
Can a MAC address help to identify an attacker?

18 years 4 months ago #12539 by n_arvind2000
Can anyone tell me how a MAC address will be helpful in identifying an attacker?

In 2 scenarios!

If a direct connection is there and also if a gateway is in between?
18 years 4 months ago #12545 by TheBishop
Replied by TheBishop on topic MAC Address
The MAC address is the only thing that you can be reasonably certain will uniquely identify the source machine. Of course, it is even possible to spoof a MAC address or change the address burned into the machine's NIC, but that's another subject. On a direct connection where you are on the same segment, the MAC address of the attacker identifies the machine that sourced the attack. If a gateway is between you and the attacker, then the attack packets will contain the source MAC address of the gateway. So you'd then have to go to the gateway and query its ARP cache to find out the address of the offending machine. If there are several gateways in the path, you'd need to repeat this for each gateway until you got to the home network of the attacker. Obviously this is only feasible where all the gateways are under your control and you have access to them.
18 years 4 months ago #12546 by naughtypaul
Hi Bishop

Can you brief out the concept of Querying the Gateway for the ARP Cache...

Thanks
Paul 8)

Thanks
NaughtyPaul
18 years 4 months ago #12547 by TheBishop
Replied by TheBishop on topic ARP Cache
It depends on what the gateway device is, because each manufacturer has different commands for doing this. However, basically you'd connect to the device using a web interface or a telnet session, then enter the appropriate command. On a Cisco router you use the command Show Arp in EXEC mode.
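
An added example, not part of the original thread or any poster's code: parsing saved output of the Cisco `show arp` command mentioned above to look up the MAC address behind a source IP seen in logs. The sample output and addresses are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample of Cisco IOS "show arp" output (all addresses are made up).
SAMPLE_SHOW_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.0.2.1               -   0011.2233.4455  ARPA   FastEthernet0/0
Internet  192.0.2.57             12   00aa.bbcc.ddee  ARPA   FastEthernet0/0
Internet  192.0.2.80              0   Incomplete      ARPA
Internet  198.51.100.1            -   0011.2233.4456  ARPA   FastEthernet0/1
"""

ROW = re.compile(
    r"^Internet\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<age>-|\d+)\s+"
    r"(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}|Incomplete)"
    r"\s+ARPA(?:\s+(?P<iface>\S+))?\s*$"
)

def normalize_mac(cisco_mac):
    """Convert Cisco dotted form 00aa.bbcc.ddee to 00:aa:bb:cc:dd:ee."""
    digits = cisco_mac.replace(".", "").lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_show_arp(text):
    """Return {ip: entry} for every ARP row; header and other lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        resolved = m["mac"] != "Incomplete"
        table[m["ip"]] = {
            "mac": normalize_mac(m["mac"]) if resolved else None,
            "interface": m["iface"],
            "is_router_interface": m["age"] == "-",  # "-" = router's own address
        }
    return table

def lookup_source(table, ip):
    """Classify what this gateway's ARP cache says about a source IP."""
    entry = table.get(ip)
    if entry is None:
        return ("not_in_cache", None)  # aged out, or not on an attached segment
    if entry["mac"] is None:
        return ("incomplete", None)    # ARP request sent, no reply recorded
    if entry["is_router_interface"]:
        return ("router_interface", entry["mac"])
    return ("host", entry["mac"])

if __name__ == "__main__":
    print(lookup_source(parse_show_arp(SAMPLE_SHOW_ARP), "192.0.2.57"))
```

A `not_in_cache` result is the case where the search has to move on to the next gateway in the path, or where the entry has already aged out of the cache.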
18 years 4 months ago #12548 by n_arvind2000
Thanks Bishop for your reply!

If a gateway is in the path, then the gateway replaces the MAC address of the sender with its own address. As a result, you can trace the attack to the gateway only. (Unless you have control over the gateway.)
If there is no control over the gateway, will it be feasible to know about the details of the attacker?
18 years 4 months ago #12584 by TheBishop
Replied by TheBishop on topic Attacker
You won't be able to use this method to find the MAC address if you can't query the gateway/router. However, there are possibilities. First, sometimes it is possible to dump the MAC address table of a device using SNMP if the device supports it and you know (or can discover) the community strings. Secondly, even without the MAC address you can discover things about an attacker. The IP address will tell you the subnet they are on, which may narrow it down to a particular building or floor within a company. Or, if across the internet, then do a DNS lookup, which may give you details on the owner of the domain or the ISP.