Re: WOL security issue
- From: News Reader <user@xxxxxxxxxxx>
- Date: Wed, 26 Mar 2008 13:32:38 -0400
If a host wants to know the MAC address of another system in the same broadcast domain, it sends an ARP (Address Resolution Protocol) request, and the destination host responds with its MAC address. It doesn't need to passively wait hoping to observe MAC addresses.
Your statement: "It's impossible to sniff non-connected traffic on a switched Ethernet port. Try it with Wireshark and you'll only see your own traffic.", is false.
Although you normally would only see your own unicast traffic, broadcasts, multicasts, and the occasional unicast packet flooded by the switch because it had not yet learned which port the destination device resided on, it is possible to see "all" of the traffic the switch handles.
A switch maintains a table that associates source MAC addresses with the ports that they were received on. This table has a limited capacity (device dependent). If you exceed the tables capacity using readily available software, switch ports will typically "fail-open". The result is that unicast traffic will be flooded out "all" the ports (other than the one the packet was received on), rather than just the port to which the destination device was attached to.
With this exploit, a sniffer can then see all of the traffic the switch handles, and not just the traffic that would normally be seen on the port the sniffer is connected to.
Jeff Liebermann wrote:
On Sun, 23 Mar 2008 16:35:02 -0700 (PDT), seaweedsl.
This is more of a LAN question than a wireless, but maybe somebody can
give me quick answer.
One of our clients on the LAN wrote me saying that he thinks I should
turn off Wake on LAN on each pc in the subnet because it's a security
issue if somebody inside our LAN is infected with malware.
Yes. In general, if the feature isn't used, turn it off. However,
WOL itself is not a security issue. However, tinkering with the
firewall settings in order to get WOL to work through the firewall
usually does result in a security problem.
He says that he knows, because it happened to him in the past.
Yep. There are programs the exploit WOL. WOL has no security from
attacks originating from the LAN side of the firewall. Of course, if
you have malware and other junk running on your LAN, you've got bigger
problems than just WOL. Try treating the causes instead of tinkering
I can not find any references to WOL security issues and will write
him asking for a link or example. , but thought I'd ask first here.
WOL can only turn on a computah, not off. In order to turn on a
computah, it needs to know the MAC address of the ethernet card. This
can be done by sniffing. If the PC's are on an ethernet switch, the
client machines will only see their own MAC address, the various
server MAC addresses, and any devices they can access (printers,
gateways, routers, etc). Sniffing does not magically obtain everyone
elses MAC address. Try it with a Windoze machine using a sniffer such
as Ethereal, Wireshark, or just "arp -a".
Once an attacker has a shopping list of MAC addresses, it can turn on
any of the machines it see. The theory is that if it's going to
spread viruses and worms, doing so at night, when the offices are
closed is a somewhat better time to attack. If the virus protection
and personal firewalls are functional on the PC's, nothing will
Frankly, I'm not worried, but there are some issues. Having someone
arrive at the office in the morning, and finding their machine turned
on is rather disconcerting. They usually suspect that someone has
been tinkering, hacking, or snooping on their private files. However,
it's usually NOT a WOL attack. It's me doing remote administration in
the middle of the night using VNC, PC Anywhere, or remote desktop. I
sometimes forget to turn off the machine when done (or screwup and
crash the machine). If your client has reported that machines are
magically turned on in the morning, when nobody is on, look for remote
control software, usually installed by employees that wanna do work at
From what little I understand, it seems that packet sniffing and file-sharing are more of a security issue within our LAN than having a
sleeping pc woken up.
It's impossible to sniff non-connected traffic on a switched ethernet
port. Try it with Wireshark and you'll only see your own traffic.
However, replace the switch with hub, and you can sniff merrily. Some
managed switches also offer a monitor port, which redirects all the
traffic to some designated port.
Anybody got any comments?
- Prev by Date: Re: Why Can't I run two DSL lines in the same CAT5E cable??
- Next by Date: Re: Powerline product question need wireless expansion
- Previous by thread: Re: WOL security issue
- Next by thread: Re: WOL security issue