TOPIC: MAC spoof concept

MAC spoof concept 9 years 7 months ago #20797

  • zillah
  • Frequent Member
I have got these three PCs:

PC1 source (victim), PC3 destination (target), and PC2 attacker (impersonates the identity of PC1)


PC1 mac address is : 0000.ffff.aaaa
PC2 mac address is : 0000.ffff.bbbb
PC3 mac address is : 0000.ffff.cccc


They are connected to a Cisco 3550 switch.

The term MAC spoofing is the creation of a frame with a forged (spoofed) source MAC address (in our case 0000.ffff.aaaa) with the purpose of concealing the identity of the sender (in our case PC2) and impersonating the identity of PC1.

If PC2 sends traffic to PC3 (destination), PC2 would masquerade as PC1 by falsifying its MAC address to be 0000.ffff.aaaa. If this is the case, what would the benefit be for PC2 (attacker) if all the traffic (as a response to the connection initiated from PC2) coming back from PC3 goes to PC1 instead of PC2?

Note:
1- In this simple scenario I do not have a DHCP server; I assigned IP addresses statically.

2- I am aware of IP spoofing.

Re: MAC spoof concept 9 years 7 months ago #20830

  • Smurf
  • Moderator
Interesting question, here are some thoughts on it:

MAC spoofing is something that is sometimes done to get around access controls. For example, if you have a wireless access point and have set up security on a MAC level, then if you know the MAC address (or systematically go through them) you can then get around that.

Another thing is in getting around switches. An attack on a switch could be to fill the CAM table with MAC-port entries in order to try and revert the switch back to a single collision domain; this would then in effect turn the switch into a hub, as it doesn't have mappings to know what's on which port and therefore floods the traffic to all ports.

If the attack isn't a connection attack (such as TCP), then the return traffic isn't necessarily important since it may not have any return traffic.

Now, I am not sure of the answer to this one (hopefully someone in here will know to save me looking it up :)): what happens if a MAC address is seen on two switchports? Does the switch forward all traffic to both ports or does it get rid of the other MAC-port entry?

As you can imagine, with the question above, traffic may still get to both machines? Or, if you were to launch such an attack you may want to do some sort of DoS on PC1 to ensure you receive all the traffic.
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.

Re: MAC spoof concept 9 years 7 months ago #20856

  • krik
  • Frequent Member
> Now, I am not sure of the answer to this one (hopefully someone in here will know to save me looking it up :)): what happens if a MAC address is seen on two switchports? Does the switch forward all traffic to both ports or does it get rid of the other MAC-port entry?

A unicast MAC can only be assigned to one switch port. The last port on which the source MAC has been seen by the switch will receive the traffic. To build a successful attack, PC2 needs to repeatedly send dummy frames (usually broadcast to reach all switches) with PC1's MAC. Otherwise, as soon as PC1 sends a legal frame, the attack would be stopped.

Fortunately, on high-end switches (at least 4500 and 6500) you can detect MAC address moves by configuring the "mac-address-table notification mac-move" command.

You can also protect your network with features like port-security, but it is really hard to manage if you have lots of legal moves in your network (i.e. users with laptops).
Christophe Lemaire
www.exp-networks.be/blog/
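
The learning rule described in the post above (the last port on which a source MAC is seen receives the traffic) and the idea of detecting MAC moves, as an added example that is not part of the original thread: a small Python model of a switch MAC table that records every move and flags addresses that flap between ports. The class name, thresholds, port names and sample frames are constructed for illustration and do not reproduce any Cisco implementation.

```python
from collections import defaultdict

class MacTable:
    """Toy model of a switch MAC (CAM) table with move detection."""

    def __init__(self, flap_threshold=3, window=10.0):
        self.table = {}                    # MAC -> port currently learned
        self.moves = defaultdict(list)     # MAC -> [(time, old_port, new_port)]
        self.flap_threshold = flap_threshold
        self.window = window               # seconds

    def learn(self, ts, src_mac, port):
        """Process the source MAC of a frame; return a move record or None."""
        old = self.table.get(src_mac)
        self.table[src_mac] = port         # last port seen always wins
        if old is None or old == port:
            return None
        move = (ts, old, port)
        self.moves[src_mac].append(move)
        return move

    def egress_port(self, dst_mac):
        """Port a unicast frame is forwarded to (None means flood)."""
        return self.table.get(dst_mac)

    def flapping(self, now):
        """MACs that moved at least flap_threshold times within the window."""
        recent = lambda mv: sum(1 for t, _, _ in mv if now - t <= self.window)
        return sorted(m for m, mv in self.moves.items()
                      if recent(mv) >= self.flap_threshold)

# Constructed sample: (time in s, source MAC, ingress port).
# 0000.ffff.aaaa is PC1 on Fa0/1; Fa0/2 is the port PC2 sits on.
FRAMES = [
    (0.0, "0000.ffff.aaaa", "Fa0/1"),
    (0.5, "0000.ffff.cccc", "Fa0/3"),
    (1.0, "0000.ffff.aaaa", "Fa0/2"),   # same MAC appears on a second port
    (1.2, "0000.ffff.aaaa", "Fa0/1"),   # PC1 sends a legitimate frame
    (1.4, "0000.ffff.aaaa", "Fa0/2"),
]

def replay(frames):
    """Feed frames through a fresh table; return it and the moves seen."""
    sw = MacTable()
    events = [m for ts, mac, port in frames if (m := sw.learn(ts, mac, port))]
    return sw, events

if __name__ == "__main__":
    print(replay(FRAMES)[1])
```

A MAC that keeps alternating between two ports within a short window is the signature to alert on; a single move is usually a laptop changing ports.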

Re: MAC spoof concept 9 years 7 months ago #20860

  • Smurf
  • Moderator
Cheers Kirk, that's what I thought, but since I wasn't 100% sure I thought I would ask the question :)
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.

Re: MAC spoof concept 9 years 7 months ago #20866

  • TheBishop
  • Moderator
If you want to play with this sort of thing practically, download Cain and Abel (www.oxid.it/cain.html). Among other things it contains the tools you need to practically spoof a MAC address and perform a man-in-the-middle interception.

Re: MAC spoof concept 9 years 7 months ago #20881

  • krik
  • Frequent Member
Ettercap is also good for man-in-the-middle attacks. :lol:
Christophe Lemaire
www.exp-networks.be/blog/