MAC spoof concept

I have got these three PCs :

PC1 source (victim) , and PC3 Destination (Target), PC2 attacker (imporsonate idintity of PC1)


PC1 mac address is : 0000.ffff.aaaa
PC2 mac address is : 0000.ffff.bbbb
PC3 mac address is : 0000.ffff.cccc


They are connected to cisco switch 3550

The term MAC spoofing is the creation of frame with a forged (spoofed) source MAC address (our case 0000.ffff.aaaa ) with the purpose to conceal the identity of the sender (our case PC2) and impersonate the identity of PC1.

If PC2 sends traffic to PC3 (Destination) , PC2 will try to masquerades as PC1 by falsifying its MAC address to be 0000.ffff.aaaa, if this the case what would the benefit be for PC2 (attacker), if all the traffic (as a response to initiated connection from PC2) coming back from PC3 go to PC1 instead of PC2 ?

In this simple scenario I do not have DHCP server , I assigned ip address statically

I didnt completely understand what you wanted to know but ill give it a shot ;)

If PC1 was recieving all the traffic coming back from PC3, that was initiated from PC2, there would not be a huge benefit for PC2.

It could possibly cause some network performance issues with PC1, given enough incoming traffic... It could also be used to conceal the identity of PC2.

There is a lot more involved though...


:drink:

PC2 is attacker ,,,,When he sends Frame to PC3 , he tries to hide his MAC address (source) ,,,,what will he do ? , he will change his MAC address to be: 0000.ffff.aaaa, instead of 0000.ffff.bbbb, and he will use 0000.ffff.cccc as a destination's mac address ,,,,Is it ok ?

Now if PC3 responded to the traffic (with these mac address 0000.ffff.aaaa as source , and 0000.ffff.cccc as destination) coming from PC2 , he will forward the frames (0000.ffff.cccc as source , and 0000.ffff.aaaa as destinationto) PC1 not PC2,,,,,Is it ok ?

If this is the case what would the benefit be of spoofing MAC address ?

I think you maybe confusing bits of MAC spoofing and ARP spoofing/poisoning.

What is your goal?

If you wanted to hide on a network normally then you would spoof your MAC adress so when any logs are viewed nothing will immediatley lead back you your PC - however you would use a MAC that does not already exist on the network.

If you wanted to try and drop yourself into a flow of traffic to fool someone into sending data to you then you would normally try and corrupt an ARP cache on the taget machine to fool it into sending you all the data and vice versa.

You may need to give a better idea of what you want to acheive.

Quote:

---

What is your goal?

---

Quote:

---

You may need to give a better idea of what you want to acheive.

---

This is what I have read in cisco document and I tried to interpret that :

Quote:

---

MAC Spoofing Attack
MAC spoofing attacks involve the use of a known MAC address of another host to attempt to make the target switch forward frames destined for the remote host to the network attacker.
By sending a single frame with the other host's source Ethernet address,the network attacker overwrites the CAM table entry so that the switch forwards packets destined for the host to the network attacker. Until the host sends traffic it will not receive any traffic. When the host sends out traffic, the CAM table entry is rewritten once more so that it moves back to the original port.

---

Assume

Host A = Workstation

Host B = Server

Host C = Attacker

Basically the Cisco document is saying that if Host C wants to intercept the traffic that Host A is sending to Host B, then he overwrites the CAM table with his mac address.

Let's try this another way:

Wireless network that requires you login first before getting access, on an unencrypted connection:

Host A = Access Point

Host B = legitimate user

Host C = leecher

With no encryption on the wireless link, sniffing all traffic is easy. C gets B's mac address, and changes his mac address to the same as B's address. On most wireless networks, C gets B's access, and A forwards all receiving packets back to both B and C, but since only C has initiated the connections, and since B doesn't know the sequence number on C's receiving packets, nor has even initiated any connections C has (and vice versa), B drops all packets going to sockets it hasn't opened, and if the socket is opened, the bad sequence number causes the packets to get dropped anyways. Same with B's receiving packets going to C. They're all dropped. So it is very possible for both B and C to initiate normal access, both using B's mac address.

Quote:

---

Basically the Cisco document is saying that if Host C wants to intercept the traffic that Host A is sending to Host B, then he overwrites the CAM table with his mac address.

---

Ok

Quote:

---

Assume

Host A = Workstation

Host B = Server

Host C = Attacker

---

Let us look at what Cisco says :
http://www.cisco.com/en/US/netsol/ns...html#wp1002312

Supoose the switch has learned that Host A (workstation) is on port 1, Host B (server) is on port 2, and Host C (attacker) is on port 3.
Host C sends out a packet identifying itself as Host A's MAC address. This traffic causes the frame to move the location of Host A in its CAM table from port 1 to port 3. Traffic from Host B destined to Host A is now visible to Host C.

If the traffic (from B to A, source mac for B, and destination mac for A) is visible to host C, Will C accept that traffic or deny it ? because the traffic does not have the mac address of C

Quote:

---

Originally Posted by zillah

If the traffic (from B to A, source mac for B, and destination mac for A) is visible to host C, Will C accept that traffic or deny it ? because the traffic does not have the mac address of C

---

it will reject it (i mean C), but the point of this attack is that C is probably having his interface in promiscouos mode, so it sniffs traffic not intended for it.