LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 10-08-2004, 07:51 AM   #1
bobwall
Member
 
Registered: Jul 2004
Location: Milpitas, California
Distribution: 1/2 Debian 1/2 my own
Posts: 189

Rep: Reputation: 30
physical ethernet hijacking


Hello all,

I'm not sure what this activity is called (it involves partial MAC and IP spoofing), so I couldn't find any search results.

When someone knows the MAC and IP address of a computer, sets up their own computer's settings to exactly match the target computer's IP address, MAC address, subnet and gateway, and then unplugs the network cable from the target computer and plugs it into their own computer, that person will have access to the network without having to go through DHCP, basically hijacking it.

Is there any way that I could detect that the computer is not the original computer?

-Yale
 
Old 10-08-2004, 08:16 AM   #2
christhom
Member
 
Registered: Sep 2004
Distribution: Debian sarge/sid
Posts: 41

Rep: Reputation: 15
Well, this would be tricky. The usual way is via MAC address. You could try various scans and OS fingerprinting. If the OSes are different then that might be a giveaway, but this is getting into the field of network forensics. You could also do profiling on the packet statistics to see if you could differentiate the TCP/IP stacks, but again this is tricky (advanced - beyond my level of knowledge surely) and still requires different operating systems.

I can't think of anything simpler off the top of my head.
 
Old 10-08-2004, 08:28 AM   #3
bobwall
Member
 
Registered: Jul 2004
Location: Milpitas, California
Distribution: 1/2 Debian 1/2 my own
Posts: 189

Original Poster
Rep: Reputation: 30
Quote:
Originally posted by christhom
You could try various scans and OS fingerprinting. If the OSes are different then that might be a giveaway, but this is getting into the field of network forensics.
OK, but how is it possible to detect the OS? Also, if the most common way is by detecting MAC addresses, is it possible to reveal the card's factory written address and not the spoofed one?
 
Old 10-08-2004, 08:54 AM   #4
goofyheadedpunk
Member
 
Registered: Aug 2003
Distribution: Arch Linux
Posts: 140

Rep: Reputation: 15
nmap will resolve operating systems, within a certain degree of accuracy. I don't remember what switch it is, I'm sorry, but I can't look it up right now. However it should be plainly stated in the man page.
 
Old 10-08-2004, 09:34 AM   #5
christhom
Member
 
Registered: Sep 2004
Distribution: Debian sarge/sid
Posts: 41

Rep: Reputation: 15
-O in nmap will do OS fingerprinting. (that's a capital oh, not a zero). But I'd take this with a bit of a grain of salt, because if people are going to the trouble to spoof MAC addresses and switch ethernet cables, then OS spoofing is also possible.

In fact, if someone has physical access to your machine, they can just match OSes. The rule of thumb is, if you have physical access, you're screwed...
 
Old 10-08-2004, 10:09 AM   #6
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
If you're really concerned about this happening, you might want to implement either some kind of VPN or captive portal where all clients must authenticate to a central server before being given access.
 
Old 10-08-2004, 11:15 AM   #7
Krugger
Member
 
Registered: Oct 2004
Posts: 229

Rep: Reputation: 30
Usually, besides setting your MAC and IP with ifconfig, you also set the iptables INPUT policy to drop all packets, coupled with a rule to accept all established or related connections.

I usually do an ipconfig /all on the Windows machine I am going to "clone" before plugging in my Linux laptop.

If users have access to the computer being replaced, they just copy the settings. Unless it is properly done.
 
Old 10-08-2004, 11:20 AM   #8
shinobi59
Member
 
Registered: Oct 2004
Location: Dimension X
Distribution: All
Posts: 60

Rep: Reputation: 15
I've never heard of this being done in quite this way.

The TCP/IP sequence numbers would not match?

Is it possible to hijack a connection in this manner when the sequence numbers do not match?
 
Old 10-08-2004, 11:43 AM   #9
Krugger
Member
 
Registered: Oct 2004
Posts: 229

Rep: Reputation: 30
I wasn't talking about real hijacking; I mean disconnect here and plug my laptop in.

Real Ethernet hijacking uses the ARP protocol: ARP poisoning.

And it is possible to craft the whole Ethernet frame, so a spoofed MAC can go around the network.

But he wasn't talking about that, because he said the target would be replaced with my own machine and remain undetected in the network as the MAC and IP are the same. Ideal in a not-too-secure trusted LAN.
 
Old 10-08-2004, 11:57 AM   #10
bobwall
Member
 
Registered: Jul 2004
Location: Milpitas, California
Distribution: 1/2 Debian 1/2 my own
Posts: 189

Original Poster
Rep: Reputation: 30
Whoa, thanks for letting me know about all those complicated procedures. Is there a standard way to automate the process, such as having a daemon that routinely does those checks, or is that impractical? I know that high-end routers (i.e. Cisco, not wimpy Linksys ones) have built-in MAC address spoofing detection.
 
Old 10-08-2004, 01:00 PM   #11
Krugger
Member
 
Registered: Oct 2004
Posts: 229

Rep: Reputation: 30
The beauty of this is that you can't exclude the attacker, as he is using a valid MAC for your network: the MAC of the computer he just replaced. If you filter it, the computer, when reconnected, will not be able to send packets anywhere.
 
Old 10-08-2004, 01:47 PM   #12
shinobi59
Member
 
Registered: Oct 2004
Location: Dimension X
Distribution: All
Posts: 60

Rep: Reputation: 15
Sorry, I was thinking of TCP hijacking, on the order of using a hijack package (e.g. Hunt).

My apologies.

As I said ... this form of hijacking is new to me, because it requires physical access to the switch.

I'll sit out and just read for now.
 
Old 10-08-2004, 04:42 PM   #13
stickman
Senior Member
 
Registered: Sep 2002
Location: Nashville, TN
Posts: 1,552

Rep: Reputation: 53
Re: physical ethernet hijacking

Quote:
Originally posted by bobwall
Is there any way that I could detect that the computer is not the original computer?

-Yale
Depending on your networking gear, you might be able to lock down the MAC address to certain switch ports. If it shows up on another port, then it doesn't go anywhere. Another method is to add a layer of authentication somewhere in the middle (i.e. a passworded firewall).
 
Old 10-09-2004, 12:45 AM   #14
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
You can actually detect OS fingerprints passively, for instance by using p0f. Of course, as others pointed out the hijacker could try to mimic the TCP/IP behavior of the target they were replacing (or it might actually be the same OS). The only way to be sure is with mutual authentication that is not susceptible to Man-in-the-Middle attacks.
 
Old 10-10-2004, 06:00 AM   #15
christhom
Member
 
Registered: Sep 2004
Distribution: Debian sarge/sid
Posts: 41

Rep: Reputation: 15
Re: Re: physical ethernet hijacking

Quote:
Originally posted by stickman
Depending on your networking gear, you might be able to lock down the MAC address to certain switch ports. If it shows up on another port, then it doesn't go anywhere. Another method is to add a layer of authentication somewhere in the middle (i.e. a passworded firewall).
This doesn't work either, because the original suggestion was actually to unplug the attacked machine and plug in the "evil" machine. So you have the same MAC address appearing on the same port. If you then match/spoof OSes, the only way I can think of is to use state information on the current connections. So, you could just maintain a TCP connection to the machine you're worried about, transmitting some random (or better, known) data every so often. Half a second or something. When that connection drops, you know something is up.

Hang on - my network card has a link light - it detects that the connection is there. Is it possible to do this in reverse, from the switch/router, i.e. detect when the remote machine has been detached? This is essentially testing the state of the actual wire, which is the goal in the first place. When the cable is unplugged, the electrical properties will change... surely someone's thought of this before!
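Building on christhom's keep-a-connection-open idea and chort's point about mutual authentication, here is an added example (not code from anyone in this thread) of a keyed heartbeat: the monitor sends a random challenge and expects an HMAC over it under a shared secret, so a box that merely copies the MAC and IP, or a silent cable pull, shows up as a wrong or dropped reply. The secret, loopback addresses and port are constructed for the example; it runs both ends in one process.

```python
import hashlib, hmac, os, socket, threading, time

# Constructed shared secret for this example; provision a real one per monitored host.
SECRET = b"example-shared-secret"

def tag(challenge: bytes) -> bytes:
    """Keyed reply a legitimate host can compute but a MAC/IP clone cannot."""
    return hmac.new(SECRET, challenge, hashlib.sha256).digest()

def responder(conn: socket.socket, answer_limit: int) -> None:
    """Monitored host: answer 16-byte challenges, then stop (simulates a pulled cable)."""
    with conn:
        for _ in range(answer_limit):
            challenge = conn.recv(16)
            if len(challenge) != 16:
                return
            conn.sendall(tag(challenge))

def monitor(peer, beats: int, interval: float = 0.05, timeout: float = 0.5) -> dict:
    """Monitor: send a fresh random challenge every `interval` seconds and verify the reply."""
    verified = 0
    with socket.create_connection(peer, timeout=timeout) as s:
        for _ in range(beats):
            challenge = os.urandom(16)
            try:
                s.sendall(challenge)
                reply = s.recv(32)
            except (socket.timeout, ConnectionError):
                reply = b""
            if len(reply) != 32:  # peer gone, silent, or connection reset
                return {"verified": verified, "reason": "connection lost"}
            if not hmac.compare_digest(reply, tag(challenge)):  # wrong key: a stand-in host
                return {"verified": verified, "reason": "bad response"}
            verified += 1
            time.sleep(interval)
    return {"verified": verified, "reason": "completed"}

def demo(answer_limit: int = 3, beats: int = 10) -> dict:
    """Run both sides over loopback; the responder quits after answer_limit beats."""
    with socket.socket() as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        t = threading.Thread(target=lambda: responder(srv.accept()[0], answer_limit), daemon=True)
        t.start()
        result = monitor(srv.getsockname(), beats)
        t.join(2)
    return result
```

In a real deployment the monitor would run as the daemon bobwall asked about, logging or alerting on the first "connection lost" or "bad response" rather than returning.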
 