
Detecting Spoofed MAC Addresses On 802.11 Nets

Joshua Wright writes "I have written a white paper on detecting spoofed MAC addresses on wireless LANs. This paper describes some of the techniques attackers utilize to disrupt wireless networks through MAC address spoofing, demonstrated with captured traffic that was generated by the AirJack, FakeAP and Wellenreiter tools. Utilizing the techniques I describe, it is possible to identify users who utilize spoofed MAC addresses on 802.11 networks to launch denial of service attacks, bypass access control mechanisms, or falsely advertise services to wireless clients."
  • First Post! (Score:2, Interesting)

    Can these methods be used on traditional wired LANs, or are the techniques different for spoofing on a wireless LAN?
    • Re:First Post! (Score:2, Informative)

      by thebigmacd ( 545973 )
      From the amount of the whitepaper I skimmed through, it looks like this could be used over copper, but the type of attack that it detects is rare or non-existent on copper because of the inherent difficulty of taking down a single client with DoS without taking down the entire network itself.
      • Thanks. :-)

        ((Can someone tell my why my post was moderated as redundant?!))
      • by Anonymous Coward
        No, it will not apply to copper. The packet generation in 802.11x includes a counter. This counter is not present in the 100/10tx packets. The counter is generated at the physical (hardware level), and so when an intruder attempts to DoS a valid user and usurp the mac address, the counter cannot be changed to what the user's counter was...
        the intruder either waits until the user's counter is about to flip back to 0, then DoS the user, and reset his counter, then spoof the MAC address. Or perhaps a virus or trojan could be written that would reset the valid user's counter somehow.
    • Can these methods be used on traditional wired lans

      No. One technique relies on a bug in a script to detect anomalous MACs from script kiddies; not generally useful or applicable. The second technique is much more interesting and useful: it uses sequence number analysis to find spoofed MACs. This is, of course, not relevant to wired nets because ethernet has no such thing as a sequence number (only source, destination and type). This might be worth investigating as some places do use MACs for authentication (e.g., you have to "register" your NIC with a username/password before being allowed out of a sandbox network - very popular in wireless nets, but also used occasionally on wired nets). Off the top of my head, I can't figure out any way to reliably detect MAC spoofing over ethernet (you just have very little to work with - you might try detecting when there is a too small time difference between one MAC sending from a jack and another, but then the attacker could just wait; or you could try using some higher-level protocol stuff, similar to what's used to detect when a card goes promiscuous, but those are just heuristics and can be broken; and there are also valid reasons for MAC spoofing (like VMWare)).

      Also note that the techniques he describes are not foolproof. If someone knows an IDS using these techniques is in place, they could launch an attack as follows: 1. listen for a valid MAC; 2. send out some valid traffic using your factory-assigned MAC until your sequence number almost matches the target's (eg, keep hitting their authentication web page - might be difficult if the target is also active); 3. DOS the target using the few packets you have left until you meet the sequence number, or just use a second NIC to DOS the target; 4. take over target's IP, with no discontinuity in sequence numbers.

      Still a very interesting paper.
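The sequence number analysis the post above describes, as an added example that is not part of the paper or of any tool it mentions: 802.11 frames carry a 12-bit sequence number that each station increments per MSDU and wraps at 4095, so a monitor that remembers the last number seen per source address can flag a counter that runs backwards (two radios emitting under one address) or jumps forward by far more than the station's own rate would explain. The frames, the address and the forward-gap threshold are constructed for the example.

```python
"""Per-source 802.11 sequence-number tracking to flag a spoofed source address.

Added illustrative code, not from the paper or the tools discussed. Input is a
list of (source MAC, sequence number) pairs as a monitor would pull from the
Sequence Control field; the sample below is constructed.
"""

SEQ_MODULO = 4096       # 802.11 sequence numbers are 12 bits: 0..4095, then wrap
MAX_FORWARD_GAP = 64    # assumed tuning knob: forward jumps larger than this are reported


def seq_delta(prev, cur):
    """Forward distance from prev to cur modulo 4096 (4095 -> 0 is a distance of 1)."""
    return (cur - prev) % SEQ_MODULO


class SeqTracker:
    """Remembers the last sequence number seen for each source address."""

    def __init__(self, max_gap=MAX_FORWARD_GAP):
        self.last = {}
        self.max_gap = max_gap

    def observe(self, src, seq):
        """Return None when the number is consistent, else a description of the anomaly."""
        prev = self.last.get(src)
        self.last[src] = seq
        if prev is None:
            return None                      # first frame from this address: nothing to compare
        d = seq_delta(prev, seq)
        if d == 0:
            return None                      # retransmission of the same MSDU reuses the number
        if d > SEQ_MODULO // 2:
            # Shortest path is backwards: a second sender is using this address
            # with its own counter, or the original station has reset.
            return f"{src}: sequence went backwards ({prev} -> {seq})"
        if d > self.max_gap:
            return f"{src}: forward jump of {d} ({prev} -> {seq})"
        return None


def analyse(frames, max_gap=MAX_FORWARD_GAP):
    """Run every frame through one tracker and collect the anomalies in order."""
    tracker = SeqTracker(max_gap)
    alerts = []
    for src, seq in frames:
        alert = tracker.observe(src, seq)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample: one legitimate station wrapping 4095 -> 0, then a second
# radio appearing under the same address with an unrelated counter value.
SAMPLE_FRAMES = [
    ("00:02:2d:11:22:33", 4093),
    ("00:02:2d:11:22:33", 4094),
    ("00:02:2d:11:22:33", 4095),
    ("00:02:2d:11:22:33", 0),      # legitimate wrap, delta 1
    ("00:02:2d:11:22:33", 1),
    ("00:02:2d:11:22:33", 1),      # retransmit, same number, not an anomaly
    ("00:02:2d:11:22:33", 872),    # second sender: large forward jump
    ("00:02:2d:11:22:33", 2),      # original station continues: backwards
    ("00:02:2d:11:22:33", 873),    # second sender again: large forward jump
]

if __name__ == "__main__":
    for line in analyse(SAMPLE_FRAMES):
        print(line)
```

The backwards case is the strong signal; the forward-gap rule needs tuning per environment, and, as the thread itself points out, a station that leaves and rejoins or reboots resets its counter and looks the same to this check, so treat these alerts as a reason to correlate with association and authentication logs rather than as proof on their own.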

  • by ubiquitin ( 28396 ) on Thursday January 23, 2003 @08:38AM (#5142261)
    Basically what this guy did was realize that the MAC-generation algorithm in spoofing software Wellenreiter has a weakness, namely that the OUIs it generates aren't all legit. (OUI is the organizationally unique identifier which is in the first few bits of the MAC address.) Also see the helpful Sourceforge description of Wellenreiter.

    He similarly points out limitations in denial of service tools: AirJack and FakeAP software. However, this isn't the same as giving a general technique for analyzing MAC addresses on 802.11b, something which was strongly implied in the original post.
    • An anonymous coward wrote:

      Basically what this guy did was realize that the MAC-generation algorithm in spoofing software Wellenreiter ... However, this isn't the same as giving a general technique for analyzing MAC addresses on 802.11b, something which was strongly implied in the original post.

      You didn't read the whole paper. The part with the bug in the script is only the first few pages. Later in the paper, he goes into using 802.11 sequence numbers to detect spoofed MACs. I'm not even sure why he mentions the bug, as that's pretty trivial. The sequence number analysis stuff is far more interesting. It's not foolproof, but it could be very useful.

      I don't have mod points, so I've reposted it with my +1 bonus (since the Score:5, Informative parent post is wrong).
      • That's a really good point. I went back and read it again, but still stand by my previous post. The sequence number analysis techniques apply only to weaknesses in FakeAP and AirJack which will be easily modified on their part. All they have to do is follow the sequence control frames of their spoofing victim. The man in the middle attack described later is a better example of how sequence analysis could be useful, but it still wouldn't let the access point operator distinguish between an attacker and the case where a legitimate user simply left the network and came back a short while later. This isn't a trivial problem to overcome on the part of the access point operator. (!)

        The most interesting part of the paper to me was the section where Josh mentions that Lucent cards aren't following the 802.11b specification in their sequence generation. And I highly agree with his recommendation in the final paragraph for access point vendors to add extra processing power to their hardware to accommodate security tools, such as sequence analysis tools. But it is a two way street, since doing so will give attackers more potential when they've succeeded with an exploit.
    • Correct me if I'm wrong, but isn't there another flaw in the implementation? IEEE OUIs are supposed to change the 23rd bit of the OUI portion of the MAC address based on if it's a locally administered address or a globally administered one. If an attacker can set all the bits of the network card MAC address, isn't that a mistake in the hardware?

      Either way, wireless networks remain vulnerable...
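The address-level checks raised in this thread (the invalid OUIs that a random MAC generator produces, and the locally administered flag), as an added example that is not code from the paper or from Wellenreiter: IEEE 802 reserves the two low-order bits of the first octet as the I/G (group) and U/L (locally administered) flags, and a randomly generated source address has an even chance of setting either, while the remaining 22 bits of the first three octets form the OUI that can be compared against the adapters a site has actually registered. The OUI allowlist and the sample addresses are constructed for the example; a deployment would load the IEEE registry or its own NIC registration database instead.

```python
"""Classify an 802.11 source address by its flag bits and OUI.

Added illustrative code, not from the paper or any tool it discusses.
KNOWN_OUIS is a constructed placeholder for a site's NIC registration data.
"""
import re

MAC_RE = re.compile(r"^([0-9a-f]{2}):([0-9a-f]{2}):([0-9a-f]{2}):"
                    r"([0-9a-f]{2}):([0-9a-f]{2}):([0-9a-f]{2})$")

# Constructed allowlist: OUIs (first three octets) of adapters registered at this site.
KNOWN_OUIS = {"00:02:2d", "00:40:96"}


def parse_mac(mac):
    """Return the six octets of a colon-separated MAC, or raise ValueError."""
    m = MAC_RE.match(mac.strip().lower())
    if not m:
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes(int(x, 16) for x in m.groups())


def classify_mac(mac, known_ouis=KNOWN_OUIS):
    """Return (oui, flags): flags is empty for a plausible globally assigned unicast source."""
    octets = parse_mac(mac)
    first = octets[0]
    flags = []
    if first & 0x01:
        flags.append("group")                  # I/G bit: multicast/broadcast, never a valid source
    if first & 0x02:
        flags.append("locally-administered")   # U/L bit: not a vendor-assigned address
    oui = ":".join(f"{b:02x}" for b in octets[:3])
    if oui not in known_ouis:
        flags.append("unregistered-oui")       # not among the adapters this site knows
    return oui, flags


def suspicious_sources(macs, known_ouis=KNOWN_OUIS):
    """Filter a list of observed source addresses down to the ones that raise a flag."""
    return [m for m in macs if classify_mac(m, known_ouis)[1]]


# Constructed sample of observed source addresses.
SAMPLE_SOURCES = [
    "00:02:2d:aa:bb:cc",   # registered OUI, unicast, globally assigned
    "02:02:2d:aa:bb:cc",   # same OUI bytes but U/L bit set
    "01:00:5e:00:00:01",   # I/G bit set: a group address used as a source
    "fa:16:3e:00:00:01",   # U/L bit set and OUI not registered
]

if __name__ == "__main__":
    for src in SAMPLE_SOURCES:
        print(src, classify_mac(src))
```

On its own this only catches careless generators; an attacker who copies a real station's address passes every check here, which is why the sequence number analysis in the paper is the more interesting half, and why a registered-OUI list is a filter for noise rather than an authentication mechanism.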

  • Will the white papers never end? When will computers be secure enough that there are no vulnerabilities to write white papers about? Oh yeah, never. I'm unplugging everything as soon as I get home. Spoof that!
