MAC Spoofing Question

nbtstat -a 10.0.1.82

Local Area Connection:
Node IpAddress: [10.0.1.76] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    MARIA-PC       <00>  UNIQUE      Registered
    MARIA-PC       <20>  UNIQUE      Registered
    ARC            <00>  GROUP       Registered
    ARC            <1E>  GROUP       Registered

    MAC Address = 00-1D-09-87-2B-71


Right away the address in the request changes to 76. Why is that?


Symantec Endpoint Protection gives this:



Event Description: Unsolicited incoming ARP reply detected, this is a kind of MAC spoofing that may consequently do harm to your computer. Packet data is shown in the right window.
Attack Type: MAC Spoofing
Event Time: 10/13/2008 10:43:10
Remote Host IP: 10.0.1.100
Occurrence: 1
Alert: 1
Begin Time: 10/12/2008 22:42:58
End Time: 10/12/2008 22:42:58
Domain Name: Default
Site Name: Site server2
Server Name: server2
Group Name: My Company\team ARC
Computer Name  
Current: maria-pc
When event occurred: maria-pc
 
IP Address  
Current: 10.0.1.82

 
Operating system name: Windows XP Professional
Location Name: Default
User Name: maria
Severity: Minor
Local MAC: 001D09872B71
Remote MAC: 001D092868F4
Hardware Key: F99127C11A4FC6F9A870D8029F5CD7E7
Network Protocol: Other
Traffic Direction: Inbound
Send SNMP trap: 1
Remote Host Name:  
Hack Type: 0
Application Name:


About 20 of those messages came up before the PC got disconnected from the network by the firewall.


There is a thread on the Symantec forums here:
https://forums.symantec.com/syment/board/message?board.id=endpoint_protection11&message.id=17717&query.id=324180#M17717

But what I really need is a way to get to the bottom of this and see what's causing it on my network.

Being new to dealing with MAC addresses, I tried things like looking both of them up in the vendor DB, which came up as Dell for both addresses.

I only have 1 network adapter on that PC.

Points are 250.

Asked by Anti-Mhz

1 Solution

Tolomir (Administrator) commented:
Could you post an

arp -a

result here too please.

And what is your setup? Are you on a bigger network, or connected to the Internet by cable / DSL / modem?

Anti-Mhz (Author) commented:
Interface: 10.0.1.82 --- 0x2
  Internet Address      Physical Address      Type
  10.0.1.1              00-0c-86-3d-4a-b0     dynamic
  10.0.1.100            00-1d-09-28-68-f4     dynamic
  10.0.1.129            00-0f-1f-f8-78-ec     dynamic
  10.0.1.150            00-0d-56-6f-b7-b3     dynamic


.1 - gateway
.100, .129, .150 - 3 servers

All of these connections should be allowed.

I'm on a network with 3 servers all running Windows 2003 flavors (2 Standard and 1 SBS) with 15 workstations.


Tolomir (Administrator) commented:
OK, so basically Symantec found a computer using IP 10.0.1.76 and you wonder how it got into your network, right?

Is there anything WLAN related around?

How big is the network (in physical terms)? Is it permanently installed with wall plugs, or are all computers connected to a single switch?

Anti-Mhz (Author) commented:
Actually, I misled you. 76 is the PC I'm running nbtstat -a from. My mistake. What doesn't change is that

there is a workstation on the network under class D IP of 82 which has SEP screaming that there is MAC spoofing going on. You can see the log in my first post.

This is a small network with 1 switch, 3 servers (1 DC), about 15 workstations.


Tolomir (Administrator) commented:
OK, it could be the case that there is a server with 2 network cards for load balancing with one IP.

Thus having 2 network cards with different MACs and one "shared" IP could result in Symantec shouting crime and murder.

Tolomir


Tolomir (Administrator) commented:
Attack Type: MAC Spoofing
Event Time: 10/13/2008 10:43:10
Remote Host IP: 10.0.1.100

---

.100, .129, .150 - 3 servers

Please check if server .100 is connected with 2 network cards to the switch.
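As an added example (not from this thread and not Symantec's own detection logic), a small Python script that applies the two checks discussed here to a constructed ARP event log: a reply that no recent request solicited, and one IP answering with more than one MAC, which is what a server with two NICs sharing one address would look like on the wire. The IPs and the two real MACs are taken from the thread; the log format, the timestamps and the second MAC for 10.0.1.100 are constructed.

```python
# Added example, not Symantec's logic: flag ARP replies nobody asked for, and
# one IP answering with more than one MAC (a server with two NICs on one IP).
from collections import defaultdict

# Constructed capture in a simple "ts op sender_ip sender_mac target_ip" form.
# IPs and the first two MACs come from the thread; the second MAC for
# 10.0.1.100 (...68-f5) is invented to model a second NIC.
SAMPLE_EVENTS = """\
1 request 10.0.1.82  00-1d-09-87-2b-71 10.0.1.100
2 reply   10.0.1.100 00-1d-09-28-68-f4 10.0.1.82
3 reply   10.0.1.100 00-1d-09-28-68-f5 10.0.1.82
4 reply   10.0.1.1   00-0c-86-3d-4a-b0 10.0.1.82
"""

def parse_events(text):
    """Parse the constructed log into (ts, op, sender_ip, sender_mac, target_ip)."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, op, sip, smac, tip = line.split()
            events.append((int(ts), op, sip, smac.lower(), tip))
    return events

def analyse(events, window=5):
    """Return (unsolicited_replies, conflicting_ips).

    A reply counts as solicited only if its target asked for the replier's IP
    within `window` seconds; anything else is the 'Unsolicited incoming ARP
    reply' SEP logged. conflicting_ips maps IP -> sorted MACs it claimed (>1)."""
    requests = defaultdict(list)   # (requester_ip, wanted_ip) -> [timestamps]
    macs_by_ip = defaultdict(set)  # replier_ip -> MACs it claimed
    unsolicited = []
    for ts, op, sip, smac, tip in events:
        if op == "request":
            requests[(sip, tip)].append(ts)
        elif op == "reply":
            macs_by_ip[sip].add(smac)
            recent = [t for t in requests[(tip, sip)] if 0 <= ts - t <= window]
            if not recent:
                unsolicited.append((ts, sip, smac, tip))
    conflicts = {ip: sorted(m) for ip, m in macs_by_ip.items() if len(m) > 1}
    return unsolicited, conflicts

if __name__ == "__main__":
    unsol, conf = analyse(parse_events(SAMPLE_EVENTS))
    for ts, sip, smac, tip in unsol:
        print(f"t={ts}: unsolicited reply {sip} is-at {smac} -> {tip}")
    for ip, macs in conf.items():
        print(f"{ip} answered with several MACs: {', '.join(macs)}")
```

On the sample, the gateway's reply at t=4 is reported as unsolicited and 10.0.1.100 is reported for answering with two MACs; on a real capture the second finding is the one to compare against the server's NIC configuration before treating the alert as an attack.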