[SATLUG] MAC Address Spoofing
h_oudini at hotmail.com
Tue Dec 11 13:00:48 CST 2007
Kase Saylor wrote:
> Brad Knowles wrote:
>> On 12/10/07, Alan Lesmerises wrote:
>>> I don't really know any of the details about this particular topic,
>>> but couldn't you build a database of pre-built messages (with the
>>> MAC addresses generated and encoded as required) ahead of time, and
>>> when it comes time to run the test, use a script of some kind to
>>> retrieve and send the messages with all the encoding already
>>> embedded in them?
>> Network drivers are not designed to let any other application have
>> direct unfiltered access to the wire.
>> With standard drivers that I know of, you can't just pre-compute all
>> possible answers and then hand everything off to the driver -- it
>> expects you to use the standard high-level interfaces, then the
>> network layer library routines build the IP packets, and then the
>> network library routines pass those on to the interface-specific
>> driver to construct the MAC-layer packets. At each stage, lots of
>> checks are made to ensure that no weird stuff is going on within the
>> packets and that everything is constructed in a safe and appropriate
>> If you write your own IP level network library routines, you can
>> bypass all that high-level stuff and put whatever you want into the IP
>> protocol level. I believe that a number of utilities do this sort of
>> thing, metasploit included.
>> However, to get full control over the MAC layer, I don't know what
>> additional work would be required. I don't know if you'd have to
>> write your own interface-specific driver, or if you could take
>> something written by someone else and just make minor modifications.
>> And you're unlikely to be able to use any existing "standard" method
>> of changing the MAC layer address, at least on any kind of real-time
>> basis. Doing so would certainly play havoc with any other traffic on
>> the box (including your ssh session), since the new MAC address would
>> be used for all traffic after the time you changed it, and since you'd
>> be changing it hundreds, thousands, or millions of times in a short
>> period then none of the normal traffic could effectively occur.
>> Moreover, it's likely to take a surprisingly long period of time to go
>> through the standard routines to change the MAC address, since you
>> have to go all the way down into the interface driver and then back up
>> again. Sure, on a single-shot basis, this amount of time would be
>> marginal. But try doing that a few million times in a short span, and
>> I imagine you would definitely notice.
>> This is why you really want to be able to have direct raw access to
>> the MAC layer packets, so that you don't have to change your MAC
>> address itself, you just generate whatever packets you want with
>> whatever addresses you want, and then you put them on the wire.
> I just wanted to thank everyone for all the great suggestions. I'll take
> a look at the packages that were suggested and see which one works
> best for me. Now does anyone know of any good penny stocks that need to
> be sold ;-)
dsniff was exactly what I needed. It comes with a MAC flooding app
and I was able to do the testing that I needed.
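From the defender's side, the raw MAC-layer access Brad describes is what lets a flooding tool put thousands of different source addresses on one switch port in a short time, and that burst of distinct learned MACs is the signal a port monitor can key on. The detector below is an added example for this thread, not code from dsniff or from anyone on the list; it assumes a feed of (timestamp in seconds, source MAC) learned-address observations for a single port, and the window and threshold values are illustrative.

```python
from collections import deque


def build_sample():
    """Constructed sample, not captured data: a few legitimate hosts on a
    port, then a burst of 300 distinct locally administered source MACs at
    10 ms intervals, which is what a MAC flood looks like to a CAM-table
    monitor."""
    normal = [(0.0, "00:11:22:33:44:01"), (0.5, "00:11:22:33:44:02"),
              (1.0, "00:11:22:33:44:01"), (2.0, "00:11:22:33:44:03"),
              (3.0, "00:11:22:33:44:02")]
    flood = [(4.0 + i / 100,
              "02:00:00:%02x:%02x:%02x" % (i >> 16, (i >> 8) & 0xFF, i & 0xFF))
             for i in range(300)]
    return normal + flood


def detect_mac_flood(observations, window_seconds=1.0, max_distinct=50):
    """Sliding-window count of distinct source MACs seen on one port.

    Returns a list of (timestamp, distinct_count) pairs, one per rising edge,
    i.e. the first observation at which the distinct count in the trailing
    window exceeds max_distinct (a handful of hosts behind a port is normal;
    hundreds per second is CAM-table exhaustion in progress)."""
    window = deque()   # (timestamp, mac) entries inside the trailing window
    counts = {}        # mac -> number of entries for it currently in window
    alerts = []
    above = False      # latch so a sustained flood yields one alert, not one per frame
    for ts, mac in observations:
        window.append((ts, mac))
        counts[mac] = counts.get(mac, 0) + 1
        # Expire entries older than the window; drop MACs no longer present.
        while window and ts - window[0][0] > window_seconds:
            _, old_mac = window.popleft()
            counts[old_mac] -= 1
            if counts[old_mac] == 0:
                del counts[old_mac]
        distinct = len(counts)
        if distinct > max_distinct:
            if not above:
                alerts.append((ts, distinct))
                above = True
        else:
            above = False
    return alerts


if __name__ == "__main__":
    for ts, n in detect_mac_flood(build_sample()):
        print("MAC flood suspected at t=%.2fs: %d distinct source MACs in window" % (ts, n))
```

On the constructed sample the legitimate traffic alone never trips the detector, while the burst is flagged half a second after it starts, when the 51st distinct address lands inside the one-second window.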