-
April 11th, 2007, 03:37 AM
#1
Senior Member
MAC spoof concept
I have got these three PCs :
PC1 source (victim), PC3 destination (target), and PC2 attacker (impersonates the identity of PC1)
PC1 mac address is : 0000.ffff.aaaa
PC2 mac address is : 0000.ffff.bbbb
PC3 mac address is : 0000.ffff.cccc
They are connected to cisco switch 3550
The term MAC spoofing is the creation of a frame with a forged (spoofed) source MAC address (in our case 0000.ffff.aaaa) with the purpose of concealing the identity of the sender (in our case PC2) and impersonating the identity of PC1.
If PC2 sends traffic to PC3 (destination), PC2 will try to masquerade as PC1 by falsifying its MAC address to be 0000.ffff.aaaa. If this is the case, what would the benefit be for PC2 (attacker), if all the traffic (as a response to the connection initiated from PC2) coming back from PC3 goes to PC1 instead of PC2?
In this simple scenario I do not have a DHCP server; I assigned IP addresses statically.
Last edited by zillah; April 11th, 2007 at 04:59 AM.
-
April 11th, 2007, 05:49 AM
#2
I didn't completely understand what you wanted to know, but I'll give it a shot.
If PC1 was receiving all the traffic coming back from PC3, that was initiated from PC2, there would not be a huge benefit for PC2.
It could possibly cause some network performance issues with PC1, given enough incoming traffic... It could also be used to conceal the identity of PC2.
There is a lot more involved though...
-
April 11th, 2007, 06:03 AM
#3
Senior Member
PC2 is the attacker. When he sends a frame to PC3, he tries to hide his MAC address (source). What will he do? He will change his MAC address to be 0000.ffff.aaaa instead of 0000.ffff.bbbb, and he will use 0000.ffff.cccc as the destination's MAC address. Is it OK?
Now if PC3 responded to the traffic (with these MAC addresses: 0000.ffff.aaaa as source, and 0000.ffff.cccc as destination) coming from PC2, he will forward the frames (0000.ffff.cccc as source, and 0000.ffff.aaaa as destination) to PC1, not PC2. Is it OK?
If this is the case, what would the benefit be of spoofing the MAC address?
-
April 11th, 2007, 11:18 AM
#4
I think you may be confusing bits of MAC spoofing and ARP spoofing/poisoning.
What is your goal?
If you wanted to hide on a network normally then you would spoof your MAC address so when any logs are viewed nothing will immediately lead back to your PC - however you would use a MAC that does not already exist on the network.
If you wanted to try and drop yourself into a flow of traffic to fool someone into sending data to you then you would normally try and corrupt an ARP cache on the target machine to fool it into sending you all the data and vice versa.
You may need to give a better idea of what you want to achieve.
-
April 11th, 2007, 12:43 PM
#5
Senior Member
You may need to give a better idea of what you want to achieve.
This is what I have read in a Cisco document, and I tried to interpret it:
MAC Spoofing Attack
MAC spoofing attacks involve the use of a known MAC address of another host to attempt to make the target switch forward frames destined for the remote host to the network attacker.
By sending a single frame with the other host's source Ethernet address, the network attacker overwrites the CAM table entry so that the switch forwards packets destined for the host to the network attacker. Until the host sends traffic it will not receive any traffic. When the host sends out traffic, the CAM table entry is rewritten once more so that it moves back to the original port.
Last edited by zillah; April 11th, 2007 at 12:51 PM.
-
April 11th, 2007, 02:29 PM
#6
Assume
Host A = Workstation
Host B = Server
Host C = Attacker
Basically the Cisco document is saying that if Host C wants to intercept the traffic that Host A is sending to Host B, then he overwrites the CAM table with his mac address.
-
April 11th, 2007, 04:30 PM
#7
Let's try this another way:
Wireless network that requires you login first before getting access, on an unencrypted connection:
Host A = Access Point
Host B = legitimate user
Host C = leecher
With no encryption on the wireless link, sniffing all traffic is easy. C gets B's mac address, and changes his mac address to the same as B's address. On most wireless networks, C gets B's access, and A forwards all receiving packets back to both B and C, but since only C has initiated the connections, and since B doesn't know the sequence number on C's receiving packets, nor has even initiated any connections C has (and vice versa), B drops all packets going to sockets it hasn't opened, and if the socket is opened, the bad sequence number causes the packets to get dropped anyways. Same with B's receiving packets going to C. They're all dropped. So it is very possible for both B and C to initiate normal access, both using B's mac address.
-
April 13th, 2007, 04:34 AM
#8
Senior Member
Basically the Cisco document is saying that if Host C wants to intercept the traffic that Host A is sending to Host B, then he overwrites the CAM table with his mac address.
Ok
Assume
Host A = Workstation
Host B = Server
Host C = Attacker
Let us look at what Cisco says :
http://www.cisco.com/en/US/netsol/ns...html#wp1002312
Suppose the switch has learned that Host A (workstation) is on port 1, Host B (server) is on port 2, and Host C (attacker) is on port 3.
Host C sends out a packet identifying itself as Host A's MAC address. This traffic causes the frame to move the location of Host A in its CAM table from port 1 to port 3. Traffic from Host B destined to Host A is now visible to Host C.
If the traffic (from B to A, source MAC for B, and destination MAC for A) is visible to Host C, will C accept that traffic or deny it, because the traffic does not have the MAC address of C?
Last edited by zillah; April 13th, 2007 at 04:37 AM.
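The CAM table behaviour from the Cisco text quoted in this thread, as an added example that is not part of any post or of Cisco's document: a toy learning switch replays a constructed frame sequence, flags a MAC address that changes port repeatedly, and shows a static MAC-to-port binding (a simplified stand-in for port security) dropping the frame that arrives on the wrong port. The class, the MAC addresses, the flap threshold and the time window are all assumptions made for illustration.

```python
from collections import defaultdict

A, B = "0000.0000.000a", "0000.0000.000b"   # constructed MACs: workstation, server

class LearningSwitch:
    """Toy model of source-MAC learning in a switch CAM table."""

    def __init__(self, pinned=None, flap_threshold=2, window=10.0):
        self.cam = dict(pinned or {})        # MAC -> port
        self.pinned = dict(pinned or {})     # static MAC -> port bindings
        self.moves = defaultdict(list)       # MAC -> times its port changed
        self.alerts = []                     # (time, mac, old_port, new_port)
        self.violations = []                 # frames dropped by a binding
        self.flap_threshold, self.window = flap_threshold, window

    def receive(self, t, port, src, dst):
        """Process one frame; return egress port, None (flood) or 'DROP'."""
        if self.pinned.get(src, port) != port:
            self.violations.append((t, src, port))
            return "DROP"                    # binding wins, CAM untouched
        old = self.cam.get(src)
        if old is not None and old != port:  # same MAC seen on a new port
            recent = [x for x in self.moves[src] if t - x <= self.window]
            self.moves[src] = recent + [t]
            if len(self.moves[src]) >= self.flap_threshold:
                self.alerts.append((t, src, old, port))
        self.cam[src] = port
        return self.cam.get(dst)

# Constructed frame sequence: (time, ingress port, source MAC, destination MAC)
FRAMES = [
    (0.0, 1, A, B),   # workstation talks, A learned on port 1
    (0.1, 2, B, A),   # server replies, B learned on port 2
    (1.0, 3, A, B),   # frame on port 3 carrying A's source MAC
    (1.1, 2, B, A),   # server -> A now leaves on port 3
    (2.0, 1, A, B),   # real workstation sends, entry moves back
    (2.1, 2, B, A),   # server -> A leaves on port 1 again
]

def replay(switch):
    """Return the egress decision for every frame in FRAMES."""
    return [switch.receive(*f) for f in FRAMES]

if __name__ == "__main__":
    plain, secured = LearningSwitch(), LearningSwitch(pinned={A: 1})
    print(replay(plain), plain.alerts)
    print(replay(secured), secured.violations)
```

A single port change is not flagged because a host can legitimately move; the alert fires when the same MAC changes port twice inside the window, which is the back-and-forth pattern the Cisco text describes.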
-
May 7th, 2007, 07:22 PM
#9
Originally Posted by zillah
If the traffic (from B to A, source MAC for B, and destination MAC for A) is visible to Host C, will C accept that traffic or deny it, because the traffic does not have the MAC address of C?
It will reject it (I mean C), but the point of this attack is that C probably has his interface in promiscuous mode, so it sniffs traffic not intended for it.