Vulnerability Development mailing list archives

Re: Hijack IP Address using cable modem (fwd)


From: lists () BETA EVOLUTIONH COM
Date: Wed, 28 Mar 2001 23:26:00 -1000

I used to be an @home customer using some CyberSurf cable modem and I
looked into the idea of hijacking or spying then.  I found some white
pages on the modem and the modem turned out to have TONS of security
crap to prevent any such MAC address spoofing or even spying as suggested.
It appeared to me then that the engineers had completely thought out these
issues and solved them.  So I gave up on the idea.




---------- Forwarded message ----------
Date: Wed, 28 Mar 2001 13:33:34 -0500
From: "Williamson, Glenn" <Glenn.Williamson () XWAVE COM>
To: VULN-DEV () SECURITYFOCUS COM
Subject: Re: Hijack IP Address using cable modem


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Whether Patrick was coming from this point of view is beyond me.

 You would still have an apparent problem with 2 host machines with
the same IP address (MAC)

 2 exact IP addresses cause a big problem for routers anyways. Whoever
gets the packet first responds with a syn, if 2 syn's came back
the original packet would not understand.

 It falls under the handshake that is expected to establish
communications between 2 different entities, first syn, syn ack, then
syn, doesn't work if it goes syn, syn ack - syn ack, syn.

 If I'm wrong well that was my 2 cents worth.

 And yes was a @home customer for 2 years


 Glenn


- -----Original Message-----
From: Patrick Patterson [mailto:ppatterson () carillonis com]
Sent: March 28, 2001 11:31 AM
To: VULN-DEV () SECURITYFOCUS COM
Subject: Re: Hijack IP Address using cable modem


- -----BEGIN PGP SIGNED MESSAGE-----

I think I see where Patrick was coming from with this:

Victim turns on his computer, and gets an IP address
Cracker, while sniffing the Cable segment notices that IP address foo is assigned to MAC bar
Cracker changes his own MAC address to bar, and brings up IP address foo on this new MAC address (some Ethernet cards have overwritable MAC addresses)
Since both Cracker and Victim have the same MAC, Cracker gets all packets for Victim's computer, and is able to impersonate victim.


This is just a slightly more sophisticated IP Address Spoofing attack.... and I don't think it will work...

From what I know of Cablemodem networks, there are actually several parts.

1: The cable network - the 'Modem' talks to the Cable Company terminal equipment and ensures that you are a valid subscriber.
2: The IP Network - the routers keep track of which IP and MAC is on which Cable Modem - thus making this attack unlikely to succeed....

I haven't tested this, and might be horribly wrong, but I don't think so - this is one of those things that looks better in theory than in practice - Is anyone from @HOME or ATT around to confirm/deny what I've written?

On Wednesday 28 March 2001 09:09, Nick Summy wrote:
Now I hardly know anything about this subject, so correct me if I'm
wrong, but I have a few questions.

<SNIP>

- - --

Patrick Patterson                       Tel: +1 514 485-0789
President, Chief Security Architect     Fax: +1 514 485-4737
Carillon Information Security Inc.      E-Mail: ppatterson () carillonis com

- - ----------------- The New Sound of Network Security -----------------
                  <<  http://www.carillonis.com  >>
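
The binding check described in item 2 of the message above (routers tracking which IP and MAC sit behind which cable modem), sketched as an added example; it is not part of the original thread and is not @Home's or any vendor's implementation. It assumes the head-end learns each MAC and IP behind the modem where it is first seen; the class, event format, modem IDs and addresses are all constructed for illustration.

```python
"""Model of a head-end binding table (assumed behaviour, not vendor code)."""
from dataclasses import dataclass, field


@dataclass
class BindingTable:
    mac_to_modem: dict = field(default_factory=dict)
    ip_to_modem: dict = field(default_factory=dict)
    ip_to_mac: dict = field(default_factory=dict)

    def observe(self, modem, mac, ip):
        """Return a list of violations; learn the binding only if clean."""
        mac = mac.lower()  # compare MACs case-insensitively
        problems = []
        if self.mac_to_modem.get(mac, modem) != modem:
            problems.append(f"MAC {mac} bound to {self.mac_to_modem[mac]}")
        if self.ip_to_modem.get(ip, modem) != modem:
            problems.append(f"IP {ip} bound to {self.ip_to_modem[ip]}")
        if self.ip_to_mac.get(ip, mac) != mac:
            problems.append(f"IP {ip} bound to MAC {self.ip_to_mac[ip]}")
        if not problems:
            self.mac_to_modem[mac] = modem
            self.ip_to_modem[ip] = modem
            self.ip_to_mac[ip] = mac
        return problems


def audit(events):
    """Run (modem, mac, ip) events through a fresh table; collect alerts."""
    table = BindingTable()
    alerts = []
    for modem, mac, ip in events:
        alerts.extend((modem, p) for p in table.observe(modem, mac, ip))
    return alerts


# Constructed sample events: (modem id, customer MAC, customer IP)
SAMPLE_EVENTS = [
    ("cm-01", "00:11:22:33:44:55", "192.0.2.10"),  # subscriber A comes up
    ("cm-02", "66:77:88:99:AA:BB", "192.0.2.11"),  # subscriber B comes up
    ("cm-01", "00:11:22:33:44:55", "192.0.2.10"),  # A again, same modem
    ("cm-02", "00:11:22:33:44:55", "192.0.2.10"),  # A's MAC and IP on cm-02
    ("cm-02", "66:77:88:99:aa:bb", "192.0.2.10"),  # B's MAC claims A's IP
]

if __name__ == "__main__":
    for modem, problem in audit(SAMPLE_EVENTS):
        print(f"reject traffic from {modem}: {problem}")
```
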

