
Thread: Need to grab attackers mac address

  1. #1
    Member
    Join Date
    May 2006
    Posts
    119

    Need to grab attackers mac address

    Someone is repeatedly attacking our network with scans and brute force attempts (on the wire and also on our wireless gateway), and from the logs their MAC address keeps changing to a fake one (doesn't register with any vendor). I heard somewhere about a program that can send a type of response to such attackers to suss out their real MAC address. Does such a thing really exist? If so, I want it!

    Thanks!

  2. #2
    Senior Member streaker69's Avatar
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535


    Quote: Originally Posted by bulgin
    Someone is repeatedly attacking our network with scans and brute force attempts (on the wire and also on our wireless gateway), and from the logs their MAC address keeps changing to a fake one (doesn't register with any vendor). I heard somewhere about a program that can send a type of response to such attackers to suss out their real MAC address. Does such a thing really exist? If so, I want it!

    Thanks!
    When you say "on the wire" do you mean they're on your local LAN or coming across from the Internet?
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

  3. #3
    Member
    Join Date
    May 2006
    Posts
    119


    Sorry, not clear -- they are coming in from outside. IPCop's logs show multiple attempts and Snort is throwing out alerts. Their IP address is changing daily. We have no web server and this network is set up only for accessing the internet. All ports are blocked to the outside so I don't fret that they could actually do any harm, it's just annoying and I'd like to grab their MAC address -- although presumably they've changed that, too.

  4. #4
    Senior Member streaker69's Avatar
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535


    Ok, so I'm confused, are they actually coming in across your wireless as well?

    Are you sure you're not seeing multiple attacks from multiple sources?

  5. #5
    Member
    Join Date
    May 2006
    Posts
    119


    Well I'm not an expert in pulling out relevant information from the logs but it seems like the logs for the wired interface in IPCop show a sudden surge in activity from one IP, then hours later, a similar pattern in the wireless logs interface in IPCop. When they attack from the wireless I'd like to grab their MAC because they must be in range although we are near a public internet site (in fact several), so it could be any number of things happening. Most curious about the program that grabs MAC addresses from connected users -- actually I heard it spills out the guts of the ROM of their mac card. Is there really such a thing? Sounds dangerous.

  6. #6
    Senior Member streaker69's Avatar
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535


    There is no point, nor do I think there is any way you're going to get the source MAC address of whatever is 'attacking' you. Even if you could get it, what are you going to do with it? The source IP address is more important information than a MAC address.

    Gather your logs up as best as you can, make sure that each entry is timestamped in UTC and send them to the Abuse@ address of the offender's ISP. Explain that you want the attacks to cease.

    As for attacks on your wireless, just take whatever measures are necessary so that your wireless is as secure as possible.

  7. #7
    Member
    Join Date
    May 2006
    Posts
    119


    I think you're right. I thought if I could get the MAC we could investigate the holder of that MAC.

  8. #8
    Senior Member streaker69's Avatar
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535


    Quote: Originally Posted by bulgin
    I think you're right. I thought if I could get the MAC we could investigate the holder of that MAC.
    ...and exactly how would you do that? There's no international registry of MAC address assignments. At best, you'd get the OUI which will tell you the manufacturer, but you'd have no way of finding the owner.

  9. #9
    Senior Member Thorn's Avatar
    Join Date
    Jan 2010
    Location
    The Green Dome
    Posts
    1,509


    All you'd get is the MAC of the device from the hop, probably your ISP's router. It wouldn't be the MAC of the attacking IP.
    Thorn
    Stop the TSA now! Boycott the airlines.
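
Added example (not part of any post in this thread): a Python sketch of the log preparation suggested in post #6, which also shows the point made in post #9 about whose MAC a firewall actually records. It assumes netfilter-style LOG lines like those in a Linux firewall's kernel log, plus a caller-supplied log year and fixed UTC offset; every sample line, IP address and MAC below is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample in netfilter LOG style; IPs are documentation ranges and
# MACs are made up. MAC= holds 14 octets: dst MAC, src MAC, EtherType.
SAMPLE_LOG = """\
Mar  3 21:14:07 fw kernel: INPUT IN=eth1 OUT= MAC=02:00:00:00:00:01:02:00:00:00:00:fe:08:00 SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP SPT=40112 DPT=22
Mar  3 21:14:09 fw kernel: INPUT IN=eth1 OUT= MAC=02:00:00:00:00:01:02:00:00:00:00:fe:08:00 SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP SPT=40113 DPT=23
Mar  4 03:02:51 fw kernel: INPUT IN=eth1 OUT= MAC=02:00:00:00:00:01:02:00:00:00:00:fe:08:00 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51800 DPT=22
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?MAC=(?P<mac>[0-9a-f:]{41}) "
    r"SRC=(?P<src>\S+) .*?DPT=(?P<dpt>\d+)"
)


def parse_line(line, year, utc_offset_hours):
    """Return one normalised record, or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year or zone, so both are supplied by the caller.
    local = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    local = local.replace(tzinfo=timezone(timedelta(hours=utc_offset_hours)))
    octets = m["mac"].split(":")
    return {
        "utc": local.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "src_ip": m["src"],
        "dport": int(m["dpt"]),
        "frame_src_mac": ":".join(octets[6:12]),  # sender of the last L2 hop only
    }


def abuse_summary(log_text, year, utc_offset_hours):
    """Group events by source IP with UTC times and the frame source MACs seen."""
    by_ip = defaultdict(lambda: {"events": [], "macs": set()})
    for line in log_text.splitlines():
        rec = parse_line(line, year, utc_offset_hours)
        if rec:
            by_ip[rec["src_ip"]]["events"].append((rec["utc"], rec["dport"]))
            by_ip[rec["src_ip"]]["macs"].add(rec["frame_src_mac"])
    return dict(by_ip)


if __name__ == "__main__":
    for ip, info in abuse_summary(SAMPLE_LOG, 2024, -5).items():
        print(ip, sorted(info["macs"]), info["events"])
```

In the sample, two unrelated source IPs carry the same frame source MAC because that address belongs to the upstream router, so the UTC-stamped per-IP event list is the part worth sending to an abuse contact.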

  10. #10
    Member
    Join Date
    May 2006
    Posts
    119


    Alas I believe you are all correct. I was nevertheless hoping beyond hope.... Alas....
