Some beginner questions about spoofing

retyop

1) For most people, their connection is to a defined IP range owned by
a single ISP provider, who probably gives its users the modem to use,
and thus, these modems are all probably of a certain make, and all have
the same first 3 hexadecimal numbers. Thus, since all users in that IP
range would share identical hex values in the first 3 digits of their
MAC address, if you randomized your entire MAC address, you would stand
out as the user with a different beginning MAC address than the rest.
It would be better, for the sake of anonymity, to keep the original
first 3 numbers and randomize only the last 3. Am I correct?

2) Using a sniffer, I can see that random packages sent to my IP
address by all those bots and whatever that are out there, already know
my MAC address without any communication from my part. This happens
even when I start my internet connection and I have been online for
only half a second, the first random bit of internet noise that hits me
already knows my MAC address despite my not communicating with anyone
besides my ISP to establish the connection. How does this work? Is my
modem changing the MAC on incoming packets? Or my ISP?

3) If I open my ISP monitoring window it shows me sent/received bytes
to the internet. By carefully following this flow with the sniffer, I
realized that there is a discrepancy, and that almost every packet
sent/received, according to the sniffer, is 20 bytes longer than
according to the ISP window. Any reason why (and which) 20 bytes would
be underreported from every packet (almost every packet)? The ECHO
packet behaves differently: my ISP window shows a flow of about 20
bytes per packet, while the sniffer program reports 50 to 60 bytes
(don't remember the exact number).

4) Is there a website that will show you a print out of the packet you
send it, the same way there are web sites that show you the details of
your web request (such as IP address, what IE you're using, etc.)?

John Navas

1) For most people, their connection is to a defined IP range owned by
a single ISP provider, who probably gives its users the modem to use,
and thus, these modems are all probably of a certain make, and all have
the same first 3 hexadecimal numbers.

Most non-trivial providers wind up supplying different hardware, sooner
or later, so there's usually a mix of products in the field. In
addition, some users may buy their hardware from a third-party source.
Thus, since all users in that IP
range would share identical hex values in the first 3 digits of their
MAC address, if you randomized your entire MAC address, you would stand
out as the user with a different beginning MAC address than the rest.
It would be better, for the sake of anonymity, to keep the original
first 3 numbers and randomize only the last 3. Am I correct?

Why would you want to change your MAC address? You're identifiable by
your IP address.
2) Using a sniffer, I can see that random packages sent to my IP
address by all those bots and whatever that are out there, already know
my MAC address without any communication from my part. This happens
even when I start my internet connection and I have been online for
only half a second, the first random bit of internet noise that hits me
already knows my MAC address despite my not communicating with anyone
besides my ISP to establish the connection. How does this work? Is my
modem changing the MAC on incoming packets? Or my ISP?

Those things out there just use your IP address. Your MAC address comes
from ARP. (Look it up in Wikipedia.)
3) If I open my ISP monitoring window it shows me sent/received bytes
to the internet. By carefully following this flow with the sniffer, I
realized that there is a discrepancy, and that almost every packet
sent/received, according to the sniffer, is 20 bytes longer than
according to the ISP window. Any reason why (and which) 20 bytes would
be underreported from every packet (almost every packet)? The ECHO
packet behaves differently: my ISP window shows a flow of about 20
bytes per packet, while the sniffer program reports 50 to 60 bytes
(don't remember the exact number).

Read up on Ethernet. (Wikipedia again, as a starting place.)
4) Is there a website that will show you a print out of the packet you
send it, the same way there are web sites that show you the details of
your web request (such as IP address, what IE you're using, etc.)?

You wouldn't learn anything more than by sniffing yourself.

Dana

John Navas said:
Why would you want to change your MAC address? You're identifiable by
your IP address.

IP addresses are logical addresses, a host can change his IP address.
Where a MAC address is a burned-in address for a particular NIC. This address
cannot be changed, hence it represents one unique host. Of course you can
change out nics, but that is not usually done.
Those things out there just use your IP address. Your MAC address comes
from ARP. (Look it up in Wikipedia.)

Your MAC address does not come from ARP, your MAC address is burned into
your NIC by the manufacturer. The first part of the MAC address is
controlled by a global body that gives addresses to the manufacturers, the
second part of the MAC address is controlled by the manufacturer to identify
the host.
ARP is a way to resolve addresses, ARP does not give out addresses.
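Added example, not from any poster in this thread, for question 1 and for Dana's description of the two halves of a MAC address: it splits an address into the 24-bit vendor prefix (OUI) and the 24-bit device part, randomizes only the device part as the OP proposes, and sets that beside the usual fully random address. The value 00:1a:2b:3c:4d:5e is a constructed sample, not a real device. The check worth knowing about is bit 0x02 of the first octet, the locally-administered bit: a fully random address conventionally sets it, and that bit alone marks the address as changed, whereas keeping the vendor OUI leaves it clear.

```python
import os
import re

# Constructed sample MAC (assumption; not a real device). The OUI 00:1a:2b is
# used only as an illustrative vendor prefix.
SAMPLE_MAC = "00:1a:2b:3c:4d:5e"

_MAC_RE = re.compile(r"^[0-9a-f]{2}(?P<sep>[:-])(?:[0-9a-f]{2}(?P=sep)){4}[0-9a-f]{2}$")


def parse_mac(mac: str) -> bytes:
    """Parse aa:bb:cc:dd:ee:ff (or dash-separated) into 6 bytes; reject anything else."""
    mac = mac.strip().lower()
    if not _MAC_RE.match(mac):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes(int(octet, 16) for octet in re.split(r"[:-]", mac))


def fmt_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def oui(b: bytes) -> bytes:
    """First 24 bits: the IEEE-assigned vendor prefix."""
    return b[:3]


def is_locally_administered(b: bytes) -> bool:
    """Bit 0x02 of the first octet: 0 = vendor-assigned OUI, 1 = locally administered."""
    return bool(b[0] & 0x02)


def is_multicast(b: bytes) -> bool:
    """Bit 0x01 of the first octet: 1 = group (multicast/broadcast) address."""
    return bool(b[0] & 0x01)


def randomize_keep_oui(mac: str, rng=os.urandom) -> str:
    """The OP's proposal: keep the vendor OUI, randomize the 24-bit device part."""
    b = parse_mac(mac)
    return fmt_mac(oui(b) + bytes(rng(3)))


def randomize_full(rng=os.urandom) -> str:
    """Conventional full randomization: all 48 bits random, then force unicast
    (clear 0x01) and locally administered (set 0x02) in the first octet."""
    b = bytearray(rng(6))
    b[0] = (b[0] | 0x02) & 0xFE
    return fmt_mac(bytes(b))


def same_vendor(a: str, b: str) -> bool:
    """True when two addresses share an OUI, i.e. would look like the same make."""
    return oui(parse_mac(a)) == oui(parse_mac(b))


def describe(mac: str) -> dict:
    b = parse_mac(mac)
    return {
        "oui": fmt_mac(oui(b)),
        "device": fmt_mac(b[3:]),
        "locally_administered": is_locally_administered(b),
        "multicast": is_multicast(b),
    }


if __name__ == "__main__":
    print(describe(SAMPLE_MAC))
    print("keep OUI :", randomize_keep_oui(SAMPLE_MAC))
    print("full     :", randomize_full())
```

Keeping the OUI keeps the address looking vendor-assigned, but it also means the result can, with small probability, collide with a real device on the same segment; a locally administered address cannot collide with a vendor-assigned one.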

John Navas

IP addresses are logical addresses, a host can change his IP address.
Where a MAC address is a burned-in address for a particular NIC. This address
cannot be changed, hence it represents one unique host. Of course you can
change out nics, but that is not usually done.

The remote bad guy can't see your MAC address (only the local network
sees it), so this is irrelevant.
Your MAC address does not come from ARP, your MAC address is burned into
your NIC by the manufacturer. The first part of the MAC address is
controlled by a global body that gives addresses to the manufacturers, the
second part of the MAC address is controlled by the manufacturer to identify
the host.
ARP is a way to resolve addresses, ARP does not give out addresses.

Are you trying to be argumentative? ARP is how the local network finds
your MAC address from your IP address.

Dana

John Navas said:
The remote bad guy can't see your MAC address (only the local network
sees it), so this is irrelevant.


Are you trying to be argumentative? ARP is how the local network finds
your MAC address from your IP address.

That is said better than your MAC address comes from ARP.

Travis M.

Dana said:
IP addresses are logical addresses, a host can change his IP address.
Where a MAC address is a burned-in address for a particular NIC.
This address cannot be changed, hence it represents one unique
host. Of course you can change out nics, but that is not usually done.

My router will "clone" a MAC address.

Steve Jain

Please remove the microsoft.public.mac.virtualpc newsgroup from
replies to this thread. It is NOT related to MAC addresses, but Apple
Mac software.

Michael Vilain

Dana said:
IP addresses are logical addresses, a host can change his IP address.
Where a MAC address is a burned in address for a paticular NIC. This address
cannot be changed, hence it represents one unique host. Of course you can
change out nics, but that is not usually done.

That's not completely true. DEC systems changed their MAC addresses and
SUN systems do also. If you have multiple NIC adapters in a SUN system,
they all use the same MAC address by default unless you change this at
the Open Boot Prompt. For the most part, this is only a problem with
multihomed systems on the same network segment. If the NICs are in
different segments, they can broadcast the same MAC address. Only VLANs
get upset with having the same MAC address on the same box connected to
different ports.

Dana

Michael Vilain said:
That's not completely true. DEC systems changed their MAC addresses and
SUN systems do also.

Never said you cannot change MAC addresses. Only said that MAC addresses
were burned into the NIC by the MFG.

Spender

1) For most people, their connection is to a defined IP range owned by
a single ISP provider, who probably gives its users the modem to use,
and thus, these modems are all probably of a certain make, and all have
the same first 3 hexadecimal numbers. Thus, since all users in that IP
range would share identical hex values in the first 3 digits of their
MAC address, if you randomized your entire MAC address, you would stand
out as the user with a different beginning MAC address than the rest.
It would be better, for the sake of anonymity, to keep the original
first 3 numbers and randomize only the last 3. Am I correct?

I suppose that would be correct, but I fail to see the point of changing
the MAC. Regardless of the MAC, you are identifiable by your IP.

The translation of IP to MAC on an incoming packet is done at the last stop
before your modem (i.e by your ISP.) Other users on the net cannot see your
MAC. There is no need for them to see it, they have your IP.

Reverse the process for outgoing packets. Your ISP knows the MAC of the
modem the packet came from, but it forwards only your IP address, not your
MAC.

Note, I'm speaking of wired systems. On wireless systems, you may be able
to discover the MAC of someone's wireless adaptor in the signal between the
adaptor and the wireless access point. The only reason for doing so is to
spoof someone else's MAC so you can gain illicit access.
2) Using a sniffer, I can see that random packages sent to my IP
address by all those bots and whatever that are out there, already know
my MAC address without any communication from my part. This happens
even when I start my internet connection and I have been online for
only half a second, the first random bit of internet noise that hits me
already knows my MAC address despite my not communicating with anyone
besides my ISP to establish the connection. How does this work? Is my
modem changing the MAC on incoming packets? Or my ISP?

Oh, okay, it's bots, trojans, and background noise you are concerned about.
Changing your MAC isn't going to help. As I said above, no one else on the
net knows your MAC. Only your ISP knows it.

If you are being hit at random, that can be due to an infected system(s) on
your ISP subnet (though most reputable ISP's quickly cut off such systems
until the users fix their PC's.) Or you can be hit intentionally, but
blindly, by anybody, anywhere, targeting entire subnets.

Or you could be infected yourself. Have you run Spybot S&D or AdAware, and
do you have an up to date virus scanner?
3) If I open my ISP monitoring window it shows me sent/received bytes
to the internet. By carefully following this flow with the sniffer, I
realized that there is a discrepancy, and that almost every packet
sent/received, according to the sniffer, is 20 bytes longer than
according to the ISP window. Any reason why (and which) 20 bytes would
be underreported from every packet (almost every packet)? The ECHO
packet behaves differently: my ISP window shows a flow of about 20
bytes per packet, while the sniffer program reports 50 to 60 bytes
(don't remember the exact number).

20 bytes is the TCP overhead. If your MTU (Maximum Transmission Unit) is
set to 1500, your packets are 1460 bytes + 20 bytes overhead. The sniffer
program you are using is displaying the overhead while, apparently, the ISP
monitor is not.

Echo packets are ICMP, not TCP. So they will be a different size.
4) Is there a website that will show you a print out of the packet you
send it, the same way there are web sites that show you the details of
your web request (such as IP address, what IE you're using, etc.)?

I don't know of one offhand. But here is a site that will explain in detail
what the packets contain.
http://mike.passwall.com/networking/samplepacket.html

Hadron Quark

Spender said:
I suppose that would be correct, but I fail to see the point of changing
the MAC. Regardless of the MAC, you are identifiable by your IP.

The translation of IP to MAC on an incoming packet is done at the last stop
before your modem (i.e by your ISP.) Other users on the net cannot see your
MAC. There is no need for them to see it, they have your IP.

Could you tell a beginner how the router knows which machine to route
the packet sent to its external IP then? Good FAQ pointer appreciated.

retyop

So you guys are saying that the unique hardware MAC address of my
internet card only gets transmitted as far as my local ISP provider? I
haven't been able to find a good FAQ or guide explaining in detail how
this works (and yes, I did read the links you've posted about ARP and
others).

How does this work?

As far as I can make out from what I've read here, I send a packet to
my ISP with my real MAC address and the destination MAC address. The
ISP records the destination IP and MAC address in its memory, and then
strips the packet of the MAC addresses because they are not necessary
from that point on. It sends out a slimmed version of my original
packet, which doesn't contain any MAC addresses. The destination ISP
receives the packet and uses its own table of stored IP/MAC addresses
to generate a packet that it will send to the destination IP that will
include the MAC addresses from its database. But the MAC address it is
sending has been generated by itself, it does not know the real MAC
address of my computer. With this method, the destination IP can route
the packet to the appropriate computer on its LAN network, if there are
more than one users on the destination IP.

Then their computer sends a reply packet to me, in which they include
the destination MAC address of my computer, which is actually the
randomly generated MAC their local ISP uses in its memory to identify
packets sent to my IP for this internet session. The process is
repeated, and I also receive the packet with a MAC generated by my own
local ISP, but in our communications, neither of us can know what the
real MAC of each other truly is.

Is this remotely close to how it works?

Spender

Then their computer sends a reply packet to me, in which they include
the destination MAC address of my computer, which is actually the
randomly generated MAC their local ISP uses in its memory to identify
packets sent to my IP for this internet session. The process is
repeated, and I also receive the packet with a MAC generated by my own
local ISP, but in our communications, neither of us can know what the
real MAC of each other truly is.

Is this remotely close to how it works?

No.

You send a packet out which reaches your ISP's first hop router. Your ISP
knows the MAC address of your computer because your computer is part of
their LAN (this is assuming you have a cable modem directly connected to a
single PC.)

The MAC address is recorded in a table, connecting it with your outgoing
packet in anticipation of a response.

Keep in mind that your packet has a destination IP in it. The recipient's
router knows which MAC address goes with that IP, and directs the packet
accordingly.

The recipient responds with a packet, and the same thing happens in
reverse. Their first hop router strips their MAC and forwards the packet
with the destination IP (your IP). Your ISP's router receives the packet
and matches it to its table to find out which MAC address to send the
packet to.

There is no generation of MAC's going on. Your MAC address is static - it
is permanently burned into your ethernet card.

The same process goes on in your home if you have a NAT router with more
than one computer hooked up. Say you and your girlfriend are both surfing
the web. How does your router know which computer to send responses to?

Your ISP *doesn't* know in this case since regardless of whether it is you
or your girlfriend sending a packet, all the ISP sees is your NAT router's
IP and MAC address. It is your NAT router that keeps a table of packets
connected to particular MAC's so that it can forward responses to the
correct computer.

Also keep in mind that the MAC address process is working at every hop your
packet takes. Routers have MAC addresses as well. If you open a command
prompt and type "tracert www.google.com", you will see the route your
packet takes to get to www.google.com. Each router knows the MAC address
of the one before it, and the one after it.

Technically, "knows" is a bad term, but it illustrates the point. What is
actually going on is what ARP is for. Each router knows how to find the MAC
address of the one before it, and the one after it.

That is all a router needs to know to forward a packet.
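Added example, not from any poster in this thread, for Hadron Quark's question and for the NAT description in the post above: a minimal model of a home NAT router with two LAN hosts behind it. Assumptions: the translation table is keyed on the private IP and port together with the remote endpoint, and the LAN host's MAC is looked up in the router's ARP cache only when the reply is about to be put on the LAN; WAN-side ports are handed out sequentially starting at 40000; every MAC and IP is constructed. It shows that a frame leaving on the WAN side carries only the router's WAN MAC and the upstream gateway's MAC, that two hosts using the same local port get distinct WAN ports, and that an inbound packet with no table entry is dropped.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    """One frame as seen on a link: link-layer addresses plus the IP/port fields."""
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


# Constructed topology (assumptions; none of these addresses are real devices).
LAN_HOSTS = {
    "192.168.2.10": "00:1a:2b:3c:4d:5e",   # "you"
    "192.168.2.11": "00:1a:2b:6f:70:81",   # "your girlfriend"
}
ROUTER_LAN_IP, ROUTER_LAN_MAC = "192.168.2.1", "00:e0:ab:00:00:01"
ROUTER_WAN_IP, ROUTER_WAN_MAC = "203.0.113.7", "00:e0:ab:00:00:02"
ISP_GW_IP, ISP_GW_MAC = "203.0.113.1", "00:50:56:aa:bb:cc"


class NatRouter:
    def __init__(self):
        self.arp_lan = dict(LAN_HOSTS)            # LAN-side ARP cache: IP -> MAC
        self.arp_wan = {ISP_GW_IP: ISP_GW_MAC}    # WAN-side ARP cache: only the upstream gateway
        self.table = {}      # (wan_port, remote_ip, remote_port) -> (private_ip, private_port)
        self.reverse = {}    # (private_ip, private_port, remote_ip, remote_port) -> wan_port
        self.next_port = 40000                    # assumption: sequential WAN port allocation

    @staticmethod
    def arp_resolve(cache: dict, ip: str) -> str:
        mac = cache.get(ip)
        if mac is None:
            # A real stack would broadcast "who has <ip>?" here; this model has nobody to ask.
            raise LookupError(f"no ARP entry for {ip}")
        return mac

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> WAN: record the flow, rewrite source IP/port, re-address the frame."""
        if pkt.dst_mac != ROUTER_LAN_MAC:
            raise ValueError("frame is not addressed to the router's LAN interface")
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        wan_port = self.reverse.get(key)
        if wan_port is None:
            wan_port = self.next_port
            self.next_port += 1
            self.reverse[key] = wan_port
            self.table[(wan_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        # The LAN host's MAC goes no further: the WAN frame carries the router's and the gateway's.
        return replace(pkt, src_mac=ROUTER_WAN_MAC,
                       dst_mac=self.arp_resolve(self.arp_wan, ISP_GW_IP),
                       src_ip=ROUTER_WAN_IP, src_port=wan_port)

    def inbound(self, pkt: Packet):
        """WAN -> LAN: look the reply up in the table; packets with no entry are dropped."""
        if pkt.dst_ip != ROUTER_WAN_IP or pkt.dst_mac != ROUTER_WAN_MAC:
            raise ValueError("frame is not addressed to the router's WAN interface")
        entry = self.table.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if entry is None:
            return None                           # nobody inside asked for this: drop it
        priv_ip, priv_port = entry
        return replace(pkt, src_mac=ROUTER_LAN_MAC,
                       dst_mac=self.arp_resolve(self.arp_lan, priv_ip),
                       dst_ip=priv_ip, dst_port=priv_port)


def run_scenario() -> dict:
    """Two LAN hosts fetch from the same web server using the same local port."""
    r = NatRouter()
    web = "72.14.203.99"
    out = {}
    for name, ip in (("you", "192.168.2.10"), ("girlfriend", "192.168.2.11")):
        lan_frame = Packet(LAN_HOSTS[ip], ROUTER_LAN_MAC, ip, web, 51000, 80)
        wan_frame = r.outbound(lan_frame)
        # The server's reply as the ISP gateway hands it over: it only ever learned the WAN MAC.
        reply = Packet(ISP_GW_MAC, ROUTER_WAN_MAC, web, ROUTER_WAN_IP, 80, wan_frame.src_port)
        out[name] = (wan_frame, r.inbound(reply))
    # Background noise from some other host, aimed at the WAN IP on a port nobody opened.
    noise = Packet(ISP_GW_MAC, ROUTER_WAN_MAC, "198.51.100.9", ROUTER_WAN_IP, 4444, 40000)
    out["noise"] = r.inbound(noise)
    return out


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(k, v)
```

The ARP cache is consulted at the last moment on each side, which is the sense in which a router "knows" its neighbours' MACs: it knows how to find them, and the lookup never has to leave the segment.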

Dana

Some O said:
Some ISPs require MAC registration, with a limit on the number of
registrations.
If you have several devices directly connected (not going through a
router) it's very handy to use the same MAC address for all of them.

Do you know what the MAC is, and how it is used to determine where to send
packets?

Some O

Spender said:
I fail to see the point of changing
the MAC. Regardless of the MAC, you are identifiable by your IP.
Some ISPs require MAC registration, with a limit on the number of
registrations.
If you have several devices directly connected (not going through a
router) it's very handy to use the same MAC address for all of them.

Kaptain Krunch

I did the tracert and got this :

Tracing route to www.l.google.com [72.14.203.99]
over a maximum of 30 hops:

1 <10 ms <10 ms <10 ms 192.168.2.1
2 * Hardware error.

Trace complete.

and my network Icon said my cable had been disconnected... LOL forgot about
the bug in the BEFSX41 and tracert... damn Linksys had this problem In the
BEFSR41 too... Hmmmm

KK