Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
PC1 source (victim) , and PC3 Destination (Target), PC2 attacker (imporsonate idintity of PC1)
PC1 mac address is : 0000.ffff.aaaa
PC2 mac address is : 0000.ffff.bbbb
PC3 mac address is : 0000.ffff.cccc
They are connected to cisco switch 3550
The term MAC spoofing is the creation of frame with a forged (spoofed) source MAC address (our case 0000.ffff.aaaa ) with the purpose to conceal the identity of the sender (our case PC2) and impersonate the identity of PC1.
If PC2 sends traffic to PC3 (Destination) , PC2 would masquerade as PC1 by falsifying its MAC address to be 0000.ffff.aaaa, if this the case what would the benefit be for PC2 (attacker), if all the traffic (as a response to initiated connection from PC2) coming back from PC3 go to PC1 instead of PC2 ?
Usually mac address spoofing is done to gain the same IP address as the victim would have, when using DHCP. One can also do this with static IP address provided it knows that too.
Since there may not be duplicate IPs on the same subnet, it is a bit random who will be able to actually use it, plus many OS will warn about IP conflicts, and that should tip you as to what is going on.
At work, we have a Cable connection with Telewest, and a static IP address. This static IP address is part of a three-tier authentication process for our delicate pages, and one day, our IP address had changed, and it turned out to be a guy doing mac address spoofing.
He did not actually gain access to the content, but neither could we and we lost half a day of employee wages because we couldn't access our own login.
If PC2 sends traffic to PC3 (Destination) , PC2 will try to masquerades as PC1 by falsifying its MAC address to be 0000.ffff.aaaa, if this the case what would the benefit be for PC2 (attacker), if all the traffic (as a response to initiated connection from PC2) coming back from PC3 go to PC1 instead of PC2 ?
If I'm not mistaken, the issue lies within the routing being used (not Cisco in particular, mind you...I mean routing in general).
The router knows the MAC address of each machine it's connected to. It also knows what ip addresses are where. When a non-connection oriented attack is made, such as a ping or the like, the packets WILL go to PC1. This can be used to spam out pings from PC2 to any machines on the network, which will effectively flood PC3 with ping responses.
If you're dealing with connection-oriented attacks, however, the routing mechanism knows that a connection was made...and doesn't look much further than that! For instance, I attacked a friend's home router once to discover that by spoofing my ip address to be a local address (I was on the WAN side), the router happily responded by connecting me to his machine...no routing table lookup or anything. Once the connection is made (and if the routing machines are not using 1/2 assed secure rules), then it's possible to spoof either MAC or ip address and the router will shuffle packets back and forth based on the *connection*, not the ip address or MAC address...and the problem is worse if you're talking about attacks from within your own network because the router doesn't need to do WAN checks.