Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

MAC Spoofing Question

Posted on 2008-10-13
6
Medium Priority
?
4,356 Views
Last Modified: 2013-11-16
nbtstat - a 10.0.1.82

Local Area Connection:
Node IpAddress: [10.0.1.76] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    MARIA-PC       <00>  UNIQUE      Registered
    MARIA-PC       <20>  UNIQUE      Registered
    ARC            <00>  GROUP       Registered
    ARC            <1E>  GROUP       Registered

    MAC Address = 00-1D-09-87-2B-71


Right away the address in request changes to 76. Why is that?


Symantec Endpoint Protection gives this:



Event Description: Unsolicited incoming ARP reply detected, this is a kind of MAC spoofing that may consequently do harm to your computer. Packet data is shown in the right window.
Attack Type: MAC Spoofing
Event Time: 10/13/2008 10:43:10
Remote Host IP: 10.0.1.100
Occurrence: 1
Alert: 1
Begin Time: 10/12/2008 22:42:58
End Time: 10/12/2008 22:42:58
Domain Name: Default
Site Name: Site server2
Server Name: server2
Group Name: My Company\team ARC
Computer Name  
Current: maria-pc
When event occurred: maria-pc
 
IP Address  
Current: 10.0.1.82

 
Operating system name: Windows XP Professional
Location Name: Default
User Name: maria
Severity: Minor
Local MAC: 001D09872B71
Remote MAC: 001D092868F4
Hardware Key: F99127C11A4FC6F9A870D8029F5CD7E7
Network Protocol: Other
Traffic Direction: Inbound
Send SNMP trap: 1
Remote Host Name:  
Hack Type: 0
Application Name:


About 20 of those messages came up before the PC got disconnected from the network by the firewall.


There is a thread on symantec forums here:
https://forums.symantec.com/syment/board/message?board.id=endpoint_protection11&message.id=17717&query.id=324180#M17717

But what I really need is way to get down to the bottom of this and see what's causing it in on my network.

Being new to dealing with MAC address I tried things like lookin both of them up in the vendor DB which came up as Dell for both addresses.

I only have 1 network adapter on that PC.

Points are 250.

0
Comment
Question by:Anti-Mhz
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
6 Comments
 
LVL 27

Expert Comment

by:Tolomir
ID: 22704137
Could you post an

arp -a

result here too please.

And what is your setup. Are you on a bigger network, or connected to the Internet by cable /DSL / modem ?
0
 
LVL 1

Author Comment

by:Anti-Mhz
ID: 22705038
Interface: 10.0.1.82 --- 0x2
  Internet Address      Physical Address      Type
  10.0.1.1              00-0c-86-3d-4a-b0     dynamic
  10.0.1.100            00-1d-09-28-68-f4     dynamic
  10.0.1.129            00-0f-1f-f8-78-ec     dynamic
  10.0.1.150            00-0d-56-6f-b7-b3     dynamic


.1 - gateway
 .100, .129, .150 - 3 servers

all of these connections should be allowed.

im on a network with 3 servers all running windows 2003 flavors (2 standard and 1 sbs) with 15 workstations.

0
 
LVL 27

Expert Comment

by:Tolomir
ID: 22705346
OK so basically symantec found a computer using IP 10.0.1.76 and you wonder how did it get into your network, right?

Is there anything WLAN related around?

How big is the network (in physical terms) ? Is it permanently installed with wall plugs or are all computers connected on a single switch?




0
Introducing the WatchGuard 420 Access Point

WatchGuard's newest access point includes an 802.11ac Wave 2 chipset, providing the fastest speeds for VoIP, video and music streaming, and large data file transfers. Additionally, enjoy the benefits of strong security as the 3rd radio delivers dedicated WIPS protection!

 
LVL 1

Author Comment

by:Anti-Mhz
ID: 22705758
actually i mislead u. 76 is the pc im running nbtstat -a from. My mistake. What doesn't change is that

there is a workstation on the network under class D IP of 82 which has SED screaming that there is MAC spoofing going in.  u can see the log in my first post.

this is a small network with 1 switch, 3 servers ( 1 dc), about 15 workstations


0
 
LVL 27

Accepted Solution

by:
Tolomir earned 750 total points
ID: 22705828
OK could be the case that there is a server with 2 network cards for load balancing with one IP.

Thus having 2 networks card with different MACS and one "shared" IP, could result in Symantec shouting crime and murder.

Tolomir


0
 
LVL 27

Expert Comment

by:Tolomir
ID: 22705844
Attack Type: MAC Spoofing
Event Time: 10/13/2008 10:43:10
Remote Host IP: 10.0.1.100

---

.100, .129, .150 - 3 servers

Please check if server .100 is connected with 2 network cards to the switch.
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Do you have a windows based Checkpoint SmartCenter for centralized Checkpoint management?  Have you ever backed up the firewall policy residing on the SmartCenter?  If you have then you know the hassles of connecting to the server, doing an upgrade_…
The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intention…
This tutorial will teach you the special effect of super speed similar to the fictional character Wally West aka "The Flash" After Shake : http://www.videocopilot.net/presets/after_shake/ All lightning effects with instructions : http://www.mediaf…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses

722 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question