Vulnerability Development mailing list archives
RE: mac duplication
From: "Boyer, G. T. IT2 ISSM Office" <boyerg () enterprise navy mil>
Date: Sun, 14 Dec 2003 07:10:40 -0500
http://www.klcconsulting.net/Change_MAC_w2k.htm with a simple "spoof mac address" search on google. FYI more reading at the bottom of the linked page above.

-----Original Message-----
From: Jimi Thompson [mailto:jimit () myrealbox com]
Sent: Saturday, December 13, 2003 7:34 PM
To: vuln-dev () securityfocus com
Subject: Re: mac duplication

Dev,

You seem to need some clarification about how Ethernet actually works. I'm going to try to toss out a 50,000 foot view. Anyone can feel free to add to this or correct me.

Host names map to IP addresses via DNS. IP addresses map to MAC addresses via router tables. Just as your IP address has to be unique in order to be routable, so does your MAC address. MAC addresses are purchased in blocks by the people who make network devices and blown on to what amount to EPROMs and attached to network cards, switch ports, etc. No two ethernet cards on the planet should have the same MAC address (emphasis on SHOULD because I've run into cards with duplicated MACs and you won't believe the havoc this wreaks). This is used as a physical layer address by things like ARP.

If you want to sniff traffic to a particular machine, get yourself a hub (NOT a switch) and plug the switch into the uplink on the hub and your sniffer and sniff-ee into the hub ports. This will A) let you see everything and B) not cause any serious problems for your switch.

I hope that no one was using the machine you were trying to sniff because chances are you are causing a DOS situation by duplicating the MAC address.

Jimi

Dev wrote:
hi ppl, please redirect me to a different mailing list if this is not the appropriate list to post to.

I did the following experiment: I have a switched ethernet network in my university. I wanted to capture packets meant for a certain machine on a different port of a Dlink switch. I thought that arp poisoning would be too noisy - arpwatch can catch it, & it's too bulky for the MITM machine (in case we are poisoning a heavily loaded server machine).

So I duplicated the mac of the victim machine on my own machine. What I saw was this: ping packet drop rate for any of the two machines from a third machine varied from 40 to almost 80%. Also, say, telnet sessions to any of the two machines (which now had the same mac addresses) worked with notable 4-5 second lockups.

Further, I could not ping the other machine from one of the duplicated machines. (the last one is okay - it makes a lot of sense)

My premise is that the problem in connectivity is coming because the OS does not fall back to half duplex mode when two machines take up the same mac address??

Can anyone please tell me about the behaviour? How do I set up mac duplication in that case so that I can sniff data?

I don't want to hurt network performance, & so don't want to do mac flooding. Anyway, I'm not even sure the switches we have here would resort to broadcast mode in case of mac flooding.

Last but not the least, it's my second message to the list, & people were really helpful in discussing my queries in my first message.

Mailing lists rock..

Devrat
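
Added example, not part of the original posts: a minimal model of a learning switch that shows why frames addressed to a duplicated MAC end up split between two ports, and how the resulting port moves can be flagged as MAC flapping. It assumes a plain last-sender-wins MAC table with no port security; the MAC addresses, port numbers, timings and thresholds are constructed.

```python
from collections import defaultdict

def replay(frames):
    """Replay (time, ingress_port, src_mac, dst_mac) through a learning switch.

    Returns (deliveries, moves): deliveries[dst][port] counts known-unicast
    frames sent out each port; moves[mac] lists (time, old_port, new_port).
    """
    table = {}                                  # MAC -> port it was last seen on
    deliveries = defaultdict(lambda: defaultdict(int))
    moves = defaultdict(list)
    for t, port, src, dst in frames:
        old = table.get(src)
        if old is not None and old != port:
            moves[src].append((t, old, port))   # same source MAC, new port
        table[src] = port                       # last sender wins the entry
        out = table.get(dst)
        if out is not None and out != port:     # unknown dst would be flooded
            deliveries[dst][out] += 1
    return deliveries, moves

def flapping(moves, threshold=3, window=10.0):
    """MACs that changed port at least `threshold` times within `window` s."""
    flagged = set()
    for mac, events in moves.items():
        times = [t for t, _, _ in events]
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.add(mac)
                break
    return flagged

# Constructed sample: one MAC active on ports 3 and 7, a third host on port 1.
DUP, THIRD = "00:11:22:33:44:55", "00:aa:bb:cc:dd:01"
FRAMES = [
    (0.0, 3, DUP, THIRD), (0.1, 1, THIRD, DUP),
    (0.5, 7, DUP, THIRD), (1.0, 1, THIRD, DUP), (1.1, 1, THIRD, DUP),
    (1.5, 3, DUP, THIRD), (2.0, 1, THIRD, DUP),
    (2.5, 7, DUP, THIRD), (3.0, 1, THIRD, DUP),
]

if __name__ == "__main__":
    deliveries, moves = replay(FRAMES)
    print("frames for", DUP, "per port:", dict(deliveries[DUP]))
    print("flapping MACs:", flapping(moves))
```

Each host that holds the MAC receives only the frames that arrive while the table entry points at its port, so both see gaps; the same port moves are what a switch or monitoring tool can alert on.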