Slashdot Mirror


Detecting Spoofed MAC Addresses On 802.11 Nets

Joshua Wright writes "I have written a white paper on detecting spoofed MAC addresses on wireless LANs. This paper describes some of the techniques attackers utilize to disrupt wireless networks through MAC address spoofing, demonstrated with captured traffic that was generated by the AirJack, FakeAP and Wellenreiter tools. Utilizing the techniques I describe, it is possible to identify users who utilize spoofed MAC addresses on 802.11 networks to launch denial of service attacks, bypass access control mechanisms, or falsely advertise services to wireless clients."

4 of 18 comments

  1. Re:First Post! by thebigmacd · · Score: 2, Informative

    From the amount of the whitepaper I skimmed through, it looks like this could be used over copper, but the type of attack that it detects is rare or non-existent on copper because of the inherent difficulty of taking down a single client with DoS without taking down the entire network itself.

  2. No, for one important reason... by Anonymous Coward · · Score: 2, Informative

    No, it will not apply to copper. The packet generation in 802.11x includes a counter. This counter is not present in the 100/10tx packets. The counter is generated at the physical (hardware) level, and so when an intruder attempts to DoS a valid user and usurp the MAC address, the counter cannot be changed to what the user's counter was...

    UNLESS...........

    the intruder either waits until the user's counter is about to flip back to 0, then DoS the user, and reset his counter, then spoof the MAC address. Or perhaps a virus or trojan could be written that would reset the valid user's counter somehow.

  3. good effort, but not quite what it seems... by ubiquitin · · Score: 4, Informative

    Basically what this guy did was realize that the MAC-generation algorithm in spoofing software Wellenreiter has a weakness, namely that the OUIs it generates aren't all legit. (OUI is the organizational unique identifier which is in the first few bits of the MAC address.) Also see helpful Sourceforge description of Wellenreiter.

    He similarly points out limitations in denial of service tools: AirJack and FakeAP software. However, this isn't the same as giving a general technique for analyzing MAC addresses on 802.11b, something which was strongly implied in the original post.

    --
    http://tinyurl.com/4ny52
    1. Re:good effort, but not quite what it seems... by iangoldby · · Score: 2, Informative
      An anonymous coward wrote:

      Basically what this guy did was realize that the MAC-generation algorithm in spoofing software Wellenreiter ... However, this isn't the same as giving a general technique for analyzing MAC addresses on 802.11b, something which was strongly implied in the original post.

      You didn't read the whole paper. The part with the bug in the script is only the first few pages. Later in the paper, he goes into using 802.11 sequence numbers to detect spoofed MACs. I'm not even sure why he mentions the bug, as that's pretty trivial. The sequence number analysis stuff is far more interesting. It's not foolproof, but it could be very useful.

      I don't have mod points, so I've reposted it with my +1 bonus (since the Score:5, Informative parent post is wrong).
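
The sequence-number analysis discussed in the comments above, sketched as an added example (not code from the white paper or from any commenter): each transmitter keeps its own 12-bit 802.11 sequence counter, so two radios using one MAC address produce repeated large jumps in the per-MAC sequence stream. The gap threshold, the `min_events` cutoff, the function names and the sample frames are assumptions constructed for illustration.

```python
from collections import defaultdict

SEQ_MODULUS = 4096   # the 802.11 sequence number is 12 bits and wraps 4095 -> 0
GAP_THRESHOLD = 64   # assumed tolerance for frames the sensor missed; tune it


def seq_gap(prev, cur):
    """Forward distance from prev to cur, modulo the 12-bit counter."""
    return (cur - prev) % SEQ_MODULUS


def find_anomalies(frames, threshold=GAP_THRESHOLD):
    """frames: (timestamp, source_mac, seq) tuples in capture order.

    Returns {mac: [(timestamp, prev_seq, seq, gap), ...]} for frames whose
    sequence number is not a small forward step from the previous frame
    seen with the same source MAC.
    """
    last_seq, anomalies = {}, defaultdict(list)
    for ts, mac, seq in frames:
        mac = mac.lower()
        if mac in last_seq:
            gap = seq_gap(last_seq[mac], seq)
            # gap 0 is a retransmission, a small gap is normal traffic or loss
            if gap > threshold:
                anomalies[mac].append((ts, last_seq[mac], seq, gap))
        last_seq[mac] = seq
    return dict(anomalies)


def suspected_spoofed(frames, min_events=2, threshold=GAP_THRESHOLD):
    """MACs with repeated large jumps, as when two radios interleave frames."""
    hits = find_anomalies(frames, threshold)
    return sorted(mac for mac, events in hits.items() if len(events) >= min_events)


# Constructed capture: station ...:01 wraps normally, ...:02 is shared by two
# transmitters whose independent counters interleave.
SAMPLE_FRAMES = [
    (0.00, "02:00:00:00:00:01", 4094), (0.01, "02:00:00:00:00:01", 4095),
    (0.02, "02:00:00:00:00:01", 0),    (0.03, "02:00:00:00:00:01", 1),
    (0.10, "02:00:00:00:00:02", 1200), (0.11, "02:00:00:00:00:02", 1201),
    (0.12, "02:00:00:00:00:02", 310),  (0.13, "02:00:00:00:00:02", 1202),
    (0.14, "02:00:00:00:00:02", 311),  (0.15, "02:00:00:00:00:02", 1204),
]

if __name__ == "__main__":
    for mac in suspected_spoofed(SAMPLE_FRAMES):
        print(mac, find_anomalies(SAMPLE_FRAMES)[mac])
```

A single large jump can come from a station reset or a long capture gap, which is why the sketch requires repeated events before naming a MAC.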