should i sniff for macs on my subbed modem

[badboy_uk]

yes i dont really get that as well any explanation would be good thanks

[TheCoder]

Passive sniffing is where you set things up so you listen only. You simply listen to the real background messages as subscribers modems log onto the network and request lease extensions etc. This tends to be quite a slow method of data collection but is effectively untraceable.

Active scanning is where you set things up so you are sending messages, often at quite an accelerated rate. Your pinging and interrogating other peoples modems in an attempt to actively extract information from them. This system is higly visible on the network segment, a single scanner can often increase smtp message transfers by 100 fold during the scan period. This is partly why you should NEVER actively scan for more than a few minutes.

"Bruteforce" scanning would be an example of the active method. Here you are setting up to actively scan a range of IP addresses one by one in an attempt to ellicit responses to your queries. Scanning a small range (say 255 IP addresses) over few minutes is fair enough but lots of people set up to scan huge ranges often taking hours at a time. During this period you are highly visible and theres really only one reason you would be scanning.........

The keywords are really "sniff" (passive) and "scan" (active)

[/24]

A passive scan is just when dhcp sniffer is listening on the network for dhcp replys as they are sent to all nodes within the broadcast domain but targeted at a specific mac address if the modem sees a reply that isn't for it then it ignores it but when you are using dhcp sniffer it records the mac address and boot file in the dhcp reply. Any macs that are got passively need to be traded otherwise you will keep knocking the legit paying customer off. When you use brute force and give it a base mac I believe that it starts with the mac you give it and keeps incrementing it sending DHCP discover packets each time and listening for replies. Due to the amount of requests this will generate it is very obvious to vm whats going on as say there are only 3000 devices on the segment and in the past hour the cmts has seen 6000 dhcp discovers its quite obvious whats happening! Im not sure on figures there im just using that as an example. you can confirm whats happening when actively scanning by using wireshark on your pc and sniffing the packets.

@the coder

do you work for VM or something? as you seem to know alot of inside info


Edit: I was to slow the coder beet me to it. I thought bruteforcing used DHCP discovers as I saw alot of these being sent when I used the brute force option which put me off wanting to use it again

@ the coder

Is that correct?

[TheCoder]

Quote:

Originally Posted by /24

Edit: I was to slow the coder beet me to it. I thought bruteforcing used DHCP discovers as I saw alot of these being sent when I used the brute force option which put me off wanting to use it again

@ the coder

Is that correct?

Yeh, thats pretty much correct

There's actually been a couple or more of bruteforce methods used but what you say above is, I think, the later method.

Its still active scanning though, your still sending messages out and hoping to ellicit a response - its just from a VM server rather than from other customers modems.

And, no, I dont work for VM although I have previously worked in the Sat and cable industries as a consultant.

[/24]

thanks for clarifying that I only did the active scanning very briefly as when I saw what was going on in wire shark I didn't like the big red flag I was waving. Am I also right in saying that any macs that where passively scanned will need to be traded with someone from a different ubr?

[TheCoder]

If the Macs are passive scanned on your own segment, then yes, they need to be traded.

With passively scanned Macs at least you know that they are active on a particular segment and that chances are they wont move elsewhere.

Active scan macs, on the other hand, you may have no idea about (depending on how scanned - DHCP discovery is worst here). You dont know whether they are already active on your segment (but not switched on) or whether they will imminently become active (new installs - modems tend to be released in MAC batches) or whether they are active in adjacent segments. You really have no idea so potential problems for both yourself and the poor customer who is assigned the MAC !

[cockneysean]

Quote:

Originally Posted by TheCoder

Your pinging and interrogating other peoples modems in an attempt to actively extract information from them...

...a single scanner can often increase smtp message transfers by 100 fold during the scan period. This is partly why you should NEVER actively scan for more than a few minutes.

Sorry mate, I don't mean to split hairs, but don't you mean SNMP as opposed to SMTP which is a mail transfer protocol?

Also, you may be able to help me out on this one... You say the modems are being interrogated? I always was under the impression that brute forcing was sending fake packets to the CMTS to see what the response was as opposed to the modems being interrogated. IE: Brute force sniffer sends the MAC to the CMTS and then listens for the response from the CMTS whether it be a DHCP offer, or just a simple "no!".

[/24]

Quote:

Originally Posted by cockneysean

Also, you may be able to help me out on this one... You say the modems are being interrogated? I always was under the impression that brute forcing was sending fake packets to the CMTS to see what the response was as opposed to the modems being interrogated. IE: Brute force sniffer sends the MAC to the CMTS and then listens for the response from the CMTS whether it be a DHCP offer, or just a simple "no!".

brute forcing sends spoofed dhcp discover packets with different mac addresses in them starting frome the base mac and listens to the dhcp reply to see what boot file is specified if you use wireshark while running this you will see why its a bad idea to leave this going for any amount of time. There is also another program I came accross a while ago I can't remember what it was called but it was on the sbh forums which queries and interogates other modems using SNMP I didnt look to much into it though.