On Mon, Aug 22, 2022 at 06:04:17PM +0200, [email protected] wrote:
> >Synopsis:	IP Information leakage using MAC address
> >Category:	system
> >Environment:
> 	System      : OpenBSD 7.1
> 	Details     : OpenBSD 7.1 (GENERIC.MP) #3: Sun May 15 10:27:01 MDT 2022
> 			 [email protected]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> 
> 	Architecture: OpenBSD.amd64
> 	Machine     : amd64
> >Description:
> 	Pretend you're on a large Wifi network at a conference and someone wants to
> 	know your IP address but they only have your MAC address. Here is a quick
> 	and dirty way of finding your IP address:
> 
> 	./cb -ddc:a6:32:cc:db:a7,192.168.173.254 -I0.0 -PAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAaA
> 
> 	The program is an ethernet spoofer and allows addressing the MAC address via a
> 	bpf device. -I0.0 is icmp type 0 code 0 (echo reply) and -P is just any random
> 	payload. (old versions of this program shouldn't work as well).
> 
> 	leakage of primary IP address:
> 
> 	17:16:33.525822 b8:ae:ed:73:a7:6c dc:a6:32:cc:db:a7 0800 112: 192.168.177.13 > 192.168.177.254: icmp: echo reply (id:0000 seq:0) [icmp cksum ok] (ttl 64, id 16785, len 98)
> 	17:16:33.525887 dc:a6:32:cc:db:a7 b8:ae:ed:73:a7:6c 0800 70: 192.168.177.14 > 192.168.177.13: icmp: 192.168.177.254 protocol 1 port 62483 unreachable [icmp cksum ok] (ttl 255, id 29020, len 56)
Do you have a "block return" in your pf.conf?  Does it work differently
if you disable pf with pfctl -d?  How does your pf.conf filter to such
packets?

Note that sending an error reply to packets that cannot be processed
is not uncommon and sometimes required to make the network behave
smoothly.

bluhm

> 
> 	Also these two work (different subnet):
> 
> 	17:29:51.728721 b8:ae:ed:73:a7:6c dc:a6:32:cc:db:a7 0800 112: 192.168.177.13 > 192.168.173.254: icmp: echo reply (id:0000 seq:0) [icmp cksum ok] (ttl 64, id 7720, len 98)
> 	17:29:51.728780 dc:a6:32:cc:db:a7 b8:ae:ed:73:a7:6c 0800 70: 192.168.177.14 > 192.168.177.13: icmp: 192.168.173.254 protocol 1 port 62483 unreachable [icmp cksum ok] (ttl 255, id 49018, len 56)
> 
> 	and this one (notice destination IP is 4.3.2.1):
> 
> 	17:30:35.448440 b8:ae:ed:73:a7:6c dc:a6:32:cc:db:a7 0800 112: 192.168.177.13 > 4.3.2.1: icmp: echo reply (id:0000 seq:0) [icmp cksum ok] (ttl 64, id 52302, len 98)
> 	17:30:35.448513 dc:a6:32:cc:db:a7 b8:ae:ed:73:a7:6c 0800 70: 192.168.177.14 > 192.168.177.13: icmp: 4.3.2.1 protocol 1 port 62483 unreachable [icmp cksum ok] (ttl 255, id 16147, len 56)
> 
> 	Here is the /etc/sysctl.conf file of 192.168.177.14:
> 
> 	root@host# more /etc/sysctl.conf
> 	/etc/sysctl.conf: No such file or directory
> 
> 	So there is no forwarding going on. How can this information leakage be
> 	stopped?
> 
> >How-To-Repeat:
> 	network ethernet spoofers can do this with tcpdump.
> 
> >Fix:
> 	None provided, this is difficult.
> 
> 
> 	dmesg:
> 	removed.
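As an added example, not part of the thread: a small check over tcpdump -e style lines such as the ones quoted in the report that flags ICMP unreachable messages the host sent in answer to a datagram whose destination was not one of its own addresses, which is exactly the pattern that reveals the address to a sender who only knew the MAC. The set of local addresses and the extra benign sample line are constructed for illustration; the other sample lines are the captures from the report.

```python
import re
from typing import Iterable

# Shape of a tcpdump -e line as quoted in the report:
# "<time> <src mac> <dst mac> 0800 <len>: <src ip> > <dst ip>: icmp: <rest>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<smac>[0-9a-f:]{17}) (?P<dmac>[0-9a-f:]{17}) 0800 \d+: "
    r"(?P<src>\d+\.\d+\.\d+\.\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+): icmp: (?P<rest>.*)$"
)
# The <rest> of an ICMP unreachable starts with the destination of the
# original datagram that pf or the IP stack quoted back to the sender.
UNREACH_RE = re.compile(r"^(?P<odst>\d+\.\d+\.\d+\.\d+) .*\bunreachable\b")


def find_leaks(lines: Iterable[str], local_addrs: set[str]) -> list[dict]:
    """One record per ICMP unreachable sent from a local address in answer
    to a datagram that was not addressed to any local address. An
    unreachable quoting one of our own addresses (e.g. a closed UDP port)
    is normal and is not reported."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        u = UNREACH_RE.match(m["rest"])
        if not u:
            continue
        if m["src"] in local_addrs and u["odst"] not in local_addrs:
            hits.append({"ts": m["ts"], "leaked": m["src"],
                         "to": m["dst"], "original_dst": u["odst"]})
    return hits


# Constructed sample: two leak pairs from the report plus one benign
# port unreachable for a local address (constructed, not from the report).
SAMPLE = """\
17:16:33.525822 b8:ae:ed:73:a7:6c dc:a6:32:cc:db:a7 0800 112: 192.168.177.13 > 192.168.177.254: icmp: echo reply (id:0000 seq:0) [icmp cksum ok] (ttl 64, id 16785, len 98)
17:16:33.525887 dc:a6:32:cc:db:a7 b8:ae:ed:73:a7:6c 0800 70: 192.168.177.14 > 192.168.177.13: icmp: 192.168.177.254 protocol 1 port 62483 unreachable [icmp cksum ok] (ttl 255, id 29020, len 56)
17:30:35.448440 b8:ae:ed:73:a7:6c dc:a6:32:cc:db:a7 0800 112: 192.168.177.13 > 4.3.2.1: icmp: echo reply (id:0000 seq:0) [icmp cksum ok] (ttl 64, id 52302, len 98)
17:30:35.448513 dc:a6:32:cc:db:a7 b8:ae:ed:73:a7:6c 0800 70: 192.168.177.14 > 192.168.177.13: icmp: 4.3.2.1 protocol 1 port 62483 unreachable [icmp cksum ok] (ttl 255, id 16147, len 56)
17:31:00.000000 dc:a6:32:cc:db:a7 b8:ae:ed:73:a7:6c 0800 70: 192.168.177.14 > 192.168.177.13: icmp: 192.168.177.14 udp port 9999 unreachable [icmp cksum ok] (ttl 255, id 1, len 56)
""".splitlines()

LOCAL = {"192.168.177.14"}  # assumed address set of the monitored host

if __name__ == "__main__":
    for hit in find_leaks(SAMPLE, LOCAL):
        print(hit)
```

The check is one way to confirm bluhm's hypothesis on a live capture: with a pf `block return` rule, blocked packets are answered with a TCP RST or an ICMP unreachable sent from the host's own address, whereas the default `block drop` discards them silently.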
