  mister444
@comcast.net
| MAC spoofing
I have users on my free public wireless network that are employees. I have reason to believe they are spoofing their MAC address to get onto the network since we block all of our laptops using MAC filtering. I am looking for a way to gain access to their machines to see if they have MAC spoofing software installed since that seems to be the only way I can be sure they are spoofing. I can assure you that the computers in question are company owned and this request is not for malicious intent. I know, why believe me. I am just looking to be able to prove that MAC spoofing is going on so that the proper measures can be taken against the offenders. Any info would be appreciated. I do have complete access to our wired and wireless network and can sniff all data but I cannot seem to figure out how to get access to the hard drives of the offenders. |
|
  nwrickert sand groper Premium,MVM join:2004-09-04 Geneva, IL | I'm not sure what you are expecting to find. "Mac spoofing software" can just be an operating system or a card driver. -- AT&T dsl; Speedstream 5100b modem; Zyxel NBG334W router; openSuSE 11.0; firefox 3.0.13 |
|
  mister444
@comcast.net
| reply to mister444 Our wireless cards do not allow changing the MAC address without using software. I have heard by word of mouth that they have MAC spoofing software installed that changes their MAC address each time they boot the laptop. I just need to find proof of it before we can prove they are doing it. We are trying to do this behind the scenes because we do not want to alert others that we know what they are doing. If push comes to shove we will just take their laptops from them and then search the machine. I do not have much experience trying to remotely break into machines. I am just looking for ideas. We also have Cisco WCS for our wireless controllers but it is not much help at this point. |
|
 docrice
join:2008-03-31 Fremont, CA
| reply to mister444 One thing you could try (assuming these are Windows machines that you have administrative access on) is to perform WMI-based verifications of the hardware and compare it to the hardware address registered "in memory" (so to speak). If there's a difference, proceed to the next step and do a process list dump and scan the file system for unknown software, assuming that you have a baseline setup to reference against. Some of the Sysinternals tools might come in handy.
If the "hardware address changing software" is registered in the OS, you can probably use a WMI script to grab the info or do a psinfo -s.
These are all just ideas though, not saying I've tried these exactly. |
|
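An added example, not part of docrice's post or of any tool named in the thread: one way to run the comparison described above on a Windows machine you already administer, checking each physical adapter's in-use MAC against its burned-in address and against the driver's `NetworkAddress` registry override. It assumes Windows 8 / Server 2012 or later (for `Get-NetAdapter`) and an elevated session; the function names are hypothetical.

```powershell
# Added example: audit one Windows machine for an overridden adapter MAC address.
# Assumption: run as an administrator, locally or over your existing management channel.

function ConvertTo-NormalizedMac {
    param([string]$Mac)
    # Strip separators so "00-11-22-AA-BB-CC" and "001122AABBCC" compare equal.
    if ([string]::IsNullOrWhiteSpace($Mac)) { return $null }
    return ($Mac -replace '[^0-9A-Fa-f]', '').ToUpper()
}

function Get-MacOverrideReport {
    # Device class key for network adapters. A "NetworkAddress" value under an
    # adapter's subkey is the driver-level MAC override.
    $classKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}'
    $overrides = @{}
    Get-ChildItem -Path $classKey -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($p.NetCfgInstanceId -and $p.NetworkAddress) {
            $overrides[$p.NetCfgInstanceId.ToUpper()] = ConvertTo-NormalizedMac $p.NetworkAddress
        }
    }

    Get-NetAdapter -Physical | ForEach-Object {
        $current   = ConvertTo-NormalizedMac $_.MacAddress        # address in use
        $permanent = ConvertTo-NormalizedMac $_.PermanentAddress  # burned-in address
        $override  = $overrides[$_.InterfaceGuid.ToUpper()]
        # Bit 1 of the first octet marks a locally administered (not vendor-assigned) address.
        $firstOctet = if ($current) { [Convert]::ToInt32($current.Substring(0, 2), 16) } else { 0 }
        [pscustomobject]@{
            Adapter             = $_.Name
            CurrentMac          = $current
            PermanentMac        = $permanent
            RegistryOverride    = $override
            LocallyAdministered = [bool]($firstOctet -band 2)
            Mismatch            = [bool]($current -and $permanent -and $current -ne $permanent)
        }
    }
}

Get-MacOverrideReport | Format-Table -AutoSize
```

A `Mismatch` or `LocallyAdministered` result is an indicator rather than proof: the Windows "random hardware addresses" Wi-Fi setting also produces locally administered addresses without any third-party software.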
  Anon123456
@rr.com
| reply to mister444 If they are company owned computers, you should have set them up with limited user accounts that would not allow the employee to install software. Your company IT should be the only one that can install software. If you can hack their computer to determine if they have MAC spoofing software installed then you have bigger security issues to deal with. |
|
 docrice
join:2008-03-31 Fremont, CA
| While I agree that least-privilege is the recommended course, this unfortunately isn't always possible due to any number of reasons in a business environment such as 1) applications that don't run well without admin privs, 2) lazy IT department, 3) business managers have decided that it's permissible to grant end-users admin privs on their machine ... etc.
There are lots of large enterprises out there that throw the user's domain account into the assigned machine's local administrators group. From a technical security perspective, this is almost as dumb as it gets, but reality has to account for a lot of other needs and sometimes restricted accounts aren't practical. |
|
  Neyland
join:2003-02-04 USA
| reply to mister444 Use NMAP to sweep the IPs and gather the host names.
If you feel a person is using the network and they aren't supposed to be, simply perform a manual audit of the machine. This sounds more like you're wanting to get a co-worker in trouble more than these are your employees. |
|
  PghComp
@comcast.net | reply to mister444 Is there a reason they are not allowed on the free public network? |
|
  Anav Sarcastic Llama? Naw, Just Acerbic Premium join:2001-07-16 Dartmouth, NS
| reply to mister444 You cannot control a free public Wi-Fi network and you think you may via some controls over their work computers, but then USB sticks will bypass those.
More education and ramifications on the company or their employee status may provide some direction. Seems that they crave decent internet access that is not provided through the current media. Suggest you provide stand-alone computers with internet (not connected to the network) in enough places so people can check bank accounts etc. -- Ain't nuthin but the blues! "Albert Collins". Leave your troubles at the door! "Pepe Peregil" De Sevilla. Just Don't Wifi without WPA, "Yul Brenner"
LlamaWorks Equipment |
|
 Anwaltskanzl
join:2009-11-15 | reply to mister444 Is there a reason they are not allowed on the free public network? |
|
  joako Premium join:2000-09-07 /dev/null | reply to mister444 If they are company owned computers and you have authority to use them simply ask for the machines physically, if you don't have remote access software. -- PRescott7-2097 |
|