Re: WOL security issue



If a host wants to know the MAC address of another system in the same broadcast domain, it sends an ARP (Address Resolution Protocol) request, and the destination host responds with its MAC address. It doesn't need to passively wait hoping to observe MAC addresses.

Your statement, "It's impossible to sniff non-connected traffic on a switched Ethernet port. Try it with Wireshark and you'll only see your own traffic.", is false.

Although you normally would only see your own unicast traffic, broadcasts, multicasts, and the occasional unicast packet flooded by the switch because it had not yet learned which port the destination device resided on, it is possible to see "all" of the traffic the switch handles.

A switch maintains a table that associates source MAC addresses with the ports that they were received on. This table has a limited capacity (device dependent). If you exceed the table's capacity using readily available software, switch ports will typically "fail-open". The result is that unicast traffic will be flooded out "all" the ports (other than the one the packet was received on), rather than just the port to which the destination device was attached.

With this exploit, a sniffer can then see all of the traffic the switch handles, and not just the traffic that would normally be seen on the port the sniffer is connected to.

Best Regards,
News Reader
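The MAC-table behaviour described above, as an added example that is not part of the original post: a toy learning switch with a capacity-limited table that evicts its oldest entry when full, showing why unicast frames to legitimate hosts end up flooded out every port once the table is exceeded, together with the per-port source-MAC limit that port-security features enforce. All MAC addresses and port numbers are constructed.

```python
from collections import OrderedDict, defaultdict

# Added example, not code from the thread: a toy learning switch whose MAC
# table has a fixed capacity and evicts its oldest entry when full, plus a
# per-port distinct-source-MAC check. All MACs and ports are constructed.

BROADCAST = "ff:ff:ff:ff:ff:ff"

class LearningSwitch:
    def __init__(self, ports, capacity):
        self.ports = set(ports)
        self.capacity = capacity
        self.table = OrderedDict()   # src MAC -> port it was last seen on
        self.flooded_unicast = 0     # unicast frames sent out every port

    def forward(self, in_port, src, dst):
        """Learn src on in_port and return the set of ports dst goes out of."""
        if src in self.table:
            self.table.move_to_end(src)
        elif len(self.table) >= self.capacity:
            self.table.popitem(last=False)   # table full: drop oldest entry
        self.table[src] = in_port
        if dst == BROADCAST:
            return self.ports - {in_port}
        if dst in self.table:
            return {self.table[dst]}         # known destination: one port
        self.flooded_unicast += 1
        return self.ports - {in_port}        # unknown destination: flood

def ports_over_limit(observations, max_macs):
    """observations: iterable of (port, src_mac). Return the ports on which
    more than max_macs distinct source MACs were seen."""
    seen = defaultdict(set)
    for port, mac in observations:
        seen[port].add(mac)
    return sorted(p for p, macs in seen.items() if len(macs) > max_macs)

def demo():
    sw = LearningSwitch(ports=[1, 2, 3], capacity=4)
    a, b = "00:11:22:33:44:01", "00:11:22:33:44:02"
    sw.forward(1, a, b)            # b not learned yet: flooded to 2 and 3
    sw.forward(2, b, a)            # both hosts now in the table
    normal = sw.forward(1, a, b)   # {2}: delivered only to b's port
    bogus = [f"de:ad:be:ef:00:{i:02x}" for i in range(4)]
    for m in bogus:                # four bogus sources on port 3 fill the table
        sw.forward(3, m, BROADCAST)
    after = sw.forward(1, a, b)    # b was evicted: a->b is flooded to 2 and 3
    flagged = ports_over_limit([(1, a), (2, b)] + [(3, m) for m in bogus], 2)
    return normal, after, flagged
```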

Jeff Liebermann wrote:
On Sun, 23 Mar 2008 16:35:02 -0700 (PDT), seaweedsl
<seaweedsteve@xxxxxxxxx> wrote:

This is more of a LAN question than a wireless, but maybe somebody can
give me a quick answer.

Sigh.

One of our clients on the LAN wrote me saying that he thinks I should
turn off Wake on LAN on each pc in the subnet because it's a security
issue if somebody inside our LAN is infected with malware.

Yes. In general, if the feature isn't used, turn it off. However,
WOL itself is not a security issue. However, tinkering with the
firewall settings in order to get WOL to work through the firewall
usually does result in a security problem.

He says that he knows, because it happened to him in the past.

Yep. There are programs that exploit WOL. WOL has no security from
attacks originating from the LAN side of the firewall. Of course, if
you have malware and other junk running on your LAN, you've got bigger
problems than just WOL. Try treating the causes instead of tinkering
with WOL.

I cannot find any references to WOL security issues and will write
him asking for a link or example, but thought I'd ask first here.

WOL can only turn on a computah, not off. In order to turn on a
computah, it needs to know the MAC address of the ethernet card. This
can be done by sniffing. If the PC's are on an ethernet switch, the
client machines will only see their own MAC address, the various
server MAC addresses, and any devices they can access (printers,
gateways, routers, etc). Sniffing does not magically obtain everyone
else's MAC address. Try it with a Windoze machine using a sniffer such
as Ethereal, Wireshark, or just "arp -a".

Once an attacker has a shopping list of MAC addresses, it can turn on
any of the machines it sees. The theory is that if it's going to
spread viruses and worms, doing so at night, when the offices are
closed is a somewhat better time to attack. If the virus protection
and personal firewalls are functional on the PC's, nothing will
happen.

Frankly, I'm not worried, but there are some issues. Having someone
arrive at the office in the morning, and finding their machine turned
on is rather disconcerting. They usually suspect that someone has
been tinkering, hacking, or snooping on their private files. However,
it's usually NOT a WOL attack. It's me doing remote administration in
the middle of the night using VNC, PC Anywhere, or remote desktop. I
sometimes forget to turn off the machine when done (or screw up and
crash the machine). If your client has reported that machines are
magically turned on in the morning, when nobody is on, look for remote
control software, usually installed by employees that wanna do work at
home.

From what little I understand, it seems that packet sniffing and file-
sharing are more of a security issue within our LAN than having a
sleeping pc woken up.

It's impossible to sniff non-connected traffic on a switched ethernet
port. Try it with Wireshark and you'll only see your own traffic.
However, replace the switch with a hub, and you can sniff merrily. Some
managed switches also offer a monitor port, which redirects all the
traffic to some designated port.

Anybody got any comments?
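The WOL mechanism discussed above, as an added example that is not part of the original thread: the magic packet is six 0xFF bytes followed by the target MAC repeated 16 times, so a defender monitoring LAN traffic can recognise wake-ups and log which MAC was woken and from where, then compare that against expected remote-administration activity. The source addresses and payloads below are constructed.

```python
# Added example, not code from the thread: recognise Wake-on-LAN "magic
# packets" in captured UDP payloads so wake-ups can be logged. The MAC
# addresses and sample payloads below are constructed for illustration.

SYNC = b"\xff" * 6   # the magic packet's synchronisation stream

def build_magic_packet(mac: str) -> bytes:
    """Build the 102-byte magic packet for a MAC given as 'aa:bb:cc:dd:ee:ff'."""
    target = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(target) != 6:
        raise ValueError("a MAC address is exactly 6 bytes")
    return SYNC + target * 16

def parse_magic_packet(payload: bytes):
    """Return the target MAC ('aa:bb:..') if payload carries a magic packet,
    else None. The sync stream may sit anywhere in the payload, and trailing
    bytes (for example a SecureOn password) are ignored."""
    start = payload.find(SYNC)
    while start != -1:
        body = payload[start + 6:start + 6 + 96]
        mac = body[:6]
        if len(body) == 96 and body == mac * 16 and mac != SYNC:
            return ":".join(f"{b:02x}" for b in mac)
        start = payload.find(SYNC, start + 1)
    return None

def wake_log(payloads):
    """Map (source_ip, payload) pairs to (source_ip, target_mac) for magic packets."""
    out = []
    for src_ip, payload in payloads:
        mac = parse_magic_packet(payload)
        if mac is not None:
            out.append((src_ip, mac))
    return out

# Constructed sample of UDP payloads seen on the LAN: (source IP, payload).
SAMPLE = [
    ("192.168.1.10", build_magic_packet("00:11:22:33:44:55")),
    ("192.168.1.20", b"not a magic packet at all"),
    ("192.168.1.30", b"\x00\x01" + build_magic_packet("00:11:22:33:44:66") + b"pw"),
    ("192.168.1.40", SYNC + bytes.fromhex("001122334477") * 15),   # too short
]

if __name__ == "__main__":
    for src, mac in wake_log(SAMPLE):
        print(f"{src} sent a wake-up for {mac}")
```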
