Results 1 to 7 of 7

Thread: Security Breach: Find user with fake mac adress.

  1. #1
    Just burned his ISO
    Join Date
    Jun 2008
    Posts
    17

    Exclamation Security Breach: Find user with fake mac adress.

    Hi all!

    To make it simple lets say I have a big wlan and a security breach.
    The new computer seems to random spoof his mac address on the wlan.

    Is there a way to get his real mac address?
    Like somehow hammer his NIC over and over again to get it?

    Or is it possible to track him thru the radio waves?

    And can it be done with the included software in BT?

    Another question is there like a whois for mac addresses?
    I think I know the answer already on that question but how do track the user if I can’t grab him on site?

  2. #2
    Member
    Join Date
    Aug 2007
    Posts
    468

    Default

    I'd start by watching the following to vid from IronGeek :

    Finding Promiscuous Sniffers and ARP Poisoners on your Network with Ettercap

    */Edit:
    To answer to added question, if you running system with the latest Intel chipset the software has an option to export the setting which you could write a script to reinstall to install the new one your system but if your security has been breached doing this manually maybe a better but more time consuming answer.
    */

  3. #3
    Senior Member
    Join Date
    Apr 2008
    Posts
    2,008

    Default

    Is there a way to get his real mac address?
    Like somehow hammer his NIC over and over again to get it?
    There is no way to figure out the real MAC address, or even if it is a faked address that he is using (as long as it is a legitimate one and not a completely random).

    As BOFH139 states it is possible to locate sources that are either ARP-spoofing the network or sniffing in promiscuous mode. However, if he is just connected to the network and passively sniffing for openly sent passwords this method will not work.

    Or is it possible to track him thru the radio waves?
    It is possible to track down his physical location using for example a directional antenna and kismet, which comes with BT. You will simply have to go by the power readings and slowly track down his position in this way as there is no way to directly pinpoint his location.

    Another question is there like a whois for mac addresses?
    There is not a publicly available whois database for mac addresses. However there are multiple programs, for example macchanger, and internet databases that will tell you which brand the wlan-card using the MAC address belongs to. Alas, if he is spoofing his MAC this information will not help you out.
    -Monkeys are like nature's humans.

  4. #4
    Junior Member drwalter's Avatar
    Join Date
    Mar 2008
    Posts
    88

    Lightbulb

    Sounds like you need some strong WPA encryption on there. Also try lowering the range of the wifi. As for hunting the scoundrel down the kismet tracking idea is good. Maybe once/if you find the general location you'll get lucky and be able to pick up the probe too with kismet. You'll usually see it come up with something like suspicious mac address probing but never participating. With luck that might catch the culprits mac unless they spoof before scanning. Try dropping your wifi network for a little while... hopefully the person will keep scanning trying to pick you up when you aren't there.

    Edit: Another prevention technique... FakeAP if this guy's using a network scanner that'll thwart his scanning attempts or at least make them an unbelievably more difficult. Try changing your essid to one of them. Maybe if possible change your AP's hardware address too in case he's got that stored.
    You can never be TOO secure that should be one of Offensive Security's maxims.
    ================================================== ===
    Dr. Walter - Depraved linguist, Benevolent troublemaker extraordinaire
    ================================================== ===

  5. #5
    Senior Member
    Join Date
    Jan 2006
    Posts
    1,334

    Default

    Quote Originally Posted by =Tron= View Post
    ...........There is not a publicly available whois database for mac addresses. However there are multiple programs, for example macchanger, and internet databases that will tell you which brand the wlan-card using the MAC address belongs to........
    The IEEE have a good online database which is also downloadable in text form.
    http://standards.ieee.org/regauth/oui/index.shtml

    (Although, yes, it's no good in the context of this thread. Just thought it worth a mention here)

  6. #6
    Just burned his ISO
    Join Date
    Jun 2008
    Posts
    5

    Default

    it is possible ... sector scanner [renders direction from which wdriver is targeting OMNI]

  7. #7
    Senior Member secure_it's Avatar
    Join Date
    Feb 2010
    Location
    在這兩者之間 BackTrack是4 FwdTrack4
    Posts
    854

    Thumbs up

    Quote Originally Posted by Mickef View Post
    Hi all!

    To make it simple lets say I have a big wlan and a security breach.
    The new computer seems to random spoof his mac address on the wlan.

    Is there a way to get his real mac address?
    Like somehow hammer his NIC over and over again to get it?

    Or is it possible to track him thru the radio waves?

    And can it be done with the included software in BT?

    Another question is there like a whois for mac addresses?
    I think I know the answer already on that question but how do track the user if I can’t grab him on site?
    Instead of finding and wasting time on tracing someone.make your security perfact.Use WPA/WPA2 with stronger passphrase or go with MAC Filtering and also you can put an IDS in either promiscous or IPS as Inline mode that will fire an alram or mitigating the security violation (based on ure rules)if it finds attack signature like invalid MAC address or Source IP etc.give a try using WIDS/WIDZ too.may be they could help.make AP's Login password strong enough and disable wireless access of AP Login(if you dont need it)also enable SSL on AP for accesing GUI of AP using SSL protocol.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •