We Need To Be Protect From MAC Hacking!!

Posted: Sun Nov 14, 2010 6:43 am
by alfrqan
Hi guys

I am suffering from getting hacked because I am using a hotspot, and the fuckers change their MAC address to the MAC address of a client who is active, so they get connected without a user or password!!
It is strange that MikroTik cannot protect us from these bad people!!
Please guide us!!!

Re: We Need To Be Protect From MAC Hacking!!

Posted: Sun Nov 14, 2010 7:03 am
by Docteh
Whose MAC address are they spoofing? Yours? Your post is a tad sparse on details :(

Re: We Need To Be Protect From MAC Hacking!!

Posted: Sun Nov 14, 2010 3:01 pm
by mahnet
Yes, this is possible: with some utilities users come to know about the MAC/IP addresses in the network.
They then use those IP and MAC in their PCs and sometimes can use the internet without renewing their account. We bind user IP and MAC both, and to some extent it helps.

Re: We Need To Be Protect From MAC Hacking!!

Posted: Sun Nov 14, 2010 5:24 pm
by Feklar
This has come up multiple times in this forum, run a search and you would have gotten the answer.

It basically comes down to this: it's completely up to you to set up the needed security on the LAN of the network in order to protect yourself from this. It doesn't matter what kind of router you use, and it doesn't matter that you are using the hotspot; any router will do the same thing. When an end user changes their MAC and IP, the router does what a router will do: it is replying to a completely legitimate request from a "known" IP and MAC, and it routes the traffic accordingly. The switches and access points relay that information according to their latest MAC address tables; it provides poor quality of service, but both end users are able to get online.

So to set up the needed security on your end, purchase managed switches that will do VLANs and port isolation. Invest in good access points that will do client isolation. Then use these features to prevent guests from talking to each other over the network. Client isolation on the access points will prevent people from talking to each other over the access point itself. Port isolation or setting up the proper VLANs on the switches will prevent clients from talking to each other over the switch. If you haven't bothered to invest in the right kind of hardware to run your network properly then you are stuck, either plan on investing in the network to get it running right or just live with this reality.

No matter what you set up on the LAN, however, due to the nature of wireless, since all traffic is being broadcast, anyone that is in range can pick up on this traffic and listen in on it. You can mitigate this by enabling WPA on your access points to encrypt everything, but since this is a hotspot it is very rarely cost effective to do so. The more complicated you make a network to connect to, the more 'secure' it is, but your support costs will go up and fewer people will be happy about the service; then all of a sudden you are losing more money dealing with support and unhappy guests than if you just lived with the ones that steal access that way.

Re: We Need To Be Protect From MAC Hacking!!

Posted: Mon Nov 15, 2010 11:55 pm
by algerdasl
Use 802.1X and RADIUS.

Re: We Need To Be Protect From MAC Hacking!!

Posted: Tue Dec 14, 2010 7:32 am
by namo
Does this help? How?
> I'm sure your problem is from your bad configuration of the hotspot. If you can, send the configuration by
> /ip hotspot export
> /ip dhcp-server export
> /ip firewall nat export
> and send it.
>
> Your problem happens when you use the same IP for DHCP and Hotspot.
> The scanner software hacks the physical layer of the network ((MAC)) and gets the DHCP IP from your server, which allows these IPs to connect to your internet.
>
> To remove this you must configure a temporary DHCP network that allows all users to connect to your hotspot, and configure the hotspot with a different IP. For example:
>
> 1- DHCP server works on 192.168.0.1/24 on the hotspot interface
> 2- make a hotspot server work with 10.200.10.1/24
> 3- allow the hotspot IPs to access your internet from the firewall by
> ip firewall nat add chain=srcnat src-address=10.200.10.0/24 action=masq... out-interface=((yourWAN))
> and tell me what happens with you, and if anyone tells you the JAVA hotspot is not secure, tell him he did not use the right configuration.
>
> regards
What is the difference between the real user who has an IP from DHCP and the hotspot hacker?

Note: I didn't get this method to work. Nothing seems different when I make the hotspot pool different from that of DHCP. After login the IP returns to the DHCP pool.

Re: We Need To Be Protect From MAC Hacking!!

Posted: Tue Dec 14, 2010 5:25 pm
by Feklar
I'm 99% sure that isn't going to do anything to resolve this issue for you. If the end user copies the MAC and IP, the router has absolutely no way of knowing that there are two end users with the same MAC/IP. If it is able to tell that, how is it supposed to know which one is the legitimate user and which one is the fake one? The answer is it can't; all it knows is it has received a packet from an end user with the MAC/IP, and it will route that traffic like a router will. It is a completely legitimate request and expected behavior for a router to do this.

As has been said multiple times before, and as will continue to be the only answer to this: it is for you, the service provider, to set up the needed protection and security at the edge of the network. This means managed switches with port isolation and VLANs. This means access points with layer two isolation. The goal is to prevent people from seeing each other and "talking" to each other over the layer 2 network itself. No router can ever do this for you; it is a layer 3 hop, and it must be stopped at the edge of the network. If you don't have this set up on the switches/access points, by the time it reaches the router it is far too late. This traffic is transmitted over layer 2; it never needs to touch or see the router for this to work, because the switches/access points switch the traffic, and they do this automatically like they are supposed to by default. If you want to prevent this, you need to invest in the hardware required to prevent it; there is no other answer.

Re: We Need To Be Protect From MAC Hacking!!

Posted: Wed Dec 15, 2010 4:41 am
by namo
In case the MAC hacker only changes the MAC address and gets an IP from DHCP which is the same as the legitimate user's: I notice that in the DHCP leases, the active host name changes from the legitimate user's PC name to the hacker's PC name. Can't we use this fact and block this host name, and tell any other legitimate user that might use that PC name to change theirs? This will block a large portion of beginner hotspot hackers. What worries most providers is that even a normal Windows user, not a pro, can hack a hotspot easily by changing the MAC address and scanning for MACs with an easy program.
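As an added example (not code from this thread or from RouterOS), a small Python script that turns the observation above into a detection: it walks a set of DHCP lease events and flags a MAC whose host-name keeps bouncing between two values, which is what two machines renewing the same MAC/IP lease look like. The lease records are constructed sample data in a simplified (time, MAC, IP, host-name) form; the signal only says that a clash happened, not which client is legitimate, and a client can present any host-name it likes, so it is an alert for the operator, not a control.

```python
from collections import defaultdict

# Constructed sample of DHCP lease events (time, MAC, IP, client host-name).
# A second machine that copied 00:11:22:33:44:55 shows up as "LAB-DESKTOP"
# while the real "ALICE-LAPTOP" keeps renewing the same lease.
SAMPLE_LEASES = [
    ("10:00", "00:11:22:33:44:55", "192.168.0.20", "ALICE-LAPTOP"),
    ("10:05", "00:11:22:33:44:66", "192.168.0.21", "BOB-PC"),
    ("10:30", "00:11:22:33:44:55", "192.168.0.20", "ALICE-LAPTOP"),
    ("10:42", "00:11:22:33:44:55", "192.168.0.20", "LAB-DESKTOP"),
    ("10:50", "00:11:22:33:44:55", "192.168.0.20", "ALICE-LAPTOP"),
    ("11:00", "00:11:22:33:44:66", "192.168.0.21", "BOB-PC"),
]


def host_name_changes(leases):
    """Return a list of (time, mac, ip, old_host, new_host) for every lease
    event where a MAC's host-name differs from the one last seen for it.
    Plain renewals with an unchanged host-name produce nothing."""
    last_host = {}
    changes = []
    for when, mac, ip, host in leases:
        mac = mac.lower()          # normalise case so AA:BB and aa:bb match
        prev = last_host.get(mac)
        if prev is not None and prev != host:
            changes.append((when, mac, ip, prev, host))
        last_host[mac] = host
    return changes


def flapping_macs(leases, min_changes=2):
    """MACs whose host-name changed at least min_changes times. A single
    change can be a user renaming a PC; repeated back-and-forth changes on
    one lease are the 'two machines, one MAC/IP' pattern worth alerting on."""
    count = defaultdict(int)
    for _when, mac, _ip, _old, _new in host_name_changes(leases):
        count[mac] += 1
    return sorted(mac for mac, n in count.items() if n >= min_changes)


if __name__ == "__main__":
    for when, mac, ip, old, new in host_name_changes(SAMPLE_LEASES):
        print(f"{when} {mac} {ip}: host-name changed {old} -> {new}")
    print("flapping:", flapping_macs(SAMPLE_LEASES))
```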

Re: We Need To Be Protect From MAC Hacking!!

Posted: Wed Dec 15, 2010 5:11 pm
by Feklar
The host name is not part of layer 2 or layer 3 really, and is definitely not sent along with every packet, so the router has no way of comparing two packets with the same src-address and MAC address and seeing which one has a different host name. With what you are thinking there, the absolute best that a router would be able to do, if it is at all possible, is to block both end users, not just the one stealing access. Then all the other user would have to do is change his MAC and IP yet again to get around that. This also provides absolutely no protection for other end users on the system as well, as the guest that is stealing access still has full access to the layer 2 network and can continue to try different combinations, or even try to hack other end users.

What you are asking is for a device that is NOT at the edge of the network and has NO control over the edge of the network, to stop stuff from happening at the edge of the network. All the router does is route traffic; it has absolutely no control over other devices on the network to control what they are doing, let alone what end users do. This is not possible, never has been, and never will be. That's why the answer has been and will always be to invest in the proper hardware that is capable of doing this. If you care about the end users or care about people stealing access, then you must spend the money on an infrastructure to support your goals. If you are not willing to do this then your ONLY other option is to live with the reality of end users stealing access and providing horrible quality of service to other end users when they do.

Re: We Need To Be Protect From MAC Hacking!!

Posted: Sun Dec 19, 2010 2:52 pm
by namo
Is SwOS enough as a managed switch to have security protection from MAC spoofing? Is MikroTik planning to make larger switches (more than 10 ports)?

Re: We Need To Be Protect From MAC Hacking!!

Posted: Sun Dec 19, 2010 6:53 pm
by fewi
No, SwOS will not work.

Re: We Need To Be Protect From MAC Hacking!!

Posted: Mon Dec 20, 2010 9:48 am
by namo
> No, SwOS will not work.
SwOS has VLANs, so what is the feature that a managed switch has and SwOS hasn't?

Re: We Need To Be Protect From MAC Hacking!!

Posted: Mon Dec 20, 2010 4:02 pm
by fewi
Layer 2 security features such as DHCP and ARP inspection, and private VLANs. You're not looking for any managed switch.

You'd also need books or classes to learn those features since they need to be configured, and need to be configured correctly and appropriately for your specific network design.

Re: We Need To Be Protect From MAC Hacking!!

Posted: Tue Dec 21, 2010 6:32 am
by namo
It looks like switches that have these features are expensive. I tried to look for a used one but I only found new ones (Netgear ProSafe FSM726-300NAS Ethernet Switch 26 Port costs around $350 on eBay).

I read about VLANs before and I found this on the Cisco site about Dynamic ARP inspection (http://www.cisco.com/en/US/docs/switche ... #wp1039285)

For me, those costs might not be worth it now, but I might think about it when I enlarge my network in the summer.

Re: We Need To Be Protect From MAC Hacking!!

Posted: Tue Apr 05, 2011 11:27 pm
by IMAELMoftary
Hi!
I'm a new user of MikroTik, and I have the same problem.
I think the MAC address is not unique; it can change easily.
So, is there any way that we can make a relation between the MikroTik and the client processor ID??
My scenario is this:
1- the login page in the hotspot must contain a block of code that reads the client processor ID and stores it in a table like this (client IP, client MAC, client processor ID), call it for example the client table, and integrate it with the user options '/ip/hotspot/users' in order to modify it if needed
2- the firewall checks every packet against its client table; if there is any difference, drop the packet
3- create a new page called "intruder page" that appears only for the hacker, describing why they were disconnected
4- create a "black list" containing the processor IDs of the hackers; always check this list to track hackers.
Is it possible????
Thanks a lot...

Re: We Need To Be Protect From MAC Hacking!!

Posted: Wed Apr 06, 2011 1:26 am
by Feklar
> Hi!
> I'm a new user of MikroTik, and I have the same problem.
> I think the MAC address is not unique; it can change easily.
> So, is there any way that we can make a relation between the MikroTik and the client processor ID??
> My scenario is this:
> 1- the login page in the hotspot must contain a block of code that reads the client processor ID and stores it in a table like this (client IP, client MAC, client processor ID), call it for example the client table, and integrate it with the user options '/ip/hotspot/users' in order to modify it if needed
> 2- the firewall checks every packet against its client table; if there is any difference, drop the packet
> 3- create a new page called "intruder page" that appears only for the hacker, describing why they were disconnected
> 4- create a "black list" containing the processor IDs of the hackers; always check this list to track hackers.
> Is it possible????
> Thanks a lot...
No, read the rest of the thread; it clearly states the solution. Not possible to do on the router; this is something you need to handle at the edge of the network, usually by preventing client machines from "talking" to each other or seeing others on the network. Nothing along the lines of "client processor id" is passed when a client sends a packet.

Re: We Need To Be Protect From MAC Hacking!!

Posted: Wed Apr 06, 2011 2:05 am
by IMAELMoftary
> No, read the rest of the thread; it clearly states the solution. Not possible to do on the router; this is something you need to handle at the edge of the network, usually by preventing client machines from "talking" to each other or seeing others on the network. Nothing along the lines of "client processor id" is passed when a client sends a packet.
I read the thread, but I want the solution by software, not hardware. Could it be?

Re: We Need To Be Protect From MAC Hacking!!

Posted: Wed Apr 06, 2011 7:49 am
by Sanity
> Hi!
> I'm a new user of MikroTik, and I have the same problem.
> I think the MAC address is not unique; it can change easily.
> So, is there any way that we can make a relation between the MikroTik and the client processor ID??
> My scenario is this:
> 1- the login page in the hotspot must contain a block of code that reads the client processor ID and stores it in a table like this (client IP, client MAC, client processor ID), call it for example the client table, and integrate it with the user options '/ip/hotspot/users' in order to modify it if needed
> 2- the firewall checks every packet against its client table; if there is any difference, drop the packet
> 3- create a new page called "intruder page" that appears only for the hacker, describing why they were disconnected
> 4- create a "black list" containing the processor IDs of the hackers; always check this list to track hackers.
> Is it possible????
> Thanks a lot...
Yes, this is a great idea. Start implementing it.

First thing to do: change security on all web browsers so that the hotspot webpage can actually access security and identity relevant information like client MAC, client processor ID etc. Start talking to the major vendors here.
Second thing to do: change the IP protocol to actually embed information about client MAC and client processor ID in every packet. Obviously the people were not smart enough to foresee that - not even in IPv6 - so you need to talk to them and all the vendors implementing IP stacks to implement that. Naturally there will be a small performance drop (double packet size for stuff like VoIP) but then who cares.

Reality check: do use approaches already there.

Reality check: 350 USD for a larger securing switch is not "expensive", it is cheap. It is less than the price of a decent high end network card for servers. No, you can not get most higher end equipment for pennies.

Get decent switches and access points. This needs, as has been repeatedly said, to be stopped at the network edge. Not by funny ramblings about how you should collect processor id etc. which simply are so out of reality it is not even funny.

And somewhere on the way, as has also been suggested, consider reading a book or two on the subject.

Re: We Need To Be Protect From MAC Hacking!!

Posted: Wed Apr 06, 2011 4:30 pm
by uldis
For Ethernet hotspot devices, try to use a managed switch and use a VLAN, for example, for each port, and do not allow communication between the ports.
For wireless networks you can use management-frame protection if you have MikroTik clients:
http://wiki.mikrotik.com/wiki/Manual:In ... protection

If you have suggestions that we might need to add in the RouterOS, you are welcome to suggest.

Re: We Need To Be Protect From MAC Hacking!!

Posted: Tue Nov 08, 2011 2:14 pm
by IMAELMoftary
After installing Mozilla Firefox 8, the program asked to send reports about memory usage and CPU performance.
If this can be done with Firefox, it could be done by the MikroTik hotspot.

We Need To Be Protect From MAC Hacking!!

Posted: Tue Nov 08, 2011 2:30 pm
by fewi
Errr, no.