Vulnerability Development mailing list archives

Re: fooling hubs [ARP Spoofing]


From: christophervincent () STMARKSSCHOOL ORG (Vincent; Christopher)
Date: Tue, 8 Feb 2000 19:40:48 -0500


Mediaone (bought by Road Runner) authenticates its users by the MAC of the
ethernet card that the cable modem is connected to.  The tech that installed
mine used a portable cable modem and his laptop to install it.  He hooked
his laptop/nic/cable modem (it is a LANCity, like mine) up to the network
and opened an app that lets you modify the database of customers.  It looked
to me like he was connected to a router of some sort (with a gui made by
Mediaone) that also programmed your MAC into M1's database.  If you plug the
cable modem into another ethernet card it will not work.  I don't think that
the actual cable modem is denying the service, but rather whatever your
cable modem is talking to.  If I programmed the MAC of one of my spare NICs
to that of the one that M1 knows I have, I bet it will work.  If I program
it to the MAC of my friend's, I bet that it will think that I am my friend!
Now, M1 doesn't have a download limit / cap (it has a speed cap at 1.5mbps
down and 356kbps up) so it would not serve any purpose other than discovery
on how M1 actually authenticates.  The only danger that it could pose to
spoof my friend's MAC is that some M1 websites let you change your e-mail
password and some e-mail settings, and they used (last time I checked) to
authenticate by the cable modem you were on.

One more note about the tech that installed mine, he plugged his laptop in
and typed in the MAC of my network card, then he just pulled out the new
cable modem and plugged it in.  The cable modem was not programmed at all, it
was just pulled out of the box and un-shrink-wrapped.  The modem itself could
be considered "dumb", and has nothing to do with tracking your stats.

-Chris

-----Original Message-----
From: H D Moore [mailto:secure () SECUREAUSTIN COM]
Sent: Monday, February 07, 2000 8:12 AM
To: VULN-DEV () SECURITYFOCUS COM
Subject: Re: fooling hubs [ARP Spoofing]

Hi,

Road Runner uses the modem serial number in conjunction with special
routing hard/software to determine your usage.  This means that you can't
just snag someone else's MAC/IP because the switch knows what serial
number goes to which port.  How the switch receives the serial number is
unknown, I think it is done during the initial setup when the modem is
being 'registered' by the tech that installs it.  Using a program like
changemac just annoys their admins, as it looks like you have multiple
computers and are switching between them (a friend of mine works at the
cable co and told me how they track usage/etc).

If anyone knows something to the contrary or knows what protocol the
Motorola Waverunner modems use to register themselves (or about the
switches used), please let me know!

-HD
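The operator-side view HD describes (a port bound to one serial number, so a subscriber changing MACs "looks like multiple computers") and the thread's subject, ARP spoofing, both come down to watching for bindings that change. The following is an added example, not code from any poster on this thread: it reads a constructed log of ARP observations (timestamp, access port, sender MAC, sender IP; the format and field names are assumptions) and flags an IP answered from a new MAC, an IP that moves to a different port, and a port that carries more than one MAC over time.

```python
"""ARP binding anomaly detector (added example, not from the thread).

Each log line is "timestamp port sender_mac sender_ip", a constructed format
standing in for whatever a switch or ARP monitor would export. Three things
are flagged:
  ip_mac_change  - an IP starts answering from a different MAC (classic ARP
                   spoofing signature, or a legitimately replaced card)
  ip_port_change - an IP previously seen on one access port shows up on
                   another (one subscriber claiming another's address)
  port_multi_mac - one access port has carried more than one MAC over time
                   (what an operator sees when a customer switches cards)
"""

from collections import defaultdict

# Constructed sample log: port7 first uses MAC ..:33 for 10.0.0.5, then a
# different card appears on port7 claiming both its own IP and port8's.
SAMPLE_LOG = """\
100 port7 00:a0:c9:11:22:33 10.0.0.5
101 port8 00:50:04:aa:bb:cc 10.0.0.6
102 port7 00:a0:c9:11:22:33 10.0.0.5
103 port7 00:10:5a:de:ad:01 10.0.0.5
104 port7 00:10:5a:de:ad:01 10.0.0.6
"""


def parse_arp_log(text):
    """Return a list of (timestamp, port, mac, ip) tuples, skipping blanks
    and '#' comments. MACs are lower-cased so case differences do not
    produce false 'change' alerts."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, port, mac, ip = line.split()
        records.append((int(ts), port, mac.lower(), ip))
    return records


def detect_anomalies(records):
    """Walk the observations in order, maintaining the last-known binding
    for each IP and the set of MACs seen per port, and emit one alert tuple
    per binding change. Alerts are ordered per observation: IP->MAC change,
    IP->port change, then port multi-MAC."""
    ip_to_mac = {}
    ip_to_port = {}
    port_macs = defaultdict(set)
    alerts = []
    for ts, port, mac, ip in records:
        prev_mac = ip_to_mac.get(ip)
        if prev_mac is not None and prev_mac != mac:
            alerts.append(("ip_mac_change", ts, ip, prev_mac, mac))
        ip_to_mac[ip] = mac

        prev_port = ip_to_port.get(ip)
        if prev_port is not None and prev_port != port:
            alerts.append(("ip_port_change", ts, ip, prev_port, port))
        ip_to_port[ip] = port

        # Only alert the first time a new MAC shows up on an already-used port.
        if port_macs[port] and mac not in port_macs[port]:
            alerts.append(("port_multi_mac", ts, port, mac))
        port_macs[port].add(mac)
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(parse_arp_log(SAMPLE_LOG)):
        print(" ".join(str(field) for field in alert))
```

On the sample, the detector reports four alerts: at timestamp 103 the IP 10.0.0.5 changes MAC and port7 gains a second MAC; at timestamp 104 the IP 10.0.0.6 changes MAC and moves from port8 to port7. In practice an operator would suppress the first two for a known card replacement and treat the last two as the real signal, since they show one port speaking for another subscriber's address.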

Jeff Bachtel wrote:

Oddly enough, there was a post to misc () openbsd org from a guy who said
he found a way to treble his upload speed on his cable modem by proxy
arp'ing to the mac address of his cable modem.

I don't know how well that would work with different providers, but if
someone hacks together a little windows utility to sniff out the arp
of the cable modem, and set windows to start proxying it
automatically, that would seem likely to regress cable modem back into
the good ol' (or bad ol') days of near-unlimited bandwidth.

Does anyone know the likelihood of this actually working?

jeff

On Thu, Feb 03, 2000 at 10:05:34PM +0000, David aka SpanskA wrote:
Hi,
   I was looking at ARP spoofing postings for a while and I was wondering
if it was possible to permanently fool some hubs or routers. My ISP
(Cablevision) is using some kind of system to know how much I'm uploading
and downloading.

I successfully did it one time with a little prog called "changemac". If
you wanna look at it just go to packetstorm archive. Unfortunately, the
last month I checked the data report I could see that my ISP was able to
know (again!) how much I was downloading and uploading.

Is this a bug with some kind of hardware or with ARP protocol?


Sorry for my English mistakes...

