Skip to main content

can MAC address help to identify an attacker?

More
18 years 10 months ago #12539 by n_arvind2000
can MAC address help to identify an attacker? was created by n_arvind2000
Can anyone tell me how MAC address will be helpful in identifying an attacker?

In 2 scenario's!

If a direct connection is there and also if a gateway is in between?
More
18 years 10 months ago #12545 by TheBishop
Replied by TheBishop on topic MAC Address
The MAC address is the only thing that you can be reasonably certain will uniquely identify the source machine. Of course it is even possible to spoof a MAC address or change the address burned into the machine's NIC but that's another subject. On a direct connection where you are on the same segment, the MAC address of the attacker identifies the machine that sourced the attack. If a gateway is between you and the attacker then the attack packets will contain the source MAC address of the gateway. So you'd then have to go to the gateway and query its ARP cache to find out the address of the offending machine. If there are several gateways in the path you'd need to repeat this for each gateway until you got to the home network of the attacker. Obviously this is only feasible where all the gateways are under your control and you have access to them
More
18 years 10 months ago #12546 by naughtypaul
Replied by naughtypaul on topic Re: can MAC address help to identify an attacker?
Hi Bishop

Can you brief out the concept of Quering the Gateway for the ARP Cache...

Thanks
Paul 8)
Thanks
NaughtyPaul
More
18 years 10 months ago #12547 by TheBishop
Replied by TheBishop on topic ARP Cache
It depends on what the gateway device is, because each manufacturer has different commands for doing this. However basically you'd connect to the device using web interface or a telnet session then enter the appropriate command. On a Cisco router you use the command Show Arp in EXEC mode
More
18 years 10 months ago #12548 by n_arvind2000
Replied by n_arvind2000 on topic Re: can MAC address help to identify an attacker?
Thanks Bishop for ur reply!

If gateway is in the path then the gateway replaces the MAC address of the sender with its own address. As a result, you can trace the attack to the gateway only.(Unless you have the control over the gateway.)
If there is no control over the gateway will it be feasible to know abt the details of the attacker?
More
18 years 10 months ago #12584 by TheBishop
Replied by TheBishop on topic Attacker
You won't be able to use this method to find the MAC address if you can't query the gateway/router. However there are possibilities. First, sometimes it is possible to dump the MAC address table of a device using SMNP is the device supports it and you know (or can discover) the community strings. Secondly, even without the MAC address you can discover things about an attacker. The IP address will tell you the subnet they are on which may narrow it down to a particular building or floor within a company. Or if across the internet then do a DNS lookup which may give you details on the owner of the domain or the ISP
Time to create page: 0.140 seconds