LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 04-10-2007, 03:53 PM   #1
zillah
Member
 
Registered: Oct 2004
Posts: 532

Rep: Reputation: 30
MAC spoof concept


I have got these three PCs :

PC1 source (victim) , and PC3 Destination (Target), PC2 attacker (imporsonate idintity of PC1)


PC1 mac address is : 0000.ffff.aaaa
PC2 mac address is : 0000.ffff.bbbb
PC3 mac address is : 0000.ffff.cccc


They are connected to cisco switch 3550

The term MAC spoofing is the creation of frame with a forged (spoofed) source MAC address (our case 0000.ffff.aaaa ) with the purpose to conceal the identity of the sender (our case PC2) and impersonate the identity of PC1.

If PC2 sends traffic to PC3 (Destination) , PC2 would masquerade as PC1 by falsifying its MAC address to be 0000.ffff.aaaa, if this the case what would the benefit be for PC2 (attacker), if all the traffic (as a response to initiated connection from PC2) coming back from PC3 go to PC1 instead of PC2 ?

Last edited by zillah; 04-10-2007 at 10:59 PM.
 
Old 04-10-2007, 04:27 PM   #2
x_terminat_or_3
Member
 
Registered: Mar 2007
Location: Plymouth, UK
Distribution: Fedora Core, RHEL, Arch
Posts: 342

Rep: Reputation: 38
Usually mac address spoofing is done to gain the same IP address as the victim would have, when using DHCP. One can also do this with static IP address provided it knows that too.

Since there may not be duplicate IPs on the same subnet, it is a bit random who will be able to actually use it, plus many OS will warn about IP conflicts, and that should tip you as to what is going on.

At work, we have a Cable connection with Telewest, and a static IP address. This static IP address is part of a three-tier authentication process for our delicate pages, and one day, our IP address had changed, and it turned out to be a guy doing mac address spoofing.

He did not actually gain access to the content, but neither could we and we lost half a day of employee wages because we couldn't access our own login.
 
Old 04-10-2007, 09:43 PM   #3
zillah
Member
 
Registered: Oct 2004
Posts: 532

Original Poster
Rep: Reputation: 30
Thanks terminator

In my simple scenario as you can see I do not have DHCP server, i.e. I assigned ip address statically

Regards
 
Old 04-10-2007, 09:45 PM   #4
rocket357
Member
 
Registered: Mar 2007
Location: 127.0.0.1
Distribution: OpenBSD-CURRENT
Posts: 476
Blog Entries: 108

Rep: Reputation: 74
Quote:
Originally Posted by zillah
If PC2 sends traffic to PC3 (Destination) , PC2 will try to masquerades as PC1 by falsifying its MAC address to be 0000.ffff.aaaa, if this the case what would the benefit be for PC2 (attacker), if all the traffic (as a response to initiated connection from PC2) coming back from PC3 go to PC1 instead of PC2 ?
If I'm not mistaken, the issue lies within the routing being used (not Cisco in particular, mind you...I mean routing in general).

The router knows the MAC address of each machine it's connected to. It also knows what ip addresses are where. When a non-connection oriented attack is made, such as a ping or the like, the packets WILL go to PC1. This can be used to spam out pings from PC2 to any machines on the network, which will effectively flood PC3 with ping responses.

If you're dealing with connection-oriented attacks, however, the routing mechanism knows that a connection was made...and doesn't look much further than that! For instance, I attacked a friend's home router once to discover that by spoofing my ip address to be a local address (I was on the WAN side), the router happily responded by connecting me to his machine...no routing table lookup or anything. Once the connection is made (and if the routing machines are not using 1/2 assed secure rules), then it's possible to spoof either MAC or ip address and the router will shuffle packets back and forth based on the *connection*, not the ip address or MAC address...and the problem is worse if you're talking about attacks from within your own network because the router doesn't need to do WAN checks.

Hope this clears things up a bit.
 
Old 04-11-2007, 05:57 AM   #6
DotHQ
Member
 
Registered: Mar 2006
Location: Ohio, USA
Distribution: Red Hat, Fedora, Knoppix,
Posts: 542

Rep: Reputation: 33
Good info guys! Thanks!
 
Old 04-11-2007, 08:40 AM   #7
zillah
Member
 
Registered: Oct 2004
Posts: 532

Original Poster
Rep: Reputation: 30
Thanks nx5000 for these links
Regards
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Can't spoof MAC using madwifi drivers. Linux.tar.gz Linux - Wireless Networking 2 08-09-2006 10:26 AM
subnetting vs Class address......concept not clear. b0nd Linux - Networking 8 01-18-2006 06:43 AM
How do people spoof your name and IP address? veeruk101 Linux - Newbie 6 04-06-2005 09:03 PM
how to get ip address, broadcast address, mac address of a machine sumeshstar Programming 2 03-12-2005 04:33 AM
How do I spoof a MAC address? ptp Linux - Networking 7 02-25-2004 07:15 PM


All times are GMT -5. The time now is 05:30 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration