When the router receives a packet from outside destined for the subnet, it directly uses the MAC address stored in advance for that IP and sends the packet into the subnet with that MAC address, so a network card that is not registered will not receive packets from outside. But this method has a defect: outbound packets are not checked, so even a NIC whose MAC is not registered can still send packets out, and can do so with a forged IP. Of course, the router checks the range of the source IP, so the forged IP must also belong to the subnet. Our router here sets the MAC corresponding to the registered IP to 0123456789Ab, so as long as the MAC of the NIC is changed to this universal MAC, you can go out with any IP that is not registered; as for the money, I don't know which unfortunate person's head it falls on. So fundamentally, IP-MAC binding is used to prevent IP theft, yet every NIC's MAC can be modified. More surprising still, in the packets a network card sends, the source MAC address is not written by the NIC itself but supplied by the application; in the usual implementation, the application first gets the MAC address from the NIC and then uses it as the source MAC address each time it sends a packet. Moreover, modifying the network driver alone is enough to change the MAC, without using a NIC configuration program. I have tested this in a PKT-Driver Win31 environment. Win95 uses NDIS.
For the connection-based TCP protocol, forging an IP is not so easy, because it involves predicting TCP sequence numbers. There is a lot to learn here, and many hacking sites discuss these problems.
This is .... To be honest, I have never done ....
I have only chatted with such people about it. The methods:
1. Work directly on the network card and change the contents of its EPROM (that is where the Ethernet card address is stored).
2. Some network cards are now said to let the driver change the NIC address. Some people have discussed this; you can look it up ...
In fact, I also want to experiment, but I do not understand the specific details. If any of you have further experience, I hope you will enlighten me.
This is my first post, so forgive my clumsiness; let me first share my research on the network card with everyone.
We know that a NIC has a physical address that identifies it, which is written in its ROM (whether that ROM is an EEPROM or a plain ROM), and that the NIC's address must be written into the frame when the NIC assembles a frame.
Is the MAC address written into the frame directly from the ROM? The answer is no.
In fact, the NIC has an address register that also holds the MAC address. The MAC address used when the NIC assembles a frame is read from this register and written into the frame by hardware, and the content of the address register is written from the ROM by the NIC's program when it initializes, as shown below:
 -------          ------------------          ---------
|  ROM  |        | Address Register |        |  Frame  |
 -------          ------------------          ---------
    |                 |        |                  |
    ----- Program -----        ---- Hardware -----
As this process shows, the program part is the only part that can be used to modify the MAC; that is, we can modify the relevant code in the NIC driver to modify the MAC.
If you use a switch, some switches can lock a port to a MAC, so that a port only allows access from the specified MAC; add IP-MAC binding on top of that, and then lock up the switch as well. At that point, anyone who wants to steal an IP has to change the IP, change the MAC, and also move the machine and change the network cable :).
There is this problem: it seems that when TCP/IP starts up it sends an ARP broadcast with its IP and MAC (?), and I don't know whether this can be detected. My trial was done on two Linux machines (many experiments), with Linux running as the router. At least after ifconfig, neither machine showed any message (on the console; I did not look at the log). The key here is that the legal IP's MAC address is fixed on the router and the router does not send ARP queries for the MAC, so at least packets coming in from outside through the router will not be disturbed by ARP (that is, they go to the MAC of the legitimate IP's machine), and the purpose of stealing the IP is not to use it inside the subnet :-) It is equivalent to putting the IP-stealing machine into PROMISC mode and picking out the IP packets of the legal IP machine (ports are not discarded). In my experiments, ping, traceroute and other ICMP work (on both the legal and the illegal IP machine), and UDP works too (tested with DNS). But TCP does not (Telnet, FTP, etc.); I am looking at the source to see what is going on. At present TCP works on the legal IP machine and does not work on the stealing one ...
If TCP worked, stealing an IP would be very simple: no need to change any MAC, two commands, ifconfig and route, and it is done ...
More on modifying the network card MAC address
After reading the 22nd and 23rd issues of the Computer Newspaper, I thought the way of modifying the NIC MAC address described there was too much trouble. In fact, the function for changing the NIC MAC address is already provided; people simply have not noticed it. Let me explain how to change it. It is very simple...
Let's start with Win2000. Right-click the Network Neighborhood icon on the desktop and select "Properties". In the "Network and Dial-up Connections" window there is a "Make New Connection" icon and a "Local Area Connection" icon. If your machine has two network cards, there are three icons. If you have only one network card, just right-click the "Local Area Connection" icon and select "Properties", which opens a "Local Area Connection Properties" window. At the top there is a "Connect using:" label, with the model of your network card below it and a "Configure" button under that. Clicking this button opens the network card's property dialog. The dialog has five property pages; click the second, "Advanced". The "Property" list has two items: one is "Link Speed / Duplex Mode", which sets the operating rate of the network card; the one we need to change is "Network Address" below it. Click that item, and under the "Value" label on the right side of the dialog there are two radio buttons, with "Not Present" selected by default. Select the upper radio button, enter the MAC address you want in the box, click "OK" and wait a moment, and the network card address will be changed, without even a restart!
In addition, you can also make the change from the network card's property page in Device Manager; the effect is the same.
The change under Win98 is similar to Win2000. Right-click the "Network Neighborhood" icon and select "Properties"; in the Configuration box that appears, double-click the network card you want to modify to open its properties dialog. On the "Advanced" tab there is likewise a "Network Address" item under "Property". Of the two radio buttons on the right, select the upper one, enter the MAC address you want in the box and click "OK". The system will prompt you to restart, and after the restart your network card address has been changed! If you want to restore the NIC's original MAC address, just select the lower radio button for the "Network Address" item and restart again. Under Win2000 you select "Not Present", and of course no restart is needed.
Editor's Note: The editor tried the author's method but did not see the option the author describes on the NIC property page, probably because the editor's NIC differs from the author's (the editor uses a 7009 network card with an ISA interface). Readers are invited to try it and to discuss the results in the Tianji DIY Forum.
Changing the physical address of the network card
We know that a NIC has two kinds of address:
1. IP address -> this is easy to modify.
2. MAC address -> the NIC's physical address, the address used by the Ethernet protocol, mainly used on the LAN.
It generally consists of six hexadecimal numbers between 00 and 0FFh, separated by "-", for example: 00-80-c8-74-12-37
In general, this MAC address is the NIC's own unique identifier and cannot be changed casually. The MAC address modification described in this article is based on the registry.
The principle that makes the change possible // this is what we need to know, and it is also the highlight of this article.
Under Windows 9x, the NIC driver communicates with the operating system using the NDIS specification. The operating system keeps the MAC address in a storage location, and Windows 9x identifies the physical address of your NIC from the content of that location. So we do not have to modify the contents of the EPROM; modifying the content of that storage location is enough to change the MAC address.
Modification method:
Run regedit.exe and find
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Class\Net\0000
If you have more network cards, there are also 0001, 000 ... These keys hold the information about the network cards in your machine. The content of DriverDesc is the description of your NIC; for example, my network card is
Intel 21041 based Ethernet Controller
Create a string value "NetworkAddress" under the corresponding 0000 key and set it to the address you want. Note that the address must be written continuously, without separators.
For example, I set 112233445566. Restart your computer, then use winipcfg or
nbtstat -A xxx.xxx.xxx.xxx
where xxx.xxx.xxx.xxx is your own IP. You will find that your NIC's MAC address has been changed to
11-22-33-44-55-66.
Further setting:
Under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Class\Net\0000, add a new key NetworkAddress under Ndi\Params; then add a string value named default under the NetworkAddress key and set it to the MAC address you want as the preset, such as 112233445566; then add a string value named ParamDesc and set it to "MAC Address".
After setting this, restart the machine, open the Network Neighborhood properties, select the corresponding network card and look at the Advanced tab of its property page: there is now a "MAC Address" item, the one we just created, and its value is our preset 112233445566.
The modifications above only apply to the Windows family of operating systems; other systems may have other ways of doing this.
Please back up the registry before modifying it. Also: after you change your network card, you can't go online. (However, at this point another, more vicious idea is burning in my mind ..........)
Theft and prevention of IP addresses
The Internet is an open, interoperable communication system whose base protocol is TCP/IP. An Internet protocol address (IP address for short) is the unique logical identifier of an addressable device in a TCP/IP network; it is a 32-bit unsigned binary number. Any host on the Internet must have a unique IP address. IP addresses are allocated by InterNIC and the bodies it authorizes at lower levels, and a host that has not been assigned its own IP address cannot connect directly to the Internet.
With the rapid development of the Internet, IP addresses are being consumed very quickly; according to authoritative institutions, the current IPv4 address space will only last until 2007. It is very difficult for companies, institutions and individuals to apply for enough IP addresses, and because IP addresses are a scarce resource, IP address theft has become a very common problem. This is especially so on CERNET, which bills by IP traffic: since charges are accounted by IP address, many users steal IP addresses in order to shift their network traffic charges onto others. In addition, some users steal IP addresses to evade tracking and hide their identity, for purposes they would rather not disclose.
IP address theft infringes the rights of legitimate Internet users and has a huge negative impact on network billing, network security and network operation, so solving it has become an urgent topic.
1 Analysis of IP address theft methods
There are many ways to steal an IP address; the common ones are:
1) Statically modifying the IP address
For any TCP/IP implementation, the IP address is a mandatory part of the user's configuration. If, when configuring or modifying the TCP/IP settings, the user uses an IP address that was not assigned by the authorized body, that constitutes IP address theft. Because the IP address is a logical address, a value the user has to set, there is no way to stop users from statically modifying it, unless IP addresses are allocated by a DHCP server, which brings other management problems.
2) Modifying the IP-MAC address pair
To counter static modification of IP addresses, many organizations now use static routing techniques. In response, IP theft has developed further, to modifying the IP-MAC address pair. The MAC address is the hardware address of the device; on the commonly used Ethernet it is what is usually called the network card address. The MAC address of each NIC must be unique among all Ethernet devices; it is assigned by the IEEE and burned into the NIC, and generally cannot be changed at will. But some compatible network cards now allow their MAC address to be modified with the NIC configuration program. If a computer's IP address and MAC address are both changed to those of another legitimate host, static routing is powerless. In addition, for network cards whose MAC address cannot be modified directly, the user can still modify the MAC address in software, that is, by modifying the low-level network software so as to deceive the upper-layer network software.
3) Dynamically modifying the IP address
For some skilled hackers, writing programs that send and receive packets on the network directly, bypassing the upper-layer network software and dynamically modifying their own IP address (or IP-MAC address pair) to achieve IP spoofing, is not very difficult.
2 Research on prevention techniques
In response to IP theft, network experts have adopted a variety of prevention techniques. The more common ones today follow the layered structure of TCP/IP and use different methods at different layers to prevent IP address theft.
2.1 Switch control
The most thorough way to solve IP address theft is to control it with switches, that is, at layer 2 of TCP/IP: use the single-address mode that switches provide for their ports, in which each switch port allows only one host to access the network through it and access by a host with any other address is rejected [1]. However, the biggest drawback of this scheme is that it requires switches to provide user access throughout the network, so it is not yet a solution that can be universally adopted.
2.2 Router isolation
Router isolation rests on the premise that the MAC address, as the Ethernet card address, is globally unique and cannot be changed. It is implemented by periodically scanning the ARP table of each router on the campus network via SNMP to obtain the current IP-to-MAC mapping and comparing it with the previously registered legal IP and MAC addresses; any inconsistency indicates illegal access [2]. There are several ways to stop illegal access, such as:
Overwrite the illegal IP-MAC entry with the correct IP and MAC address mapping;
Send spoofed ICMP unreachable packets to the illegally accessing host to interfere with its data transmission;
Modify the router's access control list to prohibit the illegal access.
Another implementation of router isolation is to use a static ARP table, that is, the mapping of IP and MAC addresses in the router is not obtained through ARP but set statically. Thus, when the IP address and MAC address of an illegal access do not match, the router forwards according to the correct static setting and the frames do not reach the illegal host. Router isolation solves IP address theft fairly well, but if an illegal user attacks the premise it rests on by modifying the IP-MAC address pair, it cannot prevent that kind of IP address theft.
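
One way to carry out the comparison described in section 2.2, as an added Python example rather than code from the original article: it normalizes the MAC notations that appear on this page, compares an observed ARP table with the registered bindings, and also flags a single MAC answering for several IPs. The table contents, addresses and function names are constructed for illustration, and collecting the table over SNMP is left out.

```python
import re
from collections import defaultdict

# Constructed sample data: registered bindings and an ARP table as it might be
# read from a router. All addresses are placeholder values.
REGISTERED = """
192.0.2.10  00-80-c8-74-12-37
192.0.2.11  083c.0000.0002
192.0.2.12  00-80-1C-93-80-40
"""
OBSERVED = """
192.0.2.10  00:80:c8:74:12:37
192.0.2.11  02-00-00-00-00-99   # registered IP seen behind a different NIC
192.0.2.12  0080.1c93.8040
192.0.2.50  02-00-00-00-00-99   # IP that was never registered
"""


def normalize_mac(text):
    """Return a MAC as 12 lowercase hex digits.

    Accepts 00-80-c8-74-12-37, 00:80:c8:74:12:37 and 083c.0000.0002.
    """
    digits = re.sub(r"[-:.]", "", text.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return digits


def parse_table(text):
    """Parse 'ip mac' lines into (ip, mac) tuples; '#' starts a comment."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 2:
            raise ValueError(f"expected 'ip mac', got {line!r}")
        entries.append((fields[0], normalize_mac(fields[1])))
    return entries


def audit(registered, observed):
    """Compare observed ARP entries with the registered IP-MAC bindings.

    Returns a list of (kind, ip, mac) findings:
      mac-mismatch     registered IP seen with a MAC other than the bound one
      unregistered-ip  IP in use that has no registered binding
      shared-mac       one MAC answering for more than one IP
    """
    legal = dict(registered)
    ips_by_mac = defaultdict(set)
    findings = []
    for ip, mac in observed:
        ips_by_mac[mac].add(ip)
        if ip not in legal:
            findings.append(("unregistered-ip", ip, mac))
        elif legal[ip] != mac:
            findings.append(("mac-mismatch", ip, mac))
    for mac, ips in sorted(ips_by_mac.items()):
        if len(ips) > 1:
            findings.append(("shared-mac", ",".join(sorted(ips)), mac))
    return findings


if __name__ == "__main__":
    for kind, ip, mac in audit(parse_table(REGISTERED), parse_table(OBSERVED)):
        print(f"{kind:16} {ip:24} {mac}")
```

A host that copies both the IP and the MAC of a registered machine produces no finding here, which is the limit of router isolation that the text describes.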
2.3 Firewall and proxy server
Combining a firewall with a proxy server can also solve IP address theft: the firewall isolates the internal network from the external network, and users access the external network through the proxy server [3]. This approach moves IP anti-theft up to the application layer: management by IP becomes management by user identity and password, because what users actually consume is network applications. The advantage is that a stolen IP address can only be used inside the subnet, so stealing it loses its point; a legitimate user can use a host with any IP to access external network resources through the proxy server, while a user without authorization, even with a stolen IP, has no identity and password and cannot use the external network.
The disadvantages of using a firewall and proxy server are also obvious. Because access to the external network through a proxy server is not transparent to users, it adds to the trouble of operation for them; in addition, for a large user population (such as college students), user management is also a problem.
How to prevent IP address theft in broadband networks
With the vigorous development of network technology in China, broadband networks have reached many buildings and residential communities. However, while users enjoy all kinds of multimedia information, one problem troubles network administrators and users alike: IP addresses allocated within the broadband network are often stolen, so that authorized users get conflicts on their own IP addresses and cannot get onto the Internet. This leads to confusion in network management, harms the interests of authorized users, and also has a large impact on broadband networks that bill by network traffic.
First, the structure of the Open Systems Interconnection model
To understand IP address theft, you must first understand the layered structure of the Open Systems Interconnection (OSI) model specified by the ITU. Data to be transmitted is split and reassembled into data strings (segments); the source and destination IP addresses are then added to form packets; the frame header and frame trailer of the data link layer are added next, placing the packet into a frame; and finally the frame is converted into bits at the physical layer. The IP address is therefore the logical address used to identify different locations, and it is 32 bits long; at the data link layer, the location of a network node is identified by the MAC (Media Access Control) address, which is 48 bits long and is also the physical address of the device.
Second, several ways of stealing IP addresses
1. Modifying the static IP address
When modifying the TCP/IP protocol properties, the user enters not the IP address assigned by the network administrator but a known authorized IP address. Because the IP address is a logical address, a value the user has to set, there is no way to stop users from statically modifying it. Once the thief has modified the IP address, he can access the external network through the gateway.
2. Modifying the IP address and MAC address pair
Static modification of IP addresses is generally countered with static routing techniques. In response, IP theft has found a new route: modifying the IP-MAC address pair. The MAC address is the physical address of the device; on the Ethernet we commonly use, it is what is usually called the network card address. The MAC address of each NIC must be unique among all Ethernet devices. It is assigned by the IEEE and burned into the NIC, and generally cannot be changed at will. However, some current compatible network cards allow their MAC address to be modified with the NIC configuration program. If a computer's IP address and MAC address are both changed to those of a legitimate host, static routing is powerless. In addition, for network cards whose MAC address cannot be modified directly, a skilled thief can still modify the MAC address in software.
Third, several methods for preventing IP address theft
1. Locking switch ports
For each Ethernet port of the switch, lock the port using the MAC address table (mac-address-table). Only a NIC whose MAC address the network administrator has specified in the MAC address table can connect to the network through the port; other NIC addresses cannot. We can first run the ping command on a computer and then use the arp -a command to see the MAC address corresponding to each network user's IP address, so that MAC addresses are matched to physical locations: one network cable, one port, one MAC address. This method suits broadband users in a single building: place a switch on each floor or in each unit and restrict each Ethernet port of the switch so that each user occupies one port, and then stealing an IP address does the thief no good. The following commands are an example in which port E0/9 of the switch is tied to MAC address 083C.0000.0002, so that only this MAC address can access the network through this port.
Switch# config terminal
Switch(conf)# mac-address-table permanent 083c.0000.0002 E0/9
Switch(conf)# int E0/9
Switch(conf-if)# port secure max-mac-count 1
Switch(conf-if)# exit
Switch(conf)# exit
2. Binding IP addresses to MAC addresses with ARP
ARP (Address Resolution Protocol) is the protocol that maps network addresses to physical network addresses. The MAC address of each computer's NIC is unique. Layer-3 switches and routers hold a table, called the ARP table, that records the correspondence between IP addresses and MAC addresses and provides conversion between the two; specifically, it resolves network-layer addresses into data-link-layer addresses.
We can bind the IP address of a legitimate user to the MAC address of that user's NIC in the ARP table. When someone steals the IP address, the thief has modified the IP address, but the network cannot be accessed because the MAC address of the thief's NIC does not match the MAC address bound in the ARP table. Take Cisco as an example: on the Cisco Catalyst 5000 network switch, ARP table entries are set and cleared with the following commands:
set arp [dynamic | static] {ip_addr hw_addr} (sets a dynamic or static ARP table entry);
ip_addr is the IP address, hw_addr is the MAC address;
set arp static 20.89.21.1 00-80-1C-93-80-40 (binds IP address 20.89.21.1 to NIC MAC address 00-80-1C-93-80-40);
set arp static 20.89.21.3 00-00-00-00-00-00 (binds the unused IP, setting its MAC address to 0);
set arp agingtime seconds (sets the refresh time of the ARP table, for example set arp agingtime 300);
show arp (displays the contents of the ARP table);
clear arp [dynamic | static] {ip_addr hw_addr} (clears entries from the ARP table).
Other brands of layer-3 switches have similar commands and functions. When building a broadband network with other switches, the ARP table can be set up in the same way to prevent IP address theft, so that the traffic of each IP address can be measured and charged for according to network traffic. This method suits broadband users in a residential community, but it can only stop a thief who statically modifies the IP address.
3. User authentication with the PPPoE protocol
When both the IP address and the MAC address are modified, as in the second theft method, the PPPoE protocol can be used to authenticate users. There is now a lot of PPPoE-based software, widely used on ADSL broadband networks. PPPoE stands for Point to Point Protocol over Ethernet. The protocol was created to meet the need for communication between the growing number of broadband access devices and ever faster networks, and it is built on two widely accepted standards: Ethernet and the PPP point-to-point dial-up protocol. For operators, it requires no huge investment on top of the existing local area network, which gives PPPoE an advantage among broadband access services, so it has gradually become the best choice for broadband Internet access. In essence, PPPoE is a relay protocol between Ethernet and dial-up networks, combining the speed of Ethernet with the simple dial-up, user verification and IP allocation of PPP. In practical ADSL broadband deployments, PPPoE uses the working principle of Ethernet: the 10Base-T interface of the ADSL modem is connected to the internal Ethernet, and for PPPoE access a PVC (permanent virtual circuit) is established between the network side and the ADSL modem, which gives multiple users on the Ethernet shared access. The actual networking is simple and easy, which greatly reduces the complexity of the network. On the client side, the setup is the same as for dial-up: install virtual dial-up software and connect through virtual dialing. After the client accesses the network, it is authenticated by the PPP server or the RADIUS server, using one of two authentication protocols: PAP and CHAP.
PAP is the Password Authentication Protocol. It uses cleartext (unencrypted) passwords and is the simplest authentication protocol. PAP is usually used when the network access cannot use a more secure verification method.
CHAP is the Challenge Handshake Authentication Protocol, which uses the MD5 (Message Digest 5) industry-standard hashing scheme. A hashing scheme is a way of transforming a password; its result is unique and cannot be converted back to the original form. CHAP uses a challenge-response mechanism with a one-way MD5 hash on the response. In this way you can prove to the server that you know the password without actually sending the password over the network. By supporting CHAP and MD5, Network and Dial-up Connections can connect securely to almost all other PPP servers.
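
The challenge-response exchange described above, as an added Python example (not code from the original article or from any PPP implementation): the response is computed as RFC 1994 defines it, an MD5 hash over the identifier octet, the shared secret and the challenge, so the secret itself never crosses the link as it would with PAP. The user name, the secret and the class and function names are constructed for illustration.

```python
import hashlib
import hmac
import os


def chap_response(identifier, secret, challenge):
    """RFC 1994 response value: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class Authenticator:
    """Server side: holds each user's secret, issues challenges, checks responses."""

    def __init__(self, secrets):
        self.secrets = secrets      # user name -> shared secret (bytes)
        self.pending = {}           # user name -> (identifier, challenge)
        self.next_id = 0

    def issue_challenge(self, user):
        """Create a fresh random challenge; a new one replaces any old one."""
        self.next_id = (self.next_id + 1) % 256
        challenge = os.urandom(16)
        self.pending[user] = (self.next_id, challenge)
        return self.next_id, challenge

    def verify(self, user, identifier, response):
        """Check a response against the outstanding challenge, which is single use."""
        outstanding = self.pending.pop(user, None)
        if outstanding is None or user not in self.secrets:
            return False
        if outstanding[0] != identifier:
            return False
        expected = chap_response(identifier, self.secrets[user], outstanding[1])
        return hmac.compare_digest(expected, response)


def login(auth, user, password):
    """Peer side of one exchange; returns (accepted, bytes that crossed the link)."""
    identifier, challenge = auth.issue_challenge(user)
    response = chap_response(identifier, password, challenge)
    wire = bytes([identifier]) + challenge + response + user.encode()
    return auth.verify(user, identifier, response), wire


if __name__ == "__main__":
    server = Authenticator({"alice": b"constructed-secret"})   # constructed account
    accepted, wire = login(server, "alice", b"constructed-secret")
    print("right secret accepted:", accepted)
    print("secret visible on the wire:", b"constructed-secret" in wire)
    print("wrong secret accepted:", login(server, "alice", b"wrong-guess")[0])
```

A captured challenge and response still allow offline guessing of a weak secret, so the strength of the password matters even though it is never transmitted.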
Once the user's identity has been verified by the RADIUS server, the broadband access server assigns an IP address to the client, which avoids IP address theft. In this method the broadband access server and the RADIUS server cooperate to verify user identity and assign IP addresses; they can also assign different kinds of IP address (such as public network addresses or private addresses), comply with the recommendations of RFC 2138 and RFC 2139, and support the RADIUS proxy feature, which enables roaming authentication of users. In large broadband networks, a network firewall can provide the same user authentication.
User authentication with the PPPoE protocol suits users who have ADSL installed and broadband user groups on ADSL and local area networks, and it is a method that prevents IP address theft rather well.