Results 1 to 6 of 6

Thread: MAC Address and ARP Spoofing v1.3 by stevecronin

  1. #1
    Junior Member
    Join Date
    Dec 2004

    MAC Address and ARP Spoofing v1.3 by stevecronin

    MAC Address and ARP Spoofing v1.3
    By Steve Cronin

    What's new in v1.3?
    -Revised Windows MAC Address Spoofing Section
    -Revised Format (Layout/Order)
    -Added CAM Table Info
    -Added TCPDump Info

    MAC - Media Access Control (AKA BIA - Burned In Address)

    Referenced to: OSI Model Layer Two - The Data Link Layer

    The data link later encodes and decodes transmitting packets on a network into bits. The second layer has all the protocol information that is included in the first layer. The data link layer has two sub layers, MAC (Media Access Control) and LLC (Logical Link Layer.) The MAC sublayer controls computer data transmission authentication, and the LLC sublayer controls error checking.

    MAC addresses identify each computer (node) on a network. They differ from IP addresses because IP addresses can be user assigned and maintained, while MAC addresses cannot. MAC addresses are stored (actually burned) in network cards, this is why they are also referred to as a hardware address. You cannot change your MAC address, unless you exploit your card and solder on new data. MAC addresses are presented as 48 bit hex numbers, which are assigned by the manufacturer of the card. (Total 12 digits.) The first 6 digits represent the manufacturer ID, while the last 6 digits are a serial number assigned by the manufacturer.


    MAC address - 0D602F3A07BC
    First 6 digits - 0D602F (Manufacturer ID)
    Last 6 digits - 3A07BC (Manufacturer Serial Number)

    While you cannot physically change your MAC address through your operating system, you can "spoof" the address. (Tricking the computer into sending/ storing a fake address.) There are free downloadable programs that do this for you, such as "MAC Makeup" (that come with cool features), however you can also do this through the Linux shell/ Windows registry.

    To spoof your MAC address in Linux:

    Access your shell and type:

    "ifconfig eth0 down hw ether 00:00:00:00:00:00"

    "ifconfig eth0 up"

    (00:00:00:00:00:00" being your new MAC address)

    To spoof your MAC address in Windows:

    Method 1:

    Some network cards have a "spoof MAC configuration" built in, if yours happens to have this, then use this method.

    1. Go to the Control Panel and double click on Network and Dial-up Connections.

    2. Right click on your card and click on "properties"

    3. Click on the configure button under the general tab

    4. Click on the "Advanced" tab

    5. Under the Property section, click on "Network Address" (or "Locally
    Administered Address")

    6. Under "Value", (on the right side) type in the New MAC address you want to assign to your card.

    7. Run an "ipconfig /all" or "net config rdr" to confirm the changes.

    8. Reboot

    Method 2:

    Windows 2000/XP

    1. Start the registry editor (Run - regedt32)

    2. Go to "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1
    -08002BE10318}". Double click on it to expand the tree. The subkeys are 4-digit numbers,
    which represent particular network adapters. You should see it starts with 0000, then 0001,
    0002, 0003 and so on.

    3. Find the interface you want by searching for the proper "DriverDesc" key.

    4. Edit, or add, the string key "NetworkAddress" (has the data type "REG_SZ") to contain
    the new MAC address.

    5. Disable then re-enable the network interface that you changed (or reboot the system).

    For WIN9x

    Use the Windows 2000/XP method, except go to the registry key: "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Class\Net"
    When done, you must restart.

    About ARP (Address Resolution Protocol)

    Referenced to: OSI Model Layer Three - The Network Layer

    The network layer is in charge of IP addressing and routing. Tables are built to identify addresses on switches and computers for any network related devices.

    The ARP matches and stores MAC and IP addresses for each node for Ethernet communication. When any packet is sent through a gateway, such as a router, the gateway uses ARP to identify the initial send node's MAC/ IP address and stores it in the packet header sending to the destination node. The IP/ MAC address matches for each node are stored (cached) in an ARP table. During MAC address packet transmission, the matches are stored in both client and host nodes.

    Potentially, if a mischievous wardriver were to perform malicious actions on a network, their MAC address would be stored in the ARP table (because it stores in both client and host machines) and the network admin could find the manufacturer of the wireless card you used to hack their network. The manufacturer could then match their serial ID of the MAC address and match it to a company, and then customer, it was sold to. In other words you would get owned! (This is why it's best to buy a NIC off ebay and use that for hacking.)

    If a hacker obtained control of an ARP table (physically or remotely), he could potentially change the IP to MAC address maps and use them to his advantage, such as rerouting network traffic to a computer of choice or taking down the entire network!

    Note: Pinging a computer counts as sending/ receiving packets, thus updating the ARP table for the client/ host address.
    Viewing BIAs in the ARP Table

    Linux: type "arp" at the shell
    Windows: type "arp -a" at the command prompt

    Deleting ARP Table entries (Covering your tracks!)

    Linux: type "arp -d <computer hostname>" at the shell
    Windows: type "arp -d *" at the command prompt (removes all entries)

    NOTE: Gateways also have the ability to store the MAC Address/ IP Address linkup. If you did not spoof your MAC Address, even if you clear the ARP table entries, there are still records of your MAC Address. Gateways, such as a switch, store these IP/ MAC linkups in what is called a CAM (Content Addressable Memory) table. These CAM tables look at each device that is connected to the switch. A switch is different than a hub because each port creates a collision domain, like it's own network. The same "learning process" makes CAM tables as ARP tables. Normally, whenever a computer is rebooted, it's ARP table is cleared. Whenever a switch is rebooted, it's CAM table is cleared.

