MAC spoof concept

I have read the scenario in my thread in an article, then I discovered that the source for this article is from cisco.

As you can imagine, with the question above, traffic may still get to both machines ?

It gets to a port where there is two machines :
www.cisco.com/en/US/netsol/ns340/ns394/n...870f.shtml#wp1002312

Figure 7 shows how MAC spoofing works. In frame (i) the switch has learned that Host A is on port 1, Host B is on port 2, and Host C is on port 3.

Host B sends out a packet identifying itself as Host B's IP address but with Host A's MAC address or another packet with the same IP address and MAC address combination (ii). This traffic causes the frame to move the location of Host A in its CAM table from port 1 to port 2.

Traffic from Host C destined to Host A is now visible to Host B (iii). To correct this situation, Host A must send out traffic on the switch port for the switch to "relearn" the location of Host A's MAC address (iv).

If the traffic (from C to A, source mac address is C, and destination mac address is A) is visible to host B, Will B accept that traffic or deny it ? because that traffic does not have the destination mac address of B.

What I want to say does the visibility mean exposed ?

If you want to play with this sort of thing practically, download Cain and Abel ( www.oxid.it/cain.html ). Among other things it contains the tools you need to practically spoof a MAC adress and perform a man-in-the-middle interception

Thanks for this tip.

ettercapis also good for man-in-the-middle attack.

Thanks for this as well

If the traffic (from C to A, source mac address is C, and destination mac address is A) is visible to host B, Will B accept that traffic or deny it ? because that traffic does not have the destination mac address of B.

What I want to say does the visibility mean exposed ?

Its an interesting one which will depend on how the MAC spoofing took place. If you just crafted a packet especially then i would say that under normal circumstancies that the TCP/IP Stack would ignore it. Since Ethernet runs CSMA/CD, if you think the older days of hubs, each interface would receive the traffic and assess (via MAC) if it is destined for it or not, if it isn't it would drop the packet.

Now, not too sure if programs, such as the ones mentioned in this thread, can over come that within the TCP/IP stack itself.

The other thing is that the MAC address can be changed on the Machine. If thats done, then the above wouldn't be much of an issue.

I would say visability/exposed can go hand in hand. If its visable, then it is exposed to threats. As Kirk pointed out (and you have noticed in the Article), the CAM table will be continually changing to try and keep track of the MAC address from varying ports, this could produce a DoS attack since traffic will keep getting sent over the wrong port.

Now, not too sure if programs, such as the ones mentioned in this thread, can over come that within the TCP/IP stack itself.

They do that if you configure your NIC in promiscuous mode. Promiscuous mode tells to the NIC to forward every frames it see to the CPU even if the destination MAC address isn't matching its own MAC.

Promiscuous is natively available in the LINUX's TCP/IP stack, for Windows you must install WinPcap.

The other thing is that the MAC address can be changed on the Machine. If thats done, then the above wouldn't be much of an issue.

Yes. You are right , because here I meant changing a mac address in a frame (layer 2) itself, not a machine mac address