Re: MAC Spoofing Prevention in Wireless

[Enis Sahin <enis.c.sahin () gmail com>]

Well I can confidently say that it somehow understands a cloned MAC
address and disallowes you. I tried it with my two laptops.

The scenario was this. I had an authenticated Windows box and an
unauthenticated Linux box. I've statically assigned the IP address of
the Winbox to the Linux box. Also cloned the MAC address. Then joined
the Wireless with the Linux box while Windows was already logged in an
immediately dropped the Windows box from the network. The Linux box
was unable to reach the network resources.

I also tried dropping the authenticated Windows box and immediately
joining the network with the Linux box using the cloned addresses,
again it was no good.

I did some reading on it and I guess it has something to do with the
sequence numbers of the packets each station is sending..



On 12 July 2011 02:54, Jeffrey Walton <noloader () gmail com> wrote:
> On Sat, Jul 9, 2011 at 6:16 AM, Erik <security () vanwesten net> wrote:
> > Op 8-7-2011 21:30, bjesmer () platformsolutions com schreef:
> > > The concept is fairly straight forward. The AP looks to see if there are 2
> > > MACs of the same on the network and disallows the second one on the network.
> > > Not having worked with the Aruba yet, i would try a deauth attack against
> > > the mac you are going to spoof and then try to get on. If you can deauth
> > > that client and get on before it, you might be able to get in.
> >
> > Your answer indicates a lack of knowledge. A layer 2 MAC address is the only
> > differentiating thing on a wireless network (with the exception of
> > certificates, which, no doubt, are being used in the Aruba network) for
> > different stations. You cannot tell the difference between MAC and MACclone,
> > hence you cannot if there is more than one MAC address active and thus not
> > 'disallow the second one'.
> Suppose the 'real' host is sensed to the left via the diversity
> antennae, and an attacker is spoofing on the 'right' side antennae?
> Suppose the AP sees a signal gain )or loss) when the attacker
> transmits with a spoofed MAC. I'm not claiming its easy, just that
> somethings could be different and measured at layer 2.
>
> Jeff
>
> ------------------------------------------------------------------------
> Securing Apache Web Server with thawte Digital Certificate
> In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, 
> how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, 
> purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for 
> set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital 
> certificates.
>
> http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
> ------------------------------------------------------------------------



--
http://www.enissahin.com | http://twitter.com/enis_sahin

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------