Re: MAC address spoofing - conflict?

From: Lubos Kolouch (lubos.kolouch@gmail.com)
Date: Mon Aug 21 2006 - 04:22:36 EDT


Yes, but what will happen then? Data will be sent to that MAC address.

If it is a switched network, I can imagine the switch will maybe send it
to the correct port from which the response came?

If there is a hub though, the packet will be delivered to which network
card?

Lubos Kolouch

Cedric Blancher wrote on Thu 17. 08. 2006 at 08:56 +0200:
> On Wednesday 16 August 2006 at 10:26 +0200, Lubos Kolouch wrote:
> > I think it does matter. Because there will be more than one host replying to
> > ARP broadcasts and the question is what will happen.
>
> Nope it does not matter, because you won't have multiple answers...
>
> ARP asks for an _IP_ address, not a MAC one. Therefore, if MAC addresses
> are identical, but IP addresses are different, an ARP request for one
> given IP address will get one answer only. In the end, you will end up
> with two entries in ARP cache with the same MAC address, but there's no
> problem out there.
>
> And if, in case of some weird and unexplained behaviour (aka awful bug),
> both hosts were replying, they would reply with the same MAC address to
> the same request, so you would not have problem either.
>
> On Thursday 17 August 2006 at 01:03 +0000, penetrationtestmail@gmail.com
> wrote:
> > And if anyone knows the exact answer, that would be most helpful ;)
>
> The exact answer is: you can seamlessly spoof MAC addresses on WLAN as
> long as you use a different IP address than the spoofed host, so you don't
> have TCP RST problems and stuff like this. Tested in lab and real life
> for pentests.
>
> It's a classical technique (among others[1]) for bypassing some cheap, but
> still widespread, WLAN captive portals that only track authenticated
> clients with their MAC address.
>
>
> [1] http://sid.rstack.org/pres/0602_ESW_CaptiveBypass.pdf
>
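
Added example, not part of the original thread: the quoted reply notes that a shared MAC with different IP addresses shows up as two ARP cache entries with the same MAC, so a monitor can flag exactly that by parsing ARP frames and grouping sender IPs per sender MAC. The function names, MAC addresses and 192.0.2.x addresses are constructed for illustration.

```python
import struct
from collections import defaultdict

def parse_arp(frame: bytes):
    """Return (opcode, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42:  # 14-byte Ethernet header + 28-byte ARP payload
        return None
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != 0x0806:  # not ARP
        return None
    htype, ptype, hlen, plen, oper = struct.unpack_from("!HHBBH", frame, 14)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa = struct.unpack_from("!6s4s", frame, 22)
    mac = ":".join(f"{b:02x}" for b in sha)
    return oper, mac, ".".join(str(b) for b in spa)

def macs_with_multiple_ips(frames):
    """Map each sender MAC that claimed more than one IPv4 address to those addresses."""
    seen = defaultdict(set)
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed and parsed[2] != "0.0.0.0":  # ARP probes carry no sender IP
            seen[parsed[1]].add(parsed[2])
    # Multi-homed hosts and proxy ARP also match; treat hits as leads, not verdicts.
    return {mac: sorted(ips) for mac, ips in seen.items() if len(ips) > 1}

def build_arp_reply(mac, ip, dst_mac, dst_ip):
    """Build a constructed ARP reply frame for the sample data below."""
    sha, tha = (bytes.fromhex(m.replace(":", "")) for m in (mac, dst_mac))
    spa, tpa = (bytes(int(o) for o in a.split(".")) for a in (ip, dst_ip))
    eth = tha + sha + struct.pack("!H", 0x0806)
    return eth + struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2) + sha + spa + tha + tpa

# Constructed sample: two stations answer from the same MAC with different IPs.
GW = ("02:00:00:00:00:01", "192.0.2.1")
SAMPLE_FRAMES = [
    build_arp_reply("02:00:00:00:00:aa", "192.0.2.23", *GW),
    build_arp_reply("02:00:00:00:00:bb", "192.0.2.40", *GW),
    build_arp_reply("02:00:00:00:00:aa", "192.0.2.57", *GW),
]

if __name__ == "__main__":
    for mac, ips in macs_with_multiple_ips(SAMPLE_FRAMES).items():
        print(f"{mac} answers ARP for {', '.join(ips)}")
```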



