Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: MAC address spoofing - conflict?
From: Cedric Blancher <blancher () cartel-securite fr>
Date: Tue, 29 Aug 2006 13:38:25 +0700

Le lundi 28 août 2006 à 13:06 +0200, Fabio Nigi a écrit :
i think that the routing table of the switch is being taken on the MAC
address until the disconnection of host1.

Ethernet switches do not have routing tables. Routing tables are for
routers, as for routing IP packets. Ethernet switches do not know about
IP. Ethernet switches have CAM tables, that basicly are MAC/port
associations tables.

For example, let's take MAC1 (connected) and Attacker. If Attacker
spoof the MAC address of MAC1, he can try to change it with
macchanger, but he will not be really connected until the other client
will be connected to the AP. So Attacker need to use some
disconnection-tool (aircrack for example) and before that MAC1 try to
reconnect, must connect to the AP with his MAC address.

What does aircrack have to do with ethernet switches ?!

By the way, if you're speaking of WiFi, then no, no and no, there's no
need of anything particular in order to spoof a MAC address as explained
multiple times before (read entire thread).

If MAC1 associate to the AP, then attacker can spoof MAC1 as well
without need of associating himself because MAC1 is already associated.
If attacker associates himself, then it's no big deal. AP will indeed
reassociate MAC1 and no problem. Again, an AP does not work like a
switch, it works like a hub. And on a hub, you can seamlessly spoof MAC
addresses. Just test! See for yourself! Find a cheap AP or hub and do
it.

Having to deassociate a client in order to spoof its MAC address is
urban legend. Period.


[1] Not speaking of Layer3 switches that have routing capabilities and
    are more alike ethernet switch _and_ router...

-- 
http://sid.rstack.org/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
Hi! I'm your friendly neighbourhood signature virus.
Copy me to your signature file and help me spread!

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault