Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I'm not sure what this activity is called (it involves partial MAC and IP spoofing), so I couldn't find any search results.
When someone knows the MAC and IP address of a computer and sets up their computer's settings to exactly match the target computer's IP address, MAC address, subnet, and gateway, and then unplugs the network cable on the target computer and plugs it into their own computer, that person will have access to the network without having to go through DHCP, basically hijacking it.
Is there any way that I could detect that the computer is not the original computer?
Well, this would be tricky. The usual way is via MAC address. You could try various scans and OS fingerprinting. If the OSes are different then that might be a giveaway, but this is getting into the field of network forensics. You could also do profiling on the packet statistics to see if you could differentiate the TCP/IP stacks, but again this is tricky (advanced - beyond my level of knowledge, surely) and still requires different operating systems.
I can't think of anything simpler off the top of my head.
Quote: You could try various scans and OS fingerprinting. If the OSes are different then that might be a giveaway, but this is getting into the field of network forensics.
OK, but how is it possible to detect the OS? Also, if the most common way is by detecting MAC addresses, is it possible to reveal the card's factory-written address and not the spoofed one?
nmap will resolve operating systems, within a certain degree of accuracy. I don't remember what switch it is, I'm sorry, but I can't look it up right now. However it should be plainly stated in the man page.
-O in nmap will do OS fingerprinting. (that's a capital oh, not a zero). But I'd take this with a bit of a grain of salt, because if people are going to the trouble to spoof MAC addresses and switch ethernet cables, then OS spoofing is also possible.
In fact, if someone has physical access to your machine, they can just match OSes. The rule of thumb is, if you have physical access, you're screwed...
If you're really concerned about this happening, you might want to implement either some kind of VPN or captive portal where all clients must authenticate to a central server before being given access.
Usually, besides setting your MAC and IP with ifconfig, you also set the iptables input policy to drop all packets, coupled with a rule to accept all established or related connections.
I usually do an ipconfig /all on the Windows machine I am going to "clone" before plugging in my Linux laptop.
If users have access to the computer being replaced, they just copy the settings. Unless it is properly done.
I wasn't talking real hijacking, I mean disconnect here and plug my laptop in.
Real Ethernet hijacking uses the ARP protocol: ARP poisoning.
And it is possible to craft the whole ethernet frame, so spoofed MAC can go around the network.
But he wasn't talking about that, because he said the target would be replaced with my own machine and remain undetected in the network, as the MAC and IP are the same. Ideal in a not-too-secure trusted LAN.
Whoa, thanks for letting me know about all those complicated procedures. Is there a standard way to automate the process, such as having a daemon that routinely does those checks, or is that impractical? I know that high-end routers (i.e. Cisco, not wimpy Linksys ones) have built-in MAC address spoofing detection.
The beauty of this is you can't exclude the attacker, as he is using a valid MAC for your network, the MAC of the computer he just replaced. If you filter it, the computer, when reconnected, will not be able to send packets anywhere.
Originally posted by bobwall Is there any way that I could detect that the computer is not the original computer?
-Yale
Depending on your networking gear, you might be able to lock down the MAC address to certain switch ports. If it shows up on another port, then it doesn't go anywhere. Another method is to add a layer of authentication somewhere in the middle (i.e. a passworded firewall).
You can actually detect OS fingerprints passively, for instance by using p0f. Of course, as others pointed out the hijacker could try to mimic the TCP/IP behavior of the target they were replacing (or it might actually be the same OS). The only way to be sure is with mutual authentication that is not susceptible to Man-in-the-Middle attacks.
Originally posted by stickman Depending on your networking gear, you might be able to lock down the MAC address to certain switch ports. If it shows up on another port, then it doesn't go anywhere. Another method is to add a layer of authentication somewhere in the middle (i.e. a passworded firewall).
This doesn't work either, because the original suggestion was actually to unplug the attacked machine and plug in the "evil" machine. So you have the same MAC address appearing on the same port. If you then match/spoof OSes, the only way I can think of is to use state information on the current connections. So, you could just maintain a TCP connection to the machine you're worried about, transmitting some random (or better, known) data every so often. Half a second or something. When that connection drops, you know something is up.
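As an added example (not code from any poster in this thread), here is a defender-side version of the persistent-connection idea just described, combined with the authenticated check the p0f reply calls for: the monitor holds one long-lived connection to the watched host and sends a fresh nonce each beat, the host answers with an HMAC under a shared key, and a dropped connection or a wrong answer raises an alert. The function names, the shared key and the socketpair standing in for the LAN link are all constructed for this demo.

```python
import hashlib
import hmac
import os
import socket
import threading

SHARED_KEY = b"constructed-demo-key"  # constructed for this demo; provision a real one per host


def answer_challenge(key: bytes, nonce: bytes) -> bytes:
    """Monitored host: prove it holds the key for this particular nonce."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def check_response(key: bytes, nonce: bytes, response: bytes) -> bool:
    """Monitor: constant-time comparison of the expected and received answer."""
    return hmac.compare_digest(answer_challenge(key, nonce), response)


def agent_serve(conn: socket.socket, key: bytes) -> None:
    """Monitored host loop: answer every 16-byte nonce until the link closes."""
    with conn:
        while nonce := conn.recv(16):
            conn.sendall(answer_challenge(key, nonce))


def monitor_once(conn: socket.socket, key: bytes) -> str:
    """Monitor: one heartbeat over the long-lived connection; returns a verdict."""
    nonce = os.urandom(16)  # fresh per beat, so a recorded answer never verifies
    try:
        conn.sendall(nonce)
        response = conn.recv(32)
    except OSError:
        return "ALERT: send/recv failed (cable pulled or host swapped?)"
    if not response:
        return "ALERT: connection dropped (cable pulled or host swapped?)"
    if not check_response(key, nonce, response):
        return "ALERT: bad response (peer does not hold the key)"
    return "OK"


def simulate(agent_key: bytes, monitor_key: bytes, unplug: bool = False) -> list:
    """Run host and monitor over a socketpair standing in for the LAN link."""
    mon, host = socket.socketpair()
    t = threading.Thread(target=agent_serve, args=(host, agent_key), daemon=True)
    t.start()
    verdicts = [monitor_once(mon, monitor_key)]
    if unplug:
        host.shutdown(socket.SHUT_RDWR)  # stand-in for yanking the cable
        t.join()
        verdicts.append(monitor_once(mon, monitor_key))
    mon.close()
    return verdicts
if __name__ == "__main__":
    print(simulate(SHARED_KEY, SHARED_KEY, unplug=True))
```

A host plugged in with the right MAC and IP but without the key gets "bad response"; a host that is simply swapped out breaks the connection and gets "connection dropped" or "send/recv failed".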
Hang on - my network card has a link light - it detects that the connection is there. Is it possible to do this in reverse, from the switch/router - i.e. detect when the remote machine has been detached? This is essentially testing the state of the actual wire, which is the goal in the first place. When the cable is unplugged, the electrical properties will change... surely someone's thought of this before!