After you change MAC Address in Unix via
"ifconfig eth[x] hw ether 00:40:8C:6E:11:FF"

I heard that there will be an indicator bit in the network packet which
allows the receiver of the packet to know that they got a spoofed MAC
Address.

However, can someone confirm this and tell me which bit is changed?

Thank you,
/la

Creator of SMAC - MAC Address Spoofer for Windows 2000, XP, 2003
http://www.klcconsulting.net

[ Post a follow-up to this message ]

On Wed, 14 Jun 2006, in the Usenet newsgroup comp.unix.admin, in article
<qYNjg.907$YZ3.666@fe07.lga>, SMAC wrote:

>After you change MAC Address in Unix via
>"ifconfig eth[x] hw ether 00:40:8C:6E:11:FF"

That is Linux, not UNIX.   Did you bother to try that, and if so, sniff
the wire to see what the packet looks like?

>I heard that there will be an indicator bit in the network packet which
>allows the receiver of the packet to know that they got a spoofed MAC
>Address.

Did you review the IEEE documents?

>However, can someone confirm this and tell me which bit is changed?

Is your access to google blocked?   A search term is "Locally administered
address".   Did you think to try news://comp.dcom.lans.ethernet ?

>Creator of SMAC - MAC Address Spoofer for Windows 2000, XP, 2003

Color me really NOT impressed.  "Look at me, supplier to the stars", and
you don't know WTF is in a fourteen _byte_ header with just three lousy
parameters???

Old guy

[ Post a follow-up to this message ]

In article <slrne919mo.179.ibuprofin@compton.phx.az.us>,
ibuprofin@painkiller.example.tld (Moe Trin) wrote:

> On Wed, 14 Jun 2006, in the Usenet newsgroup comp.unix.admin, in article
> <qYNjg.907$YZ3.666@fe07.lga>, SMAC wrote:
> 
>
> That is Linux, not UNIX.   Did you bother to try that, and if so, sniff
> the wire to see what the packet looks like?

I recall being able to do something like that on Solaris years ago.  The
syntax might not have been precisely the same, but it was similar.  And
I just checked my Mac OS X man page, and it also has a similar syntax.

> 
>
> Did you review the IEEE documents?
> 
>
> Is your access to google blocked?   A search term is "Locally administered
> address".   Did you think to try news://comp.dcom.lans.ethernet ?

But since he's selecting the address, nothing forces him to use one with
the Locally Administered bit set?

Which is basically the answer to his question.  There's a bit in the
address that indicates whether it's one that IEEE assigns uniquely
versus one that may be assigned locally (analogous to RFC 1918 IP
addresses).  If you assign an address manually you're *supposed* to use
one of the latter type, to avoid potential conflicts with devices that
use IEEE-assigned address blocks.  But there's nothing that forces this,
so there's no foolproof way to detect use of a spoofed address.

--
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***

[ Post a follow-up to this message ]

On Wed, 14 Jun 2006 19:16:34 -0500, Moe Trin <ibuprofin@painkiller.example.tld> wrote:[vbcol
=seagreen]
> On Wed, 14 Jun 2006, in the Usenet newsgroup comp.unix.admin, in article
><qYNjg.907$YZ3.666@fe07.lga>, SMAC wrote:
> 
>
> That is Linux, not UNIX.   Did you bother to try that, and if so, sniff
> the wire to see what the packet looks like?[/vbcol]

You seem quite don-like today.  Rough day at work or something?

[ Post a follow-up to this message ]

On Wed, 14 Jun 2006 19:16:34 -0500
ibuprofin@painkiller.example.tld (Moe Trin) wrote:

> On Wed, 14 Jun 2006, in the Usenet newsgroup comp.unix.admin, in article
> <qYNjg.907$YZ3.666@fe07.lga>, SMAC wrote:
> 
>
> That is Linux, not UNIX.
And here comes the old linux is not unix talk again...

