Vulnerability Development mailing list archives

Re: spoofing the ethernet address


From: BGrubin () SCIENT COM (Ben Grubin)
Date: Thu, 2 Mar 2000 21:02:40 -0600


I seem to recall sometime in my past seeing "secure" cards, which would
stamp an absolute MAC address on every frame no matter WHAT you tried to do
in the networking stack.  Though now that I'm thinking this might have been
token ring...  too many years.. it all starts to blend together.. *sigh*

-----Original Message-----
From: Jim Duncan [mailto:jnduncan () CISCO COM]
Sent: Thursday, March 02, 2000 3:18 AM
To: VULN-DEV () SECURITYFOCUS COM
Subject: Re: spoofing the ethernet address


Ben Grubin writes:
Trivial, actually.  Most cards allow programmable MAC addressing, so
changing them around is usually easy.  Of course, since the source MAC is
only visible on the directly attached segment, this is only useful if you
are doing "bad things" on the segment your machine physically resides on.
Once you hit a routing device, it's IP only.

_All_ cards allow it, or things like DECnet break horribly.  That's why DEC
networking gear had port security functions that always allowed _two_ MAC
addresses to be defined per port, just in case DECnet was in use.  The host
would possibly come up first with its "real" MAC address, and then promptly
switch to a DECnet MAC address once the DECnet stack was loaded.

For those that don't know, DECnet addresses are encoded in the MAC address.

Since the MAC address is programmable, and typically not tracked, it can't
be used as a reliable forensic data source.

Tools like arpwatch and arpsnmp that have been around for years can track
the use of MAC addresses reasonably reliably, and MAC addresses _can_ be
used as forensic evidence as long as the reliability is addressed
truthfully.  Your mileage may vary, and I'm not a lawyer.

The important point here that the poster has emphasized is that (1)
contrary to popular belief, MAC addresses are not "carved in stone" and can
be changed at the whim of the user.  Therefore, (2) unless proper steps are
taken, the veracity of MAC address logging is questionable at best.

      Jim


--
Jim Duncan, Product Security Incident Manager, Cisco Systems, Inc.
<http://www.cisco.com/warp/public/707/sec_incident_response.shtml>
E-mail: <jnduncan () cisco com>  Phone(Direct/FAX): +1 919 392 6209
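An added illustration, not part of the thread and not the code of arpwatch itself: a small arpwatch-style tracker that keeps the current IP-to-MAC binding from a stream of ARP observations and raises "changed ethernet address" or "flip flop" alerts when a station's MAC changes, plus a decoder for the DECnet Phase IV MAC encoding Jim refers to (AA-00-04-00-XX-YY, with XX YY the 16-bit DECnet address, low byte first). The observation list is constructed sample data.

```python
"""arpwatch-style MAC binding tracker and DECnet Phase IV MAC decoder (illustrative)."""

DECNET_PREFIX = "aa:00:04:00"   # DECnet Phase IV addresses live under this prefix


def decode_decnet_mac(mac):
    """Return (area, node) if mac carries a DECnet Phase IV address, else None.

    The last two octets hold the 16-bit DECnet address little-endian;
    the top 6 bits are the area, the low 10 bits the node number.
    """
    octets = mac.lower().split(":")
    if len(octets) != 6 or ":".join(octets[:4]) != DECNET_PREFIX:
        return None
    addr = (int(octets[5], 16) << 8) | int(octets[4], 16)
    return addr >> 10, addr & 0x3FF


def track_bindings(observations):
    """observations: iterable of (timestamp, ip, mac) seen on the segment.

    Returns alerts as (timestamp, kind, ip, new_mac, old_mac). A change back
    to the MAC seen immediately before is reported as a flip flop, which is
    what a host toggling between its burned-in and DECnet address looks like.
    """
    current, previous, alerts = {}, {}, []
    for ts, ip, mac in observations:
        mac = mac.lower()                      # normalise case before comparing
        if ip not in current:
            current[ip] = mac
            alerts.append((ts, "new station", ip, mac, None))
        elif current[ip] != mac:
            kind = "flip flop" if previous.get(ip) == mac else "changed ethernet address"
            alerts.append((ts, kind, ip, mac, current[ip]))
            previous[ip], current[ip] = current[ip], mac
    return alerts


# Constructed sample observations: 10.0.0.5 comes up with its burned-in MAC,
# switches to a DECnet MAC once that stack loads, then reverts.
SAMPLE_OBSERVATIONS = [
    ("10:00:01", "10.0.0.5", "00:50:56:aa:bb:cc"),
    ("10:00:05", "10.0.0.5", "00:50:56:aa:bb:cc"),
    ("10:00:09", "10.0.0.5", "AA:00:04:00:1C:08"),
    ("10:00:12", "10.0.0.7", "00:0c:29:11:22:33"),
    ("10:01:00", "10.0.0.5", "00:50:56:aa:bb:cc"),
]

if __name__ == "__main__":
    for ts, kind, ip, new, old in track_bindings(SAMPLE_OBSERVATIONS):
        decnet = decode_decnet_mac(new)
        tag = f" (DECnet {decnet[0]}.{decnet[1]})" if decnet else ""
        print(f"{ts} {kind}: {ip} {new}{tag} was {old}")
```

Whether such a log is usable as evidence still depends on the point Jim makes: the tracker records what the segment saw, not who chose the address.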


