LARTC - May 2005 - Terrible problem, some men in my net changed their MACs! :/

Is any way to detect changed MAC adresses?

Someone taught change MACs peoples in my network and I have problems.

E.g. Two computers working on one MAC, and one IP (static ARP and DHCP).
WinXP is screaming some message... that two computers or more have the 
same IP.

How can I find out who''s changed MAC?

here is my one cent :-)

propably somebody is changing a MAC so you DHCP will grant them specific IP. 


u can try nmap them them to see whos behind that MAC (at the moment where 
there is only one station turned on). then by using unplug and 
seek-the-hacker method u can find from what switch/port he's comming.
if u posses administrable switch it can be much easyier.

if u must verify every user, turn to pptp.

On 5/30/05, Konrad <kcem@tlen.pl> wrote:
> 
> Is any way to detect changed MAC adresses?
> 
> Someone taught change MACs peoples in my network and I have problems.
> 
> E.g. Two computers working on one MAC, and one IP (static ARP and DHCP).
> WinXP is screaming some message... that two computers or more have the
> same IP.
> 
> How can I find out who's changed MAC?
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
> 


-- 
Miłego Dnia
Krystian Antoni


_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

On Mon, 30 May 2005 20:41:20 +0200 Konrad <kcem@tlen.pl> wrote:
>Is any way to detect changed MAC adresses?
I have been working on this for some time. You can try the current version:
http://shurdeek.routehat.org/tmp/dhcpwatch2.pl

(please don''t ask how it works, I''m pretty busy now :-)).
>Someone taught change MACs peoples in my network and I have problems.
Yeah I know, I have seen this too.
>E.g. Two computers working on one MAC, and one IP (static ARP and DHCP).
Exactly.
>WinXP is screaming some message... that two computers or more have the
>same IP.
Actually this happens when people use the same IP but a *different* MAC.

Yours sincerely,
Peter

Yes, I have this problem too. And I came up with two ideas: one money
comsuming, one time consuming.

Money comsuming: get management switches everywhere, and limit MAC
learning per port. My network amounts to 500+ stations, over a preety wide
area (all on ethernet), costs evaluated at 30.000$. Rather expensive, ha?

Time consuming: get into every windows workstation a program that alows
network connection if MAC is unchanged from the one stored localy in an
encrypted file.

Boss evaluated my ideas, and, guess what? I am now working on the program
described above.

It will be publicly available, of course...
> On Mon, 30 May 2005 20:41:20 +0200 Konrad <kcem@tlen.pl> wrote:
>
>>Is any way to detect changed MAC adresses?
> I have been working on this for some time. You can try the current
> version:
> http://shurdeek.routehat.org/tmp/dhcpwatch2.pl
>
> (please don''t ask how it works, I''m pretty busy now :-)).
>
>>Someone taught change MACs peoples in my network and I have problems.
> Yeah I know, I have seen this too.
>
>>E.g. Two computers working on one MAC, and one IP (static ARP and DHCP).
> Exactly.
>
>>WinXP is screaming some message... that two computers or more have the
>>same IP.
> Actually this happens when people use the same IP but a *different* MAC.
>
> Yours sincerely,
> Peter
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>

for user verification pptp can be used. its free :-)

On 5/31/05, cristian_dimache@rtanet.ro <cristian_dimache@rtanet.ro> wrote:
> 
> Yes, I have this problem too. And I came up with two ideas: one money
> comsuming, one time consuming.
> 
> Money comsuming: get management switches everywhere, and limit MAC
> learning per port. My network amounts to 500+ stations, over a preety wide
> area (all on ethernet), costs evaluated at 30.000$. Rather expensive, ha?
> 
> Time consuming: get into every windows workstation a program that alows
> network connection if MAC is unchanged from the one stored localy in an
> encrypted file.
> 
> Boss evaluated my ideas, and, guess what? I am now working on the program
> described above.
> 
> It will be publicly available, of course...
> 
> > On Mon, 30 May 2005 20:41:20 +0200 Konrad <kcem@tlen.pl> wrote:
> >
> >>Is any way to detect changed MAC adresses?
> > I have been working on this for some time. You can try the current
> > version:
> > http://shurdeek.routehat.org/tmp/dhcpwatch2.pl
> >
> > (please don't ask how it works, I'm pretty busy now :-)).
> >
> >>Someone taught change MACs peoples in my network and I have
problems.
> > Yeah I know, I have seen this too.
> >
> >>E.g. Two computers working on one MAC, and one IP (static ARP and
DHCP).
> > Exactly.
> >
> >>WinXP is screaming some message... that two computers or more have
the
> >>same IP.
> > Actually this happens when people use the same IP but a *different*
MAC.
> >
> > Yours sincerely,
> > Peter
> > _______________________________________________
> > LARTC mailing list
> > LARTC@mailman.ds9a.nl
> > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
> >
> 
> 
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
> 


