TOPIC: can MAC address help to identify an attacker?

can MAC address help to identify an attacker? 10 years 11 months ago #12539

Can anyone tell me how MAC address will be helpful in identifying an attacker?

In 2 scenarios!

If a direct connection is there and also if a gateway is in between?

MAC Address 10 years 11 months ago #12545

  • TheBishop
  • Moderator
The MAC address is the only thing that you can be reasonably certain will uniquely identify the source machine. Of course, it is even possible to spoof a MAC address or change the address burned into the machine's NIC, but that's another subject. On a direct connection where you are on the same segment, the MAC address of the attacker identifies the machine that sourced the attack. If a gateway is between you and the attacker then the attack packets will contain the source MAC address of the gateway. So you'd then have to go to the gateway and query its ARP cache to find out the address of the offending machine. If there are several gateways in the path you'd need to repeat this for each gateway until you got to the home network of the attacker. Obviously this is only feasible where all the gateways are under your control and you have access to them.

Re: can MAC address help to identify an attacker? 10 years 11 months ago #12546

  • naughtypaul
  • Frequent Member
Hi Bishop

Can you brief out the concept of Querying the Gateway for the ARP Cache...

Thanks
Paul 8)
Thanks
NaughtyPaul

ARP Cache 10 years 11 months ago #12547

  • TheBishop
  • Moderator
It depends on what the gateway device is, because each manufacturer has different commands for doing this. However, basically you'd connect to the device using a web interface or a telnet session, then enter the appropriate command. On a Cisco router you use the command Show Arp in EXEC mode.
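
Added example, not part of the original thread: one way to read saved `show arp` output from a Cisco router and look up the MAC address the router recorded for a suspect IP. The sample output and all addresses are constructed, and the column layout is assumed to be the usual IOS one.

```python
import re
from collections import defaultdict

# Constructed sample of Cisco IOS `show arp` output (all addresses made up).
SAMPLE_SHOW_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.10.1            -   0012.7f57.ac80  ARPA   FastEthernet0/0
Internet  192.168.10.23          12   0019.b9a1.4e02  ARPA   FastEthernet0/0
Internet  192.168.10.40           3   0019.b9a1.4e02  ARPA   FastEthernet0/0
Internet  192.168.10.57           0   Incomplete      ARPA
Internet  192.168.20.1            -   0012.7f57.ac81  ARPA   FastEthernet0/1
Internet  192.168.20.9           47   001a.a0c3.77de  ARPA   FastEthernet0/1
"""

# One table row; the interface column is absent on unresolved entries.
ROW = re.compile(
    r"^Internet\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<age>-|\d+)\s+"
    r"(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}|Incomplete)"
    r"\s+\S+(?:\s+(?P<iface>\S+))?\s*$"
)

def normalize_mac(cisco_mac):
    """Convert Cisco dotted form (0019.b9a1.4e02) to 00:19:b9:a1:4e:02."""
    digits = cisco_mac.replace(".", "").lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_show_arp(text):
    """Return {ip: {"mac", "interface", "is_router"}} for every table row."""
    entries = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # header or unrecognised line
        resolved = m["mac"] != "Incomplete"
        entries[m["ip"]] = {
            "mac": normalize_mac(m["mac"]) if resolved else None,
            "interface": m["iface"],        # segment the host sits on
            "is_router": m["age"] == "-",   # "-" marks the router's own address
        }
    return entries

def shared_macs(entries):
    """MACs recorded for more than one IP: check these before trusting them."""
    by_mac = defaultdict(list)
    for ip, e in entries.items():
        if e["mac"]:
            by_mac[e["mac"]].append(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}
```

A MAC that shows up against several IPs may be another router, a multi-homed host or a spoofed address, so treat it as a lead to verify, not as an identification.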

Re: can MAC address help to identify an attacker? 10 years 11 months ago #12548

Thanks Bishop for your reply!

If a gateway is in the path then the gateway replaces the MAC address of the sender with its own address. As a result, you can trace the attack to the gateway only. (Unless you have control over the gateway.)
If there is no control over the gateway, will it be feasible to know about the details of the attacker?

Attacker 10 years 10 months ago #12584

  • TheBishop
  • Moderator
You won't be able to use this method to find the MAC address if you can't query the gateway/router. However, there are possibilities. First, sometimes it is possible to dump the MAC address table of a device using SNMP if the device supports it and you know (or can discover) the community strings. Secondly, even without the MAC address you can discover things about an attacker. The IP address will tell you the subnet they are on, which may narrow it down to a particular building or floor within a company. Or if across the internet then do a DNS lookup, which may give you details on the owner of the domain or the ISP.