[SATLUG] MAC Address Spoofing

Brad Knowles brad at shub-internet.org
Mon Dec 10 16:28:44 CST 2007


On 12/10/07, Kase Saylor wrote:

>  I have an interesting problem. I would like to send out a bunch of UDP
>  messages with spoofed IP addresses, but also with spoofed MAC addresses.
>  I need to fool a switch into thinking that it is receiving a bunch of
>  messages from a lot of machines (but without using a lot of machines).
>  Anybody have any ideas on how to do this? Will I have to modify the NIC
>  driver? Or perhaps there's somewhere else I can make this happen? Thanks
>  for any help.

The kinds of security testing tools I know of that have spoofing 
capabilities do things like take the NIC driver(s), hack them to 
allow the additional spoofing capabilities that would not otherwise 
be allowed, and then swap out the standard driver for the modified 
one.

Or they effectively do the same and use the same lowest-level kernel 
interfaces to put the packets on the wire, thus requiring that they 
be run as root or setuid root.

Enough tools have been developed that need these kinds of 
capabilities that they've actually developed their own library 
routines to handle all this kind of stuff, and those libraries should 
be able to be separated from the project where they were originally 
created.


Take a look at tools like nmap, dsniff, Metasploit, etc.  I would 
think that dsniff and Metasploit would be particularly good tools to 
look at.  I say dsniff because it fools poorly configured switches 
into setting up spanning ports that allow it to see all incoming and 
outgoing traffic on that switch -- that's got to involve some pretty 
deep magic at the MAC layer.  I mention Metasploit just because the 
tool can do so damn many things and my understanding is that they 
completely re-implemented the entire communication stack to let them 
tweak and do all sorts of supposedly "impossible" things, which might 
also include the MAC-level drivers.

-- 
Brad Knowles <brad at shub-internet.org>
LinkedIn Profile: <http://tinyurl.com/y8kpxu>

