(Sometimes known as MAC spoofing)
First let me explain a few things about MAC addresses. MAC stands for Media Access Control and in a sense the MAC address is a computer's true name on a LAN. An Ethernet MAC address is a six byte number, usually expressed as a twelve digit hexadecimal number (Example: 1AB4C234AB1F).
IPs are translated to MAC address by a protocol called ARP (Address Resolution Protocol). Let's say a computer with and IP of 192.168.1.1 wants to send information to another computer on the LAN that has an IP of 192.168.1.2 . First 192.168.1.1 will send out a broadcast to all stations on the LAN asking who has the IP 192.168.1.2. Then the box that has 192.168.1.2 will respond to 192.168.1.1 with it's MAC address which is cached in 192.168.1.1's ARP table for later use. To put this in Socratic Dialog form (with just a touch of Stallone):
Host 1 (192.168.1.1): Yo everyone on the LAN (FF:FF:FF:FF:FF:FF), who has the IP 192.168.1.2? My MAC is DE:AD:BE:EF:CA:FE so you can respond back to me.
Host 2 (192.168.1.2): Hello DE:AD:BE:EF:CA:FE, I have IP 192.168.1.2 and my MAC address is 12:34:56:78:90:12 so you can send your IP packets to me.
You can see the ARP table of a box by dropping out to a command prompt and typing "arp –a" in Windows or just "arp" in Linux. ARP can also work the other way by a host on the LAN sending its MAC address to another machine on the LAN for preemptive caching unless the host is configured to not accept un-requested ARP replies.
A person might want to change the MAC address of a NIC for many reasons:
- To get past MAC address filtering on a router. Valid MAC addresses can be found by sniffing them and then the deviant user could assume the MAC of a valid host. Having two hosts on the same network can cause some network stability problems, but much of the time it's workable. This is one of the reasons why MIC Address filtering on a wireless router is pointless. An attacker can just sniff the MAC address out of the air while in monitor mode and set his WiFi NIC to use it. Interestingly, a lot of hotels use MAC filtering in their "pay to surf" schemes, so this method can be an instant in for cheap skate road warriors.
- Sniffing other connections on the network. By assuming another host's MAC as their own they may receive packets not meant for them. However, ARP poisoning is generally a better method than MAC spoofing to accomplish this task.
- So as to keep their burned in MAC address out of IDS and security logs, thus keeping deviant behavior from being connected to their hardware. For example, two of the main things a DHCP server logs when it leases an IP to a client is the MAC address and host name. If you have a wireless router look around on it's web interface for where it logs this info. Luckily there are tools to randomize this information (MadMACs).
- To pull off a denial of service attack, for instance assuming the MAC of the gateway to a sub net might cause traffic problems. Also, a lot of WiFi routers will lock up if a client tries to connect with the same MAC as the router's BSSID.
Linux
To change your MAC address in Linux (and most *nix system) is easy as pie. All it takes is two easy to script commands:
ifconfig eth0 down hw ether 00:00:00:00:00:01
ifconfig eth0 up
These two little commands would set your eth0 interface to use the MAC 00:00:00:00:00:01. Just plug in the NIC you want to set and the MAC address you want to use into the commands above and your done. Changing your MAC address is one of those things that is much easier to do in Linux then under Windows.
Hi vaseem this is a good info dude..
ReplyDeleteI got one doubt, What happens if 2 systems on same network have same MAC address ?
I think, ARP will work and nyting requiring RARP will fail
ReplyDelete/*
IF u get question what is ARP ?
-- ARP is the process of mapping an IP to MAC to allow machines to communicate. If you do not have an IP mapped in the first place then that NIC will not be used.
and The ARP process will prodcast an ARP request, all machine on that network segment will see that request and the machine with that IP Address will answer with its MAC address in a UniCast reply. This process works regardless of a single NIC or multiple NICs. Also, if multiple IP Addresses are bound to the same NIC, the process will still work the same, just multiple IP Addresses will have the same MAC address.
If U r xperimenting U can carry on u will see unxpected results
and if u r in situation where u need to do this u can go for nic teaming
again Nic teaming means---A NIC Team is known by a single MAC address to clients in the network. This MAC address is only used as the source MAC address by the Primary adapter in the Team. Secondary adapters in the team use their own MAC address as the source address. This MUST be done by NIC Teaming to be compliant with IEEE standards.
For TLB, when a client ARP's for the Team's MAC address using the Team's IP address, the Team will respond with the Team's MAC address (used by the Primary adapter). So, all traffic is received by the Primary adapter. Traffic transmitted out of the Primary adapter has a source address of the Team. Traffic transmitted out of the Secondary adapters use their own MAC address (not the same as the Team MAC address). Since clients with a proper TCP/IP stack implementation should ONLY update their ARP table based on data received in ARP request or replies, receiving data with a different source MAC from a secondary adapter will not affect clients with a complient TCP/IP stack.
Some implementations of the TCP/IP stack in clients are picky in that they require the source MAC address to match the MAC address in the ARP cache.*\
If u need to xperiment go for vmware.com and better xperiment all things within vmware workstation with ur Virtual Machines :-)
ReplyDeleteGirish If u are trying this on linux distros ur machines will fail in fetching IP u will get mesg like system failed to determine IP
ReplyDeleteAnd U tell me by experimenting the same with XP or ny Windows OS :-)
Thanxz in advance :-)