IDS mailing list archives

Detecting Spoofed MACs (was: Wired detection of rogue access points)


From: "Adam Graham" <agraham () datastreamcowboys net>
Date: Tue, 3 Apr 2007 00:59:42 -0500

If you want to find a spoofed MAC address... Here are a couple logical
steps:

1) Cross-reference the IEEE's list of assigned MAC prefixes (in 2002 there
were 6,278):
        http://standards.ieee.org/regauth/oui/oui.txt

2) Look for commonality with known spoofing and BSSID/SSID brute-forcing
utilities.
        Example 1: Wellenreiter 1.6 adds MACs that begin with 00 and end with 40,
and picks 4 random combinations between 0x00 and 0xFF for the end of the MAC. So
finding this spoofing/SSID brute-forcing utility can be done by:

tethereal -r somedumpfile.dmp -n -R "wlan.fc eq 0x0040"

        Example 2: FakeAP, however, was a bit more resourceful, taking
advantage of the HostAP driver's wireless LAN management frame features and of
the fact that they use allocated MAC prefixes. But if you do a capture when
someone is running it, you will notice that the BSSID sequence is sequential
and comes from one point, not like normal 802.11 traffic.
NOTE: because of the management features, Ethereal on Windows won't work to
capture. I just downloaded Wireshark today and haven't tested it yet.

3) Sequence number analysis for finding man-in-the-middle.
        In theory, the inter-frame sequence number gap should always be one,
so whenever the inter-frame sequence number gap for frames from a wireless
node is not one, there is spoofing activity. In practice, however, the
inter-frame sequence number gap may be different from one, because frames
are lost, retransmitted, or out of order. Simply raising an alert for
spoofing whenever the inter-frame sequence number gap is different from one
may generate too many false positives.
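Steps 1 and 3 above, carried out in code over a small constructed capture. This is an added example, not code from Adam's message: OUI_TABLE is an illustrative subset of the IEEE list rather than the full oui.txt, the CAPTURE records are constructed rather than taken from a real dump, and max_forward_gap=8 is an assumed tuning value for how many lost frames to tolerate before alerting. It also checks the locally-administered bit of the first octet, which the post does not mention but which randomly generated MACs often set.

```python
"""Two of the checks from the post over a constructed 802.11 capture.

Added example, not code from the original message.  The OUI table is an
illustrative subset (load the full oui.txt in practice), the frame records
are constructed, and the gap threshold is an assumed tuning value.
"""

# Illustrative subset of IEEE OUI assignments: first three octets -> registrant.
OUI_TABLE = {
    "00:50:56": "VMware, Inc.",
    "00:0C:29": "VMware, Inc.",
    "08:00:27": "PCS Systemtechnik GmbH (VirtualBox)",
}

SEQ_MODULUS = 4096  # 802.11 sequence numbers are 12 bits and wrap


def oui_check(mac, table=OUI_TABLE):
    """Step 1 of the post: return (registrant or None, locally_administered).

    An unregistered prefix is a MAC no vendor shipped.  The locally
    administered bit (0x02 in the first octet) marks a MAC as assigned by
    software rather than burned in; neither is proof of spoofing on its own.
    """
    octets = mac.upper().split(":")
    if len(octets) != 6:
        raise ValueError(f"bad MAC: {mac!r}")
    prefix = ":".join(octets[:3])
    local = bool(int(octets[0], 16) & 0x02)
    return table.get(prefix), local


def sequence_anomalies(frames, max_forward_gap=8):
    """Step 3 of the post with the false-positive cases from the text tolerated.

    frames: iterable of (frame_no, src_mac, seq, retry).
    Tolerated: gap of 1, small forward gaps (frames lost on air), and an exact
    repeat with the Retry bit set (a retransmission).  Flagged: a repeat
    without Retry, a backward jump (two transmitters sharing one MAC), or a
    forward jump larger than max_forward_gap (assumed threshold).
    Returns a list of (frame_no, src_mac, reason).
    """
    last_seq = {}
    alerts = []
    for frame_no, src, seq, retry in frames:
        if src in last_seq:
            gap = (seq - last_seq[src]) % SEQ_MODULUS
            if gap == 0 and not retry:
                alerts.append((frame_no, src, "duplicate seq without Retry"))
            elif gap > SEQ_MODULUS // 2:
                back = SEQ_MODULUS - gap
                alerts.append((frame_no, src, f"sequence went backwards by {back}"))
            elif gap > max_forward_gap:
                alerts.append((frame_no, src, f"forward jump of {gap}"))
        last_seq[src] = seq
    return alerts


def run_checks(frames, table=OUI_TABLE, max_forward_gap=8):
    """Apply the OUI test to each transmitter and the sequence test to the capture."""
    report = {"unregistered_oui": [], "locally_administered": [], "sequence_alerts": []}
    transmitters = []
    for _, src, _, _ in frames:
        if src not in transmitters:
            transmitters.append(src)
    for src in transmitters:
        registrant, local = oui_check(src, table)
        if registrant is None:
            report["unregistered_oui"].append(src)
        if local:
            report["locally_administered"].append(src)
    report["sequence_alerts"] = sequence_anomalies(frames, max_forward_gap)
    return report


# Constructed capture, not a real dump: (frame_no, src_mac, seq, retry).
CAPTURE = [
    (1, "00:0C:29:4A:11:22", 100, False),
    (2, "00:0C:29:4A:11:22", 101, False),
    (3, "00:0C:29:4A:11:22", 101, True),    # retransmission: same seq, Retry set
    (4, "00:0C:29:4A:11:22", 104, False),   # two frames lost on air: tolerated
    (5, "00:0C:29:4A:11:22", 2070, False),  # second transmitter using the same MAC
    (6, "00:0C:29:4A:11:22", 105, False),   # real station resumes: backward jump
    (7, "00:0C:29:4A:11:22", 2071, False),  # second transmitter again
    (8, "00:DE:AD:BE:EF:01", 7, False),     # prefix not in the OUI table
    (9, "02:00:00:12:34:56", 3, False),     # locally administered bit set
]

if __name__ == "__main__":
    for key, value in run_checks(CAPTURE).items():
        print(f"{key}: {value}")
```

The sequence test flags frames 5, 6 and 7 (the two interleaved counters) while passing the retransmission at frame 3 and the lost frames before frame 4, which is the tolerance the post says a naive "gap != 1" rule lacks.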