[SATLUG] MAC Address Spoofing
h_oudini at hotmail.com
Tue Dec 11 08:46:31 CST 2007
Brad Knowles wrote:
> On 12/10/07, Alan Lesmerises wrote:
>> I don't really know any of the details about this particular topic,
>> but couldn't you build a database of pre-built messages (with the
>> MAC addresses generated and encoded as required) ahead of time, and
>> when it comes time to run the test, use a script of some kind to
>> retrieve and send the messages with all the encoding already
>> embedded in them?
> Network drivers are not designed to let any other application have
> direct unfiltered access to the wire.
> With standard drivers that I know of, you can't just pre-compute all
> possible answers and then hand everything off to the driver -- it
> expects you to use the standard high-level interfaces, then the
> network layer library routines build the IP packets, and then the
> network library routines pass those on to the interface-specific
> driver to construct the MAC-layer packets. At each stage, lots of
> checks are made to ensure that no weird stuff is going on within the
> packets and that everything is constructed in a safe and appropriate
> If you write your own IP level network library routines, you can
> bypass all that high-level stuff and put whatever you want into the IP
> protocol level. I believe that a number of utilities do this sort of
> thing, metasploit included.
> However, to get full control over the MAC layer, I don't know what
> additional work would be required. I don't know if you'd have to
> write your own interface-specific driver, or if you could take
> something written by someone else and just make minor modifications.
> And you're unlikely to be able to use any existing "standard" method
> of changing the MAC layer address, at least on any kind of real-time
> basis. Doing so would certainly play havoc with any other traffic on
> the box (including your ssh session), since the new MAC address would
> be used for all traffic after the time you changed it, and since you'd
> be changing it hundreds, thousands, or millions of times in a short
> period then none of the normal traffic could effectively occur.
> Moreover, it's likely to take a surprisingly long period of time to go
> through the standard routines to change the MAC address, since you
> have to go all the way down into the interface driver and then back up
> again. Sure, on a single-shot basis, this amount of time would be
> marginal. But try doing that a few million times in a short span, and
> I imagine you would definitely notice.
> This is why you really want to be able to have direct raw access to
> the MAC layer packets, so that you don't have to change your MAC
> address itself, you just generate whatever packets you want with
> whatever addresses you want, and then you put them on the wire.
I just wanted to thank everyone for all the great suggestions. I'll take
a look at the packages that were suggested and see which one works
best for me. Now does anyone know of any good penny stocks that need to
be sold ;-)
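The quoted explanation above describes the sending side: with raw access to the MAC layer a box can emit frames carrying any source address without ever changing the interface's own MAC. The flip side, what that looks like in a packet capture, is worth seeing in code. The block below is an added example, not code from the thread or any package mentioned in it: it parses raw Ethernet II/IPv4 frames with `struct` and flags any source IP that appears with more distinct source MACs than a threshold, which is the on-the-wire signature of the "change it thousands of times" scenario. The sample frames are constructed inline (addresses, thresholds and the `_frame` helper are all assumptions for the example) and nothing here touches a network interface.

```python
"""Detecting source-MAC churn in captured Ethernet frames.

Added example, not part of the original SATLUG thread: a small detector
that parses Ethernet II / IPv4 frames and reports an IP address seen with
many different source MAC addresses. All input below is constructed in
this file; no frame is read from or written to a real NIC.
"""
import struct
from collections import defaultdict

ETHERTYPE_IPV4 = 0x0800


def mac_to_str(raw: bytes) -> str:
    """Render 6 raw bytes as the usual colon-separated MAC string."""
    return ":".join(f"{b:02x}" for b in raw)


def parse_ethernet(frame: bytes):
    """Return (dst_mac, src_mac, ethertype, payload) for an Ethernet II frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return mac_to_str(dst), mac_to_str(src), ethertype, frame[14:]


def parse_ipv4_src(payload: bytes) -> str:
    """Return the source IPv4 address (header bytes 12..15) from an IPv4 header."""
    if len(payload) < 20 or payload[0] >> 4 != 4:
        raise ValueError("payload is not a complete IPv4 header")
    return ".".join(str(b) for b in payload[12:16])


def mac_churn(frames, threshold=3):
    """Map each source IP to the set of source MACs it was seen with, and
    return only the IPs whose distinct-MAC count exceeds `threshold`
    (the threshold is an assumed value; tune it to the segment)."""
    seen = defaultdict(set)
    for frame in frames:
        _, src_mac, ethertype, payload = parse_ethernet(frame)
        if ethertype != ETHERTYPE_IPV4:
            continue  # ARP and other non-IP frames are out of scope here
        try:
            src_ip = parse_ipv4_src(payload)
        except ValueError:
            continue  # truncated or malformed: skip rather than crash
        seen[src_ip].add(src_mac)
    return {ip: macs for ip, macs in seen.items() if len(macs) > threshold}


# --- constructed sample input (assumed addresses, test data only) --------
def _frame(src_mac: bytes, src_ip: bytes) -> bytes:
    """Build a minimal Ethernet+IPv4 frame for the parser above.
    Every IPv4 field except version/IHL and the addresses is zeroed; the
    result is only ever fed to mac_churn(), never sent anywhere."""
    eth = b"\xff" * 6 + src_mac + struct.pack("!H", ETHERTYPE_IPV4)
    ip = bytes([0x45]) + b"\x00" * 11 + src_ip + bytes([10, 0, 0, 1])
    return eth + ip


SAMPLE_FRAMES = (
    # an ordinary host: the same source MAC on every frame
    [_frame(b"\x00\x11\x22\x33\x44\x55", bytes([10, 0, 0, 7]))] * 5
    # a host whose source MAC differs on every frame it emits
    + [_frame(bytes([0x02, 0, 0, 0, 0, n]), bytes([10, 0, 0, 9])) for n in range(8)]
    # a truncated frame the detector must tolerate without crashing
    + [b"\xff" * 6 + b"\x00" * 6 + struct.pack("!H", ETHERTYPE_IPV4) + b"\x45"]
)

if __name__ == "__main__":
    for ip, macs in mac_churn(SAMPLE_FRAMES).items():
        print(f"{ip}: {len(macs)} distinct source MACs")
```

Keying on the IP-to-MAC mapping rather than on the MAC alone is deliberate: a legitimately replaced NIC changes the mapping once, while a raw-frame generator changes it on every packet, so the threshold separates the two cases cleanly. On a real capture the same function can be fed frames from a pcap reader; the parser only needs the bytes of each frame.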