Penetration Testing mailing list archives

Re: Ping a mac address


From: "Thor (Hammer of God)" <thor () hammerofgod com>
Date: Sun, 4 Dec 2005 14:07:54 -0800

Actually, I've been playing with it since we've been talking about it, and I now agree with Cedric too ;)

The stack must be specifically designed to grab the destination address from the received frame and set it as the source in the reply packet in the absence of an "already assigned" IP in the config. I had an extra camera in the closet (bad color element, but it still works). I powered it up, added the MAC to an arbitrary IP via static ARP, and captured the traffic while connecting. The reply packet did indeed come *from* the arbitrary IP address during the 3-way and all subsequent HTTP replies. When I went to config it, it already had the arbitrary IP in place. Upon saving the config, I could remove the static entry and get to the unit with normal dynamic resolution.

Interesting thing is that at that point, the only way I could get to the unit was via the now "bound" IP, even if I assigned a different arbitrary IP via ARP and deleted the other entry. Looks like I would have to reset the config in order to do it again. I guess that's a good thing ;)

So, it looks like I was a bit too quick to reference my "magic arbitrary IP via ARP" method :-p

t

----- Original Message -----
From: "Dario Ciccarone (dciccaro)" <dciccaro () cisco com>
To: "Cedric Blancher" <blancher () cartel-securite fr>; "Thor (Hammer of God)" <thor () hammerofgod com>
Cc: "Roni Bachar" <roni () avnet co il>; <pen-test () securityfocus com>
Sent: Sunday, December 04, 2005 1:47 PM
Subject: RE: Ping a mac address



> For instance, I have a few IP cameras around my infrastructure... If
> I add a static ARP entry for the MAC to some arbitrary IP (that's still on
> my subnet) I can use that arbitrary IP to access the unit's HTTP
> configuration... works just fine.

You're lucky to be facing these non-RFC-compliant devices :)))

Agree with Cedric here. Which opens another issue: say your device
assigned IP address is 1.2.3.4, MAC A, and the device also allows you to
configure access control based on IP address - this would probably allow
you to bypass those controls.

But - iff the IP stack is so dumb, which source address does it use to
reply? The real IP address configured on its interface? Or it just swaps
SRC/DST on the original packet? That would allow 2-way communications.

Guess it works on Axis cameras at least, if you're able to do the 3-way
and actually configure them ;)

Dario
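Dario asks which source address such a stack uses, and Thor's capture answers it: the device swaps SRC/DST and replies from whatever IP the sender's ARP entry pointed at, which is exactly why an access control list keyed on source IP gives no assurance on a segment with devices like this. A defender-side check that this thread suggests but does not include is to compare every frame's source MAC against the IP the device is supposed to be configured with. The following is an added example, not code from anyone in this thread; the inventory, MAC addresses, IPs and frame records are constructed for illustration, and it generalises the single camera case to a whole capture.

```python
from collections import defaultdict

# Constructed inventory: the IP each managed device is configured with,
# keyed by MAC. All values are made up for this example.
INVENTORY = {
    "00:40:8c:aa:bb:cc": "192.0.2.50",   # camera 1, configured address
    "00:40:8c:dd:ee:ff": "192.0.2.51",   # camera 2, configured address
}

# Constructed capture summary: (frame_no, src_mac, src_ip, dst_ip, proto).
# Frames 2 and 4 model the behaviour Thor observed: camera 1 answering a
# client from an IP that only exists as a static ARP entry on that client.
SAMPLE_FRAMES = [
    (1, "00:40:8c:aa:bb:cc", "192.0.2.50", "192.0.2.10", "tcp/80"),
    (2, "00:40:8c:aa:bb:cc", "192.0.2.99", "192.0.2.10", "tcp/80"),
    (3, "00:40:8c:dd:ee:ff", "192.0.2.51", "192.0.2.10", "tcp/80"),
    (4, "00:40:8c:aa:bb:cc", "192.0.2.99", "192.0.2.10", "tcp/80"),
    (5, "00:11:22:33:44:55", "192.0.2.77", "192.0.2.10", "icmp"),
]


def find_mismatches(frames, inventory):
    """Frames sent by a known MAC from an IP other than its configured one.

    Returns (frame_no, mac, observed_src_ip, expected_src_ip) tuples."""
    alerts = []
    for frame_no, mac, src_ip, _dst_ip, _proto in frames:
        expected = inventory.get(mac)
        if expected is not None and src_ip != expected:
            alerts.append((frame_no, mac, src_ip, expected))
    return alerts


def ips_per_mac(frames):
    """MACs that were seen sending from more than one source IP in the capture.

    Catches the same stack behaviour even for devices missing from inventory."""
    seen = defaultdict(set)
    for _frame_no, mac, src_ip, _dst_ip, _proto in frames:
        seen[mac].add(src_ip)
    return {mac: sorted(ips) for mac, ips in seen.items() if len(ips) > 1}


def unknown_macs(frames, inventory):
    """Source MACs that are not in the inventory at all."""
    return sorted({mac for _frame_no, mac, *_rest in frames if mac not in inventory})


if __name__ == "__main__":
    for frame_no, mac, src_ip, expected in find_mismatches(SAMPLE_FRAMES, INVENTORY):
        print(f"frame {frame_no}: {mac} replied from {src_ip}, configured as {expected}")
    for mac, ips in ips_per_mac(SAMPLE_FRAMES).items():
        print(f"{mac} used several source IPs: {', '.join(ips)}")
    for mac in unknown_macs(SAMPLE_FRAMES, INVENTORY):
        print(f"{mac} is not in inventory")
```

The tuples stand in for whatever a capture tool exports (a `tcpdump -e` summary, a NetFlow record with MAC fields, or a switch's DHCP-snooping binding table); the point is that the binding check is keyed on the MAC, because the source IP is the field the device itself does not validate.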




