Breaking into the D-Link admin with mac/ip spoofing :(

In case it ever becomes useful to anyone for any reason, the admin interface of a D-Link 655 (and likely other dlinks) uses a host’s MAC/IP address to keep authentication.

This means, if someone logs in to a D-Link router you can spoof their ip/mac address to gain access to the admin without a username/password.

I noticed the D-link admin interface wasn’t setting any form of session cookies to keep track of me being logged in, and realized they had to be keeping track of authentication this way. I tested it on two of my laptops on the local network and low and behold, easy access to the admin.