>Synopsis:      IP information leakage using MAC address
>Category:      system
>Environment:
	System      : OpenBSD 7.1
	Details     : OpenBSD 7.1 (GENERIC.MP) #3: Sun May 15 10:27:01 MDT 2022
			 r...@syspatch-71-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP

	Architecture: OpenBSD.amd64
	Machine     : amd64
>Description:
	Pretend you're on a large WiFi network at a conference and someone wants
	to know your IP address, but they only have your MAC address. Here is a
	quick and dirty way of finding your IP address:

	./cb -ddc:a6:32:cc:db:a7,192.168.173.254 -I0.0 -PAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAaA

	The program is an ethernet spoofer that allows addressing the frame to a
	MAC address via a bpf device. -I0.0 is ICMP type 0 code 0 (echo reply)
	and -P is just any random payload. (Older versions of this program won't
	necessarily work as well.)

	Leakage of the primary IP address:

	17:16:33.525822 b8:ae:ed:73:a7:6c dc:a6:32:cc:db:a7 0800 112: 192.168.177.13 > 192.168.177.254: icmp: echo reply (id:0000 seq:0) [icmp cksum ok] (ttl 64, id 16785, len 98)
	17:16:33.525887 dc:a6:32:cc:db:a7 b8:ae:ed:73:a7:6c 0800 70: 192.168.177.14 > 192.168.177.13: icmp: 192.168.177.254 protocol 1 port 62483 unreachable [icmp cksum ok] (ttl 255, id 29020, len 56)

	These two also work (different subnet):

	17:29:51.728721 b8:ae:ed:73:a7:6c dc:a6:32:cc:db:a7 0800 112: 192.168.177.13 > 192.168.173.254: icmp: echo reply (id:0000 seq:0) [icmp cksum ok] (ttl 64, id 7720, len 98)
	17:29:51.728780 dc:a6:32:cc:db:a7 b8:ae:ed:73:a7:6c 0800 70: 192.168.177.14 > 192.168.177.13: icmp: 192.168.173.254 protocol 1 port 62483 unreachable [icmp cksum ok] (ttl 255, id 49018, len 56)

	And this one (notice the destination IP is 4.3.2.1):

	17:30:35.448440 b8:ae:ed:73:a7:6c dc:a6:32:cc:db:a7 0800 112: 192.168.177.13 > 4.3.2.1: icmp: echo reply (id:0000 seq:0) [icmp cksum ok] (ttl 64, id 52302, len 98)
	17:30:35.448513 dc:a6:32:cc:db:a7 b8:ae:ed:73:a7:6c 0800 70: 192.168.177.14 > 192.168.177.13: icmp: 4.3.2.1 protocol 1 port 62483 unreachable [icmp cksum ok] (ttl 255, id 16147, len 56)

	In every case the host answers a frame that was addressed to its MAC but
	to an IP address that is not its own, and the ICMP error it sends back
	carries its real address (192.168.177.14) as the source.

	Here is the /etc/sysctl.conf file of 192.168.177.14:

	root@host# more /etc/sysctl.conf
	/etc/sysctl.conf: No such file or directory

	So no forwarding has been enabled. How can this information leakage be
	stopped?

>How-To-Repeat:
	Network ethernet spoofers can do this; observe the result with tcpdump.
>Fix:
	None provided; this is difficult.

dmesg: removed.
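Added example (not part of the report, and not OpenBSD code): a small detector for the pattern the report's tcpdump output shows, written from the defender's side. It parses tcpdump text lines in the same layout as those quoted above and flags any frame that was delivered to the host's MAC address but carried an IP destination that is not one of the host's own addresses, then confirms the leak by looking for the host's ICMP error that quotes that bogus destination. The sample lines are constructed in the report's format and reuse the report's own MAC and IP values; the host MAC, the host address set and the benign echo request/reply pair at the end are assumptions for the demonstration.

```python
"""Flag the MAC-to-IP leak pattern from the report in tcpdump text output.

Constructed sample: the three probe/response pairs from the report plus one
benign echo request/reply that must not be flagged.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

SAMPLE_LINES = """
17:16:33.525822 b8:ae:ed:73:a7:6c dc:a6:32:cc:db:a7 0800 112: 192.168.177.13 > 192.168.177.254: icmp: echo reply (id:0000 seq:0) [icmp cksum ok] (ttl 64, id 16785, len 98)
17:16:33.525887 dc:a6:32:cc:db:a7 b8:ae:ed:73:a7:6c 0800 70: 192.168.177.14 > 192.168.177.13: icmp: 192.168.177.254 protocol 1 port 62483 unreachable [icmp cksum ok] (ttl 255, id 29020, len 56)
17:29:51.728721 b8:ae:ed:73:a7:6c dc:a6:32:cc:db:a7 0800 112: 192.168.177.13 > 192.168.173.254: icmp: echo reply (id:0000 seq:0) [icmp cksum ok] (ttl 64, id 7720, len 98)
17:29:51.728780 dc:a6:32:cc:db:a7 b8:ae:ed:73:a7:6c 0800 70: 192.168.177.14 > 192.168.177.13: icmp: 192.168.173.254 protocol 1 port 62483 unreachable [icmp cksum ok] (ttl 255, id 49018, len 56)
17:30:35.448440 b8:ae:ed:73:a7:6c dc:a6:32:cc:db:a7 0800 112: 192.168.177.13 > 4.3.2.1: icmp: echo reply (id:0000 seq:0) [icmp cksum ok] (ttl 64, id 52302, len 98)
17:30:35.448513 dc:a6:32:cc:db:a7 b8:ae:ed:73:a7:6c 0800 70: 192.168.177.14 > 192.168.177.13: icmp: 4.3.2.1 protocol 1 port 62483 unreachable [icmp cksum ok] (ttl 255, id 16147, len 56)
17:31:00.000000 b8:ae:ed:73:a7:6c dc:a6:32:cc:db:a7 0800 98: 192.168.177.13 > 192.168.177.14: icmp: echo request (id:1234 seq:1) [icmp cksum ok] (ttl 64, id 1, len 84)
17:31:00.000100 dc:a6:32:cc:db:a7 b8:ae:ed:73:a7:6c 0800 98: 192.168.177.14 > 192.168.177.13: icmp: echo reply (id:1234 seq:1) [icmp cksum ok] (ttl 255, id 2, len 84)
""".strip().splitlines()

# Assumed identity of the monitored host (the report's 192.168.177.14 box).
HOST_MAC = "dc:a6:32:cc:db:a7"
HOST_IPS = {"192.168.177.14"}

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
IP4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# Layout of one tcpdump -e line as quoted in the report:
#   <time> <src mac> <dst mac> 0800 <len>: <src ip> > <dst ip>: icmp: <body>
LINE_RE = re.compile(
    rf"^(?P<ts>\d{{2}}:\d{{2}}:\d{{2}}\.\d+) (?P<smac>{MAC}) (?P<dmac>{MAC}) "
    rf"0800 \d+: (?P<sip>{IP4}) > (?P<dip>{IP4}): icmp: (?P<body>.*)$"
)
# Body of the host's ICMP error, which quotes the original destination.
UNREACH_RE = re.compile(rf"^(?P<orig_dst>{IP4}) protocol \d+ port \d+ unreachable")


@dataclass
class Frame:
    ts: str
    smac: str
    dmac: str
    sip: str
    dip: str
    body: str


def parse_line(line: str) -> Optional[Frame]:
    """Parse one tcpdump line; None for lines not in the expected layout."""
    m = LINE_RE.match(line.strip())
    return Frame(**m.groupdict()) if m else None


def is_misaddressed(frame: Frame, host_mac: str, host_ips: Set[str]) -> bool:
    """Layer 2 says 'this host', layer 3 says 'someone else': the probe shape.

    A host that forwards packets would legitimately see such frames; the
    report's host does not forward, so here every one of them is suspect.
    """
    return frame.dmac == host_mac and frame.dip not in host_ips


def find_leaks(lines: Iterable[str], host_mac: str, host_ips: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (probe time, bogus destination, address leaked) for each confirmed leak.

    A leak is a misaddressed inbound frame followed by an ICMP unreachable
    from the host, sent back to the prober's MAC, that quotes the bogus
    destination; the source IP of that error is what the prober learned.
    """
    frames = [f for f in map(parse_line, lines) if f is not None]
    leaks: List[Tuple[str, str, str]] = []
    for i, probe in enumerate(frames):
        if not is_misaddressed(probe, host_mac, host_ips):
            continue
        for reply in frames[i + 1:]:
            if reply.smac != host_mac or reply.dmac != probe.smac:
                continue
            m = UNREACH_RE.match(reply.body)
            if m and m.group("orig_dst") == probe.dip:
                leaks.append((probe.ts, probe.dip, reply.sip))
                break
    return leaks


if __name__ == "__main__":
    for ts, bogus_dst, leaked in find_leaks(SAMPLE_LINES, HOST_MAC, HOST_IPS):
        print(f"{ts}: probe to {bogus_dst} answered, host address {leaked} disclosed")
```

The benign echo request at the end of the sample is addressed to the host's real IP and is not reported, so the predicate in is_misaddressed is also the shape of a mitigation: a packet filter that drops inbound frames whose IP destination is not a local address (pf's `self` keyword matches all of a host's own addresses) stops the stack from ever generating the ICMP error, at the cost of breaking nothing on a non-forwarding host.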