MAC spoof concept
17 years 7 months ago #20797
by zillah
MAC spoof concept was created by zillah
I have got these three PCs:
PC1 source (victim), PC3 destination (target), and PC2 attacker (impersonates the identity of PC1)
PC1 MAC address is: 0000.ffff.aaaa
PC2 MAC address is: 0000.ffff.bbbb
PC3 MAC address is: 0000.ffff.cccc
They are connected to a Cisco 3550 switch.
The term MAC spoofing is the creation of a frame with a forged (spoofed) source MAC address (in our case 0000.ffff.aaaa) with the purpose of concealing the identity of the sender (in our case PC2) and impersonating the identity of PC1.
If PC2 sends traffic to PC3 (destination), PC2 would masquerade as PC1 by falsifying its MAC address to be 0000.ffff.aaaa. If this is the case, what would the benefit be for PC2 (attacker), if all the traffic (as a response to the connection initiated from PC2) coming back from PC3 goes to PC1 instead of PC2?
Note:
1- In this simple scenario I do not have a DHCP server; I assigned IP addresses statically.
2- I am aware of IP spoofing.
17 years 7 months ago #20830
by Smurf
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx
Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
Replied by Smurf on topic Re: MAC spoof concept
Interesting question, here are some thoughts on it:
MAC spoofing is something that is sometimes done to get around access controls. For example, if you have a wireless access point and have set up security on a MAC level, then if you know the MAC address (or systematically go through them) you can then get around that.
Another thing is in getting around switches. An attack on a switch could be to fill the CAM table with MAC-to-port entries in order to try and revert the switch back to a single collision domain. This would then in effect turn the switch into a hub, as it doesn't have mappings to know what's on which port and therefore floods the traffic to all ports.
If the attack isn't a connection attack (such as TCP), then the return traffic isn't necessarily important since it may not have any return traffic.
Now, I am not sure of the answer to this one (hopefully someone in here will know to save me looking it up): what happens if a MAC address is seen on two switchports? Does the switch forward all traffic to both ports or does it get rid of the other MAC-to-port entry?
As you can imagine, with the question above, traffic may still get to both machines? Or, if you were to launch such an attack you may want to do some sort of DoS on PC1 to ensure you receive all the traffic.
17 years 7 months ago #20856
by krik
Replied by krik on topic Re: MAC spoof concept
Now, I am not sure of the answer to this one (hopefully someone in here will know to save me looking it up): what happens if a MAC address is seen on two switchports? Does the switch forward all traffic to both ports or does it get rid of the other MAC-to-port entry?
A unicast MAC can only be assigned to one switch port. The last port on which the source MAC has been seen by the switch will receive the traffic. To build a successful attack, PC2 needs to repeatedly send dummy frames (usually broadcast to reach all switches) with PC1's MAC. Otherwise, as soon as PC1 sends a legal frame, the attack would be stopped.
Fortunately, on high-end switches (at least 4500 and 6500) you can detect MAC address moves by configuring the "mac-address-table notification mac-move" command.
You can also protect your network with a feature like port-security, but it is really hard to manage if you have lots of legal moves in your network (i.e. users with laptops).
Christophe Lemaire
www.exp-networks.be/blog/
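The MAC-table behaviour discussed in the replies above, as an added example that is not part of any post in this thread and is not vendor code: a simplified Python model showing that the last port seen wins, how repeated moves of one MAC can be flagged, and how a sticky binding in the spirit of port-security rejects the forged frames. The class and function names, the port names Fa0/1 to Fa0/3 and the frame sequence are assumptions constructed for illustration.

```python
from collections import Counter

class LearningSwitch:
    """Toy model of a switch MAC table: one port per unicast source MAC."""
    def __init__(self, port_security=False):
        self.port_security = port_security
        self.table = {}        # source MAC -> port it was last learned on
        self.moves = []        # (mac, old_port, new_port)
        self.violations = []   # (mac, bound_port, offending_port)

    def learn(self, src_mac, in_port):
        old = self.table.get(src_mac)
        if old is None or old == in_port:
            self.table[src_mac] = in_port
            return True
        if self.port_security:
            # MAC already bound to another port: drop the frame, keep the binding
            self.violations.append((src_mac, old, in_port))
            return False
        # Default behaviour: the entry moves to the newest port
        self.moves.append((src_mac, old, in_port))
        self.table[src_mac] = in_port
        return True

    def egress_port(self, dst_mac):
        return self.table.get(dst_mac)   # None: unknown unicast, flooded

def flapping_macs(moves, threshold=2):
    """MACs that moved at least `threshold` times (spoofing, a loop, or roaming)."""
    counts = Counter(mac for mac, _old, _new in moves)
    return sorted(mac for mac, n in counts.items() if n >= threshold)

# Constructed observations: (source MAC, ingress port); port names are assumed.
FRAMES = [
    ("0000.ffff.aaaa", "Fa0/1"),   # PC1, genuine
    ("0000.ffff.cccc", "Fa0/3"),   # PC3, genuine
    ("0000.ffff.aaaa", "Fa0/2"),   # PC2 sending with PC1's source MAC
    ("0000.ffff.aaaa", "Fa0/1"),   # PC1 sends again, entry moves back
    ("0000.ffff.aaaa", "Fa0/2"),   # PC2 repeats the forged frame
]

def replay(frames, port_security=False):
    sw = LearningSwitch(port_security)
    for mac, port in frames:
        sw.learn(mac, port)
    return sw

if __name__ == "__main__":
    plain = replay(FRAMES)
    print(plain.egress_port("0000.ffff.aaaa"), flapping_macs(plain.moves))
    secured = replay(FRAMES, port_security=True)
    print(secured.egress_port("0000.ffff.aaaa"), secured.violations)
```

A move count alone does not distinguish a forged source MAC from a laptop that changed ports, which is the management cost mentioned in the reply above.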
17 years 7 months ago #20860
by Smurf
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx
Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
Replied by Smurf on topic Re: MAC spoof concept
Cheers Kirk, that's what I thought, but since I wasn't 100% sure I thought I would ask the question.
17 years 7 months ago #20866
by TheBishop
Replied by TheBishop on topic Re: MAC spoof concept
If you want to play with this sort of thing practically, download Cain and Abel (www.oxid.it/cain.html). Among other things it contains the tools you need to practically spoof a MAC address and perform a man-in-the-middle interception.
17 years 7 months ago #20881
by krik
Christophe Lemaire
www.exp-networks.be/blog/
Replied by krik on topic Re: MAC spoof concept
ettercap is also good for man-in-the-middle attack. :lol: