>Synopsis:      IP Information leakage using MAC address
>Category:      system
>Environment:
        System      : OpenBSD 7.1
        Details     : OpenBSD 7.1 (GENERIC.MP) #3: Sun May 15 10:27:01 MDT 2022
                      r...@syspatch-71-amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP

        Architecture: OpenBSD.amd64
        Machine     : amd64
>Description:
Pretend you're on a large Wi-Fi network at a conference and someone wants to
know your IP address but they only have your MAC address.  Here is a quick and
dirty way of finding your IP address:

./cb -ddc:a6:32:cc:db:a7,192.168.173.254 -I0.0 -PAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAaA

The program is an Ethernet spoofer and allows addressing the MAC address via a
bpf device.  -I0.0 is ICMP type 0 code 0 (echo reply) and -P is just any random
payload.  (Old versions of this program shouldn't work as well.)

Leakage of the primary IP address:

17:16:33.525822 b8:ae:ed:73:a7:6c dc:a6:32:cc:db:a7 0800 112: 192.168.177.13 > 192.168.177.254: icmp: echo reply (id:0000 seq:0) [icmp cksum ok] (ttl 64, id 16785, len 98)
17:16:33.525887 dc:a6:32:cc:db:a7 b8:ae:ed:73:a7:6c 0800 70: 192.168.177.14 > 192.168.177.13: icmp: 192.168.177.254 protocol 1 port 62483 unreachable [icmp cksum ok] (ttl 255, id 29020, len 56)

Also these two work (different subnet):

17:29:51.728721 b8:ae:ed:73:a7:6c dc:a6:32:cc:db:a7 0800 112: 192.168.177.13 > 192.168.173.254: icmp: echo reply (id:0000 seq:0) [icmp cksum ok] (ttl 64, id 7720, len 98)
17:29:51.728780 dc:a6:32:cc:db:a7 b8:ae:ed:73:a7:6c 0800 70: 192.168.177.14 > 192.168.177.13: icmp: 192.168.173.254 protocol 1 port 62483 unreachable [icmp cksum ok] (ttl 255, id 49018, len 56)

And this one (notice the destination IP is 4.3.2.1):

17:30:35.448440 b8:ae:ed:73:a7:6c dc:a6:32:cc:db:a7 0800 112: 192.168.177.13 > 4.3.2.1: icmp: echo reply (id:0000 seq:0) [icmp cksum ok] (ttl 64, id 52302, len 98)
17:30:35.448513 dc:a6:32:cc:db:a7 b8:ae:ed:73:a7:6c 0800 70: 192.168.177.14 > 192.168.177.13: icmp: 4.3.2.1 protocol 1 port 62483 unreachable [icmp cksum ok] (ttl 255, id 16147, len 56)

Here is the /etc/sysctl.conf file of 192.168.177.14:

root@host# more /etc/sysctl.conf
/etc/sysctl.conf: No such file or directory

So there is no forwarding going on.  How can this information leakage be 
stopped?
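Added example, not part of the report: a small detector that reads `tcpdump -e` lines in the format shown above and flags the leak pattern, an ICMP port unreachable whose quoted original destination is not the responder's own source address. The sample capture is the report's first and last frame pairs rejoined onto one line each; the function and field names are my own.

```python
import re
from collections import namedtuple

# Constructed sample: the first and last frame pairs from the report, each
# tcpdump -e record joined back onto a single line.
SAMPLE = """\
17:16:33.525822 b8:ae:ed:73:a7:6c dc:a6:32:cc:db:a7 0800 112: 192.168.177.13 > 192.168.177.254: icmp: echo reply (id:0000 seq:0) [icmp cksum ok] (ttl 64, id 16785, len 98)
17:16:33.525887 dc:a6:32:cc:db:a7 b8:ae:ed:73:a7:6c 0800 70: 192.168.177.14 > 192.168.177.13: icmp: 192.168.177.254 protocol 1 port 62483 unreachable [icmp cksum ok] (ttl 255, id 29020, len 56)
17:30:35.448440 b8:ae:ed:73:a7:6c dc:a6:32:cc:db:a7 0800 112: 192.168.177.13 > 4.3.2.1: icmp: echo reply (id:0000 seq:0) [icmp cksum ok] (ttl 64, id 52302, len 98)
17:30:35.448513 dc:a6:32:cc:db:a7 b8:ae:ed:73:a7:6c 0800 70: 192.168.177.14 > 192.168.177.13: icmp: 4.3.2.1 protocol 1 port 62483 unreachable [icmp cksum ok] (ttl 255, id 16147, len 56)
"""

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# One `tcpdump -e` line for an IPv4 (0800) ICMP frame, in the report's format.
FRAME_RE = re.compile(
    rf"^(?P<ts>\S+) (?P<smac>{MAC}) (?P<dmac>{MAC}) 0800 \d+: "
    rf"(?P<sip>{IP}) > (?P<dip>{IP}): icmp: (?P<msg>.*)$")
# The quoted original destination inside an ICMP port-unreachable message.
UNREACH_RE = re.compile(rf"^(?P<orig_dst>{IP}) protocol \d+ port \d+ unreachable")

Frame = namedtuple("Frame", "ts smac dmac sip dip msg")

def parse(text):
    """Return the ICMP frames in a tcpdump -e capture; other lines are skipped."""
    return [Frame(**m.groupdict())
            for m in (FRAME_RE.match(l.strip()) for l in text.splitlines()) if m]

def find_leaks(frames):
    """Flag unreachables whose quoted destination is not the responder's own IP.

    A host answering from S about a packet that was sent to T != S has told
    the MAC-addressed sender that S is the real IP behind that MAC."""
    leaks = []
    for i, f in enumerate(frames):
        u = UNREACH_RE.match(f.msg)
        if not u or u.group("orig_dst") == f.sip:
            continue
        # The probe that triggered it: sent to this MAC with IP dst == quoted dst.
        probe = next((p for p in frames[:i]
                      if p.dmac == f.smac and p.dip == u.group("orig_dst")), None)
        leaks.append({"mac": f.smac, "leaked_ip": f.sip,
                      "probe_dst": u.group("orig_dst"),
                      "probe_ts": probe.ts if probe else None})
    return leaks
```

Run over a live `tcpdump -e -n icmp` feed on the monitored segment, a non-empty result is a host answering for addresses it does not own.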
>How-To-Repeat:
        Network Ethernet spoofers can do this with tcpdump.
>Fix:
        None provided, this is difficult.


dmesg:
removed.