Penetration Testing mailing list archives
Re: MAC address spoofing - conflict?
From: Cedric Blancher <blancher () cartel-securite fr>
Date: Mon, 21 Aug 2006 18:31:29 +0200
Le lundi 21 août 2006 à 10:22 +0200, Lubos Kolouch a écrit :
Yes, but what will happen then? Data will be sent to that MAC address.
Yes.
If it is switched network, I can imagine the switch will maybe send it to the correct port from which the response came?
We're speaking of WiFi networks here, that are shared medium. Ethernet switches split ethernet networks into different collision domains, working at layer 2 and thus reading MAC addresses and acting on them. MAC spoofing should not be applicable to thoses environments as it causes the switch to face a MAC address conflict, the same one address appearing on two different ports. Depending on switch behaviour, you may end up with a wide range of different situation that differs between different models and even configurations.
If there is a hub though, the packet will be delivered to which network card?
If there's a hub, the situation is identical to what's happening on a WiFi network, as it is a layer 1 share medium too. Question you should ask yourself: if you can listen to the whole network traffic on a ethernet hub by just putting your card into promisc mode, why shouldn't you we able to see all the frames destined to any specific MAC address and thus being able to spoof it ? Same question for 802.11 traffic in monitor mode... Acting on layer 1, it will deliver electric signal to all plugged stations whatever their MAC address. It will then be up to each station to filter out frames not destined to them at ethernet driver level. Thus, if two stations are using the same MAC address on a hubed ethernet network, they will both receive frames destined to this very MAC address. Then frame payload will be sent to upper layer, say IP stack. As long as stations are configured with different IP addresses, you won't have any conflict. Each IP stack will silently drop paquets destined to an IP address that does not belong to it, unless it's configured to route, but you usually don't want to spoof gateway MAC address... -- http://sid.rstack.org/ PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
Hi! I'm your friendly neighbourhood signature virus. Copy me to your signature file and help me spread!
------------------------------------------------------------------------ This List Sponsored by: Cenzic Need to secure your web apps? Cenzic Hailstorm finds vulnerabilities fast. Click the link to buy it, try it or download Hailstorm for FREE. http://www.cenzic.com/products_services/download_hailstorm.php ------------------------------------------------------------------------
Current thread:
- MAC address spoofing - conflict? penetrationtestmail (Aug 13)
- R: MAC address spoofing - conflict? Sebastian Zdrojewski (Aug 14)
- Re: MAC address spoofing - conflict? Pieter Danhieux (Aug 14)
- Re: MAC address spoofing - conflict? Tonnerre Lombard (Aug 15)
- Re: MAC address spoofing - conflict? Morning Wood (Aug 14)
- <Possible follow-ups>
- Re: MAC address spoofing - conflict? penetrationtestmail (Aug 15)
- Re: MAC address spoofing - conflict? Lubos Kolouch (Aug 16)
- Re: MAC address spoofing - conflict? Cedric Blancher (Aug 17)
- Re: MAC address spoofing - conflict? Lubos Kolouch (Aug 21)
- Re: MAC address spoofing - conflict? Michael Dieroff (Aug 21)
- Re: MAC address spoofing - conflict? Cedric Blancher (Aug 21)
- Re: MAC address spoofing - conflict? dogten (Aug 21)
- R: MAC address spoofing - conflict? Sebastian Zdrojewski (Aug 21)
- RE: MAC address spoofing - conflict? Upadhyaya, Vijay (Aug 23)
- Re: MAC address spoofing - conflict? Lubos Kolouch (Aug 16)
- Re: MAC address spoofing - conflict? Gavin White (Aug 21)
- Re: MAC address spoofing - conflict? Fabio Nigi (Aug 28)
- Re: MAC address spoofing - conflict? Cedric Blancher (Aug 29)