MAC spoof concept
 

I have got these three PCs :

PC1 source (victim) , and PC3 Destination (Target), PC2 attacker (imporsonate idintity of PC1)


PC1 mac address is : 0000.ffff.aaaa
PC2 mac address is : 0000.ffff.bbbb
PC3 mac address is : 0000.ffff.cccc


They are connected to cisco switch 3550

The term MAC spoofing is the creation of frame with a forged (spoofed) source MAC address (our case 0000.ffff.aaaa ) with the purpose to conceal the identity of the sender (our case PC2) and impersonate the identity of PC1.

If PC2 sends traffic to PC3 (Destination) , PC2 would masquerade as PC1 by falsifying its MAC address to be 0000.ffff.aaaa, if this the case what would the benefit be for PC2 (attacker), if all the traffic (as a response to initiated connection from PC2) coming back from PC3 go to PC1 instead of PC2 ?

Usually mac address spoofing is done to gain the same IP address as the victim would have, when using DHCP. One can also do this with static IP address provided it knows that too.

Since there may not be duplicate IPs on the same subnet, it is a bit random who will be able to actually use it, plus many OS will warn about IP conflicts, and that should tip you as to what is going on.

At work, we have a Cable connection with Telewest, and a static IP address. This static IP address is part of a three-tier authentication process for our delicate pages, and one day, our IP address had changed, and it turned out to be a guy doing mac address spoofing.

He did not actually gain access to the content, but neither could we and we lost half a day of employee wages because we couldn't access our own login.

Thanks terminator

In my simple scenario as you can see I do not have DHCP server, i.e. I assigned ip address statically

Regards

If I'm not mistaken, the issue lies within the routing being used (not Cisco in particular, mind you...I mean routing in general).

The router knows the MAC address of each machine it's connected to. It also knows what ip addresses are where. When a non-connection oriented attack is made, such as a ping or the like, the packets WILL go to PC1. This can be used to spam out pings from PC2 to any machines on the network, which will effectively flood PC3 with ping responses.

If you're dealing with connection-oriented attacks, however, the routing mechanism knows that a connection was made...and doesn't look much further than that! For instance, I attacked a friend's home router once to discover that by spoofing my ip address to be a local address (I was on the WAN side), the router happily responded by connecting me to his machine...no routing table lookup or anything. Once the connection is made (and if the routing machines are not using 1/2 assed secure rules), then it's possible to spoof either MAC or ip address and the router will shuffle packets back and forth based on the *connection*, not the ip address or MAC address...and the problem is worse if you're talking about attacks from within your own network because the router doesn't need to do WAN checks.

Hope this clears things up a bit.

A few links:
http://media.frnog.org/FRnOG_1/FRnOG_1-2.en.pdf
http://sid.rstack.org/arp-sk/
http://ettercap.sourceforge.net/foru...d73e2f2ea94c84

Good info guys! Thanks!

Thanks nx5000 for these links
Regards