Question on being traced by your local ip.

[gandalf]

Hey everyone,

so i always had this thought, but i could never get a solid answer. My question is...say you were running a pentest on an access point that you were connected to. In order to protect yourself you spoof your mac. What about the internal ip that you were assigned by the router? Can you be traced by that? If yes, is there any way around that to stay protected on a lan? I always thought that your mac is an identifying factor when on a lan, but if you spoof it, you protect yourself. Any input is appreciated. Thank you!

[digininja]

Depends what you mean by being traced, what are you trying to defend against?

[digip]

MAC address is a layer 2 protocol, meaning and applies to the physical NIC's identifier. If you were say, on a corporate lan and attached to a switch(which some of security per port), even spoofed, most likely they could find where you are(if wired) if plugged into the network. If wireless, it's a bit harder and most likely not something most office techs will know what to do with, but law enforcement and other security professional would probably have some sort of wireless tools for triangulating where you are or at least the vicinity, but which they would then scour the area they beleive you to be in and work from there.

Here is the thing. If on a "pentest" as you put it, you more than likely have permission to use the network, and as such, probably signed an NDA and other contractual agreement to enter their network, premises, etc. The need to hide yourself, unless something specific in scope is part of your contract, would probably NOT be something you have to worry about, and if you did, you're probably breaking the law and not on a real penetration test.

[gandalf]

Digininja and digip, thank you for the quick replies. This is all completely hypothetical. Just for the sake of educating myself. For example, im sure you remember not long ago the webrtc leak issue with VPNs? From what i understand that leaked your local ip. So why exactly would that be an issue when a local ip couldnt be plugged into an ip tracker and get an approximate location? Basically what i am trying to do is understand what exactly the dangers would be to letting your local Ip be known, whether that be an acciental leak or not. Thanks again

[digip]

There are a few things to understand. LAN Ip and WAN Ip. LAN IP's are local to your internal network, WAN IP, is your external, Internet facing IP address, which can be traced back to you through your ISP, not to mention, if anything is exposed on the edge of your network. A change of the MAC address only spoofs your hardware ID on the local network, which you would probably want to do over wifi since wired, someone can trace the port back to the device on the network from the switch/router in use. Home networks, you're not really helping with anything other than possibly bypassing MAC address filtering on an access point, while at a hotspot, it helps sort of keep your identity a bit off radar since once you reboot(if using a random mac change, vs preserved settings) your mac will go back to the default hardware ID. IP addresses are part of your lease, which is also tied to the MAC address for the duration of the lease and renews until the MAC is no longer seen unless port security is on for things like sticky bits, which if you connect, disconnect, then reconnect with a second MAC on the same switched port, it will lock you out.

Pentesting needs and privacy for surfing needs are two different things though. Attacking a network and trying to stay off radar requires a whole host of steps to take for which most of which will still lead back to you if you're in one place long enough. Random guy on the internet who constantly spoofs his location and hardware, while not bringing attention oneself, probably doesn;t have to worry so long as you're not logging in as your normal self or communicating with the outside world, strictly in surf mode from some location other than home and off the grid so to speak.