Re: MAC address spoofing - conflict?

From: dogten@d3fcon.org
Date: Mon Aug 21 2006 - 12:55:14 EDT


In general a hub represents multiple physical ports on a single
collision domain. That being the case I would think that all network
cards on that collision domain would get the packet.
-Scott

Lubos Kolouch wrote:
> Yes, but what will happen then? Data will be sent to that MAC address.
>
> If it is a switched network, I can imagine the switch will maybe send it
> to the correct port from which the response came?
>
> If there is a hub though, the packet will be delivered to which network
> card?
>
> Lubos Kolouch
>
> Cedric Blancher wrote on Thu 17. 08. 2006 at 08:56 +0200:
>
>> On Wednesday 16 August 2006 at 10:26 +0200, Lubos Kolouch wrote:
>>
>>> I think it does matter. Because there will be more than one host replying to
>>> ARP broadcasts and the question is what will happen.
>>>
>> Nope it does not matter, because you won't have multiple answers...
>>
>> ARP asks for an _IP_ address, not a MAC one. Therefore, if MAC addresses
>> are identical, but IP addresses are different, an ARP request for one
>> given IP address will get one answer only. In the end, you will end up
>> with two entries in ARP cache with the same MAC address, but there's no
>> problem there.
>>
>> And if, in case of some weird and unexplained behaviour (aka awful bug),
>> both hosts were replying, they would reply with the same MAC address to
>> the same request, so you would not have a problem either.
>>
>> On Thursday 17 August 2006 at 01:03 +0000, penetrationtestmail@gmail.com
>> wrote:
>>
>>> And if anyone knows the exact answer, that would be most helpful ;)
>>>
>> The exact answer is: you can seamlessly spoof MAC addresses on WLAN as
>> long as you use a different IP address than the spoofed host, so you don't
>> have TCP RST problems and stuff like this. Tested in lab and real life
>> for pentests.
>>
>> It's a classic technique (among others[1]) for bypassing some cheap, but
>> still widespread, WLAN captive portals that only track authenticated
>> clients with their MAC address.
>>
>>
>> [1] http://sid.rstack.org/pres/0602_ESW_CaptiveBypass.pdf
>>
>>
>
> ------------------------------------------------------------------------
> This List Sponsored by: Cenzic
>
> Need to secure your web apps?
> Cenzic Hailstorm finds vulnerabilities fast.
> Click the link to buy it, try it or download Hailstorm for FREE.
> http://www.cenzic.com/products_services/download_hailstorm.php
> ------------------------------------------------------------------------
>
>
>
>
>

-- 
Scott Davidson, CISSP, SCSP, CCNA
scott@d3fcon.org - dogtentx on Yahoo IM
MOB	214-632-6191
FAX	440-658-6191
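
The thread notes that a cloned MAC with a different IP leaves two ARP cache entries sharing one MAC address. As an added example (not part of the original thread), this is one way a gateway or portal operator could flag that condition. The sample table is constructed, in Linux /proc/net/arp layout, and the function names and allowlist parameter are illustrative assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in Linux /proc/net/arp layout (not data from the thread).
SAMPLE_ARP_TABLE = """\
IP address       HW type     Flags       HW address            Mask     Device
10.0.0.1         0x1         0x2         00:16:3e:00:00:01     *        wlan0
10.0.0.23        0x1         0x2         00:16:3e:aa:bb:cc     *        wlan0
10.0.0.57        0x1         0x2         00:16:3E:AA:BB:CC     *        wlan0
10.0.0.80        0x1         0x0         00:00:00:00:00:00     *        wlan0
10.0.0.91        0x1         0x2         00:16:3e:12:34:56     *        wlan0
"""

ATF_COM = 0x02  # kernel flag: entry is complete (address resolved)


def parse_arp_table(text):
    """Return (device, mac, ip) tuples for resolved entries only."""
    entries = []
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) != 6:
            continue  # malformed or truncated row
        ip, _hw_type, flags, mac, _mask, dev = fields
        if not int(flags, 16) & ATF_COM:
            continue  # incomplete entry, MAC is all zeroes
        entries.append((dev, mac.lower(), ip))  # normalise MAC case
    return entries


def shared_macs(entries, allowlist=frozenset()):
    """Map (device, mac) -> sorted IPs for every MAC seen with 2+ IPs.

    allowlist holds lowercase MACs that legitimately own several IPs
    (routers, hosts with address aliases), so they are not reported.
    """
    by_mac = defaultdict(set)
    for dev, mac, ip in entries:
        by_mac[(dev, mac)].add(ip)
    return {
        key: sorted(ips, key=ipaddress.ip_address)
        for key, ips in by_mac.items()
        if len(ips) > 1 and key[1] not in allowlist
    }


if __name__ == "__main__":
    for (dev, mac), ips in shared_macs(parse_arp_table(SAMPLE_ARP_TABLE)).items():
        print(f"{dev}: {mac} is bound to {len(ips)} IPs: {', '.join(ips)}")
```

A hit is only a lead: a MAC-only captive portal needs a second binding (IP, session token or 802.1X identity) before the duplicate can be told apart from the authenticated client.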


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:46 EDT