Penetration Testing mailing list archives

Re: [PEN-TEST] Change MAC Address


From: N Catlow <n.catlow () ERIS DERA GOV UK>
Date: Wed, 6 Dec 2000 11:55:29 +0000


I just saw this the other day. I do not really know if it is a bug or
feature. Windows (no idea which Win flavors) seems to ignore ARP replies
that tell it a MAC address is ff:ff:ff:ff:ff:ff, the broadcast address.
I guess that could be seen as a security feature. If you can convince a
machine that an IP address (or how about all local IPs) are associated
with the data-layer broadcast address, you can sniff the traffic without
putting an interface on another machine into promiscuous mode. That
could be quite useful for an intruder.

Have you tried sending Windows an ARP request with a source MAC of ff's? This
should update the target ARP table (in preparation for sending you back
traffic). As far as I can remember, Windows only takes its reply MAC address
from the ARP request/reply frame and not the Ethernet frame, so you get a
broadcasted reply (doh) which unfortunately corrects many other (already
poisoned) ARP caches. (Interesting side effect is you can identify Windows
boxen this way.)

You can poison Windows ARP caches in this manner, but if I remember, Windows
re-ARPs when authenticating, which can cause problems.

BTW, poisoning all ARP caches on a subnet to be ff's is also a good way to
sniff switched networks. Hunt can do this, I think.

regards,

Nathan.
--
N.Catlow () eris dera gov uk |  All opinions  | IT Security, DERA,
                          | are my own and | WWB009, St Andrews Rd,
                          |   not DERA's   | Malvern, Worcs, England.
*I'd love to give my 0.02 worth - Have you got change for a dollar?*
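The mechanism discussed in this thread, that a host caches the hardware address carried inside the ARP payload rather than the Ethernet source that delivered it, is also exactly what a network monitor can check. Below is an added example, not code from the thread or from Hunt, that parses raw Ethernet/ARP frames and reports the two symptoms described above: a sender hardware address of ff:ff:ff:ff:ff:ff, and an ARP sender MAC that differs from the Ethernet source MAC, plus replies sent to the broadcast address. All MACs, IPs and the frame-building helper are constructed for the example; a real deployment would feed it frames from a capture socket or pcap instead.

```python
# Added example (not from the original thread): parse raw Ethernet/ARP frames
# and flag the anomalies the message describes, from a monitoring point of view.
import struct
from dataclasses import dataclass
from typing import List, Optional

BROADCAST_MAC = b"\xff" * 6
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass
class ArpFrame:
    eth_dst: bytes
    eth_src: bytes
    opcode: int
    sender_mac: bytes
    sender_ip: bytes
    target_mac: bytes
    target_ip: bytes


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_arp(frame: bytes) -> Optional[ArpFrame]:
    """Parse an Ethernet II frame carrying ARP-over-IPv4; None for anything else."""
    if len(frame) < 42:
        return None
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return ArpFrame(eth_dst, eth_src, oper, sha, spa, tha, tpa)


def arp_anomalies(frame: bytes) -> List[str]:
    """Return human-readable findings for one frame (empty list = nothing odd)."""
    arp = parse_arp(frame)
    if arp is None:
        return []
    findings = []
    # A host that accepts this binding will broadcast its traffic for that IP.
    if arp.sender_mac == BROADCAST_MAC:
        findings.append(
            f"broadcast hardware address claimed for {ip_str(arp.sender_ip)}")
    # The point made in the thread: the MAC inside the ARP payload is what gets
    # cached, so it should normally match the Ethernet source that carried it.
    if arp.sender_mac != arp.eth_src:
        findings.append(
            f"ARP sender MAC {mac_str(arp.sender_mac)} differs from "
            f"Ethernet source {mac_str(arp.eth_src)}")
    # Replies are normally unicast; a broadcast reply rewrites every cache on
    # the segment (gratuitous ARP does this legitimately, so treat it as a hint).
    if arp.opcode == ARP_REPLY and arp.eth_dst == BROADCAST_MAC:
        findings.append("ARP reply sent to the Ethernet broadcast address")
    return findings


def build_arp(eth_dst, eth_src, oper, sha, spa, tha, tpa) -> bytes:
    """Assemble a raw frame in memory; used only to construct the sample input."""
    return (struct.pack("!6s6sH", eth_dst, eth_src, ETHERTYPE_ARP)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
            + struct.pack("!6s4s6s4s", sha, spa, tha, tpa))


# Constructed sample frames (MACs and IPs are made up for this example).
HOST_A = bytes.fromhex("00aabbccdd01")
HOST_B = bytes.fromhex("00aabbccdd02")
IP_A, IP_B = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
ZERO_MAC = b"\x00" * 6

SAMPLE_FRAMES = {
    "normal request": build_arp(BROADCAST_MAC, HOST_A, ARP_REQUEST,
                                HOST_A, IP_A, ZERO_MAC, IP_B),
    "request claiming ff:ff:ff:ff:ff:ff": build_arp(BROADCAST_MAC, HOST_A, ARP_REQUEST,
                                                  BROADCAST_MAC, IP_A, ZERO_MAC, IP_B),
    "broadcast reply": build_arp(BROADCAST_MAC, HOST_B, ARP_REPLY,
                                 HOST_B, IP_B, HOST_A, IP_A),
}


def scan_frames(frames) -> dict:
    """Map each frame label to its findings; the shape a monitor loop would use."""
    return {label: arp_anomalies(f) for label, f in frames.items()}


if __name__ == "__main__":
    for label, findings in scan_frames(SAMPLE_FRAMES).items():
        print(f"{label}: {findings or 'ok'}")
```

The sender-MAC-versus-Ethernet-source comparison is the most useful of the three checks, because a legitimate stack fills both fields from the same interface; the broadcast-reply check will also fire on gratuitous ARP, so it is best logged rather than alerted on its own.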

