly John Rose'; 'Andrew Aris'
> > Cc: security-basics () securityfocus com
> > Subject: RE: Strange pings from 127.0.0.1
> >
> >  If it's an internal machine (a big if, granted!), then you 
> > may be able to query your switch infrastructure to find the 
> > physical port where that MAC address was learned as a source. 
> > Even if they spoof the same MAC address as an existing legit 
> > user, that should narrow it down to 2 possibilities (and if 
> > one of those ports has been seeing multiple sources...).
> >  If they spoof a broadcast/multicast source MAC address, 
> > this should not be learned by the switch, and so they will be 
> > harder to track, but those cases are somewhat more specific 
> > than just "they are spoofing".
> >
> > David Gillett
> >
> >
> >    
> >
> > > -----Original Message-----
> > > From: Kelly John Rose [mailto:mllists () ptbcanadian net]
> > >
> > > Nope, that's completely useless. You can for one spoof mac 
> > >      
> > addresses, 
> >    
> >
> > > so having any mac address is more or less meaningless. But, also, 
> > > there is no reliable way to use the mac address to find the 
> > >      
> > machine, 
> >    
> >
> > > unless it's an internal machine, you having the mac 
> > >      
> > addresses of all 
> >    
> >
> > > internal machines written down, and the person is not spoofing.
> > >
> > > Eitherway, having the mac address doesn't help you at all tracking 
> > > down the culprit really.
> > >
> > >
> > > Andrew Aris wrote:
> > >
> > >      
> > >
> > > > I'm coming into this thread partway through so sorry if this is a 
> > > > dumb reply but if the mAC address is always the same then surely 
> > > > this could be used to trace the culprit host?
> > > >        
> >
> >    
>
>
>
>
> ---------------------------------------------------------------------------
> Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
> any course! All of our class sizes are guaranteed to be 10 students or less 
> to facilitate one-on-one interaction with one of our expert instructors. 
> Attend a course taught by an expert instructor with years of in-the-field 
> pen testing experience in our state of the art hacking lab. Master the skills 
> of an Ethical Hacker to better assess the security of your organization. 
> Visit us at: 
> http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> ----------------------------------------------------------------------------
>
>
>  


---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------