Morning Wood wrote:
>What happens? Do you kick the other client off
>
use aireplay to deauth the original client
Yes, but once they had been deauthed they would almost undoubtedly try to reconnect, so that would in turn kick me off Wouldn't it?
In addition to this, if I'm conducting a pen test (or attempting to), I want to be as conspicuous as possible, and minimise my effects on the productivity of the company's employees, however temporary.
Pieter Danhieux wrote:
if you spoof the MAC, there are several options:
- you ask IP through DHCP -dhcp server could refuse giving another IP if the MAC is still active. Depends on the implementation
- you set an IP -if you choose the SAME ip, this will cause problems
-if you choose another ip, you won't see any problems. All packets for the authorized client, are going to be discarded by your IP stack, and all your packets, by his IP stack.
Right. So it depends on whether a DHCP server is in place, and, if it is, how it is configured?
And if you choose another IP address (manually), it doesn't matter if you have the same MAC as the other client or not Doesn't this depend on what type of hardware it is? I suppose it depends on what is being used to route the packets, as (if I'm not mistaken) some do this by MAC and others by internal (NATed) IP?
So, if you are both connected to a wireless router, and you have decided upon a static IP address different to the other client's (even though you have the same MAC address), the packets should not go to the wrong clients, and all should be as if your MAC address weren't the same as the other client's anyway?
Thank you :)
Flail
This List Sponsored by: Cenzic
Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.

penetrationtestmail (AT) gmail (DOT) com *e v t 15. 08. 2006 v 01:38 +0000:

Pieter Danhieux wrote:
if you spoof the MAC, there are several options:
- you ask IP through DHCP -dhcp server could refuse giving another IP if the MAC is still active. Depends on the implementation
- you set an IP -if you choose the SAME ip, this will cause problems
-if you choose another ip, you won't see any problems. All packets for the authorized client, are going to be discarded by your IP stack, and all your packets, by his IP stack.
Right. So it depends on whether a DHCP server is in place, and, if it is, how it is configured?

And if you choose another IP address (manually), it doesn't matter if you have the same MAC as the other client or not Doesn't this depend on what type of hardware it is? I suppose it depends on what is being used to route the packets, as (if I'm not mistaken) some do this by MAC and others by internal (NATed) IP?

I think it does matter. Because there will be more than host replying to
ARP broadcasts and the question is what will happen.

Lubos Kolouch

This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.

Yes, but what will happen then? Data will be sent to that MAC address.

If it is switched network, I can imagine the switch will maybe send it
to the correct port from which the response came?

If there is a hub though, the packet will be delivered to which network
card?

Lubos Kolouch

Cedric Blancher *e v t 17. 08. 2006 v 08:56 +0200:
Le mercredi 16 t 2006 * 10:26 +0200, Lubos Kolouch a crit :
I think it does matter. Because there will be more than host replying to
ARP broadcasts and the question is what will happen.

Nope it does not matter, because you won't have multiple answers

ARP asks for an _IP_ address, not a MAC one. Therefore, if MAC addresses
are identical, but IP addresses are different, an ARP request for one
given IP address will get one answer only. In the end, you will end up
with two entries in ARP cache with the same MAC address, but there's not
problem out there.

And if, in case of some wierd and unexplained behaviour (aka awful bug),
both hosts were replying, they would reply with the same MAC address to
the same request, so you would not have problem either.

Le jeudi 17 t 2006 * 01:03 +0000, penetrationtestmail (AT) gmail (DOT) com a
crit :
And if anyone knows the exact answer, that would be most helpful ;)

The exact answer is: you can seamless spoof MAC addresses on WLAN as
long as you use a different IP address than spoofed host, so you don't
have TCP RST problems and stuff like this. Tested in lab and real life
for pentests.

It's a classical technic (among others[1]) for bypassing some cheap, but
still widespread, WLAN captive portal that only track authenticated
clients with their MAC address.

[1]

This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.

Hi Lubos,

Think of layer 2 delivery as an "if it matches my address I will read it" -
This means if both stations have the same layer 2 (MAC) address both will
read the comm's. As the message escalates up the stack, the IP address will
need to match too though!!!

So this means, both stations get the comm's.

Hope this helps!

Regards,

Mike

Message
From: "Lubos Kolouch" <lubos.kolouch (AT) gmail (DOT) com>
To: <pen-test (AT) securityfocus (DOT) com>
Sent: Monday, August 21, 2006 9:22 AM
Subject: Re: MAC address spoofing - conflict?

Yes, but what will happen then? Data will be sent to that MAC address.

If it is switched network, I can imagine the switch will maybe send it
to the correct port from which the response came?

If there is a hub though, the packet will be delivered to which network
card?

Lubos Kolouch

Cedric Blancher *e v t 17. 08. 2006 v 08:56 +0200:
Le mercredi 16 t 2006 * 10:26 +0200, Lubos Kolouch a crit :
I think it does matter. Because there will be more than host replying to
ARP broadcasts and the question is what will happen.

Nope it does not matter, because you won't have multiple answers

ARP asks for an _IP_ address, not a MAC one. Therefore, if MAC addresses
are identical, but IP addresses are different, an ARP request for one
given IP address will get one answer only. In the end, you will end up
with two entries in ARP cache with the same MAC address, but there's not
problem out there.

And if, in case of some wierd and unexplained behaviour (aka awful bug),
both hosts were replying, they would reply with the same MAC address to
the same request, so you would not have problem either.

Le jeudi 17 t 2006 * 01:03 +0000, penetrationtestmail (AT) gmail (DOT) com a
crit :
And if anyone knows the exact answer, that would be most helpful ;)

The exact answer is: you can seamless spoof MAC addresses on WLAN as
long as you use a different IP address than spoofed host, so you don't
have TCP RST problems and stuff like this. Tested in lab and real life
for pentests.

It's a classical technic (among others[1]) for bypassing some cheap, but
still widespread, WLAN captive portal that only track authenticated
clients with their MAC address.
--
[1]

This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.

This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.