[SATLUG] MAC Address Spoofing

Brad Knowles brad at shub-internet.org
Tue Dec 11 01:16:20 CST 2007

On 12/10/07, Alan Lesmerises wrote:

>  I don't really know any of the details about this particular topic,
>  but couldn't you build a database of pre-built messages (with the
>  MAC addresses generated and encoded as required) ahead of time, and
>  when it comes time to run the test, use a script of some kind to
>  retrieve and send the messages with all the encoding already
>  embedded in them?

Network drivers are not designed to let any other application have 
direct unfiltered access to the wire.

With standard drivers that I know of, you can't just pre-compute all 
possible answers and then hand everything off to the driver -- it 
expects you to use the standard high-level interfaces, then the 
network layer library routines build the IP packets, and then the 
network library routines pass those on to the interface-specific 
driver to construct the MAC-layer packets.  At each stage, lots of 
checks are made to ensure that no weird stuff is going on within the 
packets and that everything is constructed in a safe and appropriate 

If you write your own IP level network library routines, you can 
bypass all that high-level stuff and put whatever you want into the 
IP protocol level.  I believe that a number of utilities do this sort 
of thing, metasploit included.

However, to get full control over the MAC layer, I don't know what 
additional work would be required.  I don't know if you'd have to 
write your own interface-specific driver, or if you could take 
something written by someone else and just make minor modifications.

And you're unlikely to be able to use any existing "standard" method 
of changing the MAC layer address, at least on any kind of real-time 
basis.  Doing so would certainly play havoc with any other traffic on 
the box (including your ssh session), since the new MAC address would 
be used for all traffic after the time you changed it, and since 
you'd be changing it hundreds, thousands, or millions of times in a 
short period, none of the normal traffic could effectively occur.

Moreover, it's likely to take a surprisingly long period of time to 
go through the standard routines to change the MAC address, since you 
have to go all the way down into the interface driver and then back 
up again.  Sure, on a single-shot basis, this amount of time would be 
marginal.  But try doing that a few million times in a short span, 
and I imagine you would definitely notice.

This is why you really want to be able to have direct raw access to 
the MAC layer packets, so that you don't have to change your MAC 
address itself, you just generate whatever packets you want with 
whatever addresses you want, and then you put them on the wire.

Brad Knowles <brad at shub-internet.org>
LinkedIn Profile: <http://tinyurl.com/y8kpxu>
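To make the last point concrete, here is an added example (my own, not Brad's code or anything posted to the list): it assembles Ethernet II frames in memory with arbitrary source addresses, parses them back, and runs a simple detector over constructed traffic that flags the "many source MACs in a short period" pattern the post describes. The window size, threshold, and 02:00:… locally administered addresses are assumptions chosen for the demo.

```python
import struct
from collections import defaultdict

ETH_HDR = struct.Struct("!6s6sH")  # dst MAC, src MAC, EtherType (Ethernet II, untagged)
ETH_P_IP = 0x0800

def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))

def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def build_frame(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    """Assemble an Ethernet II frame in memory. The header carries whatever source
    address we choose; the driver's MAC is never consulted. Pad to the 60-byte
    minimum (the NIC appends the 4-byte FCS itself on transmit)."""
    frame = ETH_HDR.pack(mac_to_bytes(dst), mac_to_bytes(src), ethertype) + payload
    return frame.ljust(60, b"\x00")

def parse_frame(frame: bytes):
    """Split a frame into (dst, src, ethertype, payload-with-padding)."""
    if len(frame) < ETH_HDR.size:
        raise ValueError("frame shorter than Ethernet header")
    dst, src, ethertype = ETH_HDR.unpack_from(frame)
    return bytes_to_mac(dst), bytes_to_mac(src), ethertype, frame[ETH_HDR.size:]

def source_mac_churn(frames, window_s=1.0, threshold=50):
    """Given (timestamp, frame) pairs, return {window_index: distinct_src_count}
    for every window in which more than `threshold` distinct source MACs were
    seen. A host that rewrites its source address per frame, as discussed in the
    post, lights this up; a normal host contributes one address per window."""
    buckets = defaultdict(set)
    for ts, frame in frames:
        _, src, _, _ = parse_frame(frame)
        buckets[int(ts // window_s)].add(src)
    return {w: len(srcs) for w, srcs in buckets.items() if len(srcs) > threshold}

def demo():
    # Constructed traffic: 200 frames in the first second, each with a different
    # (locally administered, constructed) source MAC, then 10 ordinary frames from
    # one host in the next second.
    frames = []
    for i in range(200):
        src = f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}"
        frames.append((0.001 * i, build_frame("ff:ff:ff:ff:ff:ff", src, ETH_P_IP, b"x" * 20)))
    for i in range(10):
        frames.append((1.0 + 0.01 * i,
                       build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:aa:bb", ETH_P_IP, b"y")))
    return source_mac_churn(frames)  # → {0: 200}
```

Nothing here touches a socket; the same parse-and-count logic applied to a capture from a mirror port is what would reveal this kind of test traffic on a real segment.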

