Follow us on Twitter!
You cannot teach a man anything; you can only help him find it within himself. - Galileo
Friday, April 18, 2014
Navigation
Home
HellBoundHackers Main:
HellBoundHackers Find:
HellBoundHackers Information:
Learn
Communicate
Submit
Shop
Challenges
HellBoundHackers Exploit:
HellBoundHackers Programming:
HellBoundHackers Think:
HellBoundHackers Track:
HellBoundHackers Patch:
HellBoundHackers Other:
HellBoundHackers Need Help?
Other
Members Online
Total Online: 17
Guests Online: 17
Members Online: 0

Registered Members: 82822
Newest Member: TheBunter
Latest Articles
View Thread

HellBound Hackers | Computer General | Hacking in general

Page 1 of 2 1 2 >
Author

Identical MAC addresses on the same network


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 13-07-10 17:44
I always assumed that this would produce a conflict on the network by violating the one one correspondence between the IP address and the MAC in the arp table, but then I learned it was a form of wireless session stealing. Why doesn't it produce a conflict between two different network sessions?

Edited by on 13-07-10 17:45
Author

RE: Identical MAC addresses on the same network

dami3n
Member

Your avatar

Posts: 104
Location: Manchester
Joined: 28.06.05
Rank:
Apprentice
Warn Level: 5
Posted on 13-07-10 18:47
I didn't even think that was possible.
soulboundsecurity.wordpress.com
Author

RE: Identical MAC addresses on the same network

AldarHawk
Member



Posts: 1690
Location: Canada
Joined: 26.01.06
Rank:
Hacker Level 1
Posted on 13-07-10 19:21
The second person is coming in spoofing the MAC address, thus changing the location of the packet delivery. there is nothing out of the ordinary here. They will doubtfully have a different IP either Wink


Just ask Yahoo!Taboo! http://www.erikwestlake.com
Author

RE: Identical MAC addresses on the same network

stealth-
Member



Posts: 1003
Location: Eh?
Joined: 10.04.09
Rank:
Mad User
Posted on 13-07-10 19:43
This is also used in wireless networks for bypassing Mac filtering.

Client A is connected to AP B
Attacker X tries to connect to AP B
AP B rejects connection because Attacker X's MAC does not match the allowed list
Rather than spamming MAC attempts, Attacker X searches for connected clients.
Attacker X sees Client A
Attacker X knows Client A must have a legitimate MAC
Attacker X sends a de-authentication packet to Client A, with AP B's MAC address spoofed as the source
(The next steps are a race condition)
Attacker X sets his mac address to match Client A's
Attacker X connects to AP B
AP B sees the legitimate MAC and a connection is established
Client A tries to connect
AP B rejects Client A

There is different ways to hijack sessions through MAC addresses, but this is the most common.


The irony of man's condition is that the deepest need is to be free of the anxiety of death and annihilation; but it is life itself which awakens it, and so we must shrink from being fully alive.
http://www.stealt. . .
http://www.stealth-x.com
Author

RE: Identical MAC addresses on the same network


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 13-07-10 21:14
stealth, your attack will allow only one MAC to be present in the network at one time. I'm not interested in that case, because it's normal - just that you've 'stolen' the MAC. I'm talking about two identical MACs being simultaneously present in the network.

AldarHawk wrote:
The second person is coming in spoofing the MAC address, thus changing the location of the packet delivery. there is nothing out of the ordinary here. They will doubtfully have a different IP either Wink


I'm assuming you've got the MAC by sniffing around you i.e. most likely from the same router, so the location of the packet delivery hasn't changed, since every device in the vicinity receives everyone's packets but drops the ones that doesn't correspond to their MAC. But even if that's not the case, I'm sure a centralized MAC table is maintained to ensure that IPs are not allocated from amongst those that are already allocated.

It makes perfect sense from the ARP table's point of view if you're not only going to use the victim MAC, but his IP too. Is that what you're suggesting?

If that's the case, how will the computer respond to traffic sent from the other computer. I would expect them to close each other's TCP connections since the sequence numbers, source etc. would be something that they did not expect, forcing RST (reset)
Author

RE: Identical MAC addresses on the same network

AldarHawk
Member



Posts: 1690
Location: Canada
Joined: 26.01.06
Rank:
Hacker Level 1
Posted on 14-07-10 12:17
do you have a screen shot of the offending MAC addresses with separate IP addresses?
What Router are you using?
What Wireless standard is your base?
What encryption method are you using?

Please let me know any of these and I will help you out a bit more. Your question is a bit of an anomaly and I would like to dig into it further for you.


