Re: MAC address spoofing - conflict?

From: Cedric Blancher (blancher@cartel-securite.fr)
Date: Tue Aug 29 2006 - 02:38:25 EDT

• Next message: Hirsch, Adam: "RE: Packet Payload"
• Previous message: Danny: "R0LEX: Genuine Class"
• In reply to: Fabio Nigi: "Re: MAC address spoofing - conflict?"
• Next in thread: nokia1@gmail.com: "Re: Re: MAC address spoofing - conflict?"
• Maybe reply: nokia1@gmail.com: "Re: Re: MAC address spoofing - conflict?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Le lundi 28 août 2006 à 13:06 +0200, Fabio Nigi a écrit :
> i think that the routing table of the switch is being taken on the MAC
> address until the disconnection of host1.

Ethernet switches do not have routing tables. Routing tables are for
routers, as for routing IP packets. Ethernet switches do not know about
IP. Ethernet switches have CAM tables, that basicly are MAC/port
associations tables.

> For example, let's take MAC1 (connected) and Attacker. If Attacker
> spoof the MAC address of MAC1, he can try to change it with
> macchanger, but he will not be really connected until the other client
> will be connected to the AP. So Attacker need to use some
> disconnection-tool (aircrack for example) and before that MAC1 try to
> reconnect, must connect to the AP with his MAC address.

What does aircrack have to do with ethernet switches ?!

By the way, if you're speaking of WiFi, then no, no and no, there's no
need of anything particular in order to spoof a MAC address as explained
multiple times before (read entire thread).

If MAC1 associate to the AP, then attacker can spoof MAC1 as well
without need of associating himself because MAC1 is already associated.
If attacker associates himself, then it's no big deal. AP will indeed
reassociate MAC1 and no problem. Again, an AP does not work like a
switch, it works like a hub. And on a hub, you can seamlessly spoof MAC
addresses. Just test! See for yourself! Find a cheap AP or hub and do
it.

Having to deassociate a client in order to spoof its MAC address is
urban legend. Period.

[1] Not speaking of Layer3 switches that have routing capabilities and
    are more alike ethernet switch _and_ router...

-- 
http://sid.rstack.org/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!
------------------------------------------------------------------------
This List Sponsored by: Cenzic
Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php
------------------------------------------------------------------------

• Next message: Hirsch, Adam: "RE: Packet Payload"
• Previous message: Danny: "R0LEX: Genuine Class"
• In reply to: Fabio Nigi: "Re: MAC address spoofing - conflict?"
• Next in thread: nokia1@gmail.com: "Re: Re: MAC address spoofing - conflict?"
• Maybe reply: nokia1@gmail.com: "Re: Re: MAC address spoofing - conflict?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:51 EDT