MAC Adapters Curb on SLIP/PPP : Tools Sanitization
==================================================

http://triosec.secniche.org

Abstract:

An adapter connection over SLIP/PPP shows problematic behaviour when certain tools are used. The problem most of these tools run into is getting the right adapter information; as a result, a number of tools do not respond well. An example is the TCP-based traceroute for the Windows platform, tracetcp.

tcptraceroute is a tool that uses TCP to trace the path to a destination on Linux. The equivalent implementation on Windows is tracetcp. The problem arises when this tool fails to respond over SLIP/PPP. Let's see:

D:\tools>tracetcp -?
Usage: tracetcp host [options]
  where host = hostName|ipAddress[:portNumber|serviceName]
  if portNumber or serviceName is not present then port 80 (http) is assumed.

Options:
  -?            Displays help information.
  -F            Disables the Anti-flood timer.
  -R            Use Raw Sockets to send packets.
  -c            Select condensed output mode.
  -g address    Send to remote host using specified gateway.
  -h start_hop  Starts trace at hop specified.
  -m max_hops   Maximum number of hops to reach target.
  -n            No reverse DNS lookups for each node.
  -p num_pings  # of pings per hop (default 3).
  -r p1 p2      Multiple traces from port p1 to p2.
  -s p1 p2      Scan ports p1 to p2. Eqiv of: -cnr p1 p2 -h 128 -m 1 -p 1
  -t timeout    Wait timeout milliseconds for each reply.
  -v            Displays version information.

Examples:
  tracetcp www.microsoft.com:80 -m 60
  tracetcp post.sponge.com:smtp
  tracetcp 192.168.0.1 -n -t 500

D:\tools>tracetcp www.google.com:80 -m 60 -n -t 100
Error retrieving the MAC address of the adapter.

So the response is that the MAC address of the adapter cannot be verified or retrieved by the program. It is better, then, to have a look at the ARP table or cache entries. As we are querying the system interfaces, the simplest way to get at them is with the [getmac] and [arp -a] tools. They give a clear picture of the ARP entries currently present.
D:\tools>arp -a
No ARP Entries Found

D:\tools>getmac

Physical Address    Transport Name
=================== ==========================================================
Disabled            Disconnected
00-14-22-DD-FE-BA   \Device\Tcpip_{4F763D29-98B2-43AF-A94C-25EBCF61AE5C}
00-13-CE-61-5E-75   Media disconnected
Disabled            Disconnected
Disabled            Disconnected

The ARP table is empty, so no ARP cache entry is involved. But one of the working adapters is configured and in a good state: the device is properly initialised and active. Why, then, does the tool fail to retrieve the adapter's MAC? I have found many tools that follow the same structure and fail in the same way. Most of these tools are based on packet crafting. Let's check the IP configuration.

D:\tools>ipconfig /all

Windows IP Configuration

        Host Name . . . . . . . . . . . . : kn0ck
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Unknown
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Wireless Network Connection:

        Media State . . . . . . . . . . . : Media disconnected
        Description . . . . . . . . . . . : Intel(R) PRO/Wireless 2200BG Network Connection
        Physical Address. . . . . . . . . : 00-13-CE-61-5E-75

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Broadcom 440x 10/100 Integrated Controller
        Physical Address. . . . . . . . . : 00-14-22-DD-FE-BA
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        Autoconfiguration IP Address. . . : 169.254.197.137
        Subnet Mask . . . . . . . . . . . : 255.255.0.0
        Default Gateway . . . . . . . . . :

PPP adapter [BSNL]:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
        Physical Address. . . . . . . . . : 00-53-45-00-00-00
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 59.94.184.65
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
        Default Gateway . . . . . . . . . : 59.94.184.65
        DNS Servers . . . . . . . . . . . : 218.248.240.79
                                            218.248.240.135
        NetBIOS over Tcpip. . . . . . . . : Disabled

As shown above, the two Ethernet adapters have a MAC defined, and the IP configuration shows the same pattern. But the PPP adapter is also configured: it is an ADSL modem used for the Point-to-Point Protocol. On many different systems using a SLIP/PPP connection, the device carries the same standard physical address. As the RFC states, no physical address is required when using a PPP connection. Even though the local adapters are configured with IP addresses, in the real scenario no physical address is used to initiate a connection over PPP. The system's Ethernet card only provides a working interface to the ADSL modem connected for broadband service. So it looks as though a MAC is used, but no real use is made of the MAC address as such. That is why most such tools fail: the MAC address cannot be retrieved when a system runs its network connection over SLIP/PPP.

____________
0kn0ck
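The failure described above comes down to a tool assuming that the adapter holding the default route has a usable Ethernet MAC. The following Python script is an added example, not code from the original post or from tracetcp: it parses the text format of `ipconfig /all`, picks the egress adapter (the one with a default gateway), and decides whether hand-built link-layer frames are possible on it or whether the tool should fall back to an IP-level socket and let the OS do the framing. The sample listing is constructed after the page's output, with its addresses replaced by documentation ranges (RFC 5737 IPs, RFC 7042 MACs); the function names, the mode labels and the fallback policy are this example's own assumptions.

```python
"""Classify adapters from `ipconfig /all` text and decide whether a
packet-crafting tool may rely on a link-layer (MAC) address for its egress
interface.  Added example; SAMPLE below is constructed, not real host data."""
import re
from dataclasses import dataclass, field

# The page's listing shows this fixed address on its WAN (PPP/SLIP) interface
# and notes that other PPP systems carry the same one: it is a placeholder,
# not an Ethernet address a tool can build frames with.
PPP_PLACEHOLDER_MAC = "00-53-45-00-00-00"

MAC_RE = re.compile(r"^[0-9A-F]{2}(?:-[0-9A-F]{2}){5}$")
HEADER_RE = re.compile(r"^(\w+) adapter (.+):\s*$")          # "PPP adapter X:"
FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z \-]*?)[ .]*:\s*(.*)$")  # dotted rows
CONT_RE = re.compile(r"^\s+(\S.*)$")                         # wrapped values


@dataclass
class Adapter:
    kind: str                                  # "Ethernet" or "PPP", as printed
    name: str
    fields: dict = field(default_factory=dict)  # row label -> list of values

    def first(self, key):
        return self.fields.get(key, [""])[0]

    @property
    def mac(self):
        return self.first("Physical Address")

    @property
    def gateway(self):
        return self.first("Default Gateway")

    @property
    def connected(self):
        return self.first("Media State") != "Media disconnected"


def parse_ipconfig(text):
    """Turn ipconfig /all output into Adapter records (global block skipped)."""
    adapters, current, last_key = [], None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = HEADER_RE.match(line)
        if m:
            current = Adapter(kind=m.group(1), name=m.group(2).strip())
            adapters.append(current)
            last_key = None
            continue
        if current is None:                    # "Windows IP Configuration" block
            continue
        m = FIELD_RE.match(line)
        if m:
            last_key = m.group(1).strip()
            current.fields[last_key] = [m.group(2).strip()]
            continue
        m = CONT_RE.match(line)                # e.g. a second DNS server line
        if m and last_key:
            current.fields[last_key].append(m.group(1).strip())
    return adapters


def link_layer_usable(a):
    """Only an up Ethernet adapter with a real MAC can carry hand-built frames."""
    return (a.kind == "Ethernet" and a.connected
            and a.mac != PPP_PLACEHOLDER_MAC and MAC_RE.match(a.mac) is not None)


def egress_adapter(adapters):
    """The adapter that owns the default route is the one a trace leaves by."""
    return next((a for a in adapters if a.gateway), None)


def choose_send_mode(adapters):
    """Return (mode, adapter name).  Insisting on 'ethernet-frames' is what
    breaks on a PPP link; 'ip-socket' means build the probe at the IP layer
    (raw IP socket, TTL via setsockopt) and let the OS handle link framing."""
    a = egress_adapter(adapters)
    if a is None:
        return ("none", None)
    return ("ethernet-frames" if link_layer_usable(a) else "ip-socket", a.name)


SAMPLE = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : example-host

Ethernet adapter Wireless Network Connection:

        Media State . . . . . . . . . . . : Media disconnected
        Physical Address. . . . . . . . . : 00-00-5E-00-53-01

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Physical Address. . . . . . . . . : 00-00-5E-00-53-02
        Autoconfiguration IP Address. . . : 169.254.0.10
        Default Gateway . . . . . . . . . :

PPP adapter ExampleISP:

        Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
        Physical Address. . . . . . . . . : 00-53-45-00-00-00
        IP Address. . . . . . . . . . . . : 203.0.113.7
        Default Gateway . . . . . . . . . : 203.0.113.7
        DNS Servers . . . . . . . . . . . : 192.0.2.53
                                            192.0.2.54
"""

if __name__ == "__main__":
    found = parse_ipconfig(SAMPLE)
    for a in found:
        print(f"{a.kind:8} {a.name:28} mac={a.mac or '-':18} "
              f"link-layer usable: {link_layer_usable(a)}")
    print("send mode:", choose_send_mode(found))
```

On the constructed listing the wired adapter is the only one where frames could be built, but the default route sits on the PPP interface with the placeholder address, so the script reports `ip-socket` for it instead of erroring out the way tracetcp does. A tool written this way still works on the page's setup, and on a plain Ethernet LAN it keeps its raw-frame path.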