Just ask Yahoo!Taboo! http://www.erikwestlake.com
Author

RE: Identical MAC addresses on the same network


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 14-07-10 12:26
It's a theoretical question, so I don't have details. The scenario is an unencrypted connection. I'm not sure why you need the wireless standard.

I would have tested it if I had a network, but unfortunately I don't.

This is how I would simulate it:

Set the router to accept only authorised MAC id. Setup a connection between the router and the computer using that MAC. Make another computer spoof its MAC. Try to connect and see if the DHCP hands you another IP. If it does, does the internet work without any problems? If it doesn't hand you another IP, spoof your IP to match the first computer's IP. Does the internet work without any problems?

Thank you for your interest.

Edited by on 14-07-10 12:32
Author

RE: Identical MAC addresses on the same network

AldarHawk
Member



Posts: 1690
Location: Canada
Joined: 26.01.06
Rank:
Hacker Level 1
Posted on 14-07-10 12:43
gregorian wrote:
It's a theoretical question, so I don't have details. The scenario is an unencrypted connection. I'm not sure why you need the wireless standard.

So where did you get the information regarding this attack that does not hiccup the victims connection?


This is how I would simulate it:
Set the router to accept only authorised MAC id. Setup a connection between the router and the computer using that MAC. Make another computer spoof its MAC. Try to connect and see if the DHCP hands you another IP. If it does, does the internet work without any problems? If it doesn't hand you another IP, spoof your IP to match the first computer's IP. Does the internet work without any problems?

This is nothing but a standard MAC spoof attack. There is nothing different with what you are attempting to explain. Unless you are looking more complex and making this a double attack, being a MAC Spoof and a Man In The Middle. Where as you steal the connection from the Victim and then all the packets are filtered through you. Then you pass the relevant information on with changes where needed, allowing you to control the victims connection.

Any more thoughts here?


Just ask Yahoo!Taboo! http://www.erikwestlake.com
Author

RE: Identical MAC addresses on the same network


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 14-07-10 13:02
I saw a video a very long time ago in which an ARP table had two entries with identical MACs and it worked. I'm sorry, but I can't find it right now.

I understand the Mitm attack. But you don't duplicate MACs in that, do you? It's just that you replace the original entry with your own. That is still normal operation.
Author

RE: Identical MAC addresses on the same network

stealth-
Member



Posts: 1003
Location: Eh?
Joined: 10.04.09
Rank:
Mad User
Posted on 14-07-10 19:25
gregorian wrote:
stealth, your attack will allow only one MAC to be present in the network at one time. I'm not interested in that case, because it's normal - just that you've 'stolen' the MAC. I'm talking about two identical MACs being simultaneously present in the network.


I thought Aldarhawk had answered you question, I was just stating how MAC stealing is usually done.

For your question, though, I've never heard of anything like this. Wouldn't it be a much more ideal situation to just Hijack their session (like in my example above) and then just Mitm them like Aldarhawk was saying? It would probably even be better to just have a second wifi card and completely take the target client out of the target network and Mitm that way, in my opinion. I understand this takes to wireless cards, but the situation you're explaining doesn't sound anything like a very ideal one, or even one that would work.

I'd be very interested to see the video on this.


The irony of man's condition is that the deepest need is to be free of the anxiety of death and annihilation; but it is life itself which awakens it, and so we must shrink from being fully alive.
http://www.stealt. . .

Edited by stealth- on 14-07-10 19:26
http://www.stealth-x.com
Author

RE: Identical MAC addresses on the same network


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 14-07-10 19:48
I don't understand how the mitm attack will work in a wireless network where the targets are close to each other. Let's assume that you're using ARP poisoning. I forgot the detailed mechanism of the ARP, but it's a broadcast that is responded to by one computer. I'm assuming that response is recorded by all computers in the vicinity. (If this assumption is incorrect, ignore the entire paragraph). That makes all computers update their ARP table, and the mitm will not work because both computers will have only the second arp response in their arp table.

Regarding your technique, it definitely makes more sense, but that's not what I saw in the video. I expected some kind of anomaly, but instead I saw a working solution. I'm interested in knowing why there wasn't any kind of anomalous behaviour.
Author

RE: Identical MAC addresses on the same network

stealth-
Member



Posts: 1003
Location: Eh?
Joined: 10.04.09
Rank:
Mad User
Posted on 14-07-10 20:30
gregorian wrote:
I forgot the detailed mechanism of the ARP, but it's a broadcast that is responded to by one computer. I'm assuming that response is recorded by all computers in the vicinity. (If this assumption is incorrect, ignore the entire paragraph).


Every client can see the broadcasts, but only the broadcasting client can see the response.

