On 25/06/2019 16.44, Dave Howorth wrote:
On Tue, 25 Jun 2019 16:12:45 +0200 "Carlos E. R." <robin.listas@telefonica.net> wrote:
On 25/06/2019 15.34, Dave Howorth wrote:
On Mon, 24 Jun 2019 18:44:58 +0200 "Carlos E. R." <> wrote:
...
So that should stop things phoning home.
I think so, unless they use some "clever" trick I can't think of.
For instance, an evil someone could listen to the traffic, see an IP that is authorized to get out, and when that IP is not running, pose as it.
I don't know what happens if a device tries to spoof an IP address. I'll ask them if I can't find an answer in the docs.
Them who? :-?
AVM
The router manufacturer? Just force two machines (even two virtual ones) to the same IP and watch the router log. Possibly also watch traffic on both machines with wireshark.
In the scenario I related, as the "bad thing" uses that IP when it sees the machine that owns it is off the LAN, it would probably achieve its goal. You would not be able to stop it. It might spoof both the IP and the MAC. Perhaps by using a proxy and some authorization method.
Ah, I hadn't realized how easy it is to spoof a MAC address. When did that happen? How did I miss it? (the last is rhetorical of course) :)
Long ago. MS-DOS. Apparently there were good reasons to support it - maybe to replace the card on a machine that connected on a corporate network that authorized only the known MAC. I'm not sure if I ever used the feature on real machines. On virtual machines, yes, often. Each time I replicate a machine, for instance.
Of course, when the correct machine goes back on the LAN there would be problems. The router would see the collision. But so might the rogue device, which would then go back to the correct MAC/IP to avoid corrective action.
Detecting the collision when an isolating switch is used might not be possible by the clients, because they don't see the full traffic, only their own. On WiFi things may be different, I'm unsure. And of course, the router might try to tell the clients that there is a collision (how, I do not know for sure), or it might close the port (the cable) connected to one of the two or both.
If the router knows the rogue machine is on DHCP, it would try to assign another IP. You would see nothing, only that when the good machine connects again DHCP would simply give it another address. The problem would be if the bad machine also spoofs the MAC.
I tend to assign static IP addresses on the LAN so something might notice. I asked AVM what was logged in such circumstances.
But I'm not a "bad hacker", this is not my stuff ;-)
Evidently more of a hacker than me ;)
But I invented all the above, I have not read it up. They would know every trick and strategy and counter. Surely they can invent more.

-- 
Cheers / Saludos,
Carlos E. R. (from 15.0 x86_64 at Telcontar)
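
The checks discussed in this thread (a static IP/MAC assignment, and the collision when the real owner comes back), as an added example that is not part of any message above. It assumes the router or switch can export per-port sightings of (IP, MAC), which the thread does not confirm for AVM devices; the inventory, addresses and port names are constructed.

```python
from collections import namedtuple

# One sighting of an address pair on a switch/router port; t is in seconds.
Obs = namedtuple("Obs", "t port ip mac")

# Constructed static inventory (assumption): ip -> (mac, usual port).
INVENTORY = {
    "192.168.178.20": ("02:00:00:aa:00:20", "lan1"),
    "192.168.178.21": ("02:00:00:aa:00:21", "lan2"),
}

# Constructed sightings covering the cases raised in the thread.
SAMPLE = [
    Obs(0,   "lan1", "192.168.178.20", "02:00:00:aa:00:20"),  # normal
    Obs(10,  "lan3", "192.168.178.21", "02:00:00:bb:00:99"),  # IP reused, other MAC
    Obs(500, "lan3", "192.168.178.20", "02:00:00:aa:00:20"),  # IP and MAC both copied
    Obs(520, "lan1", "192.168.178.20", "02:00:00:aa:00:20"),  # owner returns
]

def audit(observations, inventory, window=60):
    """Return (t, kind, ip, port) findings, in time order."""
    findings = []
    last_seen = {}  # ip -> (t, port) of the previous sighting
    for o in sorted(observations, key=lambda o: o.t):
        known = inventory.get(o.ip)
        if known is None:
            findings.append((o.t, "unknown_ip", o.ip, o.port))
        else:
            mac, port = known
            if o.mac.lower() != mac.lower():
                # Static assignment violated: only the IP was taken over.
                findings.append((o.t, "mac_mismatch", o.ip, o.port))
            elif o.port != port:
                # IP and MAC match, so only the physical port gives it away.
                findings.append((o.t, "port_move", o.ip, o.port))
        prev = last_seen.get(o.ip)
        if prev and prev[1] != o.port and o.t - prev[0] <= window:
            # Same IP live on two ports within the window.
            findings.append((o.t, "collision", o.ip, o.port))
        last_seen[o.ip] = (o.t, o.port)
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE, INVENTORY):
        print(finding)
```

The `port_move` case is the one a client behind an isolating switch cannot see for itself, since only the device that owns the ports observes both sightings.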