never seen it on a windows box before, but it would be trivial to do so on many unix hosts that allow MACs to be altered with ifconfig.... For instance, in redhat, it would be a simple case of writing a perl or shell script that did (assuming DHCP is already configured for the machine in the first place)

    # cycle through hardware addresses, bouncing the interface so the
    # DHCP client requests a fresh lease under each one
    $mac = "00:00:00:00:00:00";
    $remainingAddys = 1;
    while ($remainingAddys) {
        system("ifconfig eth0 hw ether $mac");
        system("ifdown eth0");
        system("ifup eth0");
        $remainingAddys = createNewMac($mac);
    }

You would have to write the routine that makes $mac get updated and return whether there are any more mac addresses....

I don't know how you could prevent this though!!! I am sure that using etherpeek, you could find the machine rather quickly. (at least after it stomped you a couple of times). If the person is malicious, you would prove it is them. If the box is compromised, you would reinstall and smack the admin.

-----Original Message-----
From: Reeves, Michael (GEAE, Compaq) [mailto:michael.reevesat_private]
Sent: Thursday, August 09, 2001 6:29 AM
To: 'incidentsat_private'
Subject: DHCP, ARP, oh my

Anyone know of an exploit that dupes ARP on windows 95? Yesterday we had a machine that caused a nasty ARP storm and started snagging DHCP addresses as fast as it could (stealing addresses). It was ARPing as if it were every machine on the network. It was a windows 95 box and was immediately pulled off of the network. Once the machine was rebooted it stopped. Doing a quick once-over on the machine and looking through the registry I didn't see anything that seemed suspect. I have seen bad NICs cause broadcast storms but this is a first for me. If anyone knows of any exploits or seen anything like this as a hardware failure could ya let me know.

Thanks,
Mike Reeves
Security Administrator

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
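Both messages describe the same two symptoms from the wire: one host answering ARP as if it owned every address on the segment, and a flood of DHCP lease requests under rotating hardware addresses. The reply suggests a sniffer (EtherPeek) is the quickest way to find the box; the following script is an added example of what that triage looks like offline, not code from either poster. It runs over a constructed packet summary (tuples of timestamp, source MAC, frame kind, and either the IP an ARP reply claims or the DHCP client hardware address); the record layout, thresholds and window size are all assumptions chosen for the example.

```python
from collections import defaultdict

# Constructed sample records, not a real capture: (timestamp_s, src_mac, kind, value)
#   kind "arp_reply":     value is the IP address the sender claims to own
#   kind "dhcp_discover": value is the client hardware address (chaddr) in the request
SAMPLE = [
    # a legitimate host answering only for its own address
    (0.0, "00:50:56:aa:aa:01", "arp_reply", "10.1.1.10"),
    (5.0, "00:50:56:aa:aa:01", "arp_reply", "10.1.1.10"),
    # one host answering as if it were every machine on the segment
    *[(0.1 * i, "00:e0:29:bb:bb:02", "arp_reply", f"10.1.1.{100 + i}") for i in range(40)],
    # ordinary lease requests from two stations
    (1.0, "00:50:56:aa:aa:03", "dhcp_discover", "00:50:56:aa:aa:03"),
    (2.0, "00:50:56:aa:aa:04", "dhcp_discover", "00:50:56:aa:aa:04"),
    # lease grabbing with a hardware address that changes on every request
    *[(3.0 + 0.2 * i, f"00:00:00:00:00:{i:02x}", "dhcp_discover", f"00:00:00:00:00:{i:02x}")
      for i in range(25)],
]

ARP_IPS_PER_MAC = 10    # distinct IPs one MAC may claim per window before it is flagged (assumed)
DHCP_NEW_CLIENTS = 10   # distinct chaddr values per window before starvation is flagged (assumed)
WINDOW_S = 10.0         # bucket width in seconds (assumed)


def arp_claimers(records, window=WINDOW_S, threshold=ARP_IPS_PER_MAC):
    """Map src_mac -> largest number of distinct IPs it claimed in any one window,
    for MACs whose claims exceed the threshold. A single NIC answering for many
    addresses is the ARP-storm signature described in the thread."""
    claims = defaultdict(set)  # (window_index, mac) -> {claimed IP}
    for ts, mac, kind, value in records:
        if kind == "arp_reply":
            claims[(int(ts // window), mac)].add(value)
    flagged = {}
    for (_, mac), ips in claims.items():
        if len(ips) > threshold:
            flagged[mac] = max(flagged.get(mac, 0), len(ips))
    return flagged


def dhcp_starvation_windows(records, window=WINDOW_S, threshold=DHCP_NEW_CLIENTS):
    """Return [(window_start_s, distinct_client_count)] for windows in which more
    distinct client hardware addresses asked for a lease than the threshold allows.
    Rotating MACs show up as a burst of never-before-seen clients."""
    clients = defaultdict(set)  # window_index -> {chaddr}
    for ts, _, kind, value in records:
        if kind == "dhcp_discover":
            clients[int(ts // window)].add(value)
    return sorted((idx * window, len(s)) for idx, s in clients.items() if len(s) > threshold)


if __name__ == "__main__":
    for mac, n in arp_claimers(SAMPLE).items():
        print(f"ARP: {mac} claimed {n} distinct IPs in one window; pull that port")
    for start, n in dhcp_starvation_windows(SAMPLE):
        print(f"DHCP: {n} distinct client MACs requested leases in window starting at {start:.0f}s")
```

On a real capture the MAC flagged by the ARP check is the one to trace back to a switch port; the DHCP check cannot name a host when the hardware address rotates, which is why the two checks are kept separate and the DHCP one reports a time window instead.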
This archive was generated by hypermail 2b30 : Fri Aug 10 2001 - 07:36:22 PDT