Home page logo

pen-test logo Penetration Testing mailing list archives

Re: MAC address spoofing - conflict?
From: Cedric Blancher <blancher () cartel-securite fr>
Date: Mon, 21 Aug 2006 18:31:29 +0200

Le lundi 21 août 2006 à 10:22 +0200, Lubos Kolouch a écrit :
Yes, but what will happen then? Data will be sent to that MAC address.


If it is switched network, I can imagine the switch will maybe send it
to the correct port from which the response came?

We're speaking of WiFi networks here, that are shared medium.

Ethernet switches split ethernet networks into different collision
domains, working at layer 2 and thus reading MAC addresses and acting on
MAC spoofing should not be applicable to thoses environments as it
causes the switch to face a MAC address conflict, the same one address
appearing on two different ports. Depending on switch behaviour, you may
end up with a wide range of different situation that differs between
different models and even configurations.

If there is a hub though, the packet will be delivered to which network

If there's a hub, the situation is identical to what's happening on a
WiFi network, as it is a layer 1 share medium too.
Question you should ask yourself: if you can listen to the whole network
traffic on a ethernet hub by just putting your card into promisc mode,
why shouldn't you we able to see all the frames destined to any specific
MAC address and thus being able to spoof it ? Same question for 802.11
traffic in monitor mode...

Acting on layer 1, it will deliver electric signal to all plugged
stations whatever their MAC address. It will then be up to each station
to filter out frames not destined to them at ethernet driver level.
Thus, if two stations are using the same MAC address on a hubed ethernet
network, they will both receive frames destined to this very MAC

Then frame payload will be sent to upper layer, say IP stack. As long as
stations are configured with different IP addresses, you won't have any
conflict. Each IP stack will silently drop paquets destined to an IP
address that does not belong to it, unless it's configured to route, but
you usually don't want to spoof gateway MAC address...

PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
Hi! I'm your friendly neighbourhood signature virus.
Copy me to your signature file and help me spread!

This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]