[SATLUG] MAC Address Spoofing

Kase Saylor h_oudini at hotmail.com
Tue Dec 11 08:46:31 CST 2007

Brad Knowles wrote:
> On 12/10/07, Alan Lesmerises wrote:
>>  I don't really know any of the details about this particular topic,
>>  but couldn't you build a database of pre-built messages (with the
>>  MAC addresses generated and encoded as required) ahead of time, and
>>  when it comes time to run the test, use a script of some kind to
>>  retrieve and send the messages with all the encoding already
>>  embedded in them?
> Network drivers are not designed to let any other application have 
> direct unfiltered access to the wire.
> With standard drivers that I know of, you can't just pre-compute all 
> possible answers and then hand everything off to the driver -- it 
> expects you to use the standard high-level interfaces, then the 
> network layer library routines build the IP packets, and then the 
> network library routines pass those on to the interface-specific 
> driver to construct the MAC-layer packets.  At each stage, lots of 
> checks are made to ensure that no weird stuff is going on within the 
> packets and that everything is constructed in a safe and appropriate 
> manner.
> If you write your own IP level network library routines, you can 
> bypass all that high-level stuff and put whatever you want into the IP 
> protocol level.  I believe that a number of utilities do this sort of 
> thing, metasploit included.
> However, to get full control over the MAC layer, I don't know what 
> additional work would be required.  I don't know if you'd have to 
> write your own interface-specific driver, or if you could take 
> something written by someone else and just make minor modifications.
> And you're unlikely to be able to use any existing "standard" method 
> of changing the MAC layer address, at least on any kind of real-time 
> basis.  Doing so would certainly play havoc with any other traffic on 
> the box (including your ssh session), since the new MAC address would 
> be used for all traffic after the time you changed it, and since you'd 
> be changing it hundreds, thousands, or millions of times in a short 
> period then none of the normal traffic could effectively occur.
> Moreover, it's likely to take a surprisingly long period of time to go 
> through the standard routines to change the MAC address, since you 
> have to go all the way down into the interface driver and then back up 
> again.  Sure, on a single-shot basis, this amount of time would be 
> marginal.  But try doing that a few million times in a short span, and 
> I imagine you would definitely notice.
> This is why you really want to be able to have direct raw access to 
> the MAC layer packets, so that you don't have to change your MAC 
> address itself, you just generate whatever packets you want with 
> whatever addresses you want, and then you put them on the wire.
I just wanted to thank everyone for all the great suggestions. I'll take 
a look at the packages that were suggested and see which one works 
best for me. Now does anyone know of any good penny stocks that need to 
be sold ;-)