-- 
Miłego Dnia
Krystian Antoni


_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

Hi all,

I did not read the beginning of this thread, and I don''t know if this
has
been said before, so forgive me if it''s irrelevant:

I highly suggest you use arpwatch. It''s a daemon that monitors MAC/IP
on a
network, and can notify the administrator when something changes.

If you want to force the MAC for an IP, use "arp -f /etc/ethers" (man
arp).
Iptables does the same thing with MAC matching, but using arp with a fixed
table is "the proper thing to do" (tm).

I hope this helps.

Regards,

Sylvain


On Mar 31 mai 2005 13:17, Krystian Antoni a écrit :
> for user verification pptp can be used. its free :-)
>
> On 5/31/05, cristian_dimache@rtanet.ro <cristian_dimache@rtanet.ro>
wrote:
>>
>> Yes, I have this problem too. And I came up with two ideas: one money
>> comsuming, one time consuming.
>>
>> Money comsuming: get management switches everywhere, and limit MAC
>> learning per port. My network amounts to 500+ stations, over a preety
>> wide
>> area (all on ethernet), costs evaluated at 30.000$. Rather expensive,
>> ha?
>>
>> Time consuming: get into every windows workstation a program that alows
>> network connection if MAC is unchanged from the one stored localy in an
>> encrypted file.
>>
>> Boss evaluated my ideas, and, guess what? I am now working on the
>> program
>> described above.
>>
>> It will be publicly available, of course...
>>
>> > On Mon, 30 May 2005 20:41:20 +0200 Konrad <kcem@tlen.pl>
wrote:
>> >
>> >>Is any way to detect changed MAC adresses?
>> > I have been working on this for some time. You can try the current
>> > version:
>> > http://shurdeek.routehat.org/tmp/dhcpwatch2.pl
>> >
>> > (please don''t ask how it works, I''m pretty busy
now :-)).
>> >
>> >>Someone taught change MACs peoples in my network and I have
problems.
>> > Yeah I know, I have seen this too.
>> >
>> >>E.g. Two computers working on one MAC, and one IP (static ARP
and
>> DHCP).
>> > Exactly.
>> >
>> >>WinXP is screaming some message... that two computers or more
have the
>> >>same IP.
>> > Actually this happens when people use the same IP but a
*different*
>> MAC.
>> >
>> > Yours sincerely,
>> > Peter
>> > _______________________________________________
>> > LARTC mailing list
>> > LARTC@mailman.ds9a.nl
>> > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>> >
>>
>>
>> _______________________________________________
>> LARTC mailing list
>> LARTC@mailman.ds9a.nl
>> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>>
>
>
>
> --
> Mi³ego Dnia
> Krystian Antoni
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>

There are a few problems here that my app is ment to solve, other than VPN
using PPTP.

Number 1: folks are changing IP just because the can, as to annoy the
other people in the network with Win XP screaming...
Number 2: folks will change PPTP users/passwords among them, to benefit
from higher bandwidth. This cannot be achived with this program, as it is
tied to the computer it was instaled by my technicians (TIED = motherboard
Serial Number, HDD Serial Number. etc.).
Number 3: folks trying to change their MACs will be caught and their acts
will be logged. A message will be printed as to make them see that this
are not proper manners and discourage them from trying again. Hopefully.

Downsides: if the user uninstalles the software...I can do nothing about
it, but limit internet and partial network access (where management
switches and routers are placed).So my solution does no more good than a
rub on a wodden leg. But with the app installed, we are sure of better
results than with PPTP. Even the psichological ones are good.

