[SATLUG] MAC Address Spoofing
brad at shub-internet.org
Mon Dec 10 16:28:44 CST 2007
On 12/10/07, Kase Saylor wrote:
> I have an interesting problem. I would like to send out a bunch of UDP
> messages with spoofed IP addresses, but also with spoofed MAC addresses.
> I need to fool a switch into thinking that it is receiving a bunch of
> messages from a lot of machines (but without using a lot of machines).
> Anybody have any ideas on how to do this? Will I have to modify the NIC
> driver? Or perhaps there's somewhere else I can make this happen? Thanks
> for any help.
The kinds of security testing tools I know of that have spoofing
capabilities do things like take the NIC driver(s), hack them to
allow the additional spoofing capabilities that would not otherwise
be allowed, and then swap out the standard driver for the modified

Or they effectively do the same and use the same lowest-level kernel
interfaces to put the packets on the wire, thus requiring that they
be run as root or setuid root.

Enough tools have been developed that need these kinds of
capabilities that they've actually developed their own library
routines to handle all this kind of stuff, and those libraries should
be able to be separated from the project where they were originally

Take a look at tools like nmap, dsniff, metasploit, etc. I would
think that dsniff and metasploit would be particularly good tools to
look at. I say dsniff because it fools poorly configured switches
into setting up spanning ports that allow it to see all incoming and
outgoing traffic on that switch -- that's got to involve some pretty
deep magic at the MAC layer. I mention Metasploit just because the
tool can do so damn many things and my understanding is that they
completely re-implemented the entire communication stack to let them
tweak and do all sorts of supposedly "impossible" things, which might
also include the MAC-level drivers.
Brad Knowles <brad at shub-internet.org>
LinkedIn Profile: <http://tinyurl.com/y8kpxu>
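
Added example, not part of the original message or of any tool named in it: the switch-side view of the scenario in this thread. It flags a port that shows more distinct source MACs within a short window than a port-security limit would allow; the port names, thresholds and frame records are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed records (seconds, switch port, source MAC), as a switch log or a
# sniffer on a mirror port might supply them. Not data from the thread.
SAMPLE = (
    [(t, "Gi0/1", "00:1a:2b:3c:4d:5e") for t in (0.0, 0.5, 1.0, 1.5)]       # one host
    + [(1.0 + 0.2 * i, "Gi0/2", f"02:00:00:00:00:{i:02x}") for i in range(5)]  # burst
    + [(20.0 * i, "Gi0/3", f"00:1a:2b:00:00:{i:02x}") for i in range(4)]     # slow churn
)


def is_locally_administered(mac):
    """True when the U/L bit (0x02 in the first octet) is set.

    Hand-made addresses usually set it, but so does privacy MAC
    randomisation, so treat it as a hint rather than proof.
    """
    return bool(int(mac.split(":")[0], 16) & 0x02)


def flag_ports(frames, max_macs=3, window=10.0):
    """Report ports with more than max_macs distinct source MACs seen
    within any `window` seconds (both limits are assumed values)."""
    recent = defaultdict(deque)   # port -> (ts, mac) pairs still in the window
    seen = defaultdict(set)       # port -> MACs observed while over the limit
    for ts, port, mac in sorted(frames):
        q = recent[port]
        q.append((ts, mac.lower()))
        while ts - q[0][0] > window:
            q.popleft()
        macs = {m for _, m in q}
        if len(macs) > max_macs:
            seen[port] |= macs
    return {
        port: {"macs": sorted(macs),
               "locally_administered": sum(map(is_locally_administered, macs))}
        for port, macs in seen.items()
    }


if __name__ == "__main__":
    for port, info in flag_ports(SAMPLE).items():
        print(port, len(info["macs"]), "MACs,",
              info["locally_administered"], "locally administered")
```

The slow-churn port stays below the limit because only addresses inside the window are counted, which is the same reason an aging timer matters when setting a per-port MAC limit on a switch.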