Sign in to follow this  
Followers 0
rakshit

How to avoid the spoof detection script employed by my isp

26 posts in this topic

Hi Guys

for the past two weeks i was sniffing my ethernet lan ... switch connection................

using Cain... in windows.......... and ettercap and dsniff using........ linux.........

Now my ISP .. has employed a spoof detection script ... which wud bann a mac address which is......spoofing......... I wanna know... first of all .. what is this script .. secondly how to by pass this restriction............... i tried using arpspoofing two mac .. one my routers one clients.... and also switched fargrouting on...... my isp was able to block my mac.

then i used using cain.. spoofing still no respite..

Regards

Rakshit

0

Share this post


Link to post
Share on other sites

Are you on a cable modem?? I know that if I change my mac address on my router I have to cycle the cable modem.

Edited by PurpleJesus
0

Share this post


Link to post
Share on other sites

This post makes me want to stab myself for every time i ever used more then one period in a row. That being said, if you think your mac address has been blocked, change it.

EDIT: Also it is really not a good idea to piss off the admins at your ISP. Remember that they can sniff all of your internet traffic, and chances are that their boss is too busy to care.

Edited by Lord Wud
0

Share this post


Link to post
Share on other sites

yeah its cable modem....................... I wanna continuing spoofing , that im not able to .. bcz when i start my spoofing program.. it bans my mac address how do i pass this restriction so that i continue spoofing and sniffing

reg

raks

0

Share this post


Link to post
Share on other sites
yeah its cable modem....................... I wanna continuing spoofing , that im not able to .. bcz when i start my spoofing program.. it bans my mac address how do i pass this restriction so that i continue spoofing and sniffing

reg

raks

If you're plugged straight into the cable modem, try cycling the power to the modem after you change your mac. If you're hooked up to a router it shouldn't matter unless you're spoofing the router's mac.

Either way, it won't help much; the IP still tracks back to your terminal address/modem.

0

Share this post


Link to post
Share on other sites

why do you post like such an asshole .................................................................

?

0

Share this post


Link to post
Share on other sites

Mind ur language Mr.

Secondly..... what asshole... features u find in this post! :huh:

do give ur insight??

0

Share this post


Link to post
Share on other sites
Secondly..... what asshole... features u find in this post! :huh:

Just a guess, but how about ............................................................................? Maybe? haha

0

Share this post


Link to post
Share on other sites
Mind ur language Mr.

Secondly..... what asshole... features u find in this post! :huh:

do give ur insight??

Isn't it obvious? maybe I am just delusional...

0

Share this post


Link to post
Share on other sites

may be dumb heads like u find this post.............. unsual lol.............

u need to expeirence....... to write something!

if u know the answer very well .. if u dont.. then please shut ur freakin mouth...

0

Share this post


Link to post
Share on other sites

@vector

No dude... it is a real script that bans a mac address found spoofing , i tried with some other mac and my connection was working as b4.

the only thing i cant do is arp sniffing... in my lan or else my mac is banner....... either i spoof or i dont.

0

Share this post


Link to post
Share on other sites

Write a script yourself to change your MAC address everytime it gets blocked.

0

Share this post


Link to post
Share on other sites

Generally EVERY TIME you change the MAC address you MUST POWER CYCLE THE MODEM.

I would read with care the MAC registry and rules and make sure the MAC you are using is 100% "valid" and of course powercycle the modem before you draw any conclusions.

Why would the ISP care if you spoofed the CM side IP of your device, anyways? I really think you just aren't powercycling.

0

Share this post


Link to post
Share on other sites

I have been sniffing the whole lan conn. by poisoning other clients mac address using cain.

My ISP .. have put up a script.. , where if u even spoof a mac address.. ur mac will be banned. and i have to configure some other mac to work it again.

@thenotwist

Nice idea... but .. can u tell me .. how to make this script in linux and windows (sorry sounding very noobe).

0

Share this post


Link to post
Share on other sites

@ thenotwist

Making a script for changing my mac everytime i connect d internet .. on linux .. by creating a shell script.. is easy

But how wud i do this in winxp.. (im really noob in here)

could u guide me how to go abt it .

thanks

0

Share this post


Link to post
Share on other sites
I have been sniffing the whole lan conn. by poisoning other clients mac address using cain.

My ISP .. have put up a script.. , where if u even spoof a mac address.. ur mac will be banned. and i have to configure some other mac to work it again.

So your ISPs script detects if you changed the MAC address without powercycling the modem? Please explain how you think the ISP can detect your are spoofing your MAC?

And if you don't mind saying, who is the ISP?

0

Share this post


Link to post
Share on other sites

Ummmm I don't think you can change your MAC from within Windows, you'd need some 3rd-party software for that I guess. Unfortunately I don't know of any off the tip of my hat... Just google for some, I'm sure you'll get plenty of hits or maybe someone on the forums here can throw in a link.

I know some programs that can change your MAC in WIndows, but they're GUI and to execute them from within a batch script (that's like the equivalent of a linux shell script) they'd have to be command line based.