> for user verification pptp can be used. its free :-)
>
> On 5/31/05, cristian_dimache@rtanet.ro <cristian_dimache@rtanet.ro>
wrote:
>>
>> Yes, I have this problem too. And I came up with two ideas: one money
>> comsuming, one time consuming.
>>
>> Money comsuming: get management switches everywhere, and limit MAC
>> learning per port. My network amounts to 500+ stations, over a preety
>> wide
>> area (all on ethernet), costs evaluated at 30.000$. Rather expensive,
>> ha?
>>
>> Time consuming: get into every windows workstation a program that alows
>> network connection if MAC is unchanged from the one stored localy in an
>> encrypted file.
>>
>> Boss evaluated my ideas, and, guess what? I am now working on the
>> program
>> described above.
>>
>> It will be publicly available, of course...
>>
>> > On Mon, 30 May 2005 20:41:20 +0200 Konrad <kcem@tlen.pl>
wrote:
>> >
>> >>Is any way to detect changed MAC adresses?
>> > I have been working on this for some time. You can try the current
>> > version:
>> > http://shurdeek.routehat.org/tmp/dhcpwatch2.pl
>> >
>> > (please don''t ask how it works, I''m pretty busy
now :-)).
>> >
>> >>Someone taught change MACs peoples in my network and I have
problems.
>> > Yeah I know, I have seen this too.
>> >
>> >>E.g. Two computers working on one MAC, and one IP (static ARP
and
>> DHCP).
>> > Exactly.
>> >
>> >>WinXP is screaming some message... that two computers or more
have the
>> >>same IP.
>> > Actually this happens when people use the same IP but a
*different*
>> MAC.
>> >
>> > Yours sincerely,
>> > Peter
>> > _______________________________________________
>> > LARTC mailing list
>> > LARTC@mailman.ds9a.nl
>> > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>> >
>>
>>
>> _______________________________________________
>> LARTC mailing list
>> LARTC@mailman.ds9a.nl
>> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>>
>
>
>
> --
> Mi³ego Dnia
> Krystian Antoni
>

Dear Krystian

Or even maybe better pppoe :)
> for user verification pptp can be used. its free :-)
> On 5/31/05, cristian_dimache@rtanet.ro
> <cristian_dimache@rtanet.ro > wrote:
> Yes, I have this problem too. And I came up with two ideas: one money
> comsuming, one time consuming.
> Money comsuming: get management switches everywhere, and limit MAC
> learning per port. My network amounts to 500+ stations, over a preety wide
> area (all on ethernet), costs evaluated at 30.000$. Rather expensive, ha?
> Time consuming: get into every windows workstation a program that alows
> network connection if MAC is unchanged from the one stored localy in an
> encrypted file.
> Boss evaluated my ideas, and, guess what? I am now working on the program
> described above.
> It will be publicly available, of course...
>> On Mon, 30 May 2005 20:41:20 +0200 Konrad <kcem@tlen.pl> wrote:
>>
>>>Is any way to detect changed MAC adresses? 
>> I have been working on this for some time. You can try the current
>> version:
>> http://shurdeek.routehat.org/tmp/dhcpwatch2.pl
>>
>> (please don''t ask how it works, I''m pretty busy now
:-)).
>>
>>>Someone taught change MACs peoples in my network and I have
problems.
>> Yeah I know, I have seen this too.
>>
>>>E.g. Two computers working on one MAC, and one IP (static ARP and
DHCP).
>> Exactly.
>>
>>>WinXP is screaming some message... that two computers or more have
the
>>>same IP.
>> Actually this happens when people use the same IP but a *different*
MAC.
>>
>> Yours sincerely, 
>> Peter
>> _______________________________________________
>> LARTC mailing list
>> LARTC@mailman.ds9a.nl
>> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc 
>>
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc 







-- 
Ń óâŕćĺíčĺě,
 Denys                          mailto:nuclearcat@nuclearcat.com

On Tue, 31 May 2005 13:36:25 +0200 (CEST) "Sylvain BERTRAND"
<sylvain@2001-space-odyssey.net> wrote:
>Hi all,
hi
>I highly suggest you use arpwatch. It''s a daemon that monitors
MAC/IP on a
>network, and can notify the administrator when something changes.
arpwatch can only find out if the user changes his/her IP. If they change their
MAC (and fake someone elses), you''re out of luck :-(.
>If you want to force the MAC for an IP, use "arp -f /etc/ethers"
(man arp).
>Iptables does the same thing with MAC matching, but using arp with a fixed
>table is "the proper thing to do" (tm).
[advertisement+joke]
Actually, "the proper thing to do" is to use ipset + macipmap, just
like Route
Hat does ;-)
[/advertisement+joke]
>Sylvain
Yours sincerely,
Peter