Regarding your technique, it definitely makes more sense, but that's not what I saw in the video. I expected some kind of anomaly, but instead I saw a working solution. I'm interested in knowing why there wasn't any kind of anomalous behaviour.


Me too. I did a little googling and couldn't find anything, unfortunately Sad


The irony of man's condition is that the deepest need is to be free of the anxiety of death and annihilation; but it is life itself which awakens it, and so we must shrink from being fully alive.
http://www.stealt. . .
http://www.stealth-x.com
Author

RE: Identical MAC addresses on the same network


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 14-07-10 20:51
stealth- wrote:
Every client can see the broadcasts, but only the broadcasting client can see the response.

I must have confused it with IP routing then. Anyway, thank you for clearing it up for me though it was an aside from my main query.


Me too. I did a little googling and couldn't find anything, unfortunately Sad

Unsurprising, since I saw it several years ago, when encryption wasn't widely used.

Edited by on 14-07-10 20:52
Author

RE: Identical MAC addresses on the same network

AldarHawk
Member



Posts: 1690
Location: Canada
Joined: 26.01.06
Rank:
Hacker Level 1
Posted on 15-07-10 17:13
if you can find out the location of this video I know there are a bunch of people who would love to see it.

My guess...Spoof Video with False results Wink


Just ask Yahoo!Taboo! http://www.erikwestlake.com
Author

RE: Identical MAC addresses on the same network


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 15-07-10 19:48
AldarHawk wrote:
if you can find out the location of this video I know there are a bunch of people who would love to see it.

My guess...Spoof Video with False results Wink

I'm sure that wasn't a spoof video. There were several videos on that website which allowed comments and I never saw any negative comments. Regardless of the video's authenticity, what do you expect to happen?
Author

RE: Identical MAC addresses on the same network

AldarHawk
Member



Posts: 1690
Location: Canada
Joined: 26.01.06
Rank:
Hacker Level 1
Posted on 15-07-10 20:05
Again, I would need to view the video to get the exact details you are talking about. Please scrounge and see if you can remember where it is :evil:


Just ask Yahoo!Taboo! http://www.erikwestlake.com
Author

RE: Identical MAC addresses on the same network


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 15-07-10 20:28
That sucks.

Here's a post that says that duplicate MAC addresses will work although I don't understand the explanation of why it will work:
http://www.linuxsa.org.au/pipermail/linuxsa/1999-April/006005.html

If you understand this mechanism, it's the answer to my question.

Does it mean MAC/ IP entries can be identical as long as they function on a different interface? Cool, but I'm pretty sure that a computer with a wireless network card has only one interface i.e. itself [we're only considering wireless networks]. In an ethernet router, the device on the other end of each cable will be an interface. What about a wireless router? There's no cable, and no particular device. Fuck, I'm so confused.

Edited by on 15-07-10 20:43
Author

RE: Identical MAC addresses on the same network

AldarHawk
Member



Posts: 1690
Location: Canada
Joined: 26.01.06
Rank:
Hacker Level 1
Posted on 16-07-10 12:50
I think I know what you are talking about now with almost enough certainty to give you this answer.

You can have a network (for example 192.168.0.x) if this has a network mask of 255.255.255.128 you can then have another person with the same MAC address come in on 192.168.0.y. This is a separate sub net, thus enabling this. If you are using a network mask on your router other than 255.255.255.0 be careful of duplicate MACs Wink

I hope this helped. (note this works on ANY class of network be it A,B,C or D)


Just ask Yahoo!Taboo! http://www.erikwestlake.com
Author

RE: Identical MAC addresses on the same network


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 16-07-10 15:35
Thanks, but I understand that. I've taken a networking course in college so I'm familiar with basic concepts: Routers connect different subnets. The routing protocol uses the IPs to direct traffic to the destination router, after which the data link layer uses the MACs and transmits it to all computers connected to the same port (i.e. the subnet at the end of that port). Depending on the configuration of the network card, frames are dropped or processed.

But my question is when the two MACs are in the same subnet (I expect it when I'm trying to hijack a wireless connection). Assume one router?
Author

RE: Identical MAC addresses on the same network

AldarHawk
Member



Posts: 1690
Location: Canada
Joined: 26.01.06
Rank:
Hacker Level 1
Posted on 16-07-10 16:23
Then the Arp table is poisoned. This will cause disconnects of the IP addresses. As far as I know you cannot have this. I have never come across this ever in my years of computing. Again, I do not know everything, however, I do know that without any proof of this I cannot claim it is possible.


Just ask Yahoo!Taboo! http://www.erikwestlake.com
Page 1 of 2 1 2 >