You could compile a list of valid MAC addresses an put them in a text file and everytime pass a different one as argument.

0

Share this post


Link to post
Share on other sites

Maybe I haven't read this thread carefully enough, but what the hell are you talking about? How would your ISP's servers on the internet detect a MAC spoof on a laptop from within an internal network? Tons of random MAC addresses come and go as they connect and disconnect from an access point, so what's so special about your computer's spoofed MAC address?

0

Share this post


Link to post
Share on other sites

Well i was having same problem some months ago but thinking for some time i got an idea how to bypass it any way here is method.

1)Download Netscan (google It)

2)Open Netscan then press ctrl+o in additional tab check "Resolve Mac Address"

3)Then Click ok . In ip range type first three part of ip eg if ur ip address is 10.10.20.100 you will type 10.10.20.0 then in the to box type again 10.10.20.255

4)Click on scan.It will start scanning from their select an mac address

5) Download etterchange from this site http://ntsecurity.nu/toolbox/etherchange/ and change your mac address

6)Start Sniffing when mac address get's ban use another mac address from the list

You can detect sniffing through ettercap using one of it's plugin.

Hope it helps!!

0

Share this post


Link to post
Share on other sites

@ spyril and Vector. I was sniffing the whole lan connection

in my ethernet lan

there r two vlans

172.16.0.1-255 && 172.16.1.1-255

i was doing APR ARP Poison Routing

and poisoning their mac address so that the data gets redirected at my mac rather than to its default gateway.

Now.. its obvious ... bcz ... once i apr the whole (remember not 1 but the whole) lan.......... internet becomes.. very weak........ for the clients to surf.

and that very day ... i was caught.........! since that very day , even if i sniff two conn. my gateway bans my mac.. i had a word with my ISP guys they said .. they have put in a script .. which when detected spoofing wud bann that very mac.

Now guys above is the scenario i hope this is clear.

Now i wanna ask u expert guys.. firstly how r they detecting whether im spoofing or not secondly .. are they just bluffing and keeping a close look at my mac .

I used cain.. while sniffing .. even i sniff two conn my mac gets bann in winxp

i used arpspoofing , fragrouting and ettercap again arp poisoning .. and stil i gets banned

though i was reading some RFC regarding spoofing and if theres any script that can detects arp spoofing.. and i almost found that underlining concept.. ill surely post it here.. may be we can get some hint from their.

Thanks

for all of ur support till now!

0

Share this post


Link to post
Share on other sites

darkstar bro... thanks for that method

but apparently .. in my case... as soon as i on the apr button ... or sniff via ettercap etc.. i get banned in TWO seconds.

0

Share this post


Link to post
Share on other sites

But yeah ........ i have made provisions................ on changing my mac everytime.. i get banned using registry trick... as my NIC card doesnt allow changing my mac from etherchange,

0

Share this post


Link to post
Share on other sites

So your gateway is banning your MAC, not your ISP? You should have said that. Also, please make your posts more legible; it's really annoying having...to...read...everything...like...this.

That in mind, ARP spoofing isn't an easy thing to spot, but there is some software that tries to stop ARP spoofing If you could provide us with the models of your networking equipment, we may be able to figure out what kind of IDS they have set up. (Also if you have admin access to this equipment you could always telnet in and use the "ps" command to see what they're running)

0

Share this post


Link to post
Share on other sites

well .. appologies... for not being legitimate .. in my post.

@spyril

Regarding My Isp' s network equipment

Initiating OS detection (try #1) against 172.16.0.1

SCRIPT ENGINE: Initiating script scanning.

Initiating SCRIPT ENGINE at 16:46

Completed SCRIPT ENGINE at 16:46, 1.33s elapsed

Host 172.16.0.1 appears to be up ... good.

Interesting ports on 172.16.0.1:

Not shown: 1711 closed ports

PORT STATE SERVICE VERSION

22/tcp open ssh OpenSSH 3.5p1 (protocol 1.99)

|_ SSH Protocol Version 1: Server supports SSHv1

53/tcp open domain ISC BIND 9.2.1

8888/tcp open http thttpd 2.25b 29dec2003

|_ HTML title: Inventum - Service Selection Gateway

10000/tcp open http thttpd 2.25b 29dec2003

|_ HTML title: 401 Unauthorized

| HTTP Auth: HTTP Service requires authentication

|_ Auth type: Basic, realm = .

MAC Address: 00:1C:F0:94:B5:77 (D-Link)

Device type: VoIP phone

Running: WebVOIZE embedded

OS details: WebVOIZE 120 IP phone

Uptime: 3.424 days (since Fri Jun 20 06:35:53 2008)

Network Distance: 1 hop

This is a port scan of my isp router! via which i connect to access the net!

I hope this wht u asked for.......

0

Share this post


Link to post
Share on other sites

i cant telnet......... this router caz its filtered............ , if u have any method i can access this .... pls guide!!!

0

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.
Sign in to follow this  
Followers 0