Hot Downloads

×

Notice

The forum is in read only mode.
Welcome, Guest
Username: Password: Remember me

TOPIC: MAC spoof concept

MAC spoof concept 11 years 3 months ago #20797

  • zillah
  • zillah's Avatar Topic Author
  • Offline
  • Distinguished Member
  • Distinguished Member
  • Posts: 80
  • Thank you received: 0
I have got these three PCs :

PC1 source (victim) , and PC3 Destination (Target), PC2 attacker (imporsonate idintity of PC1)


PC1 mac address is : 0000.ffff.aaaa
PC2 mac address is : 0000.ffff.bbbb
PC3 mac address is : 0000.ffff.cccc


They are connected to cisco switch 3550

The term MAC spoofing is the creation of frame with a forged (spoofed) source MAC address (our case 0000.ffff.aaaa ) with the purpose to conceal the identity of the sender (our case PC2) and impersonate the identity of PC1.

If PC2 sends traffic to PC3 (Destination) , PC2 would masquerade as PC1 by falsifying its MAC address to be 0000.ffff.aaaa, if this the case what would the benefit be for PC2 (attacker), if all the traffic (as a response to initiated connection from PC2) coming back from PC3 go to PC1 instead of PC2 ?

Note:
1- In this simple scenario I do not have DHCP server , I assigned ip address statically.

2- I am aware of ip spoofing.

Re: MAC spoof concept 11 years 3 months ago #20830

  • Smurf
  • Smurf's Avatar
  • Offline
  • Moderator
  • Moderator
  • Posts: 1390
  • Karma: 1
  • Thank you received: 0
Interesting Question, here some thoughts on it;

MAC spoofing is something that is sometimes done to get around access controls. For example, if you have a wireless access point and have setup security on a MAC level, then if you know the MAC address (or systematically go through them) you can then get around that.

Another thing is in getting around Switches. An attack on a switch could be to fill the CAM table with MAC - Port entries in order to try and revert the switch back to a single collision domain, this would then in affect turn the switch into a hub as it doesn't have mappings to know whats on which port and therefore floods the traffic to all ports.

If the attack isn't a connection attack (such as TCP), then the return traffic isn't necessarily important since it may not have any return traffic.

Now, i am not sure to the answer to this one (hopefully someone in here will know to save me looking it up :)), what happens if a MAC address is seen on two switchports ? Does the switch forward all traffic to both ports or does it get rid of the other MAC-Port entry ?

As you can imagine, with the question above, traffic may still get to both machines ? Or, if you were to launch such an attack you may want to do some sort of DoS on PC1 to ensure you receive all the traffic.

Re: MAC spoof concept 11 years 3 months ago #20856

  • krik
  • krik's Avatar
  • Offline
  • Frequent Member
  • Frequent Member
  • Posts: 69
  • Thank you received: 0

Now, i am not sure to the answer to this one (hopefully someone in here will know to save me looking it up :)), what happens if a MAC address is seen on two switchports ? Does the switch forward all traffic to both ports or does it get rid of the other MAC-Port entry ?


A unicast MAC can only be assigned to one switch port. The last port on which the source MAC has been seen by the switch will receive the traffic. To build a successful attack, PC2 need to send repeatedly dummies frames (usually broadcast to reach all switches) with PC1's MAC. Otherwise, as soon as PC1 will send a legal frame, the attack would be stopped.

Fortunately, on high end switches (at least 4500 and 6500) you can detect MAC address move by configuring "mac-address-table notification mac-move" command.

You can also protect your network with feature like port-security but it is really hard to manage if you have lots of legal moves in your network (ie. user with laptop).

Re: MAC spoof concept 11 years 3 months ago #20860

  • Smurf
  • Smurf's Avatar
  • Offline
  • Moderator
  • Moderator
  • Posts: 1390
  • Karma: 1
  • Thank you received: 0
Cheers Kirk, thats what i thought but since i wasn't 100% sure i thought i would ask the question :)

Re: MAC spoof concept 11 years 3 months ago #20866

If you want to play with this sort of thing practically, download Cain and Abel ( www.oxid.it/cain.html ). Among other things it contains the tools you need to practically spoof a MAC adress and perform a man-in-the-middle interception

Re: MAC spoof concept 11 years 3 months ago #20881

  • krik
  • krik's Avatar
  • Offline
  • Frequent Member
  • Frequent Member
  • Posts: 69
  • Thank you received: 0
ettercap is also good for man-in-the-middle attack. :lol:
Time to create page: 0.152 seconds

CCENT/CCNA

Cisco Routers

  • SSL WebVPN
  • Securing Routers
  • Policy Based Routing
  • Router on-a-Stick

VPN Security

  • Understand DMVPN
  • GRE/IPSec Configuration
  • Site-to-Site IPSec VPN
  • IPSec Modes

Cisco Help

  • VPN Client Windows 8
  • VPN Client Windows 7
  • CCP Display Problem
  • Cisco Support App.

Windows 2012

  • New Features
  • Licensing
  • Hyper-V / VDI
  • Install Hyper-V

Linux

  • File Permissions
  • Webmin
  • Groups - Users
  • Samba Setup