- Posts: 80
- Thank you received: 0
MAC spoof concept
17 years 7 months ago #20797
by zillah
MAC spoof concept was created by zillah
I have got these three PCs :
PC1 source (victim) , and PC3 Destination (Target), PC2 attacker (imporsonate idintity of PC1)
PC1 mac address is : 0000.ffff.aaaa
PC2 mac address is : 0000.ffff.bbbb
PC3 mac address is : 0000.ffff.cccc
They are connected to cisco switch 3550
The term MAC spoofing is the creation of frame with a forged (spoofed) source MAC address (our case 0000.ffff.aaaa ) with the purpose to conceal the identity of the sender (our case PC2) and impersonate the identity of PC1.
If PC2 sends traffic to PC3 (Destination) , PC2 would masquerade as PC1 by falsifying its MAC address to be 0000.ffff.aaaa, if this the case what would the benefit be for PC2 (attacker), if all the traffic (as a response to initiated connection from PC2) coming back from PC3 go to PC1 instead of PC2 ?
Note:
1- In this simple scenario I do not have DHCP server , I assigned ip address statically.
2- I am aware of ip spoofing.
PC1 source (victim) , and PC3 Destination (Target), PC2 attacker (imporsonate idintity of PC1)
PC1 mac address is : 0000.ffff.aaaa
PC2 mac address is : 0000.ffff.bbbb
PC3 mac address is : 0000.ffff.cccc
They are connected to cisco switch 3550
The term MAC spoofing is the creation of frame with a forged (spoofed) source MAC address (our case 0000.ffff.aaaa ) with the purpose to conceal the identity of the sender (our case PC2) and impersonate the identity of PC1.
If PC2 sends traffic to PC3 (Destination) , PC2 would masquerade as PC1 by falsifying its MAC address to be 0000.ffff.aaaa, if this the case what would the benefit be for PC2 (attacker), if all the traffic (as a response to initiated connection from PC2) coming back from PC3 go to PC1 instead of PC2 ?
Note:
1- In this simple scenario I do not have DHCP server , I assigned ip address statically.
2- I am aware of ip spoofing.
17 years 7 months ago #20830
by Smurf
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx
Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
Replied by Smurf on topic Re: MAC spoof concept
Interesting Question, here some thoughts on it;
MAC spoofing is something that is sometimes done to get around access controls. For example, if you have a wireless access point and have setup security on a MAC level, then if you know the MAC address (or systematically go through them) you can then get around that.
Another thing is in getting around Switches. An attack on a switch could be to fill the CAM table with MAC - Port entries in order to try and revert the switch back to a single collision domain, this would then in affect turn the switch into a hub as it doesn't have mappings to know whats on which port and therefore floods the traffic to all ports.
If the attack isn't a connection attack (such as TCP), then the return traffic isn't necessarily important since it may not have any return traffic.
Now, i am not sure to the answer to this one (hopefully someone in here will know to save me looking it up ), what happens if a MAC address is seen on two switchports ? Does the switch forward all traffic to both ports or does it get rid of the other MAC-Port entry ?
As you can imagine, with the question above, traffic may still get to both machines ? Or, if you were to launch such an attack you may want to do some sort of DoS on PC1 to ensure you receive all the traffic.
MAC spoofing is something that is sometimes done to get around access controls. For example, if you have a wireless access point and have setup security on a MAC level, then if you know the MAC address (or systematically go through them) you can then get around that.
Another thing is in getting around Switches. An attack on a switch could be to fill the CAM table with MAC - Port entries in order to try and revert the switch back to a single collision domain, this would then in affect turn the switch into a hub as it doesn't have mappings to know whats on which port and therefore floods the traffic to all ports.
If the attack isn't a connection attack (such as TCP), then the return traffic isn't necessarily important since it may not have any return traffic.
Now, i am not sure to the answer to this one (hopefully someone in here will know to save me looking it up ), what happens if a MAC address is seen on two switchports ? Does the switch forward all traffic to both ports or does it get rid of the other MAC-Port entry ?
As you can imagine, with the question above, traffic may still get to both machines ? Or, if you were to launch such an attack you may want to do some sort of DoS on PC1 to ensure you receive all the traffic.
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx
Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
17 years 7 months ago #20856
by krik
A unicast MAC can only be assigned to one switch port. The last port on which the source MAC has been seen by the switch will receive the traffic. To build a successful attack, PC2 need to send repeatedly dummies frames (usually broadcast to reach all switches) with PC1's MAC. Otherwise, as soon as PC1 will send a legal frame, the attack would be stopped.
Fortunately, on high end switches (at least 4500 and 6500) you can detect MAC address move by configuring "mac-address-table notification mac-move" command.
You can also protect your network with feature like port-security but it is really hard to manage if you have lots of legal moves in your network (ie. user with laptop).
Christophe Lemaire
www.exp-networks.be/blog/
Replied by krik on topic Re: MAC spoof concept
Now, i am not sure to the answer to this one (hopefully someone in here will know to save me looking it up ), what happens if a MAC address is seen on two switchports ? Does the switch forward all traffic to both ports or does it get rid of the other MAC-Port entry ?
A unicast MAC can only be assigned to one switch port. The last port on which the source MAC has been seen by the switch will receive the traffic. To build a successful attack, PC2 need to send repeatedly dummies frames (usually broadcast to reach all switches) with PC1's MAC. Otherwise, as soon as PC1 will send a legal frame, the attack would be stopped.
Fortunately, on high end switches (at least 4500 and 6500) you can detect MAC address move by configuring "mac-address-table notification mac-move" command.
You can also protect your network with feature like port-security but it is really hard to manage if you have lots of legal moves in your network (ie. user with laptop).
Christophe Lemaire
www.exp-networks.be/blog/
17 years 7 months ago #20860
by Smurf
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx
Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
Replied by Smurf on topic Re: MAC spoof concept
Cheers Kirk, thats what i thought but since i wasn't 100% sure i thought i would ask the question
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx
Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
17 years 7 months ago #20866
by TheBishop
Replied by TheBishop on topic Re: MAC spoof concept
If you want to play with this sort of thing practically, download Cain and Abel (
www.oxid.it/cain.html
). Among other things it contains the tools you need to practically spoof a MAC adress and perform a man-in-the-middle interception
17 years 7 months ago #20881
by krik
Christophe Lemaire
www.exp-networks.be/blog/
Replied by krik on topic Re: MAC spoof concept
ettercap
is also good for man-in-the-middle attack. :lol:
Christophe Lemaire
www.exp-networks.be/blog/
Time to create page: 0.137 seconds