MAC Address Spoofing Man-in-the-Middle Attacks

MAC spoofing involves the use of a known MAC address of another host that is authorized to access the network. The attacker attempts to make the target switch forward frames destined for the actual host to the attacker's device instead. This is done by sending a frame that carries the other host's source Ethernet address, with the objective of overwriting the CAM table entry. After the CAM table entry is overwritten, all the packets destined for the actual host are diverted to the attacker. If the original host sends out traffic, the CAM table is rewritten again, moving the traffic back to the original host's port. Figure 14-5 shows how MAC spoofing works.

Figure 14-5. MAC Spoofing Attack

[Figure 14-5 (image not reproduced). Before the attack, the switch has learned that Host A is on port 1, Host B is on port 2, and Host C is on port 3. Host C sends out a packet identifying itself with Host C's IP address but with Host A's MAC address. This frame causes the switch to move the location of Host A in its CAM table from port 1 to port 3, so the table then lists Host B on port 2 and Hosts A and C on port 3. Traffic destined to Host A is now visible to Host C.]
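A defender's view of the CAM overwrite in Figure 14-5, as an added example that is not from the original text: the sketch replays frames through a learning CAM table and flags a source MAC that keeps moving between ports, the pattern produced when the spoofing host and the real host both keep transmitting. The MAC addresses, timings, window and threshold are constructed assumptions; the port layout follows the figure.

```python
from collections import defaultdict

# Constructed sample: (timestamp_seconds, ingress_port, source_mac) as a switch
# would see frames. MACs and timings are made up; ports follow Figure 14-5
# (Host A on port 1, Host B on port 2, Host C on port 3).
MAC_A, MAC_B, MAC_C = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b", "00:00:5e:00:53:0c"
FRAMES = [
    (0.0, 1, MAC_A), (0.1, 2, MAC_B), (0.2, 3, MAC_C),  # normal learning
    (5.0, 3, MAC_A),   # port 3 sources a frame carrying Host A's MAC
    (5.4, 1, MAC_A),   # the real Host A transmits, so the entry moves back
    (5.9, 3, MAC_A),   # spoofed frame again
    (6.3, 1, MAC_A),
    (40.0, 2, MAC_B),  # unrelated traffic, no move
]


def find_mac_flaps(frames, window=10.0, threshold=3):
    """Replay frames through a learning CAM table and report flapping MACs.

    A "move" is a source MAC seen on a different port than its CAM entry.
    Returns (alerts, cam): alerts maps each MAC with >= threshold moves inside
    `window` seconds to the sorted ports involved; cam is the final table.
    """
    cam = {}                      # source MAC -> port it was last learned on
    moves = defaultdict(list)     # source MAC -> [(time, old_port, new_port)]
    alerts = {}
    for ts, port, mac in frames:
        old = cam.get(mac)
        if old is not None and old != port:
            moves[mac].append((ts, old, port))
            # Keep only the moves that are still inside the sliding window.
            moves[mac] = [m for m in moves[mac] if ts - m[0] <= window]
            if len(moves[mac]) >= threshold:
                ports = {p for _, a, b in moves[mac] for p in (a, b)}
                alerts[mac] = sorted(ports)
        cam[mac] = port           # the switch always learns the latest port
    return alerts, cam


if __name__ == "__main__":
    alerts, cam = find_mac_flaps(FRAMES)
    for mac, ports in alerts.items():
        print(f"MAC {mac} is flapping between ports {ports}")
    print("final CAM table:", cam)
```

A single move, such as a host being re-cabled to another port, stays below the threshold and raises no alert.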

Another method of spoofing MAC addresses is to use Address Resolution Protocol (ARP), which is used to map IP addresses to MAC addresses residing on one LAN segment. When a host sends out a broadcast ARP request to find the MAC address of a particular host, an ARP response comes from the host whose address matches the request. The ARP response is cached by the requesting host. ARP also has another method of identifying host IP-to-MAC associations, called Gratuitous ARP (GARP), which is a broadcast packet used by hosts to announce their IP address to the LAN to avoid duplicate IP addresses on the network. GARP can be exploited maliciously by an attacker to spoof the identity of an IP address on a LAN segment. This is typically used to spoof the identity between two hosts, or for all traffic to and from the default gateway.

One of the tools used to spoof ARP entries is called Arpspoof, which is part of a collection of tools known as Dsniff.
