| Author |
Identical MAC addresses on the same network |
gregorian
Member

Posts: 109
Location: India
Joined: 28.06.10 Rank: God |
|
I always assumed that this would produce a conflict on the network by violating the one-to-one correspondence between the IP address and the MAC in the ARP table, but then I learned it was a form of wireless session stealing. Why doesn't it produce a conflict between two different network sessions?
Edited by gregorian on 13-07-10 17:45 |
|
| Author |
RE: Identical MAC addresses on the same network |
dami3n
Member

Posts: 47
Location: Leeds
Joined: 28.06.05 Rank: Hacker Level 1 |
|
|
I didn't even think that was possible. |
|
| Author |
RE: Identical MAC addresses on the same network |
AldarHawk
The Manager

Posts: 1662
Location: Canada
Joined: 26.01.06 Rank: God |
|
The second person is coming in spoofing the MAC address, thus changing the location of the packet delivery. There is nothing out of the ordinary here. They will doubtfully have a different IP either.
|
|
| Author |
RE: Identical MAC addresses on the same network |
stealth-
Member

Posts: 998
Location: Eh?
Joined: 10.04.09 Rank: God |
|
This is also used in wireless networks for bypassing MAC filtering.
Client A is connected to AP B
Attacker X tries to connect to AP B
AP B rejects connection because Attacker X's MAC does not match the allowed list
Rather than spamming MAC attempts, Attacker X searches for connected clients.
Attacker X sees Client A
Attacker X knows Client A must have a legitimate MAC
Attacker X sends a de-authentication packet to Client A, with AP B's MAC address spoofed as the source
(The next steps are a race condition)
Attacker X sets his MAC address to match Client A's
Attacker X connects to AP B
AP B sees the legitimate MAC and a connection is established
Client A tries to connect
AP B rejects Client A
There are different ways to hijack sessions through MAC addresses, but this is the most common.
The irony of man's condition is that the deepest need is to be free of the anxiety of death and annihilation; but it is life itself which awakens it, and so we must shrink from being fully alive.
http://www.stealth-x.com |
|
| Author |
RE: Identical MAC addresses on the same network |
gregorian
Member

Posts: 109
Location: India
Joined: 28.06.10 Rank: God |
|
stealth, your attack will allow only one MAC to be present in the network at one time. I'm not interested in that case, because it's normal - just that you've 'stolen' the MAC. I'm talking about two identical MACs being simultaneously present in the network.
AldarHawk wrote:
> The second person is coming in spoofing the MAC address, thus changing the location of the packet delivery. There is nothing out of the ordinary here. They will doubtfully have a different IP either.
I'm assuming you've got the MAC by sniffing around you i.e. most likely from the same router, so the location of the packet delivery hasn't changed, since every device in the vicinity receives everyone's packets but drops the ones that don't correspond to their MAC. But even if that's not the case, I'm sure a centralized MAC table is maintained to ensure that IPs are not allocated from amongst those that are already allocated.
It makes perfect sense from the ARP table's point of view if you're not only going to use the victim MAC, but his IP too. Is that what you're suggesting?
If that's the case, how will the computer respond to traffic sent from the other computer? I would expect them to close each other's TCP connections since the sequence numbers, source etc. would be something that they did not expect, forcing RST (reset).
|
|
| Author |
RE: Identical MAC addresses on the same network |
AldarHawk
The Manager

Posts: 1662
Location: Canada
Joined: 26.01.06 Rank: God |
|
Do you have a screen shot of the offending MAC addresses with separate IP addresses?
What Router are you using?
What Wireless standard is your base?
What encryption method are you using?
Please let me know any of these and I will help you out a bit more. Your question is a bit of an anomaly and I would like to dig into it further for you.
|
|
| Author |
RE: Identical MAC addresses on the same network |
gregorian
Member

Posts: 109
Location: India
Joined: 28.06.10 Rank: God |
|
It's a theoretical question, so I don't have details. The scenario is an unencrypted connection. I'm not sure why you need the wireless standard.
I would have tested it if I had a network, but unfortunately I don't.
This is how I would simulate it:
Set the router to accept only authorised MAC id. Set up a connection between the router and the computer using that MAC. Make another computer spoof its MAC. Try to connect and see if the DHCP hands you another IP. If it does, does the internet work without any problems? If it doesn't hand you another IP, spoof your IP to match the first computer's IP. Does the internet work without any problems?
Thank you for your interest.
Edited by gregorian on 14-07-10 12:32 |
|
| Author |
RE: Identical MAC addresses on the same network |
AldarHawk
The Manager

Posts: 1662
Location: Canada
Joined: 26.01.06 Rank: God |
|
|
gregorian wrote:
> It's a theoretical question, so I don't have details. The scenario is an unencrypted connection. I'm not sure why you need the wireless standard.
So where did you get the information regarding this attack that does not hiccup the victim's connection?
> This is how I would simulate it:
> Set the router to accept only authorised MAC id. Set up a connection between the router and the computer using that MAC. Make another computer spoof its MAC. Try to connect and see if the DHCP hands you another IP. If it does, does the internet work without any problems? If it doesn't hand you another IP, spoof your IP to match the first computer's IP. Does the internet work without any problems?
This is nothing but a standard MAC spoof attack. There is nothing different with what you are attempting to explain. Unless you are looking more complex and making this a double attack, being a MAC Spoof and a Man In The Middle. Whereas you steal the connection from the Victim and then all the packets are filtered through you. Then you pass the relevant information on with changes where needed, allowing you to control the victim's connection.
Any more thoughts here?
|
|
| Author |
RE: Identical MAC addresses on the same network |
gregorian
Member

Posts: 109
Location: India
Joined: 28.06.10 Rank: God |
|
I saw a video a very long time ago in which an ARP table had two entries with identical MACs and it worked. I'm sorry, but I can't find it right now.
I understand the Mitm attack. But you don't duplicate MACs in that, do you? It's just that you replace the original entry with your own. That is still normal operation. |
|
| Author |
RE: Identical MAC addresses on the same network |
stealth-
Member

Posts: 998
Location: Eh?
Joined: 10.04.09 Rank: God |
|
|
gregorian wrote:
> stealth, your attack will allow only one MAC to be present in the network at one time. I'm not interested in that case, because it's normal - just that you've 'stolen' the MAC. I'm talking about two identical MACs being simultaneously present in the network.
I thought Aldarhawk had answered your question, I was just stating how MAC stealing is usually done.
For your question, though, I've never heard of anything like this. Wouldn't it be a much more ideal situation to just Hijack their session (like in my example above) and then just Mitm them like Aldarhawk was saying? It would probably even be better to just have a second wifi card and completely take the target client out of the target network and Mitm that way, in my opinion. I understand this takes two wireless cards, but the situation you're explaining doesn't sound anything like a very ideal one, or even one that would work.
I'd be very interested to see the video on this.
Edited by stealth- on 14-07-10 19:26 |
|
| Author |
RE: Identical MAC addresses on the same network |
gregorian
Member

Posts: 109
Location: India
Joined: 28.06.10 Rank: God |
|
I don't understand how the mitm attack will work in a wireless network where the targets are close to each other. Let's assume that you're using ARP poisoning. I forgot the detailed mechanism of the ARP, but it's a broadcast that is responded to by one computer. I'm assuming that response is recorded by all computers in the vicinity. (If this assumption is incorrect, ignore the entire paragraph). That makes all computers update their ARP table, and the mitm will not work because both computers will have only the second ARP response in their ARP table.
Regarding your technique, it definitely makes more sense, but that's not what I saw in the video. I expected some kind of anomaly, but instead I saw a working solution. I'm interested in knowing why there wasn't any kind of anomalous behaviour. |
|
| Author |
RE: Identical MAC addresses on the same network |
stealth-
Member

Posts: 998
Location: Eh?
Joined: 10.04.09 Rank: God |
|
|
gregorian wrote:
> I forgot the detailed mechanism of the ARP, but it's a broadcast that is responded to by one computer. I'm assuming that response is recorded by all computers in the vicinity. (If this assumption is incorrect, ignore the entire paragraph).
Every client can see the broadcasts, but only the broadcasting client can see the response.
> Regarding your technique, it definitely makes more sense, but that's not what I saw in the video. I expected some kind of anomaly, but instead I saw a working solution. I'm interested in knowing why there wasn't any kind of anomalous behaviour.
Me too. I did a little googling and couldn't find anything, unfortunately. |
|
| Author |
RE: Identical MAC addresses on the same network |
gregorian
Member

Posts: 109
Location: India
Joined: 28.06.10 Rank: God |
|
|
stealth- wrote:
> Every client can see the broadcasts, but only the broadcasting client can see the response.
I must have confused it with IP routing then. Anyway, thank you for clearing it up for me though it was an aside from my main query.
> Me too. I did a little googling and couldn't find anything, unfortunately.
Unsurprising, since I saw it several years ago, when encryption wasn't widely used.
Edited by gregorian on 14-07-10 20:52 |
|
| Author |
RE: Identical MAC addresses on the same network |
AldarHawk
The Manager

Posts: 1662
Location: Canada
Joined: 26.01.06 Rank: God |
|
If you can find out the location of this video I know there are a bunch of people who would love to see it.
My guess...Spoof Video with False results
|
|
| Author |
RE: Identical MAC addresses on the same network |
gregorian
Member

Posts: 109
Location: India
Joined: 28.06.10 Rank: God |
|
AldarHawk wrote:
> If you can find out the location of this video I know there are a bunch of people who would love to see it.
> My guess...Spoof Video with False results
I'm sure that wasn't a spoof video. There were several videos on that website which allowed comments and I never saw any negative comments. Regardless of the video's authenticity, what do you expect to happen? |
|
| Author |
RE: Identical MAC addresses on the same network |
AldarHawk
The Manager

Posts: 1662
Location: Canada
Joined: 26.01.06 Rank: God |
|
Again, I would need to view the video to get the exact details you are talking about. Please scrounge and see if you can remember where it is.
|
|
| Author |
RE: Identical MAC addresses on the same network |
gregorian
Member

Posts: 109
Location: India
Joined: 28.06.10 Rank: God |
|
That sucks.
Here's a post that says that duplicate MAC addresses will work although I don't understand the explanation of why it will work:
http://www.linuxsa.org.au/pipermail/linuxsa/1999-April/006005.html
If you understand this mechanism, it's the answer to my question.
Does it mean MAC/IP entries can be identical as long as they function on a different interface? Cool, but I'm pretty sure that a computer with a wireless network card has only one interface i.e. itself [we're only considering wireless networks]. In an ethernet router, the device on the other end of each cable will be an interface. What about a wireless router? There's no cable, and no particular device. Fuck, I'm so confused.
Edited by gregorian on 15-07-10 20:43 |
|
| Author |
RE: Identical MAC addresses on the same network |
AldarHawk
The Manager

Posts: 1662
Location: Canada
Joined: 26.01.06 Rank: God |
|
I think I know what you are talking about now with almost enough certainty to give you this answer.
You can have a network (for example 192.168.0.x) if this has a network mask of 255.255.255.128 you can then have another person with the same MAC address come in on 192.168.0.y. This is a separate subnet, thus enabling this. If you are using a network mask on your router other than 255.255.255.0 be careful of duplicate MACs.
I hope this helped. (note this works on ANY class of network be it A,B,C or D)
|
|
| Author |
RE: Identical MAC addresses on the same network |
gregorian
Member

Posts: 109
Location: India
Joined: 28.06.10 Rank: God |
|
Thanks, but I understand that. I've taken a networking course in college so I'm familiar with basic concepts: Routers connect different subnets. The routing protocol uses the IPs to direct traffic to the destination router, after which the data link layer uses the MACs and transmits it to all computers connected to the same port (i.e. the subnet at the end of that port). Depending on the configuration of the network card, frames are dropped or processed.
But my question is when the two MACs are in the same subnet (I expect it when I'm trying to hijack a wireless connection). Assume one router? |
|
| Author |
RE: Identical MAC addresses on the same network |
AldarHawk
The Manager

Posts: 1662
Location: Canada
Joined: 26.01.06 Rank: God |
|
Then the ARP table is poisoned. This will cause disconnects of the IP addresses. As far as I know you cannot have this. I have never come across this ever in my years of computing. Again, I do not know everything, however, I do know that without any proof of this I cannot claim it is possible.
|
|
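An added example, not posted by anyone in the thread: a defender-side check for the situation debated above, one MAC address appearing against several IPs in the same subnet of a neighbour (ARP) table. It parses constructed lines in `ip neigh show` format and groups them under the two netmasks AldarHawk mentions; the sample addresses and the function names are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in `ip neigh show` format (not taken from the thread).
SAMPLE_NEIGH = """\
192.168.0.1 dev wlan0 lladdr 00:11:22:33:44:01 REACHABLE
192.168.0.10 dev wlan0 lladdr 00:11:22:33:44:aa REACHABLE
192.168.0.57 dev wlan0 lladdr 00:11:22:33:44:aa STALE
192.168.0.200 dev wlan0 lladdr 00:11:22:33:44:bb REACHABLE
192.168.0.20 dev wlan0 lladdr 00:11:22:33:44:bb REACHABLE
192.168.0.99 dev wlan0  FAILED
"""


def parse_neigh(text):
    """Yield (ip, mac) for each entry that has a resolved link-layer address."""
    for line in text.splitlines():
        fields = line.split()
        # FAILED/INCOMPLETE entries carry no lladdr and are skipped.
        if "lladdr" in fields:
            mac = fields[fields.index("lladdr") + 1].lower()
            yield ipaddress.ip_address(fields[0]), mac


def shared_macs(entries, netmask):
    """Return {(subnet, mac): [ips]} where one MAC holds 2+ IPs in one subnet.

    A hit is a lead to investigate, not proof of spoofing: alias IPs on one
    interface and proxy ARP also produce it.
    """
    seen = defaultdict(set)
    for ip, mac in entries:
        # strict=False lets a host address stand in for its network.
        subnet = ipaddress.ip_network(f"{ip}/{netmask}", strict=False)
        seen[(str(subnet), mac)].add(ip)
    return {
        key: [str(ip) for ip in sorted(ips)]
        for key, ips in seen.items()
        if len(ips) > 1
    }


if __name__ == "__main__":
    entries = list(parse_neigh(SAMPLE_NEIGH))
    for mask in ("255.255.255.0", "255.255.255.128"):
        print(mask)
        for (subnet, mac), ips in shared_macs(entries, mask).items():
            print(f"  {mac} in {subnet}: {', '.join(ips)}")
```

With the /24 mask both sample MACs are reported; with 255.255.255.128 only the MAC whose two IPs share the lower /25 is, because the other pair falls into different subnets.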