Re: mac duplication

From: fooler (fooler_at_skyinet.net)
Date: 12/14/03

  • Next message: Demar, Jeremy D CTM1 (CCDG12 Aug): "RE: mac duplication"
    To: "Jimi Thompson" <jimit@myrealbox.com>, <vuln-dev@securityfocus.com>
    Date: Sun, 14 Dec 2003 17:17:29 +0800
    
    

    ----- Original Message -----
    From: "Jimi Thompson" <jimit@myrealbox.com>
    To: <vuln-dev@securityfocus.com>
    Sent: Sunday, December 14, 2003 8:33 AM
    Subject: Re: mac duplication

    > Dev,
    >
    > You seem to need some clarification about how Ethernet actually works.
    > I'm going to try to toss out a 50,000 foot view. Anyone can feel free
    > to add to this or correct me.

    hi jimi, i would like to add to and correct some of your statements....

    > Host names map to IP addresses via DNS.

    correct

    > IP addresses map to MAC addresses via router tables.

    it is most appropriate to say ip addresses map to mac addresses via the arp table

    > Just as your IP
    > address has to be unique in order to be routable, so does your MAC
    > address.

    every network device that is using ethernet has a mac address and it should be
    unique too.... unlike an ip address, which is routable, a mac address is
    not....

    > MAC addresses are purchased in blocks by the people who make
    > network devices and blown on to what amount to EPROMS and attached to
    > network cards, switch ports, etc.
    >
    > No two ethernet cards on the planet should have the same MAC address
    > (emphasis on SHOULD because I've run into cards with duplicated MAC's
    > and you won't believe the havoc this wreaks). This is used as a
    > physical layer address by things like ARP.

    two identical mac addresses are bad if they are advertised at the same time, but
    two identical mac addresses advertised one at a time is considered good... this
    usually happens in high availability and reliability active-standby
    setups where the standby network device takes over the mac address of the
    active device when the active device fails....

    > If you want to sniff traffic to a particular machine, get yourself a hub
    > (NOT a switch) and plug the switch into the uplink on the hub and your
    > sniffer and sniff-ee into the hub ports.
    >
    > This will A) let you see everything and B) not cause any serious
    > problems for your switch. I hope that no one was using the machine you
    > were trying to sniff because chances are you are causing a DOS situation
    > by duplicating the MAC address.

    no need for a hub, most especially if you don't have full control of
    the network premises...

    the most common technique to sniff between two hosts in a switched
    environment is the man in the middle attack technique... gratuitous arp is
    your friend here for arp poisoning....

    > Dev wrote:
    > > So i duplicated the mac of the victim machine on my own machine.

    don't do that, you will easily get caught for that....

    > > What i saw was this:
    > >
    > > ping packet drop rate for any of the two machines from a third machine
    > > varied from 40 to almost 80 %. Also say telnet sessions to any of the two
    > > machines (which had now the same mac addresses) worked with notable 4-5
    > > second lockups.
    > >
    > > Further i could not ping the other machine from one of the duplicated
    > > machines. (the last one is okay - it makes a lot of sense)
    > >
    > > My premise is that the problem in connectivity is coming because the OS
    > > does not fall back to half duplex mode when two machines take up the same
    > > mac address??
    > >
    > > can anyone please tell me about the behaviour. How do i set up mac
    > > duplication in that case so that i can sniff data.

    it is pretty obvious that you don't understand how ethernet communication
    works.... so here it is...

    when a sender sends data where the destination address is within its
    network segment, it is the mac address that matters most... but when a sender
    sends data where the destination address is outside its network segment,
    it is the ip address that matters most...

    sending data within its network segment only requires knowing the mac address
    of the receiver... this is where the address resolution protocol comes in...
    read the arp rfc... learn how the switch forwards ethernet frames if
    there are two or more identical mac addresses on different ports of a switch...
    and learn how the tcp/ip stack of a particular OS responds to multiple
    ethernet frames coming from hosts with the same mac address...

    fooler.
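
Added example, not part of the original post: a minimal model of a learning switch, showing why two hosts with the same MAC on different ports each receive only part of the traffic addressed to that MAC, and how counting MAC moves between ports flags the condition. The port numbers, MAC values, transmit order and flap threshold are constructed for illustration.

```python
from collections import defaultdict

SHARED = "00:11:22:33:44:55"   # constructed MAC used by both hosts (ports 1 and 2)
THIRD = "00:aa:bb:cc:dd:ee"    # constructed MAC of the third machine (port 3)


class LearningSwitch:
    """Toy model of source-address learning; not any vendor's implementation."""

    def __init__(self, flap_threshold=3):
        self.cam = {}                   # MAC -> port it was last seen sending from
        self.moves = defaultdict(int)   # MAC -> number of port changes observed
        self.flap_threshold = flap_threshold

    def receive(self, in_port, src, dst):
        """Learn src on in_port; return the egress port, 'flood', or None."""
        old = self.cam.get(src)
        if old is not None and old != in_port:
            self.moves[src] += 1        # same MAC now seen on a different port
        self.cam[src] = in_port
        out = self.cam.get(dst, "flood")
        return None if out == in_port else out  # never send back out the ingress port

    def flapping(self):
        """MACs that changed port at least flap_threshold times."""
        return sorted(m for m, n in self.moves.items() if n >= self.flap_threshold)


def simulate(talkers=(1, 2, 1, 1, 2, 2, 1, 2)):
    """Each step: one of the two hosts sharing SHARED transmits (the switch
    relearns the MAC), then the third machine sends one frame to SHARED."""
    sw = LearningSwitch()
    delivered = {1: 0, 2: 0}
    for port in talkers:
        sw.receive(port, SHARED, THIRD)        # relearn SHARED on this port
        out = sw.receive(3, THIRD, SHARED)     # frame goes to the last talker only
        delivered[out] += 1
    return delivered, sw.flapping()


if __name__ == "__main__":
    delivered, flaps = simulate()
    print("frames delivered per port:", delivered)
    print("flapping MACs:", flaps)
```

Managed switches typically log this same condition as a MAC move or flap between ports, which is the signal to look for when duplicate-MAC symptoms like the packet loss described in the thread appear.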

