[SATLUG] MAC Address Spoofing

Kase Saylor h_oudini at hotmail.com
Tue Dec 11 13:00:48 CST 2007

Kase Saylor wrote:
> Brad Knowles wrote:
>> On 12/10/07, Alan Lesmerises wrote:
>>>  I don't really know any of the details about this particular topic,
>>>  but couldn't you build a database of pre-built messages (with the
>>>  MAC addresses generated and encoded as required) ahead of time, and
>>>  when it comes time to run the test, use a script of some kind to
>>>  retrieve and send the messages with all the encoding already
>>>  embedded in them?
>> Network drivers are not designed to let any other application have 
>> direct unfiltered access to the wire.
>> With standard drivers that I know of, you can't just pre-compute all 
>> possible answers and then hand everything off to the driver -- it 
>> expects you to use the standard high-level interfaces, then the 
>> network layer library routines build the IP packets, and then the 
>> network library routines pass those on to the interface-specific 
>> driver to construct the MAC-layer packets.  At each stage, lots of 
>> checks are made to ensure that no weird stuff is going on within the 
>> packets and that everything is constructed in a safe and appropriate 
>> manner.
>> If you write your own IP level network library routines, you can 
>> bypass all that high-level stuff and put whatever you want into the IP 
>> protocol level.  I believe that a number of utilities do this sort of 
>> thing, metasploit included.
>> However, to get full control over the MAC layer, I don't know what 
>> additional work would be required.  I don't know if you'd have to 
>> write your own interface-specific driver, or if you could take 
>> something written by someone else and just make minor modifications.
>> And you're unlikely to be able to use any existing "standard" method 
>> of changing the MAC layer address, at least on any kind of real-time 
>> basis.  Doing so would certainly play havoc with any other traffic on 
>> the box (including your ssh session), since the new MAC address would 
>> be used for all traffic after the time you changed it, and since you'd 
>> be changing it hundreds, thousands, or millions of times in a short 
>> period then none of the normal traffic could effectively occur.
>> Moreover, it's likely to take a surprisingly long period of time to go 
>> through the standard routines to change the MAC address, since you 
>> have to go all the way down into the interface driver and then back up 
>> again.  Sure, on a single-shot basis, this amount of time would be 
>> marginal.  But try doing that a few million times in a short span, and 
>> I imagine you would definitely notice.
>> This is why you really want to be able to have direct raw access to 
>> the MAC layer packets, so that you don't have to change your MAC 
>> address itself, you just generate whatever packets you want with 
>> whatever addresses you want, and then you put them on the wire.
> I just wanted to thank everyone for all the great suggestions. I'll take 
> a look at the packages that were suggested and see which one works
> best for me. Now does anyone know of any good penny stocks that need to 
> be sold ;-)
> -Kase
dsniff was exactly what I needed. It comes with a MAC flooding app
and I was able to do the testing that I needed.
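The thread ends with a MAC flooding tool being used for testing, and Brad's point above is that such tools bypass the stack and write frames with arbitrary source addresses straight to the wire. The other side of that test is whether the switch, or a monitor on the port, notices. The following is an added example, not code from the thread or from dsniff: a small Python detector that parses raw Ethernet II headers and flags a port when the number of distinct source MACs seen within a time window exceeds a limit, which is the same idea as a port-security "maximum MACs" setting. Frames are constructed inline as sample input and nothing is sent; the port names, thresholds and addresses are assumptions chosen for the example.

```python
"""Detect MAC-address flooding from parsed Ethernet frames.

Added example; not from the SATLUG thread or from dsniff. Assumes each
captured frame arrives as raw bytes tagged with its ingress port name and
a timestamp (e.g. from a span port monitor). Sample frames are constructed
below; nothing is transmitted.
"""
import struct
from collections import defaultdict
from typing import Dict, Tuple

ETH_HDR_LEN = 14  # dst(6) + src(6) + ethertype(2)


def _mac_to_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _mac_to_bytes(text: str) -> bytes:
    return bytes(int(octet, 16) for octet in text.split(":"))


def parse_ethernet(frame: bytes) -> Tuple[str, str, int]:
    """Return (dst_mac, src_mac, ethertype) from a raw Ethernet II frame."""
    if len(frame) < ETH_HDR_LEN:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:ETH_HDR_LEN])
    return _mac_to_str(dst), _mac_to_str(src), ethertype


class MacFloodDetector:
    """Track distinct source MACs per port inside a sliding time window.

    A normal access port sees a handful of source addresses. A flood tool
    sends frames with thousands of random source MACs to exhaust the
    switch's CAM table, so a count far above the expected number of hosts
    on the port is the signal. max_macs and window_s are assumed values.
    """

    def __init__(self, max_macs: int = 8, window_s: float = 10.0):
        self.max_macs = max_macs
        self.window_s = window_s
        # port -> {src_mac: timestamp of last frame seen from it}
        self.seen: Dict[str, Dict[str, float]] = defaultdict(dict)

    def observe(self, port: str, ts: float, frame: bytes) -> bool:
        """Record one frame; return True if the port is now over the limit."""
        _, src, _ = parse_ethernet(frame)
        macs = self.seen[port]
        macs[src] = ts
        # Drop addresses not seen within the window so a long-lived
        # port with slow host churn does not accumulate into a false alert.
        stale = [m for m, t in macs.items() if ts - t > self.window_s]
        for m in stale:
            del macs[m]
        return len(macs) > self.max_macs


def build_frame(src: str, dst: str = "ff:ff:ff:ff:ff:ff",
                ethertype: int = 0x0806) -> bytes:
    """Construct a minimal Ethernet II frame as test input (never sent)."""
    return (_mac_to_bytes(dst) + _mac_to_bytes(src)
            + struct.pack("!H", ethertype) + b"\x00" * 46)


def run_sample() -> Dict[str, bool]:
    """Replay constructed traffic: one quiet port and one flooded port.

    Returns, per port, whether the detector ever raised an alert.
    """
    det = MacFloodDetector(max_macs=8, window_s=10.0)
    alerted: Dict[str, bool] = {"Gi0/1": False, "Gi0/2": False}
    # Gi0/1: two hosts exchanging frames at one per second (constructed).
    for i in range(20):
        src = "00:11:22:33:44:01" if i % 2 else "00:11:22:33:44:02"
        alerted["Gi0/1"] |= det.observe("Gi0/1", float(i), build_frame(src))
    # Gi0/2: 50 frames, each with a different locally administered source
    # MAC, arriving within two seconds (constructed flood pattern).
    for i in range(50):
        src = f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}"
        alerted["Gi0/2"] |= det.observe("Gi0/2", 0.04 * i, build_frame(src))
    return alerted


if __name__ == "__main__":
    print(run_sample())  # {'Gi0/1': False, 'Gi0/2': True}
```

The window expiry matters in practice: a port feeding a hub or a virtualisation host legitimately carries many addresses, so the limit should be set per port from observed baseline rather than one global number, and a real deployment would read frames from a capture file or socket instead of the constructed ones here.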

