MAC: Difference between revisions
No edit summary |
No edit summary |
||
Line 6: | Line 6: | ||
To see the MAC addresses of the machines on your subnet: | To see the MAC addresses of the machines on your subnet: | ||
arp -a | $ arp -a | ||
== MAC address spoofing == | == MAC address/arp spoofing == | ||
There are a few reasons one might be concerned, or interested about such spoofing: | |||
#To get past MAC address filtering on a router. | |||
#Sniffing other connections on the subnet. | |||
#If someone is using a spoofed MAC address, then the real, burned in MAC address will not show up in IDS/system logs. | |||
#[[DoS]] (pretending to be the gateway of the subnet, for example). | |||
[http://slagheap.net/etherspoof/ MacOSX] | [http://slagheap.net/etherspoof/ MacOSX] | ||
[http://www.klcconsulting.net/Change_MAC_w98.htm Win98] | [http://www.klcconsulting.net/Change_MAC_w98.htm Win98] | ||
[http://ntsecurity.nu/toolbox/etherchange/ Win2000/WinXP] | |||
[http://www.bsdatwork.com/2004/06/19/mac_spoofing_on_freebsd/ FreeBSD using netgraph] | [http://www.bsdatwork.com/2004/06/19/mac_spoofing_on_freebsd/ FreeBSD using netgraph] | ||
[http://whoozoo.co.uk/mac-spoof-linux.htm Linux] | [http://whoozoo.co.uk/mac-spoof-linux.htm Linux] | ||
Software: | |||
[http://ettercap.sourceforge.net/ ettercap] is used for man in the middle attacks on LAN. | |||
[http://www.monkey.org/~dugsong/dsniff/ dsniff] includes arpspoof, dnsspoof, and macof. |
Latest revision as of 10:53, 4 December 2005
MAC stands for Media Access Control. An Ethernet card has a MAC address to identify it which is identified in the OSI layer 2 frame that it outputs to speak on the LAN. This is a 48 bit number which makes the address space larger than the Internet's address space. The first 24 bits are registered with the IEEE, and thus you can identify what Ethernet card maker is by its address (and possibly what model of card as well).
A MAC address with all bits sets (also known as FF:FF:FF:FF:FF:FF) is a special address and means that it is a broadcast (all stations on a LAN are addressed). A MAC address where the first bit is set indicates that this address is a multicast address. Since the bitorder of Ethernet is little-endian meaning the least significant bit is first it really is the very first bit as the address is read through the Ethernet.
To see the MAC addresses of the machines on your subnet:
$ arp -a
MAC address/arp spoofing
There are a few reasons one might be concerned, or interested about such spoofing:
- To get past MAC address filtering on a router.
- Sniffing other connections on the subnet.
- If someone is using a spoofed MAC address, then the real, burned in MAC address will not show up in IDS/system logs.
- DoS (pretending to be the gateway of the subnet, for example).
Software:
ettercap is used for man in the middle attacks on LAN.
dsniff includes arpspoof, dnsspoof, and macof.