
Spoofed MAC Addresses.?


techytopia

Technical User
May 29, 2009
10
GB
Hi,

Just found this in our Netgear FVS 318 Router, just wondering if it is someone spoofing the laptops MAC Addresses to get through our wireless.?

Our actual LAN IP is 192.168.1.## but these extra addresses have almost every variant, including some illegal ones. Interestingly, all the MAC addresses are the same except for one, *** below. Any ideas.?

Attached Devices

IP Address - Device Name MAC Address

192.168.1 .100 - DIDDY-XP 00:0A:E6:E6:##:##

192.168.1 .103 - AMILO-C 00:0A:E4:24:##:##

192.168.1 .104 - callisto 00:0E:35:1D:##:E2
192.168.192.104 - callisto 00:0E:35:1D:##:E2
192.0 .1 .104 - callisto 00:0E:35:1D:##:E2
192.168.130.104 - callisto 00:0E:35:1D:##:E2
192.104.1. 104 - callisto 00:0E:35:1D:##:E2
192.0 .82 .104 - callisto 00:0E:35:1D:##:E2
192.8 .1 .104 - callisto 00:0E:35:1D:##:E2
192.212.130.104 - callisto 00:0E:35:1D:##:E2
192.0 .130.104 - callisto 00:0E:35:1D:##:E2
192.0 .84 .104 - callisto 00:0E:35:1D:##:E2
1 .168.1 .104 - callisto 00:0E:35:1D:##:34 ***
192.168.212.104 - callisto 00:0E:35:1D:##:E2
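
One way to triage a table like the one above (an added example, not part of the original post and not a Netgear tool): it parses attached-device rows, flags any MAC listed with more than one IP or with an address outside the LAN, and flags any device name seen with more than one MAC. The 192.168.1.0/24 subnet and all function names are assumptions; the rows are a subset copied from the post, with the poster's "##" masking kept.

```python
import ipaddress
import re
from collections import defaultdict

# Subset of rows copied from the post; "##" is the poster's own masking.
ATTACHED = """\
192.168.1 .100 - DIDDY-XP 00:0A:E6:E6:##:##
192.168.1 .103 - AMILO-C 00:0A:E4:24:##:##
192.168.1 .104 - callisto 00:0E:35:1D:##:E2
192.168.192.104 - callisto 00:0E:35:1D:##:E2
192.0 .1 .104 - callisto 00:0E:35:1D:##:E2
192.104.1. 104 - callisto 00:0E:35:1D:##:E2
1 .168.1 .104 - callisto 00:0E:35:1D:##:34
"""

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed: a /24 around 192.168.1.##

# IP column (may contain padding spaces), " - ", device name, MAC (hex or "##").
ROW = re.compile(
    r"^([\d .]+?)\s*-\s*(\S+)\s+((?:[0-9A-Fa-f#]{2}:){5}[0-9A-Fa-f#]{2})\s*$"
)

def parse(text):
    """Return (ip, name, mac) tuples, stripping the padding inside the IP column."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            ip = ipaddress.ip_address(re.sub(r"\s+", "", m.group(1)))
            rows.append((ip, m.group(2), m.group(3).upper()))
    return rows

def audit(rows, lan=LAN):
    """Flag MACs that hold several IPs or any IP outside the LAN subnet."""
    by_mac = defaultdict(set)
    for ip, _name, mac in rows:
        by_mac[mac].add(ip)
    findings = {}
    for mac, ips in by_mac.items():
        outside = [str(ip) for ip in sorted(ips) if ip not in lan]
        if len(ips) > 1 or outside:
            findings[mac] = {"ip_count": len(ips), "outside_lan": outside}
    return findings

def names_with_multiple_macs(rows):
    """A hostname seen with two different MACs deserves a closer look."""
    by_name = defaultdict(set)
    for _ip, name, mac in rows:
        by_name[name].add(mac)
    return {n: sorted(m) for n, m in by_name.items() if len(m) > 1}
```

Run against a fresh copy of the router's table each time the behaviour recurs, so the flagged entries can be compared between captures.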
 
It's easy to spoof a MAC address; but is the MAC address being spoofed the same as one on your access list, or one on your network?

What security do you have in place on your AP?

"We can categorically state that we have not released man-eating badgers into the area" - Major Mike Shearer
 
Hi

Thank you for your reply. In answer to your first question, the MAC address being spoofed is correct, apart from the one with '34' on the end. It is [ possibly ] spoofing this valid connection, 192.168.1.104 - callisto - 00:0E:35:1D:##:E2 but I was actually asking whether you think this 'IS' an example of spoofing through our wireless AP, onto the FVS318.? We were wondering if it was an anomaly on the FVS318.

The wireless connector is only switched on during office hours, and is using WEP with MAC filtering, to answer your second question. We fully realise this is not that secure but it only gives access to the Internet, not the LAN.

Is this definitely a spoofing attempt.?

Regards
 
Greetings once more.

Well, as long as you know that WEP isn't really secure (crackable in as little as a minute at worst), we can leave that one at the door.

Unless the legitimate client (callisto) has something funky on it and is trying various IP addresses, I would have to also put this down to spoofing. Having not used that model, or any Netgear routers for a while, I can't guarantee that it's not the router getting confused. I however doubt that to be the case.


"We can categorically state that we have not released man-eating badgers into the area" - Major Mike Shearer
 
is it possible to spoof a MAC? YES
is this an example of spoofing? can't be 100% sure
can you run a scan on all connections?
change the WEP key and give to legit users, see if the behavior comes back.
 
Hi there,

Thank you for your reply. In answer to your question, when I first noticed this, I pinged all the addresses and ran Angry IP on them, but got no reply or information of any sort.

I realise this could just be because the potential spoofer tried all sorts of invalid IP addresses to get on to the network, and even the last one they tried could have been turned off anyway as they had given up. The Netgear FVS318 Router keeps those 'Active Connections' for a while after they have been disconnected anyway, I guess it's the IP Lease time or something.

I also ran a netstat but there were no connections on anything that looked out of the ordinary.

Is there anything else you can suggest as far as scanning those connections, if and when the behavior is repeated.?

Cheers
 
What seems strange to me is the random network addresses. Anyone with the slightest clue should be able to listen to network messages to find out the range, and that's assuming DHCP isn't being used.

Does your router even register the devices if they haven't been WEP authenticated? Regardless, I would go with North's recommendation and change your WEP key.

"We can categorically state that we have not released man-eating badgers into the area" - Major Mike Shearer
 
Hi there,

Thank you for your reply. Yes, the random network addresses were making me think it was something spurious on the router, or the laptop, causing the issue, not someone else attached to the network. But it is weird that they are so varied and illegal.

In answer to your second question, the router is connected to a Wireless Access Point that 'registers the clients', ie allows them to connect to the router wirelessly, and the router then allows access to the Internet, but not the network, which is on a Vlan on a gigabit switch.

This has not happened again anyway, and we will be upgrading the Access Point, even though the WEP key is changed now, plus wireless is disabled outside office hours, and most drive-by wireless hacks seem to happen in the evening. Can anyone recommend the best form of wireless association with particular regard to stopping spoofing.? And any extra security measures we can take.?

Best regards
 
I would heartily recommend WPA2; WPA isn't secure, but there is no reason not to have the newer revision. You could use RADIUS authentication for added security, but since it's just an Internet access point, I wouldn't bother.

WPA2 with a strong key and you're sorted.

"We can categorically state that we have not released man-eating badgers into the area" - Major Mike Shearer
 