MAC address are similar result in similar ip address

  1. #1
    Senior Member
    Join Date
    Dec 2004
    Posts
    140

    MAC address are similar result in similar ip address

    Using "a-change MAC address V5.0", I did a test within the same LAN. I have two laptops, A and B, with a Nortel Access Point.

    These laptops get their IP addresses from the Nortel AP automatically. The IP addresses are of the form 10.70.72.x/24.

    The IP address for laptop A is 10.70.72.93/24, and its MAC is 00-91-4C-2A-2B-2C.

    The IP address for laptop B is 10.70.72.141/24, and its MAC is 01-80-4C-29-22-29.

    I changed the MAC address for laptop B to be the same as laptop A's (i.e. from 01-80-4C-29-22-29 to 00-91-4C-2A-2B-2C).

    When I changed the MAC address, the IP address for B changed to be the same as the IP address for A as well. Why? What is the concept? Is it related to the ARP protocol?

    I have not received a notification message telling me that there is a conflict in the IP addresses.

    If laptop A tries to access the net first, then laptop B can not access it.

    And if laptop B tries to access the net first, then laptop A can not access the net.

    I tried to change the IP address for one of the laptops and keep the MAC address the same for both of them, by configuring laptop A manually with any existing IP address within the same LAN (i.e. 10.70.72.141/25 has not been assigned to another PC within the LAN). The result is still the same, I can not

  2. #2
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    The MAC address has to be unique on the local network. It is the address that computers, routers, switches etc. use to communicate locally, (The IP address is not really used locally). Thus if you change the MAC address of Laptop B to match that of Laptop A the router will only send packets to the last known MAC address because it registers the MAC address to a given port on itself.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  3. #3
    Senior Member
    Join Date
    Mar 2005
    Posts
    400
    Because of what Tiger Shark said, in your scenario the result is that the IP addresses are the same due to both devices having the same MAC address.

    The router assigns unique IP addresses to devices that have unique MAC addresses and when two devices share a MAC address, then they both get a similar IP address from DHCP BUT communication is *fought* over by each device, due to each device trying to answer the data frames/ethernet packets which bear the same MAC ID/IP address.

    Believe it or not, there has been a case I've heard of where the MAC address was the same for a couple of devices right out of the factory. It wasn't easy solving that problem if you are not looking for it.
    ZT3000
    Beta tester of "0"s and "1"s"

  4. #4
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    Along with what ZT3000 and TigerShark said...

    What you've effectively done is called an arp spoof. You've taken over another machine's physical address. This attack is a layer 2 attack and you've "corrupted" the MAC tables of the switch (router, if your router has a built-in switch). You tricked the DHCP server (doesn't HAVE to be a router) into thinking you're one machine and stolen the IP address for it. (Similar to if someone gets a fake ID for identity theft.)

    Note: Historically, the router operates at layer 3 and doesn't care about physical address. Nowadays, the lines are blurring between what is a router and a switch. I have layer 3 switches (have routing functionality built in) and routers with switches built in!

    If you want to play around with some more "arp spoofing" check out tools like Cain and Abel, Ettercap and dsniff. Just make sure you do it on a test network and not a production network. I've accidentally knocked everyone off my production network when trying to sniff traffic between the gateway and a host! ooops! Don't tell anyone... I didn't.

    What I *should* have done was span the ports on the switch so I could have seen that host's traffic. However, I didn't know any better at the time. This was several years ago when I was just learning about this stuff.

    <begin phone call>

    user: Hi, everyone just seemed to get kicked off the system.
    me: <thinking> oh sh17, oh sh17!
    me: um... I'm looking into it... ah, yes. here it is. wait about a min and try again.

    <end phone call>

    I had to stop spoofing and let the switch tables update.

    Another place you're likely to see this type of attack is when you're trying to access a secured wireless access point or any switch that has MAC filtering enabled.

    At a local LUG I attend, I'm not a registered student on the campus that hosts it. So, I couldn't access their wireless network to play along with everyone else. One of the LUGGers let me "borrow" a MAC he has registered with network services for a spare wifi card he has.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  5. #5
    Senior Member
    Join Date
    Dec 2004
    Posts
    140
    The MAC address has to be unique on the local network. It is the address that computers, routers, switches etc. use to communicate locally, (The IP address is not really used locally).
    Yes you are right.
    Cisco curriculum CCNA2 V3.2 9.1.4 says:
    A data link layer address is necessary because delivery within the network is determined by the address in the Layer 2 frame header.
    and in another article, it says:
    Layer 2 switching takes place within the LAN. Layer 3 routing moves traffic between broadcast domains

    Thus if you change the MAC address of Laptop B to match that of Laptop A the router will only send packets to the last known MAC address
    By "last known MAC" here you meant laptop A, didn't you?

    because it (router) registers the MAC address to a given port on itself..
    In order to clarify my confusion: you have mentioned port number and MAC address, then you meant to say switch, not router, because:
    "A switch dynamically builds and maintains a content-addressable memory (CAM) table, which holds all of the necessary MAC information for each port". And "Router dynamically build ARP table which holds MAC address and IP address".

  6. #6
    Senior Member
    Join Date
    Dec 2004
    Posts
    140
    Believe it or not, there have been a case I've heard of where the MAC address was the same for a couple devices right out of the factory. It wasn't easy solving that problem if you are not looking for it.
    The author of these two books agrees with what you have seen:

    1- "Data Communications and Networking" by Behrouz A. Forouzan, Ed3, Chapter 20, page 512:
    A MAC address is a local address. Its jurisdiction is a local network. It should be unique locally, but not necessarily universally
    2- He mentioned in another book "TCP/IP Protocol Suite", E3, Chapter 7, Section 7.3 RARP, page 173:
    The machine can get its physical address (by reading its NIC, for example), which is unique locally.

  7. #7
    Senior Member
    Join Date
    Dec 2004
    Posts
    140
    What you've effectively done is called an arp spoof. You've taken over another machine's physical address. This attack is a layer 2 attack and you've "corrupted" the MAC tables of the switch. (router if you're router has a built in switch)
    Do you mean that if the CAM table for the switch has got two identical MAC addresses it will be corrupted?

    You tricked the DHCP server (doesn't HAVE to be a router) into thinking you're one machine and stolen the ip address for it. (Similar to if someone gets a fake id for identity theft.)
    Since I am doing this test at work, and the Nortel AP is connected to a switch (guessing, not sure), and since the CAM table for a switch is corrupted, why am I getting the same IP address if the CAM table is corrupted?

    What I *should* have done was span the ports on the switch so I could have seen that hosts traffic.
    You meant Promiscuous mode.

  8. #8
    Senior Member
    Join Date
    Mar 2004
    Posts
    557
    Hi

    Since I am doing this test at work, and the Nortel AP is connected to a switch (guessing not sure),
    and since the CAM table for a switch is corrupted; why I am getting same ip address if the CAM table
    is corrupted ?
    This has nothing to do with the switch. As phishphreek80 stated, the DHCP server thought
    that Laptop B is Laptop A and thus served Laptop A's IP number to Laptop B. The reason for
    this is that the DHCP server maintains a Lease-table: MAC address <-> IP number. Usually,
    a Lease is valid for a certain time, and thus Laptop B, which identified itself with the MAC
    address of Laptop A, got the IP number previously assigned to Laptop A.

    You meant Promiscuous mode.
    No, he did not mean Promiscuous mode per se. While it is true that a NIC in promiscuous
    mode will allow you to "sniff all packets", these packets first have to come to the NIC.
    A switch will send a packet (or rather frame since we are talking layer 2) only along the
    relevant physical line, at which end the NIC with the target MAC address is present. A
    spanning port configures the switch to behave like a hub for [a] specific port[s]. Hence,
    you effectively copy the traffic from all ports to a single port, which allows you to analyse
    all traffic even in a switched network.

    Cheers.
    If the only tool you have is a hammer, you tend to see every problem as a nail.
    (Abraham Maslow, Psychologist, 1908-70)
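
The lease-table and CAM-table behaviour described in posts #2 and #8, as an added example that is not part of the original thread: a toy Python model showing why the cloned MAC is handed laptop A's lease, and how the switch entry for that MAC moves between ports, which is the signal a defender can alert on. The class names, the port numbers, the two-address pool and the flap threshold are assumptions made for the illustration; the MAC and IP values are the ones given in post #1.

```python
from collections import defaultdict

class DhcpServer:
    """Lease table MAC -> IP, as described in post #8."""
    def __init__(self, pool):
        self.pool = list(pool)      # free addresses (constructed sample values)
        self.leases = {}

    def request(self, mac):
        mac = mac.upper()
        if mac not in self.leases:  # unknown MAC: hand out the next free address
            self.leases[mac] = self.pool.pop(0)
        return self.leases[mac]     # known MAC: the existing lease is returned

class Switch:
    """CAM table MAC -> port; the most recent source frame wins."""
    def __init__(self):
        self.cam = {}
        self.moves = defaultdict(list)   # mac -> [(old_port, new_port), ...]

    def learn(self, src_mac, port):
        mac = src_mac.upper()
        old = self.cam.get(mac)
        if old is not None and old != port:
            self.moves[mac].append((old, port))   # same MAC seen on another port
        self.cam[mac] = port

    def forward(self, dst_mac):
        return self.cam.get(dst_mac.upper())      # None would mean "flood"

    def flapping(self, threshold=2):
        """MACs that moved ports at least `threshold` times (assumed alert rule)."""
        return sorted(m for m, mv in self.moves.items() if len(mv) >= threshold)

def simulate():
    mac_a, mac_b = "00-91-4C-2A-2B-2C", "01-80-4C-29-22-29"   # from post #1
    dhcp, sw = DhcpServer(["10.70.72.93", "10.70.72.141"]), Switch()
    ip_a = dhcp.request(mac_a)
    sw.learn(mac_a, port=1)            # laptop A on hypothetical port 1
    ip_b = dhcp.request(mac_b)
    sw.learn(mac_b, port=2)            # laptop B on hypothetical port 2
    ip_b_cloned = dhcp.request(mac_a)  # B now presents A's MAC to the DHCP server
    owners = []
    for port in (2, 1, 2):             # B transmits, then A, then B again
        sw.learn(mac_a, port)
        owners.append(sw.forward(mac_a))   # port that frames for this MAC go to
    return ip_a, ip_b, ip_b_cloned, owners, sw.flapping()
```

Calling `simulate()` returns the three leases, the port that owned the MAC after each transmission, and the list of flapping MACs. Only one port holds the entry at any moment, so frames for that MAC reach whichever laptop transmitted last.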

  9. #9
    Senior Member
    Join Date
    Dec 2004
    Posts
    140
    No, he did not mean Promiscuous mode per se
    Thanks for this correction. Yes, he meant Switch Port Analyzer (SPAN), which I used to configure on a Cisco switch.

  10. #10
    Senior Member
    Join Date
    Dec 2004
    Posts
    140
    If laptop A tries to access the net first , then Laptop B can not access.

    And if laptop B tries to access the net first , then laptop A can not access the net.
    Now, since we have two laptops with the same MACs and the same IPs (we know why they have got the same IPs), if we were asked why, when one laptop accesses the internet first, the second can not, what should be the answer?
