Re: Ethernet ( MAC ) Address Reliability

[Steve Ryan <sirsteve () internetcds com>]

Burton M. Strauss III wrote:

> Trivial to spoof in some OSes... RH8:
>
> $ cat /etc/sysconfig/network-scripts/ifcfg-eth0
> # Please read /usr/share/doc/initscripts-*/sysconfig.txt
> # for the documentation of these parameters.
> DEVICE="eth0"
> MACADDR="02:00:00:00:00:05"
> ...
>
>
> Ideally, values without that xxxxxx1x bit (LLA) set should be globally
> unique.  In practice, there's no testing on the address you set for MACADDR
> (and there are legit reasons for assigning other values - say you want to
> spoof a NIC for your Cable Modem).
>
> -----Burton
>
> -----Original Message-----
> From: William N. Zanatta [mailto:william () veritel com br]
> Sent: Monday, September 08, 2003 9:17 AM
> To: vuln-dev () securityfocus com
> Subject: Ethernet ( MAC ) Address Reliability
>
>
>
>   Hey guys,
>
>
>     I'm currently studying 'sadoor' ( see links at the foot ), a tool
> built over a proof-of-concept on monitoring interfaces instead of opening
> ports. The concept behind the tool consists ( roughly ) on monitoring the
> interface, waiting for a sequence of ip/tcp/udp key packets ( configurable
> ) and a command packet which runs a command at the host.
>
>     The first article ( below ) introduces the tool and the hopotesis of
> using it as a remote system administration tool. Of course there are many
> security risks involved when doing it but I believe that a well planned
> system may work with a fine security level ( just focusing on this tool ).
>
>     But there's one thing which worries me, the ethernet addresses. This
> is the point where I want to hear from you, and the question is, how much
> reliable are these addresses? I know they're spoofable and thus it may
> bring problems with this kind of software.
>
>     Anyway I'm still making some research on this ( I'm not a network
> authority ;] ) but I would really like to hear from you.
>
>     Thank you all,
>
>     --
>
>     References:
>
>       1. A Practical Approach of Stealthy Remote Administration
>       http://www.linuxsecurity.com/feature_stories/feature_story-149.html
>
>       2. SAdoor's Home Page
>       http://cmn.listprojects.darklab.org
>
>     --
>
>    William
>
> PS: Sorry for my messy english.
In Windows (9x/ME/NT/XP/2k), under the configuration tab for your NIC, 
if the driver supports it (my netgear fa311+ does) you can spoof it 
right there with no hassle either.