* Re: [LARTC] Terrible problem,
@ 2005-05-30 19:20 Krystian Antoni
  2005-05-30 20:42 ` Peter Surda
                   ` (9 more replies)
  0 siblings, 10 replies; 11+ messages in thread
From: Krystian Antoni @ 2005-05-30 19:20 UTC (permalink / raw)
  To: lartc



here is my one cent :-)

probably somebody is changing a MAC so your DHCP will grant them a specific IP.


u can try to nmap them to see who's behind that MAC (at the moment when
there is only one station turned on). then by using the unplug and
seek-the-hacker method u can find from what switch/port he's coming.
if u possess an administrable switch it can be much easier.

if u must verify every user, turn to pptp.

On 5/30/05, Konrad <kcem@tlen.pl> wrote:
> 
> Is there any way to detect changed MAC addresses?
> 
> Someone taught people in my network to change MACs and I have problems.
> 
> E.g. Two computers working on one MAC, and one IP (static ARP and DHCP).
> WinXP is screaming some message... that two computers or more have the
> same IP.
> 
> How can I find out who's changed MAC?
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
> 



-- 
Have a nice day
Krystian Antoni


* Re: [LARTC] Terrible problem,
  2005-05-30 19:20 [LARTC] Terrible problem, Krystian Antoni
@ 2005-05-30 20:42 ` Peter Surda
  2005-05-31  6:47 ` cristian_dimache
                   ` (8 subsequent siblings)
  9 siblings, 0 replies; 11+ messages in thread
From: Peter Surda @ 2005-05-30 20:42 UTC (permalink / raw)
  To: lartc

On Mon, 30 May 2005 20:41:20 +0200 Konrad <kcem@tlen.pl> wrote:

>Is there any way to detect changed MAC addresses?
I have been working on this for some time. You can try the current version:
http://shurdeek.routehat.org/tmp/dhcpwatch2.pl

(please don't ask how it works, I'm pretty busy now :-)).

>Someone taught people in my network to change MACs and I have problems.
Yeah I know, I have seen this too.

>E.g. Two computers working on one MAC, and one IP (static ARP and DHCP).
Exactly.

>WinXP is screaming some message... that two computers or more have the
>same IP.
Actually this happens when people use the same IP but a *different* MAC.

Yours sincerely,
Peter

* Re: [LARTC] Terrible problem,
  2005-05-30 19:20 [LARTC] Terrible problem, Krystian Antoni
  2005-05-30 20:42 ` Peter Surda
@ 2005-05-31  6:47 ` cristian_dimache
  2005-05-31 11:17 ` Krystian Antoni
                   ` (7 subsequent siblings)
  9 siblings, 0 replies; 11+ messages in thread
From: cristian_dimache @ 2005-05-31  6:47 UTC (permalink / raw)
  To: lartc

Yes, I have this problem too. And I came up with two ideas: one money
consuming, one time consuming.

Money consuming: get management switches everywhere, and limit MAC
learning per port. My network amounts to 500+ stations, over a pretty wide
area (all on ethernet), costs evaluated at 30.000$. Rather expensive, ha?

Time consuming: get into every Windows workstation a program that allows
network connection if MAC is unchanged from the one stored locally in an
encrypted file.

Boss evaluated my ideas, and, guess what? I am now working on the program
described above.

It will be publicly available, of course...


* Re: [LARTC] Terrible problem,
  2005-05-30 19:20 [LARTC] Terrible problem, Krystian Antoni
  2005-05-30 20:42 ` Peter Surda
  2005-05-31  6:47 ` cristian_dimache
@ 2005-05-31 11:17 ` Krystian Antoni
  2005-05-31 11:36 ` Sylvain BERTRAND
                   ` (6 subsequent siblings)
  9 siblings, 0 replies; 11+ messages in thread
From: Krystian Antoni @ 2005-05-31 11:17 UTC (permalink / raw)
  To: lartc



for user verification pptp can be used. it's free :-)


-- 
Have a nice day
Krystian Antoni


* Re: [LARTC] Terrible problem,
  2005-05-30 19:20 [LARTC] Terrible problem, Krystian Antoni
                   ` (2 preceding siblings ...)
  2005-05-31 11:17 ` Krystian Antoni
@ 2005-05-31 11:36 ` Sylvain BERTRAND
  2005-05-31 12:12 ` cristian_dimache
                   ` (5 subsequent siblings)
  9 siblings, 0 replies; 11+ messages in thread
From: Sylvain BERTRAND @ 2005-05-31 11:36 UTC (permalink / raw)
  To: lartc

Hi all,

I did not read the beginning of this thread, and I don't know if this has
been said before, so forgive me if it's irrelevant:

I highly suggest you use arpwatch. It's a daemon that monitors MAC/IP on a
network, and can notify the administrator when something changes.

If you want to force the MAC for an IP, use "arp -f /etc/ethers" (man arp).
Iptables does the same thing with MAC matching, but using arp with a fixed
table is "the proper thing to do" (tm).

I hope this helps.

Regards,

Sylvain



* Re: [LARTC] Terrible problem,
  2005-05-30 19:20 [LARTC] Terrible problem, Krystian Antoni
                   ` (3 preceding siblings ...)
  2005-05-31 11:36 ` Sylvain BERTRAND
@ 2005-05-31 12:12 ` cristian_dimache
  2005-05-31 14:10 ` Peter Surda
                   ` (4 subsequent siblings)
  9 siblings, 0 replies; 11+ messages in thread
From: cristian_dimache @ 2005-05-31 12:12 UTC (permalink / raw)
  To: lartc

There are a few problems here that my app is meant to solve, other than VPN
using PPTP.

Number 1: folks are changing IP just because they can, so as to annoy the
other people in the network with Win XP screaming...
Number 2: folks will change PPTP users/passwords among them, to benefit
from higher bandwidth. This cannot be achieved with this program, as it is
tied to the computer it was installed on by my technicians (TIED = motherboard
Serial Number, HDD Serial Number, etc.).
Number 3: folks trying to change their MACs will be caught and their acts
will be logged. A message will be printed so as to make them see that these
are not proper manners and discourage them from trying again. Hopefully.

Downsides: if the user uninstalls the software... I can do nothing about
it, but limit internet and partial network access (where management
switches and routers are placed). So my solution does no more good than a
rub on a wooden leg. But with the app installed, we are sure of better
results than with PPTP. Even the psychological ones are good.



* Re: [LARTC] Terrible problem,
  2005-05-30 19:20 [LARTC] Terrible problem, Krystian Antoni
                   ` (4 preceding siblings ...)
  2005-05-31 12:12 ` cristian_dimache
@ 2005-05-31 14:10 ` Peter Surda
  2005-05-31 14:32 ` Sylvain BERTRAND
                   ` (3 subsequent siblings)
  9 siblings, 0 replies; 11+ messages in thread
From: Peter Surda @ 2005-05-31 14:10 UTC (permalink / raw)
  To: lartc

On Tue, 31 May 2005 13:36:25 +0200 (CEST) "Sylvain BERTRAND"
<sylvain@2001-space-odyssey.net> wrote:

>Hi all,
hi

>I highly suggest you use arpwatch. It's a daemon that monitors MAC/IP on a
>network, and can notify the administrator when something changes.
arpwatch can only find out if the user changes his/her IP. If they change their
MAC (and fake someone else's), you're out of luck :-(.

>If you want to force the MAC for an IP, use "arp -f /etc/ethers" (man arp).
>Iptables does the same thing with MAC matching, but using arp with a fixed
>table is "the proper thing to do" (tm).
[advertisement+joke]
Actually, "the proper thing to do" is to use ipset + macipmap, just like Route
Hat does ;-)
[/advertisement+joke]

>Sylvain
Yours sincerely,
Peter

* Re: [LARTC] Terrible problem,
  2005-05-30 19:20 [LARTC] Terrible problem, Krystian Antoni
                   ` (5 preceding siblings ...)
  2005-05-31 14:10 ` Peter Surda
@ 2005-05-31 14:32 ` Sylvain BERTRAND
  2005-05-31 15:07 ` Peter Surda
                   ` (2 subsequent siblings)
  9 siblings, 0 replies; 11+ messages in thread
From: Sylvain BERTRAND @ 2005-05-31 14:32 UTC (permalink / raw)
  To: lartc

On Tue 31 May 2005 16:10, Peter Surda wrote:
> On Tue, 31 May 2005 13:36:25 +0200 (CEST) "Sylvain BERTRAND"
> <sylvain@2001-space-odyssey.net> wrote:
>
>>Hi all,
> hi
>
>>I highly suggest you use arpwatch. It's a daemon that monitors MAC/IP on a
>>network, and can notify the administrator when something changes.
> arpwatch can only find out if the user changes his/her IP. If they change
> their MAC (and fake someone else's), you're out of luck :-(.

apt-cache show arpwatch
[...]
Description: Ethernet/FDDI station activity monitor
 Arpwatch maintains a database of Ethernet MAC addresses seen on the
 network, with their associated IP pairs.  Alerts the system administrator
 via e-mail if any change happens, such as new station/activity,
 flip-flops, changed and re-used old addresses.


>>If you want to force the MAC for an IP, use "arp -f /etc/ethers" (man arp).
>>Iptables does the same thing with MAC matching, but using arp with a fixed
>>table is "the proper thing to do" (tm).
> [advertisement+joke]
> Actually, "the proper thing to do" is to use ipset + macipmap, just like
> Route Hat does ;-)
> [/advertisement+joke]

Well, it's up to you ;-)


Regards,


Sylvain


* Re: [LARTC] Terrible problem,
  2005-05-30 19:20 [LARTC] Terrible problem, Krystian Antoni
                   ` (6 preceding siblings ...)
  2005-05-31 14:32 ` Sylvain BERTRAND
@ 2005-05-31 15:07 ` Peter Surda
  2005-05-31 15:26 ` Sylvain BERTRAND
  2005-06-01  5:56 ` cristian_dimache
  9 siblings, 0 replies; 11+ messages in thread
From: Peter Surda @ 2005-05-31 15:07 UTC (permalink / raw)
  To: lartc

On Tue, 31 May 2005 16:32:43 +0200 (CEST) "Sylvain BERTRAND"
<sylvain@2001-space-odyssey.net> wrote:

>apt-cache show arpwatch
>[...]
>Description: Ethernet/FDDI station activity monitor
> Arpwatch maintains a database of Ethernet MAC addresses seen on the
> network, with their associated IP pairs.  Alerts the system administrator
> via e-mail if any change happens, such as new station/activity,
> flip-flops, changed and re-used old addresses.
Yes exactly. If they fake both MAC and IP (in case you have DHCP changing MAC is
enough because it will take the same IP), arpwatch doesn't find any changes.

>Sylvain
Peter

* Re: [LARTC] Terrible problem,
  2005-05-30 19:20 [LARTC] Terrible problem, Krystian Antoni
                   ` (7 preceding siblings ...)
  2005-05-31 15:07 ` Peter Surda
@ 2005-05-31 15:26 ` Sylvain BERTRAND
  2005-06-01  5:56 ` cristian_dimache
  9 siblings, 0 replies; 11+ messages in thread
From: Sylvain BERTRAND @ 2005-05-31 15:26 UTC (permalink / raw)
  To: lartc

On Tue 31 May 2005 17:07, Peter Surda wrote:
> On Tue, 31 May 2005 16:32:43 +0200 (CEST) "Sylvain BERTRAND"
> <sylvain@2001-space-odyssey.net> wrote:
>
>>apt-cache show arpwatch
>>[...]
>>Description: Ethernet/FDDI station activity monitor
>> Arpwatch maintains a database of Ethernet MAC addresses seen on the
>> network, with their associated IP pairs.  Alerts the system administrator
>> via e-mail if any change happens, such as new station/activity,
>> flip-flops, changed and re-used old addresses.
> Yes exactly. If they fake both MAC and IP (in case you have DHCP changing
> MAC is enough because it will take the same IP), arpwatch doesn't find any
> changes.
>


2 possible solutions:

- check the router's ability to map a port to a MAC, and detect changes on
one port
- have a script check the DHCP log file to report Windows NetBIOS name
changes on the same IP/MAC


Regards,

Sylvain
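
The second suggestion in the message above (a script that reads the DHCP log and reports a name change on an unchanged IP/MAC pair), sketched as an added example that is not part of the original thread and is not any poster's code. It assumes ISC dhcpd-style syslog lines of the form `DHCPACK on <ip> to <mac> (<client name>) via <iface>`; the function name `hostname_flips` and the sample log are constructed for illustration.

```python
import re

# Assumed log format (ISC dhcpd via syslog):
#   <timestamp> <host> dhcpd: DHCPACK on <ip> to <mac> (<client name>) via <iface>
# The name in parentheses is sent by the client; Windows sends its computer name.
ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<name>[^)]*)\))? via \S+",
    re.IGNORECASE,
)

# Constructed sample log, not taken from a real network.
SAMPLE_LOG = """\
May 31 15:01:02 gw dhcpd: DHCPACK on 192.168.1.23 to 00:0c:6e:11:22:33 (ANNA-PC) via eth1
May 31 15:04:40 gw dhcpd: DHCPACK on 192.168.1.40 to 00:50:ba:44:55:66 (BIURO) via eth1
May 31 15:09:17 gw dhcpd: DHCPACK on 192.168.1.23 to 00:0C:6E:11:22:33 (GAMER) via eth1
May 31 15:12:03 gw dhcpd: DHCPACK on 192.168.1.23 to 00:0c:6e:11:22:33 (anna-pc) via eth1
May 31 15:20:00 gw dhcpd: DHCPACK on 192.168.1.41 to 00:50:ba:77:88:99 via eth1
"""


def hostname_flips(lines):
    """Return (ip, mac, old_name, new_name, log_line) for every client-name
    change observed on an otherwise unchanged IP/MAC pair."""
    last_name = {}  # (ip, mac) -> most recent client name
    flips = []
    for line in lines:
        m = ACK_RE.search(line)
        if m is None or not m.group("name"):
            continue  # not a DHCPACK, or the client sent no name
        key = (m.group("ip"), m.group("mac").lower())
        name = m.group("name").upper()  # computer names compare case-insensitively
        previous = last_name.get(key)
        if previous is not None and previous != name:
            flips.append((key[0], key[1], previous, name, line.strip()))
        last_name[key] = name
    return flips


if __name__ == "__main__":
    for ip, mac, old, new, line in hostname_flips(SAMPLE_LOG.splitlines()):
        print(f"{ip} {mac}: name changed {old} -> {new}")
        print(f"    {line}")
```

The client name is supplied by the client itself, so this check only complements per-port MAC tracking on the switch, the first option in the same message.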


* Re: [LARTC] Terrible problem,
  2005-05-30 19:20 [LARTC] Terrible problem, Krystian Antoni
                   ` (8 preceding siblings ...)
  2005-05-31 15:26 ` Sylvain BERTRAND
@ 2005-06-01  5:56 ` cristian_dimache
  9 siblings, 0 replies; 11+ messages in thread
From: cristian_dimache @ 2005-06-01  5:56 UTC (permalink / raw)
  To: lartc

> How can I check operating system and netbios name in different way?
> Are more possible differences between computers in network (with the
> same MAC and IP)?

You can nmap the IPs you think are stolen. You can guess the operating
system using the -O parameter to nmap. Other tools give you more data.

> How can I find out, that IP is being doubled?
You can find out if an IP is being doubled using arping. If you do arping
-b, all the machines using that IP will respond to the broadcast arp, thus
giving you the possibility to immediately spot a conflict (there will be two
machines responding).

> --
> Thanks for all replies :P
>
> Lenthir