MAC spoof concept

Thread: MAC spoof concept

  1. #1
    Senior Member
    Join Date
    Dec 2004
    Posts
    138

    MAC spoof concept

    I have got these three PCs:

    PC1 source (victim), PC3 destination (target), and PC2 attacker (impersonates the identity of PC1)


    PC1 mac address is : 0000.ffff.aaaa
    PC2 mac address is : 0000.ffff.bbbb
    PC3 mac address is : 0000.ffff.cccc


    They are connected to a Cisco 3550 switch.

    The term MAC spoofing is the creation of a frame with a forged (spoofed) source MAC address (in our case 0000.ffff.aaaa) with the purpose of concealing the identity of the sender (in our case PC2) and impersonating the identity of PC1.

    If PC2 sends traffic to PC3 (destination), PC2 will try to masquerade as PC1 by falsifying its MAC address to be 0000.ffff.aaaa. If this is the case, what would the benefit be for PC2 (attacker), if all the traffic (as a response to the connection initiated from PC2) coming back from PC3 goes to PC1 instead of PC2?

    In this simple scenario I do not have a DHCP server; I assigned IP addresses statically.
    Last edited by zillah; April 11th, 2007 at 04:59 AM.

  2. #2
    Junior Member
    Join Date
    Mar 2007
    Location
    Bay Area
    Posts
    17
    I didn't completely understand what you wanted to know, but I'll give it a shot.

    If PC1 was receiving all the traffic coming back from PC3, that was initiated from PC2, there would not be a huge benefit for PC2.

    It could possibly cause some network performance issues with PC1, given enough incoming traffic... It could also be used to conceal the identity of PC2.

    There is a lot more involved though...



  3. #3
    Senior Member
    Join Date
    Dec 2004
    Posts
    138
    PC2 is the attacker. When he sends a frame to PC3, he tries to hide his MAC address (source). What will he do? He will change his MAC address to be 0000.ffff.aaaa instead of 0000.ffff.bbbb, and he will use 0000.ffff.cccc as the destination MAC address. Is that OK?

    Now if PC3 responded to the traffic (with these MAC addresses: 0000.ffff.aaaa as source and 0000.ffff.cccc as destination) coming from PC2, he will forward the frames (0000.ffff.cccc as source and 0000.ffff.aaaa as destination) to PC1, not PC2. Is that OK?

    If this is the case, what would the benefit be of spoofing the MAC address?

  4. #4
    Right turn Clyde Nokia's Avatar
    Join Date
    Aug 2003
    Location
    Button Moon
    Posts
    1,696
    I think you may be confusing bits of MAC spoofing and ARP spoofing/poisoning.

    What is your goal?

    If you wanted to hide on a network normally then you would spoof your MAC address so when any logs are viewed nothing will immediately lead back to your PC - however you would use a MAC that does not already exist on the network.

    If you wanted to try and drop yourself into a flow of traffic to fool someone into sending data to you then you would normally try and corrupt an ARP cache on the target machine to fool it into sending you all the data and vice versa.

    You may need to give a better idea of what you want to achieve.
    Drugs have taught an entire generation of kids the metric system.

    http://tazforum.**********.com/

  5. #5
    Senior Member
    Join Date
    Dec 2004
    Posts
    138
    "What is your goal?"
    "You may need to give a better idea of what you want to achieve."
    This is what I have read in a Cisco document, and I tried to interpret it:
    MAC Spoofing Attack
    MAC spoofing attacks involve the use of a known MAC address of another host to attempt to make the target switch forward frames destined for the remote host to the network attacker.
    By sending a single frame with the other host's source Ethernet address, the network attacker overwrites the CAM table entry so that the switch forwards packets destined for the host to the network attacker. Until the host sends traffic it will not receive any traffic. When the host sends out traffic, the CAM table entry is rewritten once more so that it moves back to the original port.
    Last edited by zillah; April 11th, 2007 at 12:51 PM.

  6. #6
    Senior Member
    Join Date
    Mar 2004
    Posts
    119
    Assume

    Host A = Workstation

    Host B = Server

    Host C = Attacker

    Basically the Cisco document is saying that if Host C wants to intercept the traffic that Host A is sending to Host B, then he overwrites the CAM table with his mac address.

  7. #7
    Member
    Join Date
    Dec 2006
    Posts
    33
    Let's try this another way:

    A wireless network that requires you to log in first before getting access, on an unencrypted connection:

    Host A = Access Point

    Host B = legitimate user

    Host C = leecher

    With no encryption on the wireless link, sniffing all traffic is easy. C gets B's mac address, and changes his mac address to the same as B's address. On most wireless networks, C gets B's access, and A forwards all receiving packets back to both B and C, but since only C has initiated the connections, and since B doesn't know the sequence number on C's receiving packets, nor has even initiated any connections C has (and vice versa), B drops all packets going to sockets it hasn't opened, and if the socket is opened, the bad sequence number causes the packets to get dropped anyways. Same with B's receiving packets going to C. They're all dropped. So it is very possible for both B and C to initiate normal access, both using B's mac address.

  8. #8
    Senior Member
    Join Date
    Dec 2004
    Posts
    138
    Basically the Cisco document is saying that if Host C wants to intercept the traffic that Host A is sending to Host B, then he overwrites the CAM table with his mac address.
    Ok

    Assume

    Host A = Workstation

    Host B = Server

    Host C = Attacker
    Let us look at what Cisco says :
    http://www.cisco.com/en/US/netsol/ns...html#wp1002312

    Suppose the switch has learned that Host A (workstation) is on port 1, Host B (server) is on port 2, and Host C (attacker) is on port 3.
    Host C sends out a packet identifying itself as Host A's MAC address. This traffic causes the frame to move the location of Host A in its CAM table from port 1 to port 3. Traffic from Host B destined to Host A is now visible to Host C.

    If the traffic (from B to A, source MAC for B, and destination MAC for A) is visible to host C, will C accept that traffic or deny it, because the traffic does not have the MAC address of C?
    Last edited by zillah; April 13th, 2007 at 04:37 AM.

  9. #9
    Senior Member HackerzMaster's Avatar
    Join Date
    Feb 2006
    Posts
    114
    Quote Originally Posted by zillah

    If the traffic (from B to A, source MAC for B, and destination MAC for A) is visible to host C, will C accept that traffic or deny it, because the traffic does not have the MAC address of C?
    It will reject it (I mean C), but the point of this attack is that C probably has his interface in promiscuous mode, so it sniffs traffic not intended for it.
    The second step on the way to become a hacker is to run GNU/Linux. (first step is to buy a computer)
    My old skewl http://www.skoz.nl/spelevaert/
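
The CAM-table relearning that the Cisco text quoted in posts #5 and #8 describes, as an added example that is not part of the original thread: a simulated learning switch that reports when a source MAC keeps moving between ports, which is the signal a defender watches for. The host-to-port mapping follows post #8 with the MAC addresses from post #1; the frame timestamps, window and threshold are constructed.

```python
# Added example: simulated switch CAM table with MAC-move ("flap") detection.
from collections import defaultdict

A, B = "0000.ffff.aaaa", "0000.ffff.cccc"   # workstation (port 1), server (port 2)

class CamTable:
    def __init__(self, window=10.0, threshold=2):
        self.table = {}                   # MAC -> port it was last learned on
        self.moves = defaultdict(list)    # MAC -> [(time, old_port, new_port)]
        self.window, self.threshold = window, threshold   # assumed values

    def learn(self, ts, src_mac, in_port):
        """Source-address learning; returns an alert if the MAC keeps moving."""
        old = self.table.get(src_mac)
        self.table[src_mac] = in_port
        if old is None or old == in_port:
            return None
        self.moves[src_mac].append((ts, old, in_port))
        recent = [m for m in self.moves[src_mac] if ts - m[0] <= self.window]
        if len(recent) < self.threshold:
            return None
        ports = sorted({p for _, a, b in recent for p in (a, b)})
        return f"MAC {src_mac} flapping between ports {ports}"

    def forward(self, dst_mac):
        """Egress port for a unicast frame, or 'flood' if the MAC is unknown."""
        return self.table.get(dst_mac, "flood")

# Constructed frames: (time, source MAC, destination MAC, ingress port).
FRAMES = [
    (0.0, A, B, 1),   # A -> B: switch learns A on port 1
    (0.5, B, A, 2),   # B -> A: switch learns B on port 2
    (1.0, A, B, 3),   # frame claiming A's MAC arrives on port 3 (host C)
    (1.5, B, A, 2),   # B -> A is now switched to port 3
    (2.0, A, B, 1),   # real A transmits: entry moves back to port 1
    (2.5, B, A, 2),   # B -> A reaches port 1 again
]

def replay(frames):
    """Return (time, egress port, alert) for each frame, in order."""
    cam, log = CamTable(), []
    for ts, src, dst, port in frames:
        alert = cam.learn(ts, src, port)
        log.append((ts, cam.forward(dst), alert))
    return log

if __name__ == "__main__":
    for entry in replay(FRAMES):
        print(entry)
```

The alert fires on the second move inside the window; a single move on its own can be a host that was legitimately re-plugged into another port.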
