Penetration Testing mailing list archives

Re: [PEN-TEST] Change MAC Address


From: "Lydick, Adam" <awlydick () BULLDOG UNCA EDU>
Date: Fri, 8 Dec 2000 00:01:23 -0500

Standard disclaimers apply. I'm certainly not an expert.
But here is what I know about the topic:

Having the target system broadcast to the whole network is,
IMHO, noisy and messy. This also limits the bandwidth of the
other hosts on the network, and is much more likely to be noticed.

My suggestion:

(case 1 -- you are just sniffing for passwords / outgoing connections)
Simply ARP-spoof the victim, so that they are convinced to route through
your machine.

IE:

ARP reply DEST==TargetMachine IP/MAC SRC==Router'sIP / YourMAC

This will force all of their traffic through you, so you can log it,
or do man-in-the-middle or whatever. All returning traffic will go
directly to them via the router. (Saving the load on your machine)
[most traffic tends to be incoming, on a web-browsing computer]

(case 2 -- you need to monitor *all* of the traffic)
Spoof both target and router.
[Note, I had a bit of trouble with this one, but it could easily
be my error.]
-------------------------------------------------

Anyone know a good fix for this? I have some ideas, but I dunno if it'd
break anything:

1) Block ARP replies with the HW address that matches the router's?
(Is this easy to accomplish? I'm not a router geek :-/)

(For spoofing the host to the router, I don't have any ideas. Oh well.)

--Adam Lydick


On Wed, Dec 06, 2000 at 11:55:29AM +0000, N Catlow wrote:
Have you tried sending Windows an ARP request with a source MAC of ff's? This
should update the target ARP table (in preparation for sending you back
traffic). As far as I can remember Windows only takes its reply MAC address
from the ARP request/reply frame and not the Ethernet frame, so you get a
broadcasted reply (doh) which unfortunately corrects many other (already
poisoned) ARP caches. (Interesting side effect is you can identify Windows
boxen this way.)

You can poison Windows ARP caches in this manner, but if I remember Windows
re-ARPs when authenticating, which can cause problems.

BTW, poisoning all ARP caches on a subnet to be ff's is also a good way to
sniff switched networks. Hunt can do this I think.

regards,

Nathan.
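The two cases Adam describes (one forged reply aimed at the victim, or replies aimed at both victim and router), plus the "source MAC of ff's" trick Nathan mentions and the "block replies that change the router's MAC" fix Adam asks about, are easy to see in raw frames. The example below is added here and is not code from either poster; it builds the Ethernet/ARP frames byte for byte (RFC 826 layout, no scapy), parses them back, and runs a small poisoning detector over a constructed set of frames. The hosts, IPs and MACs (victim 10.0.0.5, router 10.0.0.1, attacker MAC 00:de:ad:be:ef:00) are made up for illustration; the detector pins the gateway's MAC, which is one concrete form of the fix Adam proposes.

```python
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST = 1
ARP_REPLY = 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"

# Constructed addresses for the example (not from the original thread).
VICTIM_IP, VICTIM_MAC = "10.0.0.5", "00:11:22:33:44:55"
ROUTER_IP, ROUTER_MAC = "10.0.0.1", "00:aa:bb:cc:dd:01"
ATTACKER_MAC = "00:de:ad:be:ef:00"


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip,
              eth_src=None, eth_dst=None) -> bytes:
    """Ethernet II frame carrying an ARP packet for Ethernet/IPv4.

    eth_src/eth_dst default to the ARP sender/target hardware addresses;
    passing them explicitly lets the Ethernet header and the ARP body
    disagree, which is exactly the ff's trick in the thread.
    """
    eth_src = eth_src or sender_mac
    eth_dst = eth_dst or target_mac
    eth = mac_bytes(eth_dst) + mac_bytes(eth_src) + struct.pack("!H", ETH_P_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame: bytes) -> dict:
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP encoding")
    body = frame[22:42]
    return {
        "eth_dst": mac_str(eth_dst), "eth_src": mac_str(eth_src), "op": op,
        "sender_mac": mac_str(body[0:6]), "sender_ip": ip_str(body[6:10]),
        "target_mac": mac_str(body[10:16]), "target_ip": ip_str(body[16:20]),
    }


def poison_frames(victim_ip, victim_mac, router_ip, router_mac,
                  attacker_mac, both=False):
    """Case 1: one unsolicited reply telling the victim that the router's IP
    lives at the attacker's MAC (outbound traffic now passes the attacker,
    return traffic still goes router -> victim directly).
    Case 2 (both=True): also tell the router that the victim's IP lives at
    the attacker's MAC, so traffic in both directions is relayed."""
    frames = [build_arp(ARP_REPLY, attacker_mac, router_ip, victim_mac, victim_ip)]
    if both:
        frames.append(build_arp(ARP_REPLY, attacker_mac, victim_ip, router_mac, router_ip))
    return frames


def detect_poisoning(frames, pinned):
    """pinned: {ip: mac} for hosts whose binding must never change (the
    gateway at least). Requests are inspected too, since hosts cache the
    sender fields of requests as well as replies."""
    alerts = []
    for f in frames:
        p = parse_arp(f)
        if p["sender_mac"] == BROADCAST_MAC:
            # No real interface has the broadcast MAC as its hardware address.
            alerts.append(("broadcast-sender-mac", p["sender_ip"], p["sender_mac"]))
        elif p["sender_ip"] in pinned and pinned[p["sender_ip"]] != p["sender_mac"]:
            alerts.append(("pinned-mac-changed", p["sender_ip"], p["sender_mac"]))
        elif p["sender_mac"] != p["eth_src"]:
            alerts.append(("arp-eth-src-mismatch", p["sender_ip"], p["sender_mac"]))
    return alerts


if __name__ == "__main__":
    sample = poison_frames(VICTIM_IP, VICTIM_MAC, ROUTER_IP, ROUTER_MAC, ATTACKER_MAC, both=True)
    for a in detect_poisoning(sample, {ROUTER_IP: ROUTER_MAC}):
        print(a)
```

Pinning only catches the gateway binding; the frame aimed at the router in case 2 (victim IP at attacker MAC) raises nothing unless the victim is pinned too, which is the gap Adam notes for "spoofing the host to the router". A sender hardware address of ff:ff:ff:ff:ff:ff, Nathan's trick, is caught on its own since no interface legitimately carries that address.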

