Re: Hijack IP Address using cable modem

[David Laganière <spanska () SECURINET QC CA>]

On our cable modem network here, it is easy to setup another client's IP address
to kill him from the network. A fried of mine already did so with Win2k and
could easily kill people off only by using their IP addresses as aliases. (He
didn't even have to reboot his machine! ). He was able to take any IP owned by
our cable provider. This is kinda interesting. Not sure what it would be useful
for if the "victims" dies. We wouldn't be able to spoof him. Tell me if I'm
wrong here.

Just another thought...
Sorry for my bad English.

David

Nick Summy wrote:

> This is a good theory, but there are a couple of flaws (i think)  I beleive
> that each cable modem has a MAC address,  so the network would look for the
> cable modems mac address, not the NIC's.  Just as it is with any network,  I
> dont beleive 2 of the same MAC addresses can be on the network, nor can 2 of
> the same ip be on the network.  I think if this were to work at all, the
> attacker would get the ip address, the server would think the victim got the
> ip, and the victim would be without service.
>
> Another thought:  If it is possible to change the MAC address of your cable
> modem wouldnt it just be easier to make up a MAC address to change it to?
> that way the sever would have no idea who actually recieved the ip address
>
> -----Original Message-----
> From: VULN-DEV List [mailto:VULN-DEV () SECURITYFOCUS COM]On Behalf Of
> Patrick Patterson
> Sent: Wednesday, March 28, 2001 10:31 AM
> To: VULN-DEV () SECURITYFOCUS COM
> Subject: Re: Hijack IP Address using cable modem
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> I think I see where Patrick was coming from with this:
>
> Victim turns on his computer, and gets an IP address
> Cracker, while sniffing the Cable segment notices that IP adress foo is
> assigned to MAC bar
> Cracker changes his own MAC address to bar, and brings up IP address foo on
> this new MAC address (some Ethernet cards have overwritable MAC addresses)
> Since both Cracker and Victim have the same MAC, Cracker get's all packets
> for Victims computer, and is able to impersonate victim.
>
> This is just a slightly more sophisticated IP Address Spoofing attack....
> and
> I don't think it will work...
>
> > From what I know of Cablemodem networks, there are actually several parts.
>
> 1: The cable network - the 'Modem' talks to the Cable Company terminal
> equipment and ensures that you are a valid subscriber.
> 2: The IP Network - the routers keep track of which IP and MAC, is on which
> Cable Modem - thus making this attack unlikely to succeed....
>
> I haven't tested this, and might be horribly wrong, but I don't think so -
> this is one of those things that looks better in theory than in practice -
> Is
> anyone from @HOME or ATT around to confirm/deny what's I've written?
>
> On Wednesday 28 March 2001 09:09, Nick Summy wrote:
> > Now I hardly know anything about this subject, so correct me If im wrong,
> > but I have a few questions.
>
> <SNIP>
>
> - --
>
> Patrick Patterson                       Tel: +1 514 485-0789
> President, Chief Security Architect     Fax: +1 514 485-4737
> Carillon Information Security Inc.      E-Mail: ppatterson () carillonis com
>
> - ----------------- The New Sound of Network Security -----------------
>                   <<  http://www.carillonis.com  >>