-
Rotating MAC addr
I recently had the pleasure of speaking with a former employee of Raytheon. Along our conversation we got to talking about the script kiddies in his class he's now teaching at a high school. Anyhow...he mentioned a card (ethernet or dsl/cable?) that had the capability in the hardware to rotate the MAC addresses of the card. Anyone heard/know about these? Keep in mind he was with Raytheon...go figure...
-
well cloning MAC address is nothing new.. there are hundreds of intellegent devices whose MAC address can be modified.. one such example is a router where in some modell you can set your OWN mac address...
-
but what about a specific ethernet card that, by default, rotates its own MAC?
-
well I don't know why NIC's would be doing that....it's not neccessary yet. Maybe the really expensive ones...?
-
He was on the issue of internal security. We are getting ready to beta some security apps on our servers and try to take them down in one week. I was just looking to find something that would at least provide a challenge... The sniffer thats installed is fairly new and I want to see how it would handle this genre of hardware.
-
A NIC that automatically rotates its MAC wouldn't make much sense. Every time it did, the ARP tables on the rest of the network would have to be updated.
The only way to be protected against MAC spoofing would be to make the IDS recognize some kind of fingerprint for the real computer, like the ports it has open or the response to quieries on those ports.
I don't think there would be any other way of protecting against such an attack, since in a LAN, computers don't even use IPs (except for building the ARP table), so if your ARP table is outdated you could be talking to another computer, or speak to a completely different computer in the middle of a conversation if the ARP table was updated.
-
The software we're testing was written by a kid in comp sci and is based on the MAC for and ID since he *knows that the macs *can't be changed. He has promise, but....maybe some better ideas could be though of. Anyhow, just wanted to know if there were any of these cardson the open market. The Raytheon guy is can be spooky to talk to.... You never know what he knows
-
If you're ready to pay for them, you can probably get them easily.
http://www.jsiinc.com/SUBG/TIP3000/rh3020.htm
tells you how to change it in Windows XP (other versions should be close). The NIC in my laptop seems to be able to change it, although I haven't actually tried it, as I'm not using that NIC. My dad's Belkin 54g Wi-Fi NIC can also change it, so they don't seem to be rare. I'll check my desktop tomorrow.
In short, assuming somebody is somebody because they have a MAC address won't work if somebody has enough time (around two seconds, a simple ping to the IP address or name will be enough) to find out the MAC, although that is how it's done and it's not gonna change overnight.
-
I've discussed this further with "Mr. Raytheon" and he has given me some interesting food for thought. The MAC changes for every x number of packets sent and then catches the return packets on the same that was sent. I got the picture that one request (sending multiple packets) sends a fraction of the packets from one MAC, rotates, finishes the sending, then recieves the packets under the original MAC that was the request was sent then assembles the packets internally and returns the results. That is scary but I don't doubt him. So essentially you would be running multiple MACs simultaneously? Thats all he would elaborate on. Any clues?