
MAC Address Broadcasted in TCP/IP Packets?

KeyserSoze

Diamond Member
So, I've been trying to read more on wireless security, and questioned how someone could get access to your network if you had MAC Address filtering on your router and your router password protected. Then, I was told that your MAC Address is sent with data packets, so they can "sniff" it out.

Obviously, I have WPA enabled, so it doesn't matter. But I was wondering if someone had any links on this. Mainly, what I want to see is how data is sent, with respect to TCP/IP packets. Also, I need an explanation of the header as well.

YES, I've searched google, but I can't find exactly what I'm looking for.

Links/articles would be appreciated. You'd be surprised how much trouble I'm having finding something that explains it easily first.

TIA




KeyserSoze
 
Wifi is a broadcast medium, like a hub, so how does your NIC know which packets are destined for it and not the guy with the wifi card sitting next to you? Each packet contains the MAC address of the destination NIC; all you have to do is have a card that will intercept and show you each packet it sees, whether it's associated with an AP or not, and you'll be able to generate a list of valid MAC addresses in under a minute, provided there's traffic.
 
I'd like to offer a minor correction:

The data from above gets "chunkified" into segments at layer four of the OSI (Transport); the segments get further "chunkified" (if necessary) and are put into PACKETS at layer three (Network); the packets are stuffed into FRAMES at layer two (Data-Link); the frames are broken down into whatever protocol-data-unit (PDU) is defined at layer one (Physical) ... usually bits (electrical or optical).

The addressing of the packet at layer three is the IP address (or IPX, AppleTalk, XNS, DecNet ...).

The address at layer two is the MAC address (most frequently Ethernet these days, could be Token Ring, ArcNet, a DLCI on Frame-Relay ...).


Layer Two / Frames / MAC address (aka "Physical address" or "Burned-In Address" - BIA)
Layer three / Packets / IP address (aka "logical address")


The MAC is the most visible address on the segment, to see the IP address, you need to break into the frame and examine the packet. Frames never leave the local segment (they don't pass through routers). The MAC is visible to an analyzer because it is the only address available to get the payload (an IP packet) to the next hop towards the destination.

If you capture traffic on a segment, wireless or otherwise, the MAC will describe who sent it (on that segment) and who is supposed to receive it (on that segment).

With rare exception, a MAC can be manually entered as the local address (aka "Locally Administered Address" - LAA) in the "Advanced" section of the driver parameters. As long as you follow the rules for a MAC definition, you can put any address in as an LAA (like in the Novell days: 0000deadbeef, 0000babeface, 0000feedface, etc).

Once you have captured some traffic (netstumbler, airsnort, etc), you can lift one of the MACs and install it as an LAA and get past the filter. MAC filtering is basically useless as security against anyone but the most lazy or ignorant (especially in fixed installations - like point-to-point bridging).

Pretty much the same for non-broadcast SSID - useless when someone is actively capturing your wireless traffic; the SSID is part of every transmission and quite visible.

WPA is the only secure method for keeping people from breaking into your wireless network ... and if using WPA-PSK, if the PSK is just a word, then it's not very secure either. It is still prone to dictionary or brute-force attacks. The PSK should be a mix of letters and numbers, upper case and lower case, and of a length as long as you can tolerate / remember (up to 63(?) characters).

So it's not "MAC Address Broadcasted in TCP/IP Packets", it's "IP Addresses are included inside MAC Frames".

FWIW

Scott

 
Just to add onto what Scott said:

You really need to understand Layer 2 to understand where the wireless security is at. In WPA/WPA2, the source and destination address fields of the frame are not encrypted, but the data payload is. The SA/DA are where the MAC addresses are located, thus they are not encrypted. I believe the encryption starts after the length/type field.

The data payload in a layer 2 frame is the data from every layer above it. So layer 3 data (including IP addresses) is just encapsulated into the layer 2 frame. Here is a good link to some info you'll want to read up on:
http://www.cisco.com/univercd/...k/ito_doc/ethernet.htm

I have seen technology that does encryption starting at Layer 1. However from what I've read this is only used in government applications and maybe some health care applications too. It's certainly not anything you'd see in a consumer product, or in most enterprises either. I'd imagine a system like that would be *extremely* expensive.
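The two points made by Scott and in the reply above, that IP addresses ride inside the layer-2 frame while the MAC addresses stay in the clear even when the payload is encrypted, can be seen by parsing a frame by hand. This is an added example, not code from the thread; it uses an Ethernet II layout (not the 802.11 header) as a simplification, a constructed frame rather than a real capture, and an XOR scramble as a stand-in for WPA ciphertext:

```python
import struct

# Constructed sample frame (not a real capture): Ethernet II header carrying a
# minimal 20-byte IPv4 header with no options and no transport payload.
SAMPLE_FRAME = bytes.fromhex(
    "001122334455"      # destination MAC, U/L bit clear (burned-in style)
    "0200deadbeef"      # source MAC 02:00:de:ad:be:ef, U/L bit set (an LAA)
    "0800"              # EtherType 0x0800 = IPv4
    "4500001400010000"  # IPv4: ver/IHL, TOS, total length 20, id, flags/frag
    "40060000"          # TTL 64, protocol 6 (TCP), checksum zeroed (constructed)
    "c0a80102"          # source IP 192.168.1.2
    "c0a80101"          # destination IP 192.168.1.1
)

def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def mac_flags(raw):
    """First octet: bit 0 = I/G (multicast), bit 1 = U/L (locally administered).
    A MAC typed in as an LAA should keep the I/G bit clear to be a unicast source."""
    return {"multicast": bool(raw[0] & 0x01), "locally_administered": bool(raw[0] & 0x02)}

def parse_ethernet(frame):
    """Layer 2: the addresses an analyzer sees on the segment, then the payload."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": fmt_mac(dst), "dst_flags": mac_flags(dst),
            "src": fmt_mac(src), "src_flags": mac_flags(src),
            "ethertype": ethertype, "payload": frame[14:]}

def parse_ipv4(payload):
    """Layer 3: IP addresses live inside the frame payload; None if not IPv4."""
    if len(payload) < 20 or payload[0] >> 4 != 4 or (payload[0] & 0x0F) * 4 < 20:
        return None
    src, dst = struct.unpack("!4s4s", payload[12:20])
    return {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst))}

def scramble_payload(frame, key=0x5A):
    """Stand-in for WPA (not real encryption): XOR the payload with a constant so
    it is opaque to the parser while the layer-2 header stays readable."""
    return frame[:14] + bytes(b ^ key for b in frame[14:])

def analyze(frame):
    eth = parse_ethernet(frame)
    ip = parse_ipv4(eth["payload"]) if eth["ethertype"] == 0x0800 else None
    return {"l2_src": eth["src"], "l2_dst": eth["dst"],
            "src_flags": eth["src_flags"], "l3": ip}

if __name__ == "__main__":
    for label, f in (("plaintext", SAMPLE_FRAME),
                     ("payload scrambled", scramble_payload(SAMPLE_FRAME))):
        print(label, analyze(f))
```

With the scrambled payload the IP addresses are unrecoverable, but both MACs and the U/L bit of the source are still readable, which is exactly what a MAC filter is defeated by.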
 
Thanks for the responses. I need to get back to some fundamental readings! I've forgotten all about how the 7 Layer Model works.



KeyserSoze