Thread: Ethernet card address changed

  1. #1
    Member
    Join Date
    Aug 2004
    Posts
    95

    Ethernet card address changed

    Problem 1:

    I have a computer on the network, with dynamic IP assignment.
    One fine morning I found my computer's Ethernet address had changed to broadcast mode (ff-ff-ff-ff-ff-ff). I know a network card address is permanent, but it can be changed or spoofed for the session.

    Is there any way an administrator can, through policies, set a computer's MAC address into broadcast mode remotely?

    Problem 2:

    Anyone can find the MAC address of the server through arp and then spoof the MAC address. As the computers are connected to the network, a dynamic IP address will be assigned to them. It would be the same as the server's IP address, leading to 2 machines with the same IP address. Is there any way to locate who has spoofed the MAC in the network?

    I will be grateful if you people can clear my doubts.

    thanking you
    r. anbalagan

  2. #2
    Hi mom!
    Join Date
    Aug 2001
    Posts
    1,103
    As far as I understand them, MAC addresses are coded on a chip on your actual network interface card (NIC). Some drivers let you change them, others not.

    I don't think (but hey, I'm no expert) that there's a universal interface to change your NIC's MAC address through an operating system, let alone through a network connection. You could however create some tool to do that if you have control over what kind/brand of NICs are used on your network, but that would require some inventive scripting/programming on your side.
    I wish to express my gratitude to the people of Italy. Thank you for inventing pizza.

  3. #3
    You can change your MAC address under Windows with etherchange or similar tools (google it), because basically all you need to do is add a reg key and restart the network adaptor.

    Under Linux you just run
    ifconfig eth0 down
    ifconfig eth0 hw ether aa:bb:cc:dd:ee:ff   # <- new MAC
    ifconfig eth0 up

    Of course this isn't a permanent change, but it's what the OS reports it as.

    Not sure how this helps your problem, but changing the MAC is possible.

  4. #4
    Hi mom!
    Join Date
    Aug 2001
    Posts
    1,103
    This is the site axio mentioned: http://ntsecurity.nu/toolbox/etherchange/

    The tool works for me. I stand corrected.
    I wish to express my gratitude to the people of Italy. Thank you for inventing pizza.

  5. #5
    Member
    Join Date
    Aug 2004
    Posts
    95
    The Ethernet address can be changed in two ways:

    1. In Windows you can change it straight from the TCP/IP protocol menu.
    2. You can use a spoofer and change the MAC ID.

    Both these methods are working for me. The problem is....

    With a simple arp -a request you can find the MAC address of any computer in your network, and if you change your MAC address to that, the request going to that specific computer is allowed, and if that computer is a DHCP server then the whole network slows down.

    But there is no address conflict because you are not changing the IP, and even when the IP gets assigned dynamically it is not the same as the server's. Now the problem is how do you find which computer is running with a duplicate MAC ID.

    I tried IDS, no use...

    Can anyone solve my problem?

  6. #6
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    This will go a long way to helping.

    Unfortunately, after that you need to apply some "sleuthing" skills to find the offending computer.... Ask more questions if you need more help but details, (sanitized if they are public addresses), would be good. (Don't forget to sanitize the Hex as well as the ASCII or anyone can see the IPs if they want).
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  7. #7
    Member
    Join Date
    Aug 2004
    Posts
    95
    Thank you

    Someone has done it in my network comprising 250 computers; I assume they have replaced my DHCP server's MAC address. No one in the whole lab is able to log in to the network, as the request is going to some other computer.

    We are finding it very hard to detect the system which is running with the spoofed mac address. If there is some solution or tool please let us know...

    Thank you all for trying to solve my problem.

  8. #8
    Member
    Join Date
    Aug 2004
    Posts
    95
    I have found a way to find out who the person is.....

    When you look at the entries in the DHCP server, the computer whose MAC is changed will have more than one entry, or more than one number will have been assigned by DHCP. Looking at that, you know MAC spoofing has happened there.

    But if the person just changes the MAC address and retains his IP via the TCP/IP icon in Network Neighborhood, there would not be two entries in the DHCP, but it will still cause trouble in the network. How do you find this?

    Does anyone know what problems it can cause?....
    If someone knows, help me.....

    thank you all
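
Added example, not part of any post in this thread: the DHCP check described in post #8 (one MAC holding more than one lease), extended to the static-IP case the same post asks about by comparing observed ARP entries against the addresses each MAC is supposed to have. The lease export layout, the static-host inventory and all function names are assumptions; the sample data is constructed.

```python
import re
from collections import defaultdict

MAC_RE = re.compile(r"\b[0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5}\b")
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
# Constructed sample data; lease layout is assumed, ARP lines mimic Windows "arp -a".
DHCP_LEASES = """\
192.168.10.21  00-11-22-33-44-01  pc-lab-01
192.168.10.22  00-11-22-33-44-02  pc-lab-02
192.168.10.57  00-11-22-33-44-02  pc-lab-02
"""
ARP_TABLE = """\
  192.168.10.1          00-11-22-33-44-aa     dynamic
  192.168.10.21         00-11-22-33-44-01     dynamic
  192.168.10.80         00-11-22-33-44-aa     dynamic
"""
# Hypothetical inventory of statically addressed hosts (here the DHCP server).
STATIC_HOSTS = {"00:11:22:33:44:aa": "192.168.10.1"}

def parse_pairs(text):
    """Return (ip, mac) for every line holding both an IPv4 and a MAC address."""
    pairs = []
    for line in text.splitlines():
        ip, mac = IP_RE.search(line), MAC_RE.search(line)
        if ip and mac:
            pairs.append((ip.group(), mac.group().lower().replace("-", ":")))
    return pairs

def find_anomalies(dhcp_text, arp_text, static_hosts):
    leased = defaultdict(set)
    for ip, mac in parse_pairs(dhcp_text):
        leased[mac].add(ip)
    findings = []
    # Check from post #8: one MAC holding more than one DHCP lease.
    for mac, ips in sorted(leased.items()):
        if len(ips) > 1:
            findings.append(("multiple-leases", mac, sorted(ips)))
    # Static-IP case: a known MAC answers ARP for an IP never assigned to it.
    for ip, mac in parse_pairs(arp_text):
        expected = set(leased.get(mac, ()))
        if mac in static_hosts:
            expected.add(static_hosts[mac])
        if expected and ip not in expected:
            findings.append(("unexpected-ip", mac, [ip]))
    return findings

if __name__ == "__main__":
    for finding in find_anomalies(DHCP_LEASES, ARP_TABLE, STATIC_HOSTS):
        print(finding)
```

The IP address in an "unexpected-ip" finding is the lead to follow; on a managed switch, the MAC address table shows which port that duplicate MAC is learned on.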
