Security Basics mailing list archives
RE: MAC spoof concept
From: "David Gillett" <gillettdavid () fhda edu>
Date: Mon, 16 Apr 2007 11:17:27 -0700
Switches learn what port a MAC address is on by watching the source addresses in packets. So when PC2 sends a packet spoofing PC1's MAC as the source, the switch learns to send all traffic for PC1's MAC address to PC2's port -- at least until PC1 sends another packet. [This behaviour can be modified by non-default security features on the switch....] Generally, ARP poisoning works better than MAC spoofing -- PC2 convinces PC3 that PC1's MAC address is really 0000.ffff.bbbb, and so when PC3 sends PC1's traffic to PC2, the switch is none the wiser. Of course, PC2 must play the same trick on PC1, and must forward the intercepted traffic to its intended recipient (if it is to escape detection for long...). David Gillett
-----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of zillah Sent: Friday, April 13, 2007 7:47 AM To: security-basics () securityfocus com Subject: MAC spoof concept I have got these three PCs : PC1 source (victim) , and PC3 Destination (Target), PC2 attacker (imporsonate idintity of PC1) PC1 mac address is : 0000.ffff.aaaa PC2 mac address is : 0000.ffff.bbbb PC3 mac address is : 0000.ffff.cccc They are connected to cisco switch 3550 The term MAC spoofing is the creation of frame with a forged (spoofed) source MAC address (our case 0000.ffff.aaaa ) with the purpose to conceal the identity of the sender (our case PC2) and impersonate the identity of PC1. If PC2 sends traffic to PC3 (Destination) , PC2 would masquerade as PC1 by falsifying its MAC address to be 0000.ffff.aaaa, if this the case what would the benefit be for PC2 (attacker), if all the traffic (as a response to initiated connection from PC2) coming back from PC3 go to PC1 instead of PC2 ? Note: 1- In this simple scenario I do not have DHCP server , I assigned ip address statically. 2- I am aware of ip spoofing. __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
Current thread:
- MAC spoof concept zillah (Apr 15)
- Re: MAC spoof concept Deian Stefan (Apr 16)
- RE: MAC spoof concept David Gillett (Apr 16)
- Re: MAC spoof concept Shreyas Zare (Apr 16)
- <Possible follow-ups>
- Re: MAC spoof concept krymson (Apr 16)