LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 10-08-2004, 07:51 AM   #1
bobwall
Member
 
Registered: Jul 2004
Location: Milpitas, California
Distribution: 1/2 Debian 1/2 my own
Posts: 189

Rep: Reputation: 30
physical ethernet hijacking


Hello all,

I'm not sure what this activity is called (involves partial mac and ip spoofing) so I couldn't find any search results.

When someone knows the mac and ip address of a computer and sets up their computer's settings to exactly match the target computer's ip address, mac address, subnet, and gateway and then unplug the network cable on the target computer and plug into their own computer, the person will have access to the network without having to go through dhcp, basically hijacking.

Is there anyway that I could detect that the computer is not the original computer?

-Yale
 
Old 10-08-2004, 08:16 AM   #2
christhom
Member
 
Registered: Sep 2004
Distribution: Debian sarge/sid
Posts: 41

Rep: Reputation: 15
well, this would be tricky. the usual way is via MAC address. You could try various scans and OS fingerprinting. If the OSes are different then that might be a giveaway, but this is getting into the field of network forensics. You could also do profiling on the packet statistics to see if you could differentiate the tcp/ip stacks, but again this is tricky (advanced - beyond my level of knowledge surely) and still requires different operating systems.

can't think of anything simpler off the top of my head.
 
Old 10-08-2004, 08:28 AM   #3
bobwall
Member
 
Registered: Jul 2004
Location: Milpitas, California
Distribution: 1/2 Debian 1/2 my own
Posts: 189

Original Poster
Rep: Reputation: 30
Quote:
[i]
You could try various scans and OS fingerprinting. If the OSes are different then that might be a giveaway, but this is getting into the field of network forensics.
[/B]
OK, but how is it possible to detect the OS? Also, if the most common way is by detecting MAC addresses, is it possible to reveal the card's factory written address and not the spoofed one?
 
Old 10-08-2004, 08:54 AM   #4
goofyheadedpunk
Member
 
Registered: Aug 2003
Distribution: Arch Linux
Posts: 140

Rep: Reputation: 15
nmap will resolve operating systems, within a certain degree of accuracy. I don't remember what switch it is, I'm sorry, but I can't look it up right now. However it should be plainly stated in the man page.
 
Old 10-08-2004, 09:34 AM   #5
christhom
Member
 
Registered: Sep 2004
Distribution: Debian sarge/sid
Posts: 41

Rep: Reputation: 15
-O in nmap will do OS fingerprinting. (that's a capital oh, not a zero). But I'd take this with a bit of a grain of salt, because if people are going to the trouble to spoof MAC addresses and switch ethernet cables, then OS spoofing is also possible.

In fact, if someone has physical access to your machine, they can just match OSes. The rule of thumb is, if you have physical access, you're screwed...
 
Old 10-08-2004, 10:09 AM   #6
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
If you're really concerned about this happening, you might want to implement either some kind of VPN or captive portal where all clients must authenticate to a central server before being given access.
 
Old 10-08-2004, 11:15 AM   #7
Krugger
Member
 
Registered: Oct 2004
Posts: 229

Rep: Reputation: 30
Usually besides setting your MAC and IP with ifconfig, you usually also set iptables input policy to drop all packets coupled with a rule to accept all connections established or related.

I usually do a ipconfig /all at the windows I am going to "clone" before pluging in my linux laptop.

If users have access to the computer being replaced they just copy the settings. Unless it is properly done.
 
Old 10-08-2004, 11:20 AM   #8
shinobi59
Member
 
Registered: Oct 2004
Location: Dimension X
Distribution: All
Posts: 60

Rep: Reputation: 15
I've never heard of this being done in quite this way.

The TCPIP sequence numbers would not match?

Is it possible to hijack a connection in this manner when the sequence numbers do not match?
 
Old 10-08-2004, 11:43 AM   #9
Krugger
Member
 
Registered: Oct 2004
Posts: 229

Rep: Reputation: 30
I wasn't talking real hijacking, I mean disconnect here and plug my laptop in.

Real Ethernet hijacking is using the ARP protocol. Arp poisoning.

