IDS mailing list archives
Detecting Spoofed MACs was: Wired detection of rogue access points
From: "Adam Graham" <agraham () datastreamcowboys net>
Date: Tue, 3 Apr 2007 00:59:42 -0500
If you want to find a spoofed MAC address... Here are a couple of logical steps:

1) Cross-reference the IEEE's list of assigned MAC prefixes (in 2002 there were 6,278): http://standards.ieee.org/regauth/oui/oui.txt

2) Look for commonality with known spoofing and BSSID/SSID brute-forcing utils.

Example 1: Wellenreiter 1.6 adds a MAC that begins with 00 and ends with 40, and picks 4 random combinations between 0x00 and 0xFF to the end of the MAC. So finding this spoofing/SSID brute-forcing utility can be done by:

tethereal -r somedumpfile.dmp -n -R "wlan.fc eq 0x0040"

Example 2: FakeAP, however, was a bit more resourceful..... by taking advantage of the HostAP driver's wireless LAN management frame features, and by the fact that they use allocated MAC prefixes. But if you do a capture when someone is running it, you will notice that the BSSID sequence is sequential and from one point, not from normal 802.11 traffic.

NOTE: because of the management features, Ethereal on Windows won't work to capture... just downloaded Wireshark today and haven't tested it yet.

3) Sequence number analysis for finding man-in-the-middle. In theory, the inter-frame sequence number gap should always be one; so whenever the inter-frame sequence number gap for frames from a wireless node is not one, there is spoofing activity. In practice, however, the inter-frame sequence number gap may be different from one, because frames are lost, retransmitted, or out of order. Simply raising an alert for spoofing whenever the inter-frame sequence number gap is different from one may generate too many false positives.
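As an added example (not code from the post or from any tool it names), here are steps 1 and 3 of the message as detection logic: an OUI lookup against a constructed subset of the IEEE registry, and a per-transmitter 802.11 sequence-number comparison that tolerates retransmissions and a few lost frames instead of alerting on every gap that is not one. The OUI table and the frame list are constructed samples, not a real capture.

```python
from collections import namedtuple

# Constructed subset of the IEEE OUI registry (oui.txt); a real check loads the full file.
KNOWN_OUIS = {"00:0C:29", "00:50:56", "00:1B:63"}

Frame = namedtuple("Frame", "transmitter seq")

# Constructed sample capture: one legitimate station on 00:0C:29:AA:BB:CC,
# a retransmission (same seq), a lost frame (gap of 2), then a frame sent
# under the same MAC by a second radio whose counter is unrelated (3000).
SAMPLE_FRAMES = [
    Frame("00:0c:29:aa:bb:cc", 10),
    Frame("00:0c:29:aa:bb:cc", 11),
    Frame("00:0c:29:aa:bb:cc", 12),
    Frame("00:0c:29:aa:bb:cc", 12),    # retry, gap 0: tolerated
    Frame("00:0c:29:aa:bb:cc", 14),    # frame 13 lost, gap 2: tolerated
    Frame("00:0c:29:aa:bb:cc", 3000),  # second counter under same MAC: gap 2986
    Frame("00:0c:29:aa:bb:cc", 15),    # real station resumes: gap 1111 (mod 4096)
    Frame("02:11:22:33:44:55", 7),     # locally administered, no registered OUI
    Frame("00:1b:63:de:ad:01", 4095),
    Frame("00:1b:63:de:ad:01", 0),     # 12-bit wraparound, gap 1: fine
]

def oui_registered(mac):
    """Step 1: is the 24-bit prefix of mac an IEEE-assigned OUI?"""
    return mac.upper()[:8] in KNOWN_OUIS

def unregistered_transmitters(frames):
    """Distinct transmitter MACs whose OUI is not in the registry."""
    return sorted({f.transmitter.upper() for f in frames if not oui_registered(f.transmitter)})

def sequence_anomalies(frames, max_gap=3):
    """Step 3: per transmitter, compare each frame's 12-bit sequence number
    with the previous one. Gaps of 0 (retransmission) through max_gap (a few
    lost frames) are tolerated to limit false positives; a larger forward
    jump, or a backward jump (which wraps to a large value mod 4096), is
    reported as (frame index, mac, previous seq, this seq, gap)."""
    last = {}
    alerts = []
    for idx, f in enumerate(frames):
        mac = f.transmitter.upper()
        if mac in last:
            gap = (f.seq - last[mac]) % 4096
            if gap > max_gap:
                alerts.append((idx, mac, last[mac], f.seq, gap))
        last[mac] = f.seq
    return alerts

if __name__ == "__main__":
    print("unregistered OUIs:", unregistered_transmitters(SAMPLE_FRAMES))
    for a in sequence_anomalies(SAMPLE_FRAMES):
        print("seq anomaly at frame %d from %s: %d -> %d (gap %d)" % a)
```

Tuning max_gap trades missed detections against the false positives the post warns about; on a lossy link a larger value is needed.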