On Mar 31 mai 2005 16:10, Peter Surda a écrit :
> On Tue, 31 May 2005 13:36:25 +0200 (CEST) "Sylvain BERTRAND"
> <sylvain@2001-space-odyssey.net> wrote:
>
>>Hi all,
> hi
>
>>I highly suggest you use arpwatch. It''s a daemon that monitors
MAC/IP on
>> a
>>network, and can notify the administrator when something changes.
> arpwatch can only find out if the user changes his/her IP. If they change
> their
> MAC (and fake someone elses), you''re out of luck :-(.
apt-cache show arpwatch
[...]
Description: Ethernet/FDDI station activity monitor
 Arpwatch maintains a database of Ethernet MAC addresses seen on the
 network, with their associated IP pairs.  Alerts the system administrator
 via e-mail if any change happens, such as new station/activity,
 flip-flops, changed and re-used old addresses.

>>If you want to force the MAC for an IP, use "arp -f
/etc/ethers" (man
>> arp).
>>Iptables does the same thing with MAC matching, but using arp with a
>> fixed
>>table is "the proper thing to do" (tm).
> [advertisement+joke]
> Actually, "the proper thing to do" is to use ipset + macipmap,
just like
> Route
> Hat does ;-)
> [/advertisement+joke]
Well, it''s up to you ;-)


Regards,


Sylvain

On Tue, 31 May 2005 16:32:43 +0200 (CEST) "Sylvain BERTRAND"
<sylvain@2001-space-odyssey.net> wrote:
>apt-cache show arpwatch
>[...]
>Description: Ethernet/FDDI station activity monitor
> Arpwatch maintains a database of Ethernet MAC addresses seen on the
> network, with their associated IP pairs.  Alerts the system administrator
> via e-mail if any change happens, such as new station/activity,
> flip-flops, changed and re-used old addresses.
Yes exactly. If they fake both MAC and IP (in case you have DHCP changing MAC is
enough because it will take the same IP), arpwatch doesn''t find any
changes.
>Sylvain
Peter

On Mar 31 mai 2005 17:07, Peter Surda a écrit :
> On Tue, 31 May 2005 16:32:43 +0200 (CEST) "Sylvain BERTRAND"
> <sylvain@2001-space-odyssey.net> wrote:
>
>>apt-cache show arpwatch
>>[...]
>>Description: Ethernet/FDDI station activity monitor
>> Arpwatch maintains a database of Ethernet MAC addresses seen on the
>> network, with their associated IP pairs.  Alerts the system
>> administrator
>> via e-mail if any change happens, such as new station/activity,
>> flip-flops, changed and re-used old addresses.
> Yes exactly. If they fake both MAC and IP (in case you have DHCP changing
> MAC is
> enough because it will take the same IP), arpwatch doesn''t find
any
> changes.
>

2 possible solutions:

- check the router''s ability to map a port to a mac, and detect changes
on
oe port
- have a script check the dhcp log file to report windows netbios name
change on the same IP/MAC


Regards,

Sylvain

Sylvain wrote:
> 2 possible solutions:
> 
> - check the router''s ability to map a port to a mac, and detect
changes on
> oe port
> - have a script check the dhcp log file to report windows netbios name
> change on the same IP/MAC
Second solution is hard to do... no everyone my users uses DHCP.
It is not a problem sniff IP and correct MAC, and use it.

My network it''s a Wireless LAN with only several computers on cable.

First solution need from me some costs. And sometimes there no 
diferrents between users.

--

How can I check operating system and netbios name in different way?
Are more possible differences between computers in network (with the 
same MAC and IP)?

How can I find out, that IP is being doubled?

--
Thanks for all replies :P

Lenthir

> How can I check operating system and netbios name in different way?
> Are more possible differences between computers in network (with the
> same MAC and IP)?
You can nmap the ip''s you think is stolen. You can guess the operating
system using the -O parameter to nmap. Other tools give you more data.
> How can I find out, that IP is being doubled?
You cand find out if an IP is being doubled using arping. If you do arping
-b, all the machines using that IP will respond to the broadcast arp, thus
giving you the posibility to immediatly spot a conflict (there will be two
machines responding).
> --
> Thanks for all replies :P
>
> Lenthir
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>