ISP Experiment

[lucid]

Remember when I posted that tutorial about custom .service files in systemd? Well, if you read the tut I'm creating a macspoofing .service file to set a random Mac address on startup. For those of you who don't know how Mac addresses and the DHCP protocol work, what that basically does is make the ISP issue me a different internal IP address everytime I start up. The reason for this is that since I am starting up with a new Mac address before the DHCP request it looks as though a new computer has joined the network.

Now, when I first created this I wondered to myself, "What happens when the ISP issues out way too many IP addresses to one network." It got to the point where my internal IP was the 100th one on the network. Which needless to say is...odd for one household. Well, the experiment ended when I booted up as the 101th computer to join the network. They cut off the internet soon after bootup. I imagine all of this is automated since, if someone were paying closer attention, they would notice in the DHCP packet that the same OS and kernel and hostname were issuing a DHCP request as a different device every single day and sometimes more than once a day, and probably take further actions. They obviously aren't paying attention because once I stopped the macspoof service and rejoined the network with my old internal IP and old MAC, I got the internet back. Someone with ISP experience want to discuss this with me?


EDIT: Someone move this to General Discussion please, I think it fits well there instead of random.

[proxx]

Well Ive done some MAC spoofing on my modem.
At that time I had a cable connection, Euro DOCIS.

The only thing in which that resulted was a denial of service.
My best guess is that they keep a pool of legit MAC addresses.
I never tried spoofing the MAC of someone on the same IP range.
That would have been interesting though.

How the hell do you get your own PC as the first hop?
I assume you use a router/modem or anything like that ?

[RedBullAddicted]

Hi lucid,

your internal IP address is not assigned by your ISP. You get the IP address from your router which runs some kind of dhcp service. DHCP has a ip address range that is offered to clients which broadcast a dhcp request on startup. As the dchp request is a broadcast it is not possible to provide the service on a machine on the internet as a broadcast never leaves the subnet it was send to. Of course there are ways to provide different subnets with ip addresses from a single server. This is something you need to configure on a switch and it is called ip-helper address. The switch receives the broadcast and forwards the request to the address that is specified within the ip-helper address command.

Normally a dhcp server uses a lease database where MAC-IP bindings are stored to provide the same client with the same IP address every time. It is possible to configure the lease time (Windows dhcp server default setting is 8 days.)
to free IP addresses sooner or later If the dhcp server is running out of addresses to offer you won't get a address, dns server and default gateway assigned meaning you are not able to communicate with the network. In your case it would be possible to assign a static one that is not in use and you would be able to access the internet without a dhcp lease. If you have access to your router you are maybe able to disable the dhcp service and work with static assignments. That way you could change your mac address as often you like and still have the same ip settings all the time. You don't even need to turn of the dhcp service on the router to accomplish that. Just make a static configuration and try to use an address which is not in the dhcp scope.

As for your other question about keeping track of hostname / OS / Kernel. DHCP does not care about these things. DHCP is only interested in MAC addresses and has absolutely no security build-in. Thats the reason why there are a lot of dhcp protocol based attacks.

I hope this is not confusing (my engl. really is not the best) and I hope this answers your question. If you have further questions I will try to answer them

[EmilKXZ]

Beware, they might keep logs if you're using your public IP address to connect to the internet, I apply the same trick to get a different WAN IP... or when I need to put dirt on the logs of another person, I spoof the MAC as if I was that person and well...

My ISP called why I have 7 different IP's... they asked if my intention was to mount a rent-internet business...

[lucid]

Well Ive done some MAC spoofing on my modem.
At that time I had a cable connection, Euro DOCIS.

The only thing in which that resulted was a denial of service.
My best guess is that they keep a pool of legit MAC addresses.
I never tried spoofing the MAC of someone on the same IP range.
That would have been interesting though.

How the hell do you get your own PC as the first hop?
I assume you use a router/modem or anything like that ?

Yeah I use a router proxx.

@ RBA - Thanks alot for all that info. It appears to me that the router won't issue out more than 100 IPs or something like that since soon after I started up and got issued the 101 IP address my connection went out. So it seems to me that what your saying is that the ISP never get's DHCP requests? Which would mean they don't see the infomation being broadcasted?

[RedBullAddicted]

yes, thats right as long as we speak about your internal IP addresses. It seems like the dhcp scope configuration has 100 ip's to provide to connected clients. tbh for a normal home configuration 100 addresses should be really enough.. lol. Your internal IP address assignment never reaches your ISP as it is completely a local thing in your network. You can find out if you have a private IP address or a public one by looking at the address you get. There are reserved ranges of addresses for internal use and the same for public use as you can see here:
http://www.ccnaprep.com/public_ip_address_range.htm
Your internal IP address is not visible outside your network cause you are behind a NAT device. As you want to access the internet with one public address your internal address needs to be translated to the external one. If you have more computers on your internal network and you go to whatsmyip.com with all of them you will see the same address all the time. The NAT/PAT device keeps track of the port you are using to request something. For example: client1(tcp/51001) -> www.google.com(tcp/80), client2(tcp/51002) -> www.google.com(tcp/80). google will reply to your public IP (which is your router) on the port you used to query google (51001 for client1 and 51002 for client2). Your router knows that the specific port belongs to for example client 1 and changes the destination  ip address in the ip header of the packet to the one which belongs to client1. NAT and PAT are no simple topics but I tried to explain them as simple as possible. Hope I did not fail on this.. lol

[lucid]

No you did not this makes sense. I'm sure that I'm using an internal IP address which is the one that was changing every time I spoofed my MAC address.