[ Post a follow-up to this message ]

On Wed, 14 Jun 2006, in the Usenet newsgroup comp.unix.admin, in article
<barmar-8C1945.21155514062006@comcast.dca.giganews.com>, Barry Margolin wrote:
>ibuprofin@painkiller.example.tld (Moe Trin) wrote:
 
[vbcol=seagreen] 
[vbcol=seagreen] 
[vbcol=seagreen]
>I recall being able to do something like that on Solaris years ago.  The
>syntax might not have been precisely the same, but it was similar.  And
>I just checked my Mac OS X man page, and it also has a similar syntax.

Correct Barry - and was it the eth[x], or le0, or hme0, or...

>But since he's selecting the address, nothing forces him to use one with
>the Locally Administered bit set?

And in fact, I haven't seen one do so. I believe the original intent of
the Local/Global bit was that it was to be set if the address was changed
and this "supposedly" prevented spoofing Global Administered Addresses.
However this basically defeats the main purpose of the ability to change.

Old guy

[ Post a follow-up to this message ]

On Wed, 14 Jun 2006, in the Usenet newsgroup comp.unix.admin, in article
<20060614230142.3b645a51.rafaelc@dcc.ufmg.br>, Rafael Almeida wrote:
 
[vbcol=seagreen]
>And here comes the old linux is not unix talk again...

Sorry to disappoint you dude - but I'm not Don Kool, and I support Linux,
FreeBSD and Solaris boxes.   Or, don't you know the difference between
those? It's almost as bad as the difference between BSD and SystemV, so
the subtleties should be obvious.

Old guy

[ Post a follow-up to this message ]

In article <4fbruoF1i2hpdU1@individual.net>,
Dave Hinz <DaveHinz@spamcop.net> writes:
> On Wed, 14 Jun 2006 19:16:34 -0500, Moe Trin <ibuprofin@painkiller.example
.tld> wrote: 
>
> You seem quite don-like today.  Rough day at work or something?

Dave,

Wash your mouth out with soap, NOW!  Do NOT utter the name that shall not
be spoken lest it's bearer suddenly reappear.

Superstitious Ol' Bob

--
Robert G. Melson | Rio Grande MicroSolutions | El Paso, Texas
-----
Under democracy one party always devotes its chief energies to trying to
prove that the other party is unfit to rule---and both commonly succeed,
and are right." ---H. L. Mencken

[ Post a follow-up to this message ]

On Thu, 15 Jun 2006 03:49:01 GMT, Robert Melson <melsonr@aragorn.rgmhome.net> wrote:
> In article <4fbruoF1i2hpdU1@individual.net>,
> 	Dave Hinz <DaveHinz@spamcop.net> writes:
 
[vbcol=seagreen]
> Wash your mouth out with soap, NOW!

I washed it a bit with a nice single-malt Scotch, which is as much
washing as I'll do in this case.

> Do NOT utter the name that shall not
> be spoken lest it's bearer suddenly reappear.

From what I've been told, it is not in a situation which allows
grepping.

[ Post a follow-up to this message ]

In article <slrne91k8f.1ju.ibuprofin@compton.phx.az.us>,
ibuprofin@painkiller.example.tld (Moe Trin) wrote:

> On Wed, 14 Jun 2006, in the Usenet newsgroup comp.unix.admin, in article
> <barmar-8C1945.21155514062006@comcast.dca.giganews.com>, Barry Margolin wr
ote: 
> 
> 
> 
> 
>
> Correct Barry - and was it the eth[x], or le0, or hme0, or...
> 
>
> And in fact, I haven't seen one do so. I believe the original intent of
> the Local/Global bit was that it was to be set if the address was changed
> and this "supposedly" prevented spoofing Global Administered Addresses.
> However this basically defeats the main purpose of the ability to change.

I suppose some manufacturers could design the NICs so that they won't
allow you to set the address to a Global address, or automatically turn
on the Local bit whenever the address is set.  But one of the original
reasons for allowing settable MAC addresses was to support protocols
like DECnet, where the MAC address is derived from the Layer 3 address;
are DECnet addresses local or global?

--
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***

[ Post a follow-up to this message ]