And it is possible to craft the whole ethernet frame, so spoofed MAC can go around the network.

But he wasn't talking about that because he said the target would be replaced with my own machine and remain undetected in the network as the MAC and IP are the same. Ideal in not too secure trusted LAN.
 
Old 10-08-2004, 11:57 AM   #10
bobwall
Member
 
Registered: Jul 2004
Location: Milpitas, California
Distribution: 1/2 Debian 1/2 my own
Posts: 189

Original Poster
Rep: Reputation: 30
Whoa, thanks for letting me know about all those complicated procedures. Is there a standard way to automate the process such as have a daemon that routinely does those checks or is that impractical? I know that high end routers (i.e. Cisco, not wimpy Linksys ones) have builtin mac address spoofing detection.
 
Old 10-08-2004, 01:00 PM   #11
Krugger
Member
 
Registered: Oct 2004
Posts: 229

Rep: Reputation: 30
The beauty of this is you can't exclude the attacker as he is using a valid MAC for your network, the MAC of the computer he just replaced. If you filter it the computer when reconnected will not be able to send packets anywhere.
 
Old 10-08-2004, 01:47 PM   #12
shinobi59
Member
 
Registered: Oct 2004
Location: Dimension X
Distribution: All
Posts: 60

Rep: Reputation: 15
Sorry, I was thinking TCP hijacking, on the order of using a hijack package (e.g. Hunt),

My apologies.

As I said ... this form of highjacking is new to me, because it requires physical access to the switch.

I'll sit out and just read for now.
 
Old 10-08-2004, 04:42 PM   #13
stickman
Senior Member
 
Registered: Sep 2002
Location: Nashville, TN
Posts: 1,552

Rep: Reputation: 53
Re: physical ethernet hijacking

Quote:
Originally posted by bobwall
Is there anyway that I could detect that the computer is not the original computer?

-Yale
Depending on your networking gear, you might be able to lock down the MAC address to certain switch ports. If it shows up on another port, then it doesn't go anywhere. Another method is to add a layer of authenication somewhere in the middle (ie passworded firewall).
 
Old 10-09-2004, 12:45 AM   #14
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
You can actually detect OS fingerprints passively, for instance by using p0f. Of course, as others pointed out the hijacker could try to mimic the TCP/IP behavior of the target they were replacing (or it might actually be the same OS). The only way to be sure is with mutual authentication that is not susceptible to Man-in-the-Middle attacks.
 
Old 10-10-2004, 06:00 AM   #15
christhom
Member
 
Registered: Sep 2004
Distribution: Debian sarge/sid
Posts: 41

Rep: Reputation: 15
Re: Re: physical ethernet hijacking

Quote:
Originally posted by stickman
Depending on your networking gear, you might be able to lock down the MAC address to certain switch ports. If it shows up on another port, then it doesn't go anywhere. Another method is to add a layer of authenication somewhere in the middle (ie passworded firewall).
This doesn't work either, because the original suggestion was actually unplug the attacked machine and plug in the "evil" machine. So you have the same MAC address appearing on the same port. If you then match/spoof OSes, the only way I can think of is to use state information on the current connections. So, you could just maintain a connection tcp connection to the machine you're worried about, transmitting some random (or better, known) data every so often. Half-a-second or something. When that connection drops, you know something is up.

Hang on - my network card has a link light - it detects that the connection is there. Is it possible to do this in the reverse, from the switch/router - i.e. detect when the remote machine has been detatched? This is essentially testing the state of the actual wire, which is the goal in the first place. when the cable is unplugged, the electrical properties will change...surely someone's thought of this before!
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
hijacking with Hunt jgomes Linux - Security 1 06-03-2005 05:46 PM
Hijacking jgomes Linux - Software 1 06-01-2005 12:24 PM
hijacking tcp connection atul_mehrotra Linux - Networking 4 04-30-2005 12:50 AM
hijacking posts titanium_geek LQ Suggestions & Feedback 2 10-13-2004 07:31 PM
Browser Hijacking frkstein Linux - General 1 04-18-2003 06:58 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 10:25 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration