Penetration Testing mailing list archives
Re: [PEN-TEST] Change MAC Address
From: "Lydick, Adam" <awlydick () BULLDOG UNCA EDU>
Date: Fri, 8 Dec 2000 00:01:23 -0500
Standard disclaimers apply. I'm certainly not an expert. But here is what I know about the topic:

Having the target system broadcast to the whole network is, IMOHO, noisy and messy. This also limits the bandwidth of the other hosts on the network, and is much more likely to be noticed.

My suggestion:

(case 1 -- you are just sniffing for passwords / outgoing connections)

Simply ARP-spoof the victim, so that they are convinced to route through your machine. I.e.:

    ARP reply   DEST == TargetMachine IP/MAC   SRC == Router's IP / Your MAC

This will force all of their traffic through you, so you can log it, or do man-in-the-middle or whatever. All returning traffic will go directly to them via the router (saving the load on your machine). [Most traffic tends to be incoming, on a web-browsing computer.]

(case 2 -- you need to monitor *all* of the traffic)

Spoof both target and router. [Note: I had a bit of trouble with this one, but it could easily be my error.]

-------------------------------------------------

Anyone know a good fix for this? I have some ideas, but I dunno if it'd break anything:

1) Block ARP replies with the HW address that matches the router's? (Is this easy to accomplish? I'm not a router geek :-/)

(For spoofing the host to the router, I don't have any ideas. Oh well.)

--Adam Lydick

On Wed, Dec 06, 2000 at 11:55:29AM +0000, N Catlow wrote:
> Have you tried sending Windows an ARP request with a source MAC of ff's? This should update the target ARP table (in preparation for sending you back traffic). As far as I can remember, Windows only takes its reply MAC address from the ARP request/reply frame and not the Ethernet frame, so you get a broadcasted reply (doh) which unfortunately corrects many other (already poisoned) ARP caches. (Interesting side effect: you can identify Windows boxen this way.)
>
> You can poison Windows ARP caches in this manner, but if I remember, Windows re-ARPs when authenticating, which can cause problems.
>
> BTW, poisoning all ARP caches on a subnet to be ff's is also a good way to sniff switched networks. Hunt can do this, I think.
>
> regards,
> Nathan.
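Adam asks above for a fix. As an added example (not code from the thread or its authors), here is a small ARP-frame monitor in Python that flags the three patterns this thread describes: the router's IP offered with a foreign MAC (his suggestion 1, done as an alert rather than a block), one MAC answering for both host and router (case 2), and the all-ff's sender address Nathan mentions. The gateway binding, host addresses and frames are constructed sample values, not captured traffic.

```python
import struct

GATEWAY_IP = "192.0.2.1"              # pinned router binding (constructed values)
GATEWAY_MAC = "00:00:5e:00:53:01"
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"

def parse_arp(frame: bytes):
    """Decode an Ethernet II frame carrying IPv4-over-Ethernet ARP; None otherwise."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    hw, proto, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (hw, proto, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    ip = lambda b: ".".join(str(x) for x in b)
    return {"op": op, "smac": mac(frame[22:28]), "sip": ip(frame[28:32]),
            "tmac": mac(frame[32:38]), "tip": ip(frame[38:42])}

def check_arp(frame: bytes, seen: dict) -> list:
    """Detections fired by one frame; `seen` maps each sender MAC to the IPs it has claimed."""
    arp = parse_arp(frame)
    if arp is None:
        return []
    alerts = []
    if arp["sip"] == GATEWAY_IP and arp["smac"] != GATEWAY_MAC:
        alerts.append("gateway-ip-wrong-mac")  # router's IP offered with a foreign MAC
    if arp["smac"] == BROADCAST_MAC:
        alerts.append("broadcast-sender-mac")  # the all-ff's sender address from the thread
    claimed = seen.setdefault(arp["smac"], set())
    claimed.add(arp["sip"])
    if len(claimed) > 1:                       # one station answering for several hosts
        alerts.append("one-mac-many-ips")      # (multi-homed hosts need an allow-list)
    return alerts

def build_frame(op: int, smac: str, sip: str, tmac: str, tip: str) -> bytes:  # test input only
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(o) for o in s.split("."))
    hdr = mac(tmac) + mac(smac) + b"\x08\x06" + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    return hdr + mac(smac) + ip(sip) + mac(tmac) + ip(tip)

def run_sample() -> list:  # constructed traffic: a genuine router reply, then the thread's patterns
    attacker, victim_mac, victim_ip = "00:00:5e:00:53:aa", "00:00:5e:00:53:10", "192.0.2.10"
    seen: dict = {}
    frames = [
        build_frame(2, GATEWAY_MAC, GATEWAY_IP, victim_mac, victim_ip),  # legitimate reply
        build_frame(2, attacker, GATEWAY_IP, victim_mac, victim_ip),     # router IP, foreign MAC
        build_frame(2, attacker, victim_ip, GATEWAY_MAC, GATEWAY_IP),    # same MAC now claims the host too
        build_frame(1, BROADCAST_MAC, "192.0.2.20", "00:00:00:00:00:00", victim_ip),  # ff's sender
    ]
    return [check_arp(f, seen) for f in frames]
```

Feeding real frames from a raw socket or pcap into `check_arp` with a persistent `seen` table gives a running monitor; the gateway binding must be pinned out of band, since learning it from ARP itself would trust the very replies being checked.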