RE: mac duplication

From: Dom De Vitto (dom_at_DeVitto.com)
Date: 12/14/03

    To: <vuln-dev@securityfocus.com>
    Date: Sun, 14 Dec 2003 11:15:20 -0000
    
    

    The easiest way to get what you want is to:
    1) For every *other* box on that LAN (including gateways) send rarp
    reply to that box's MAC saying the server has a MAC of broadcast
    (ff-ff-ff-ff-ff-ff).
    2) for every *other* box on that LAN (including gateways) send a rarp
    reply to the server, saying that the other box has a broadcast MAC.

    Repeat 1 & 2 every 5 seconds.
    Now traffic from any box on that LAN, and the gateways on that LAN
    will be broadcast to all boxes (including yours).
    In effect you have made the LAN behave like a hub.

    It's important that you don't send a spoofed rarp reply to the actual
    real machine, as this will get logged.

    This kind of 'rarp storm' attack can cause trouble with *your*
    switchport, as you're spoofing MACs, so it looks like your port has
    all the machines on it :-(

    Try getting a copy of 'sterm' as this does various kinds of spoofing
    to enable connections from a to b, but as if the connections are coming
    from c. Cute.

    Dom
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Dom De Vitto Tel. 07855 805 271
    http://www.devitto.com mailto:dom@devitto.com
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    -----Original Message-----
    From: Jimi Thompson [mailto:jimit@myrealbox.com]
    Sent: Sunday, December 14, 2003 12:34 AM
    To: vuln-dev@securityfocus.com
    Subject: Re: mac duplication

    Dev,

    You seem to need some clarification about how Ethernet actually works.
    I'm going to try to toss out a 50,000 foot view. Anyone can feel free to
    add to this or correct me. Host names map to IP addresses via DNS.
    IP addresses map to MAC addresses via router tables. Just as your IP address
    has to be unique in order to be routable, so does your MAC
    address. MAC addresses are purchased in blocks by the people who make
    network devices and blown on to what amount to EPROMS and attached to
    network cards, switch ports, etc.

    No two ethernet cards on the planet should have the same MAC address
    (emphasis on SHOULD because I've run into cards with duplicated MACs and
    you won't believe the havoc this wreaks). This is used as a physical layer
    address by things like ARP.
    If you want to sniff traffic to a particular machine, get yourself a hub
    (NOT a switch) and plug the switch into the uplink on the hub and your
    sniffer and sniff-ee into the hub ports.

    This will A) let you see everything and B) not cause any serious
    problems for your switch. I hope that no one was using the machine you were
    trying to sniff because chances are you are causing a DOS situation by
    duplicating the MAC address.

    Jimi

    Dev wrote:

    >hi people, please redirect me to a different mailing list if this is not the
    >appropriate list to post to.
    >
    >I did the following experiment:
    >
    >I have a switched ethernet network in my university.
    >I wanted to capture packets meant for a certain machine on a different
    >port of a Dlink switch. I thought that arp poisoning would be too noisy
    >- arpwatch can catch it, & it's too bulky for the MITM machine (in case
    >we are poisoning a heavily loaded server machine.)
    >& So I duplicated the mac of the victim machine on my own machine.
    >
    >What I saw was this:
    >
    >ping packet drop rate for any of the two machines from a third machine
    >varied from 40 to almost 80 %. Also say telnet sessions to any of the two
    >machines (which had now the same mac addresses) worked with notable 4-5
    >second lockups.
    >
    >Further I could not ping the other machine from one of the duplicated
    >machines. (the last one is okay - it makes a lot of sense)
    >
    >My premise is that the problem in connectivity is coming because the OS does
    >not fall back to half duplex mode when two machines take up the same mac
    >address??
    >
    >can anyone please tell me about the behaviour. How do I set up mac duplication
    >in that case so that I can sniff data.
    >
    >I don't want to hurt network performance. & so don't want to do mac flooding.
    >Anyways I'm not even sure the switches we have here would resort to
    >broadcast mode in case of mac flooding.
    >
    >Last but not the least it's my second message to the list, & people were
    >really helpful in discussing about my queries in my first message.
    >
    >Mailing lists rock..
    >
    >Devrat
    >

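The thread turns on two observations: Dev notes that arpwatch catches ARP poisoning, and Dom's reply explains that a spoofed reply advertising a host at the broadcast MAC (ff-ff-ff-ff-ff-ff), repeated every few seconds, is what turns a switched segment into a hub. The following Python is an added example, written from the network operator's side; it is not code from any poster in the thread. It is an arpwatch-style checker that reads ARP reply records in a constructed text format (timestamp, Ethernet source, opcode, sender MAC, sender IP, target MAC, target IP; a real deployment would feed it from a capture) and raises an alert for exactly the things the thread describes: a sender hardware address that is a broadcast or multicast (group) address, an Ethernet source that does not match the ARP sender address, an IP whose MAC changes, and a sender IP being re-advertised at a high rate. The sample records, the window length and the rate threshold are all assumptions chosen for the example.

```python
"""Small arpwatch-style checker for ARP reply records (added example).

Record format (constructed for this example, not a real capture format):
    ts  eth_src  op  sender_mac  sender_ip  target_mac  target_ip
"""
from collections import Counter, defaultdict, deque

FLOOD_WINDOW_S = 30.0   # assumed sliding window for the repeat-rate check
FLOOD_THRESHOLD = 5     # assumed number of replies per sender IP in the window


def parse_record(line):
    """Parse one whitespace-separated record into a dict."""
    ts, eth_src, op, smac, sip, tmac, tip = line.split()
    return {"ts": float(ts), "eth_src": eth_src.lower(), "op": op.lower(),
            "sender_mac": smac.lower(), "sender_ip": sip,
            "target_mac": tmac.lower(), "target_ip": tip}


def is_group_address(mac):
    """True for the broadcast MAC or any multicast MAC (I/G bit set in octet 0).

    A unicast host is never legitimately advertised at a group address, so an
    ARP reply carrying one is exactly the 'hub' trick described in the thread.
    """
    return int(mac.split(":")[0], 16) & 0x01 == 1


class ArpMonitor:
    def __init__(self):
        self.table = {}                    # ip -> MAC most recently advertised
        self.recent = defaultdict(deque)   # sender_ip -> timestamps of replies

    def check(self, rec):
        """Return a list of (alert_type, detail) for one ARP reply record."""
        alerts = []
        if rec["op"] != "reply":
            return alerts
        sip, smac = rec["sender_ip"], rec["sender_mac"]

        if is_group_address(smac):
            alerts.append(("group-mac", f"{sip} advertised at {smac}"))

        # The frame's Ethernet source should be the station doing the talking;
        # a mismatch with the ARP sender address is a classic spoofing sign.
        if rec["eth_src"] != smac:
            alerts.append(("eth-arp-mismatch",
                           f"frame from {rec['eth_src']} claims {sip} is at {smac}"))

        # Like arpwatch, report a changed binding and then adopt it, so that a
        # flip back to the real MAC is reported as another change.
        known = self.table.get(sip)
        if known is not None and known != smac:
            alerts.append(("changed-mac", f"{sip}: {known} -> {smac}"))
        self.table[sip] = smac

        # Rate check: the thread's attack re-sends replies every few seconds.
        q = self.recent[sip]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > FLOOD_WINDOW_S:
            q.popleft()
        if len(q) == FLOOD_THRESHOLD:      # fires once as the threshold is crossed
            alerts.append(("reply-rate",
                           f"{len(q)} replies for {sip} within {FLOOD_WINDOW_S:.0f}s"))
        return alerts


def run(text):
    """Feed every record in `text` through one monitor; return (ts, type, detail)."""
    mon = ArpMonitor()
    out = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        rec = parse_record(line)
        for kind, detail in mon.check(rec):
            out.append((rec["ts"], kind, detail))
    return out


def summarize(alerts):
    """Count alerts by type."""
    return dict(Counter(kind for _, kind, _ in alerts))


# Constructed sample: two legitimate replies, then a third station (…:99)
# advertising the server 10.0.0.20 at the broadcast MAC every five seconds.
SAMPLE = """\
0.0  00:11:22:33:44:20 reply 00:11:22:33:44:20 10.0.0.20 00:11:22:33:44:01 10.0.0.1
1.0  00:11:22:33:44:01 reply 00:11:22:33:44:01 10.0.0.1  00:11:22:33:44:20 10.0.0.20
5.0  00:11:22:33:44:99 reply ff:ff:ff:ff:ff:ff 10.0.0.20 00:11:22:33:44:01 10.0.0.1
10.0 00:11:22:33:44:99 reply ff:ff:ff:ff:ff:ff 10.0.0.20 00:11:22:33:44:01 10.0.0.1
15.0 00:11:22:33:44:99 reply ff:ff:ff:ff:ff:ff 10.0.0.20 00:11:22:33:44:01 10.0.0.1
20.0 00:11:22:33:44:99 reply ff:ff:ff:ff:ff:ff 10.0.0.20 00:11:22:33:44:01 10.0.0.1
"""

if __name__ == "__main__":
    for ts, kind, detail in run(SAMPLE):
        print(f"t={ts:5.1f}  {kind:17s} {detail}")
    print(summarize(run(SAMPLE)))
```

On the sample the first spoofed reply produces three alerts at once (group MAC, Ethernet/ARP mismatch, changed binding), each repeat produces the first two again, and the fifth reply for 10.0.0.20 inside the 30 second window trips the rate check. Dev's own experiment, two hosts sharing one MAC, does not show up as a changed binding here, because each host keeps its own IP; that case is better caught at the switch, where the MAC is seen moving between ports, which is the port-side logging Dom warns about.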