You can find out if you have a private IP address or a public one by looking at the address you get.

Wait I thought everyone behind a router had both.

[RedBullAddicted]

Your client only has one address. The public address is assigned to your router and thanks to NAT you can share the one address to communicate with the outside world with all clients in your internal network. Due to the way routing works it is not a good idea to use a public range for your internal network. google.com for example has a couple of addresses in the range 173.194.44.0/24. If you would use this range for your internal clients you would not be able to visit google.com anymore. If you would request the address 173.194.44.49 for example your client thinks "hey.. thats on my local network" and would never send the request to the router. The client would only forward packets to the default gateway (which is your router) if he would not know the network it belongs to. If the router does not know the destination he would send it to his default gateway (specified with a default route like 0.0.0.0 0.0.0.0 10.10.0.1 -> would send everything that is not directly connected to 10.10.0.1). This is going on until it reaches a device which is directly connected to the network you are looking for. Everytime your request is send to another router your round trip time increases and we are talking about hops. You can have a look at it when you issue the traceroute command on your machine. You will see a lot of addresses on the path until you finally reach your requested destination.

[proxx]

Well what you did was in fact a known attack.
This is called DHCP starvation.

The Pool of IP's thats availible for the DHCP server to give out to its clients reached its end.
For local networks this typically is 192.168.0.2-256 or often 192.168.1.100-200 or alike.
If you spoofed your MAC over and over again you probably reached the end of the pool.

What I previously described was actually changing the modem/routers MAC address.
Which as I said just knocked me off the network.

The DHCP starvation attack is interesting though.
Whats fun about it that it can be used as an alternative to ARP spoofing.

Imagine this;
Client connects to network..
DHCP server is starved by attacker before the client gets an IP address from the router.
The attacked sets up his own fake DHCP server and gives the client an IP address.
However it will tell the client that the gateway is actually the one of the attacker.
Attacker forwards his packets to the real gateway , resulting in  MITM.
 

[lucid]

Oh wow, call me a noob but I have never heard of such an attack. I'm really glad I did this I think I gained some valuable information through doing this experiment. Yeah that's what I was thinking too, that I reached the end of the pool.

[proxx]

Glad I could be of use today

[techb]

@rba, Idk how cable works but with dsl I thought if the modem was routed bridge, then a dhcp leases out a WAN to the modem. And since PPPoE used authentication, does it still get a WAN from a dhcp or is it something else?.


Speaking of dsl, I've had customers at work who have a BroadBand Connection set up in internet options. They where getting the WAN ip on the pc. I disabled the broadband connection and then it lost internet but had the correct LAN settings.

At one point they had 2 ips and 2 default gateways, some odd shit. Anyway if your pc dials a broadband connection doesn't that skip NAT since it itself is leased the WAN?

[RedBullAddicted]

@Proxx:
That attack is a nice approach and the idea is good. I wrote a tutorial about how to do that and how specific security features on a switch can prevent those attacks. Has been some time ago and I just remembered I did something like that as I read your post

http://evilzone.org/tutorials/network-security-features-and-how-to-get-pass-part-2-dhcp-snooping/

@lucid:
Don't remember everything I wrote there but I guess it has a lot of information about the dhcp protocol

@techb
You are right about the broadband connection. You get a public address assigned to the virtual network adapter that is created by the software you use to dial in. I am no expert on that topic but I think the software sends a direct IP address request to a configured dhcp server (or maybe usese a complete other mechanism???). You really made me curios need to buy one of these things and try to capture traffic. Guess I won't see much but it is worth a try and theses prepaid sticks are not very expensive.

PPPoE uses a different kind of IP address assignment method called IPCP. PPPoE is basically the dial in method nearly every home router does and what the ISPs require. A good and short explanation can be found here: http://www.shafagh.net/2009/10/pppoe.html
Just skip the PIX/ASA and IOS configuration part.. lol. I only have bookmarks like this cause I am mainly interested how to configure it on cisco devices. Even when I like ProCurve more if you want a good router there is no way around cisco

As for the first question about the modem in bridge mode I have no clue tbh. But I found that on google: Bridge mode means that the device will not estalish the PPP link, it will only pass through the details to another device which is capable of handling the PPP - much like a modem.
I think the modem then does nothing except translating from Analog to digital (basically what a modem does). A little of topic.. some time ago I was asked what a modem does and I searched for a simple explanation to find that:

The word "modem" is short for "modulator-demodulator" which is essentially what it does. A computer moves data around on parallel wires by applying one or another voltage to each wire (representing 0's and 1's) and the voltage is read at the other end of the wires. This is digital communication. In order for multiple computers to communicate over greater distances, a method was developed to exchange data over a world-wide pre-existing network: the telephone network. Telephone transmissions are analog in nature. Instead of streaming ones and zeroes with varying voltage over multiple parallel wires, signals are sent as analog wave frequencies (sounds) over a single wire.
 
 The device that translates voltages into frequencies (digital into analog) and back again is called a modem. (Actually, a modulator converts digital to analog and a demodulator converts analog to digital.) In order for one computer to exchange data with another via a telephone line, the sending computer must activate its modem and dial the receiving computer. The receiving computer's modem must answer the call, "handshake" to establish communications, and signal its computer to be ready to receive. When this is done, the modems are in a state referred to as "connected". The two computers can exchange data, which the modems translate and pass through the telephone network

I liked it so much that I bookmarked it as most of the routers have a modem build in many ppl do not not that they even have one and what it does.