Solved

MAC Spoofing Question

Posted on 2008-10-13
6
4,120 Views
Last Modified: 2013-11-16
nbtstat - a 10.0.1.82

Local Area Connection:
Node IpAddress: [10.0.1.76] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    MARIA-PC       <00>  UNIQUE      Registered
    MARIA-PC       <20>  UNIQUE      Registered
    ARC            <00>  GROUP       Registered
    ARC            <1E>  GROUP       Registered

    MAC Address = 00-1D-09-87-2B-71


Right away the address in request changes to 76. Why is that?


Symantec Endpoint Protection gives this:



Event Description: Unsolicited incoming ARP reply detected, this is a kind of MAC spoofing that may consequently do harm to your computer. Packet data is shown in the right window.
Attack Type: MAC Spoofing
Event Time: 10/13/2008 10:43:10
Remote Host IP: 10.0.1.100
Occurrence: 1
Alert: 1
Begin Time: 10/12/2008 22:42:58
End Time: 10/12/2008 22:42:58
Domain Name: Default
Site Name: Site server2
Server Name: server2
Group Name: My Company\team ARC
Computer Name  
Current: maria-pc
When event occurred: maria-pc
 
IP Address  
Current: 10.0.1.82

 
Operating system name: Windows XP Professional
Location Name: Default
User Name: maria
Severity: Minor
Local MAC: 001D09872B71
Remote MAC: 001D092868F4
Hardware Key: F99127C11A4FC6F9A870D8029F5CD7E7
Network Protocol: Other
Traffic Direction: Inbound
Send SNMP trap: 1
Remote Host Name:  
Hack Type: 0
Application Name:


About 20 of those messages came up before the PC got disconnected from the network by the firewall.


There is a thread on symantec forums here:
https://forums.symantec.com/syment/board/message?board.id=endpoint_protection11&message.id=17717&query.id=324180#M17717

But what I really need is way to get down to the bottom of this and see what's causing it in on my network.

Being new to dealing with MAC address I tried things like lookin both of them up in the vendor DB which came up as Dell for both addresses.

I only have 1 network adapter on that PC.

Points are 250.

0
Comment
Question by:Anti-Mhz
  • 4
  • 2
6 Comments
 
LVL 27

Expert Comment

by:Tolomir
ID: 22704137
Could you post an

arp -a

result here too please.

And what is your setup. Are you on a bigger network, or connected to the Internet by cable /DSL / modem ?
0
 
LVL 1

Author Comment

by:Anti-Mhz
ID: 22705038
Interface: 10.0.1.82 --- 0x2
  Internet Address      Physical Address      Type
  10.0.1.1              00-0c-86-3d-4a-b0     dynamic
  10.0.1.100            00-1d-09-28-68-f4     dynamic
  10.0.1.129            00-0f-1f-f8-78-ec     dynamic
  10.0.1.150            00-0d-56-6f-b7-b3     dynamic


.1 - gateway
 .100, .129, .150 - 3 servers

all of these connections should be allowed.

im on a network with 3 servers all running windows 2003 flavors (2 standard and 1 sbs) with 15 workstations.

0
 
LVL 27

Expert Comment

by:Tolomir
ID: 22705346
OK so basically symantec found a computer using IP 10.0.1.76 and you wonder how did it get into your network, right?

Is there anything WLAN related around?

How big is the network (in physical terms) ? Is it permanently installed with wall plugs or are all computers connected on a single switch?




0
Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

 
LVL 1

Author Comment

by:Anti-Mhz
ID: 22705758
actually i mislead u. 76 is the pc im running nbtstat -a from. My mistake. What doesn't change is that

there is a workstation on the network under class D IP of 82 which has SED screaming that there is MAC spoofing going in.  u can see the log in my first post.

this is a small network with 1 switch, 3 servers ( 1 dc), about 15 workstations


0
 
LVL 27

Accepted Solution

by:
Tolomir earned 250 total points
ID: 22705828
OK could be the case that there is a server with 2 network cards for load balancing with one IP.

Thus having 2 networks card with different MACS and one "shared" IP, could result in Symantec shouting crime and murder.

Tolomir


0
 
LVL 27

Expert Comment

by:Tolomir
ID: 22705844
Attack Type: MAC Spoofing
Event Time: 10/13/2008 10:43:10
Remote Host IP: 10.0.1.100

---

.100, .129, .150 - 3 servers

Please check if server .100 is connected with 2 network cards to the switch.
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Wikipedia defines 'Script Kiddies' in this informal way: "In hacker culture, a script kiddie, occasionally script bunny, skiddie, script kitty, script-running juvenile (SRJ), or similar, is a derogatory term used to describe those who use scripts or…
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

706 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now