
How to avoid the spoof detection script employed by my isp


  • This topic is locked
27 replies to this topic

#21 darkstar

darkstar

    DDP Fan club member

  • Members
  • 49 posts

Posted 21 June 2008 - 02:11 AM

Well, I was having the same problem some months ago, but after thinking for some time I got an idea how to bypass it. Anyway, here is the method.
1) Download Netscan (Google it)
2) Open Netscan, then press Ctrl+O; in the additional tab check "Resolve Mac Address"
3) Then click OK. In the IP range, type the first three parts of the IP, e.g. if your IP address is 10.10.20.100 you will type 10.10.20.0, then in the "to" box type 10.10.20.255
4) Click on scan. It will start scanning; from there select a MAC address
5) Download etherchange from this site http://ntsecurity.nu...ox/etherchange/ and change your MAC address
6) Start sniffing; when the MAC address gets banned, use another MAC address from the list

You can detect sniffing through ettercap using one of its plugins.

Hope it helps!!

#22 rakshit

rakshit

    Gibson Hacker

  • Members
  • 98 posts

Posted 22 June 2008 - 03:33 PM

@spyril and Vector: I was sniffing the whole LAN connection.

In my Ethernet LAN there are two VLANs:
172.16.0.1-255 && 172.16.1.1-255

I was doing APR (ARP Poison Routing) and poisoning their MAC addresses so that the data gets redirected to my MAC rather than to its default gateway.

Now, it's obvious, because once I APR the whole (remember, not one but the whole) LAN, the internet becomes very weak for the clients to surf.

And that very day I was caught! Since that very day, even if I sniff two connections, my gateway bans my MAC. I had a word with my ISP guys; they said they have put in a script which, when it detects spoofing, would ban that very MAC.

Now guys, above is the scenario; I hope this is clear.

Now I want to ask you expert guys: firstly, how are they detecting whether I'm spoofing or not; secondly, are they just bluffing and keeping a close look at my MAC?

I used Cain while sniffing; even if I sniff two connections, my MAC gets banned in WinXP.
I used arpspoofing, fragrouting and ettercap, again ARP poisoning, and I still get banned.

Though I was reading some RFC regarding spoofing and whether there's any script that can detect ARP spoofing, and I almost found the underlying concept. I'll surely post it here; maybe we can get some hint from there.

Thanks for all of your support till now!

#23 rakshit

rakshit

    Gibson Hacker

  • Members
  • 98 posts

Posted 22 June 2008 - 03:36 PM

darkstar bro, thanks for that method.

But apparently, in my case, as soon as I turn on the APR button or sniff via ettercap etc., I get banned in TWO seconds.

#24 rakshit

rakshit

    Gibson Hacker

  • Members
  • 98 posts

Posted 22 June 2008 - 03:37 PM

But yeah, I have made provisions for changing my MAC every time I get banned, using a registry trick, as my NIC card doesn't allow changing my MAC from etherchange.

#25 Spyril

Spyril

    Hakker addict

  • Members
  • 588 posts
  • Location:North Dakota

Posted 22 June 2008 - 09:18 PM

So your gateway is banning your MAC, not your ISP? You should have said that. Also, please make your posts more legible; it's really annoying having...to...read...everything...like...this.

That in mind, ARP spoofing isn't an easy thing to spot, but there is some software that tries to stop ARP spoofing. If you could provide us with the models of your networking equipment, we may be able to figure out what kind of IDS they have set up. (Also, if you have admin access to this equipment you could always telnet in and use the "ps" command to see what they're running.)
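
A sketch of how a passive monitor can spot ARP poisoning by tracking IP-to-MAC bindings, the approach tools such as arpwatch take. This is an added example, not part of the thread and not the ISP's script; the sample observations, thresholds and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: (seconds, sender IP, sender MAC) as read from ARP replies.
# MACs use the 00:00:5e:00:53:xx documentation range.
SAMPLE = [
    (0.0, "172.16.0.1",  "00:00:5e:00:53:01"),  # gateway, first seen
    (0.5, "172.16.0.20", "00:00:5e:00:53:20"),
    (1.0, "172.16.0.21", "00:00:5e:00:53:21"),
    (5.0, "172.16.0.1",  "00:00:5e:00:53:99"),  # gateway IP claimed by a new MAC
    (5.1, "172.16.0.20", "00:00:5e:00:53:99"),
    (5.2, "172.16.0.21", "00:00:5e:00:53:99"),
    (9.0, "172.16.0.22", "00:00:5e:00:53:22"),  # ordinary new host, no alert
]

def detect(observations, max_ips_per_mac=2, window=10.0):
    """Return alerts as (time, kind, mac, ip) tuples.

    'binding-change': an IP already bound to one MAC is claimed by another.
    'many-ips': one MAC claims more than max_ips_per_mac IPs within `window` s.
    Both thresholds are assumed values, not taken from any real deployment.
    """
    bindings = {}               # ip -> first MAC seen for that IP
    claims = defaultdict(dict)  # mac -> {ip: time of latest claim}
    alerts = []
    for ts, ip, mac in observations:
        known = bindings.setdefault(ip, mac)
        if known != mac:
            alerts.append((ts, "binding-change", mac, ip))
        claims[mac][ip] = ts
        recent = [i for i, t in claims[mac].items() if ts - t <= window]
        if len(recent) > max_ips_per_mac:
            alerts.append((ts, "many-ips", mac, ip))
    return alerts

def flagged_macs(alerts):
    """Distinct MAC addresses that triggered at least one alert."""
    return sorted({mac for _, _, mac, _ in alerts})

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
    print("flagged:", flagged_macs(detect(SAMPLE)))
```

Binding changes also occur on legitimate DHCP lease turnover or NIC replacement, so a production monitor ages out old bindings or pins critical ones such as the gateway instead of alerting on every change.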

#26 rakshit

rakshit

    Gibson Hacker

  • Members
  • 98 posts

Posted 23 June 2008 - 06:32 AM

Well, apologies for not being legitimate in my post.

@spyril

Regarding my ISP's network equipment:


Initiating OS detection (try #1) against 172.16.0.1
SCRIPT ENGINE: Initiating script scanning.
Initiating SCRIPT ENGINE at 16:46
Completed SCRIPT ENGINE at 16:46, 1.33s elapsed
Host 172.16.0.1 appears to be up ... good.
Interesting ports on 172.16.0.1:
Not shown: 1711 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 3.5p1 (protocol 1.99)
|_ SSH Protocol Version 1: Server supports SSHv1
53/tcp open domain ISC BIND 9.2.1
8888/tcp open http thttpd 2.25b 29dec2003
|_ HTML title: Inventum - Service Selection Gateway
10000/tcp open http thttpd 2.25b 29dec2003
|_ HTML title: 401 Unauthorized
| HTTP Auth: HTTP Service requires authentication

|_ Auth type: Basic, realm = .
MAC Address: 00:1C:F0:94:B5:77 (D-Link)
Device type: VoIP phone
Running: WebVOIZE embedded
OS details: WebVOIZE 120 IP phone
Uptime: 3.424 days (since Fri Jun 20 06:35:53 2008)
Network Distance: 1 hop

This is a port scan of my ISP router, via which I connect to access the net!
I hope this is what you asked for.

#27 rakshit

rakshit

    Gibson Hacker

  • Members
  • 98 posts

Posted 23 June 2008 - 06:35 AM

I can't telnet to this router because it's filtered. If you have any method by which I can access this, please guide!

#28 mirrorshades

mirrorshades

    aviatorglasses

  • Agents of the Revolution
  • 951 posts
  • Gender:Male

Posted 24 June 2008 - 10:16 AM

At this point, we've drifted off-topic and the original poster is getting harder and harder to decipher.

Thread locked.