Re: mac duplication

["fooler" <fooler () skyinet net>]

----- Original Message -----
From: "Jimi Thompson" <jimit () myrealbox com>
To: <vuln-dev () securityfocus com>
Sent: Sunday, December 14, 2003 8:33 AM
Subject: Re: mac duplication


> Dev,
>
> You seem to need some clarification about how Ethernet actually works.
> I'm going to try to toss out a 50,000 foot view.  Anyone can feel free
> to add to this or correct me.

hi jimi, i would like to add and correct some of your statement....

> Host names map to IP addresses via DNS.

correct

> IP address map to MAC addresses via router tables.

it is most appropriate to say ip addresses map to mac address via arp table

> Just as your IP
> address has to be unique in order to be routable, so does your MAC
> address.

every network device that is using ethernet has a mac address and should be
unique too.... unlike with ip address which is routable, mac address is
not....

> MAC addresses are purchased in blocks by the people who make
> network devices and blown on to what amount to EPROMS and attached to
> network cards, switch ports, etc.
>
> No two ethernet cards on the planet should have the same MAC address
> (emphasis on SHOULD because I've run into cards with duplicated MAC's
> and you won't believe the havoc this wreaks).  This is used as a
> physical layer address by things like ARP.

two the same mac address is bad if they advertise it on the same time but
two the same mac address advertise one at a time is considered good... this
is usually happen for highly availability and reliability active-standby
setup where the standby network device takes over the mac address of the
active device when the active device fails....

> If you want to sniff traffic to a particular machine, get yourself a hub
> (NOT a switch) and plug the switch into the uplink on the hub and your
> sniffer and sniff-ee into the hub ports.
>
> This will A) let you see everything and B)   not cause any serious
> problems for your switch.  I hope that no one was using the machine you
> were trying to sniff because chances are you are causing a DOS situation
> by duplicating the MAC address.

no need for a hub and most specially if you dont have the full control of
the  network premise...

the most common technique to sniff between two hosts under the switch
environment  is the man in the middle attack technique... gratuitios arp is
your friend here for arp poisoning....

> Dev wrote:
> > & So i duplicated the mac of the victim machine on my own machine.

dont do that and you will easily catch for that....

> > What i saw was this:
> >
> > ping packet drop rate for any of the two machines from a third machine
varied from 40 to almost 80 %. Also say telnet sessions to any of the two
machines (which had now the same mac addresses) worked with notable 4-5
second lockups.
> > Further i could not ping the other machine from one of the duplicated
machines. (the last one is okay - it makes a lot of sense)
> > My premise is that the problem in connectivity is coming becoz the OS
does not fall back to half duplex mode when two machines take up the same
mac address??
> > can anyone plz tell me about the behaviour. How do i set up mac
duplication in that case so that i can sniff data.

it is pretty obvious that you dont understand how the communication of
ethernet works.... so here it is...

when a sender sends a data where the destination address is within its
network segment, it is the mac address matters most... but when a sender
sends a data where the destination address is outside its network segment,
it is the ip address matters most...

sending a data within its network segment takes only to know the mac address
of the receiver... this is where address resolution protocol comes in...
read the arp rfc... learn how the switch forward the ethernet frames if
there are two or more the same mac address on different ports of a switch...
and learn how the tcp/ip stack of a particular OS respond to multiple
ethernet frames coming from the same mac address hosts...

fooler.