[ previous ] [ next ] [ threads ]
 From:  Michael Brown <knightmb at knightmb dot dyndns dot org>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] malware HackTool.win32.ArpAttacker.3020
 Date:  Tue, 06 May 2008 20:29:22 -0500
Are you using a wireless access point to run everyone through captive 
portal or are they all wired in via Ethernet port?


Mohammed Ismail wrote:
> I have been using m0n0 wall since 2006 and till now it is relay the best, providing me high
stability and hardware cost effective.
> turning 200 MHZ PC into an advanced Router.
> now adays i faced a problem, spoofing wrong MAC
> my LAN ip is > MAC 00:23:34:43:f4:b1
> so when i type arp -a in command under windows xp from any client PC i should get the right mac i
get for instade for example
>    wr:on:g:ma:ca:dd
> now the trojan give wrong MAC
> also in ARP cache on m0n0wall i get all MAC addresses of the client are the same!!!
> like this>>
> 00:16:17:ec:9f:b8	 
>	   00:16:17:ec:9f:b8	 
>	   00:16:17:ec:9f:b8	   00:16:17:ec:9f:b8	 	
> so in captive portal i must check on , disable MAC filtering , so thoes clients get internet
> there are some applecations that uses winpcap and make statice arp entire on the infected pc
> keep telling my mac is xx:xx:xx:xx:xx:xx and keep Gateway Mac as static entry in arp table in
windows xp
> sorry for long explainning of the problem, 
> now is it possible that i make m0n0wall keep telling clients that M0n0 IP is and MAC
is 00:23:34:43:f4:b1
> so it is added in arp table of the client machine as static entery , or keep sending this arp
packet every 1 sec to prevent spoofing of m0n0 mac 
> this also will provide security from spoofing.
> Note: i am useing 1.3b10
> and i have this problem in 7 networks that i dont have easy access to client PCs 
> so i need a remote solution. if possible
> best regards
> Mohammed Abd El Wadoud
> Account Manager
> Sharm El Sheikh
> m dash ismail at link dot net
> +20105337746