Security Basics mailing list archives

RE: MAC spoof concept

From: "David Gillett" <gillettdavid () fhda edu>
Date: Mon, 16 Apr 2007 11:17:27 -0700

  Switches learn what port a MAC address is on by watching the
source addresses in packets.  So when PC2 sends a packet spoofing
PC1's MAC as the source, the switch learns to send all traffic for
PC1's MAC address to PC2's port -- at least until PC1 sends another
packet.
  [This behaviour can be modified by non-default security features 
on the switch....]

  Generally, ARP poisoning works better than MAC spoofing -- PC2
convinces PC3 that PC1's MAC address is really 0000.ffff.bbbb, and so
when PC3 sends PC1's traffic to PC2, the switch is none the wiser.
Of course, PC2 must play the same trick on PC1, and must forward the
intercepted traffic to its intended recipient (if it is to escape 
detection for long...).

David Gillett

-----Original Message-----
From: listbounce () securityfocus com 
[mailto:listbounce () securityfocus com] On Behalf Of zillah
Sent: Friday, April 13, 2007 7:47 AM
To: security-basics () securityfocus com
Subject: MAC spoof concept

I have got these three PCs :

PC1 source (victim) , and PC3 Destination (Target),
PC2 attacker (imporsonate idintity of PC1)

PC1 mac address is : 0000.ffff.aaaa
PC2 mac address is : 0000.ffff.bbbb
PC3 mac address is : 0000.ffff.cccc

They are connected to cisco switch 3550

The term MAC spoofing is the creation of frame with a forged 
(spoofed) source MAC address (our case 0000.ffff.aaaa ) with 
the purpose to conceal the identity of the sender (our case 
PC2) and impersonate the identity of PC1.

If PC2 sends traffic to PC3 (Destination) , PC2 would 
masquerade as PC1 by falsifying its MAC address to be 
0000.ffff.aaaa, if this the case what would the benefit be 
for PC2 (attacker), if all the traffic (as a response to 
initiated connection from PC2) coming back from PC3 go to PC1 
instead of PC2 ?

Note:
1- In this simple scenario I do not have DHCP server , I 
assigned ip address statically.

2- I am aware of ip spoofing.

__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection 
around http://mail.yahoo.com

Current thread:

MAC spoof concept zillah (Apr 15)
- Re: MAC spoof concept Deian Stefan (Apr 16)
- RE: MAC spoof concept David Gillett (Apr 16)
- Re: MAC spoof concept Shreyas Zare (Apr 16)
- <Possible follow-ups>
- Re: MAC spoof concept krymson (Apr 16)