Network Security Pen-Test

Re: MAC address spoofing - conflict?

Subject: Re: MAC address spoofing - conflict?
Date: Mon, 21 Aug 2006 18:31:29 +0200
On Monday 21 August 2006 at 10:22 +0200, Lubos Kolouch wrote:
> Yes, but what will happen then? Data will be sent to that MAC address.

Yes.

> If it is a switched network, I can imagine the switch will maybe send it
> to the correct port from which the response came?

We're speaking of WiFi networks here, that are shared medium.

Ethernet switches split ethernet networks into different collision
domains, working at layer 2 and thus reading MAC addresses and acting on
them.
MAC spoofing should not be applicable to those environments as it
causes the switch to face a MAC address conflict, the same one address
appearing on two different ports. Depending on switch behaviour, you may
end up with a wide range of different situations that differ between
different models and even configurations.

> If there is a hub though, the packet will be delivered to which network
> card?

If there's a hub, the situation is identical to what's happening on a
WiFi network, as it is a layer 1 shared medium too.
Question you should ask yourself: if you can listen to the whole network
traffic on an ethernet hub by just putting your card into promisc mode,
why shouldn't you be able to see all the frames destined to any specific
MAC address and thus be able to spoof it? Same question for 802.11
traffic in monitor mode...

Acting on layer 1, it will deliver electric signal to all plugged
stations whatever their MAC address. It will then be up to each station
to filter out frames not destined to them at ethernet driver level.
Thus, if two stations are using the same MAC address on a hubbed ethernet
network, they will both receive frames destined to this very MAC
address.


Then frame payload will be sent to upper layer, say IP stack. As long as
stations are configured with different IP addresses, you won't have any
conflict. Each IP stack will silently drop packets destined to an IP
address that does not belong to it, unless it's configured to route, but
you usually don't want to spoof gateway MAC address...


-- 
http://sid.rstack.org/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
Hi! I'm your friendly neighbourhood signature virus.
Copy me to your signature file and help me spread!
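
The behaviour described in the message above, as an added example that is not part of the original post: a simplified Python model of a hub delivering one frame to two stations that share a MAC address but have different IP addresses, and of a learning switch seeing that MAC move between ports. The class names, addresses (documentation ranges) and the "relearn on last-seen port" switch policy are assumptions; real switches differ, as the message notes.

```python
# Simplified model (added example): shared medium vs. learning switch with a duplicated MAC.
from dataclasses import dataclass, field

@dataclass
class Station:
    name: str
    mac: str
    ip: str
    delivered: list = field(default_factory=list)  # payloads accepted by the IP stack
    nic_accepted: int = 0                           # frames that passed the MAC filter

    def receive(self, dst_mac, dst_ip, payload):
        # Driver-level filter: ignore frames for another MAC (card not in promiscuous mode).
        if dst_mac.lower() != self.mac.lower():
            return
        self.nic_accepted += 1
        # IP stack: silently drop packets for an address this host does not own.
        if dst_ip == self.ip:
            self.delivered.append(payload)

class Hub:
    """Layer 1: repeats every frame to every attached station."""
    def __init__(self, stations):
        self.stations = stations

    def send(self, dst_mac, dst_ip, payload):
        for s in self.stations:
            s.receive(dst_mac, dst_ip, payload)

class LearningSwitch:
    """Layer 2: learns source MAC -> port and counts moves of a MAC between ports."""
    def __init__(self):
        self.table, self.flaps = {}, {}

    def learn(self, src_mac, port):
        prev = self.table.get(src_mac)
        if prev is not None and prev != port:
            self.flaps[src_mac] = self.flaps.get(src_mac, 0) + 1  # conflict signal
        self.table[src_mac] = port  # assumed policy: last-seen port wins

def demo():
    mac = "00:00:5e:00:53:01"                    # constructed, documentation-range MAC
    a = Station("A", mac, "192.0.2.10")
    b = Station("B", mac, "192.0.2.20")          # same MAC, different IP
    c = Station("C", "00:00:5e:00:53:02", "192.0.2.30")
    Hub([a, b, c]).send(mac, "192.0.2.10", "hello")
    sw = LearningSwitch()
    for port in (1, 2, 1, 2):                    # same source MAC seen on alternating ports
        sw.learn(mac, port)
    return a, b, c, sw
```

The flap counter is the kind of signal a defender can watch for: the same source MAC repeatedly relearned on different ports.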