    Adding Static ARP entries

    Linux: type "arp -s <IP> <MAC>" at the shell
    Windows: type "arp -s <IP> <MAC>" at the command prompt

    Example: "arp -s 00-00-00-00-00-00"

    ARP Attacks using Linux

    Download the program "arpspoof"

    The goal of an ARP attack is to capture, monitor, and/or change data flow on a network.

    To start off, you'll need two NICs in your machine. On one card you will connect to the target machine, and on the other card you will connect to the gateway. IP fowarding needs to be enabled on your computer so traffic flows through your computer. To do this, type the following into the Linux shell:

    "echo 1 > /proc/sys/net/ipv4/ip_forward"

    then type

    "cat /proc/sys/net/ipv4/ip_forward"

    You should get a reply of "1".

    When you connect to the gateway on a network, for purposes such as connecting to the internet, your computer sends an ARP request to the target gateway requesting a MAC/ IP address pair up. The switch sees your request and broadcasts it to every single computer already on the network. The gateway receives your ARP request (from the switch) and replies with a MAC address. The gateway updates the MAC/ IP pair up within the ARP table for your computer within it's internal ARP table. The switch then receives the gateway's reply to your computer, and matches up your computer with a port number on the switch. Your computer receives the gateway's reply (containing the new ARP information) and updates its ARP table. Your computer can now send information to the gateway with its verified MAC address.

    ARP spoofing involves tricking the gateway and target computer on the network to reroute all data to your machine, this is done by running two sessions of "arpspoof" on your computer. With the first session you're going to trick the target computer into thinking that your computer has the MAC address of the gateway. With the second session you're going to trick the actual gateway into thinking that your computer is the target computer. This way, all data going in-between the gateway and target computer will be rerouted to pass through your machine.

    Note: If you did not enable IP forwarding, the target computer will lose connectivity.

    The arpspoof sessions might look something like this:

    "arpspoof -t <victim gateway>" (Changes your MAC Address to match that of the gateway, thus updating the ARP table fooling the victim computer will think that you are the gateway.)

    In another session (different NIC)

    "arpspoof -t <gateway victim>" (Changes your MAC Address to match that of the victim computer, thus updating the ARP table fooling the gateway into thinking that you are the victim computer.)

    Now you are able to see all the traffic going on between that computer and the gateway on the network. There are many ways to do this, (ex. Using 3rd party programs) but the simplest would be to do a tcpdump. Performing a tcpdump will pring out all currently passing data on your screen. There many different switches that can be used to define various parameters of the program. However a basic tcpdump session would look like this:

    "tcpdump <victim computer>"

    Preventing ARP Attacks

    1. Download "arpwatch" (Monitors ARP/ IP address matching and lets you know when changes are made)
    2. Encrypt all data transmission on your network. (Using methods such as WEP or WPA)

    That is all! Hope you enjoyed!

    Last edited by stevecronin; December 24th, 2007 at 09:49 AM.

  2. #2
    Junior Member
    Join Date
    Dec 2004
    nice work.... clear and easy undestanding tutorial.......
    looking forward to see more like spoof IP address or other identity......
    keep it up.... ^_^
    --=|2 be da happy children 0f da Mother Nature, 2 be da Best among da Best!|=--

    Any Sufficiently AdvanceD TechnologG is InDistinguishable from MagiC. - Arthur C. Clarke

  3. #3
    Senior Member
    Join Date
    Oct 2002
    A couple of corrections...

    It is possible to do this with only one NIC. The difficulty lies in sending the appropriate ARP replies to the appropriate hosts. A basic "change my mac address" will work only with two cards. The victim machines may still be responding to ARP requests, which presents other problems. If the victims react to unsolicited ARP replies, and theirs gets to the other victim last, you're out of luck. A more effective way is to simply send an unsolicited ARP reply to the victims. Most will simply update their tables. These packets can then be resent at regular intervals to prvent the table from defaulting back to its original state. Now if the victims do *not* respond to unsolicited ARP replies, the whole thing gets turned around. Now you've got to be the first one to send the reply to the victim, after waiting for a request. This can sometimes be tricky depending on network architecture and layout. Your attack may also be intermittent if the correct replies (i.e, not yours) get to the victims from time to time.

    Also, tcpdump will by default only capture the first 96 bytes of packets it sees, which is enough for TCP header information. To tell tcpdump to capture the entire packets, specify the -S 0 option on the command line. This will set the snaplength (normaly the number of bytes per packet to capture) to 0, which tcpdump interprets as "capture the whole thing".

    Otherwise, it was a very good tutorial.
    Government is like fire - a handy servant, but a dangerous master - George Washington
    Government is not reason, it is not eloquence - it is force. - George Washington.

    Join the UnError community!

  4. #4
    Junior Member
    Join Date
    Dec 2004
    hey thanks angus, i tried to make it as clear as possible to understand. also i tried to give as much background information and explain exactly how everything works, instead of a "hey here's how to hack this but you won't know why" kind of approach.

    Striek, always love it when people add to my work! thanks!

  5. #5
    Join Date
    Oct 2002
    The manufacturer could then match their serial ID of the MAC address and match it to a company, and then customer, it was sold to.
    How is this possible? When you purchase a nic card you dont register it with the company. The only way i can think that they can trace it back to you is when you install it and it asks you to register it. Even then i'm not sure if it sends the mac address in, because you dont always have to register online, you can send in a post card.

    Please correct me if i'm wrong.


  6. #6
    Senior Member
    Join Date
    Apr 2004
    But the company has it registered who THEY sold their product to, the company that sold it to the customer may be required by their own policies to keep records of such transactions, and hence may be able to trace a CCN or check used to buy the NIC card.
    [H]ard|OCP <--Best hardware/gaming news out there--| <--Gamers will love this one --|
    Light a man a fire and you\'ll keep him warm for a day, Light a man ON fire and you\'ll keep him warm the rest of his life.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts