Hi all,
did you see the blackHat behind me???;)
I was in "a" network and everyone who pinged me from "b" network, had got only router MAC and My IP-Address in ARP table, but my original MAC was unknown...


there is a link to the M$ tool which made it easier and everyone can see My MAC Address.
http://download.microsoft.com/download/win2000platform/getmac/1.00.0.1/nt5/en-us/getmac_setup.exe
I do not like it.


How to make my MAC invisible like B4.
How exactly the getmac.exe works? (ARP -request isn't enough, there must be some kind of services in my host responsible for that, could I get off the service?).

best regards,

Harry;)

P.S. everything is theory without practice.
Posted on 2003-11-14 08:47:27 by HarryTuttle
DoS is illegal. I suggest moderators close this thread immediately to prevent further damage to this board's fragile reputation!
Posted on 2003-11-14 08:50:21 by comrade
comrade let read it carefuly :)

I am not spoofing ,I am spoofed by someone who pretend to be me (my MAC)
Posted on 2003-11-14 09:10:32 by HarryTuttle
Spoofing is not done via MAC addres but via plain IP address usually, it exista because of an old 1955 old code in TCp/IP stack (yes it was never upgraded since then) :grin: stupid protocol TCP/IP

MAC is used internally by everu ethernet hardware and is embeded in each and every one of your sent packets (including reply) . MAC has been used for PC ID since immemorial times :grin:

You can use NETBIOS to get it locally but basically any good sniffer should be able to get it

Anti Spoofing patched to TCP/IP stack are available AFAIK but not very effective as long as the vas majority or internet is based on old code.

IMHO Linix/Unix is able to fake MAC for a workstation and also a TDI filter driver should be able to do it in Windows

Besides MAC should be unique world wide or elese someone else will/might get problems

PS
------
I have edited the thread's name to make it more legit
Posted on 2003-11-14 13:08:56 by BogdanOntanu

comrade let read it carefuly :)

I am not spoofing ,I am spoofed by someone who pretend to be me (my MAC)


Yeah, I am just kidding...
Posted on 2003-11-14 20:47:09 by comrade
BogdanOntanu: IMHO Linix/Unix is able to fake MAC for a workstation and also a TDI filter driver should be able to do it in Windows


Not exactly. Some Network Interface Cards allow you to change the MAC address. It just happens that it's easier to change these cards under linux.

Yes, MAC addresses are unique, 2^48. IPv6 was going to use 64 bit addresses, but that would of allowed a few thousand IP addresses per square angstrom (read really small) of earth surface.



HarryTuttle:
DoS usually means that your internet connection is being flooded.

If you want to make your MAC address invisible, simply disconnect you NIC. If your MAC address is invisible, you can't communicate with anyone.

What made you think that someone is spoofing you. And why would someone spoof you?
Posted on 2003-11-15 04:37:22 by eet_1024
If external host requests an ARP then the Default Gateway MAC is returning. If internal host from the other segment of network requests an ARP then the Router MAC is returning.
Only nearest host know its addresses and store it in IP/MAC table, which you can show by arp ?a .
There is no ?normal? possibilities to retrieve a MAC address when you are in different segment of a network. If it will be possible then a cookies will not needed to recognize a far host.

There are some kind of tricks to get MAC:

1)In many systems there are local services running and you can ask them. Look at the link to M$ tool (getmac -> ask the service about MAC)
2) if there is too much frames with different MAC generated, then old switches (routers) begin to work as a hub (works only in LAN)

some truth:
There is impossible to exist two the same number of IP in the network. It is easy to detect.
There is possible to exist two the same MAC because of that situation is unexpected.

There is possibility to inform network devices(bridges switches routers) about new IP is added to the same NIC (the same MAC) so IDS doesn?t report it as illegal. The single NIC can have many IP numbers.
The next IP added to MAC can come from original NIC or from intruder?s NIC which has the same MAC, so routers do not know about intruder.

Mac spoofing is less complicated than IP spoofing because of ACK storming.
Epilog:
I.T. experts caught an intruder.
He was 13 years old, very nice boy from our neighborhood.
He captured all network traffic in his segment and changed the MAC to our MACs.
He also changed default gate way.
Every my information went to his computer and by multiplexing and fragmentation bugs was sent to each other with my MAC.
His motivation was very trivial.
Last time I washed my car and he took a walk. I was very busy.
He said good morning and I said nothing two times a day.
He walked around my house a few times and wants to ask me about Linux.
I know his mother well and our parents are in a good relationship.



my question is:

which service in WinNT I responsible for such kind information like MAC?
(I want to kill it)




p.s. the "cracker" doesn't know how to program in asm or C/C++ yet. He used only tools from internet to "do" something.
he try to programm in tcl and XML and hates Bill and winblows, lamers and after this "accident"also the police.
Posted on 2003-11-17 05:18:48 by HarryTuttle
study the arp and bootp protocols young jedi
Posted on 2003-11-19 07:55:39 by Homer
to put it mildly, "killing your mac" will mean you won't be able to use your isp and you'll have NO INTERNET since the isp's routers won't be able to find you !! That's not to say that you can't alter your MAC, I sometimes use all zeroes as a MAC, which makes the hardware vendor appear null also :P
Posted on 2003-11-19 22:53:43 by Homer
yea i have my own custom mac addie, i can change it to any thing via the bios.
Posted on 2003-11-24 17:01:28 by Qages