In the PC world (along with the rest of it too) MAC spoofing does not
require any genius, just a little knowledge. In order to understand
why MAC spoofing is so easy, here's a little background on how an
Ethernet card works.

First, 99% of all Ethernet cards are stupid, i.e. they have no processing
capability in and of themselves. The Ethernet device basically only
performs the functions of the first layer of the ISO model,
specifically the physical layer stuff. It does the transmitting on
the wire, receiving, collision detection and CRC checks. The
formatting of the actual packet, and examination of destination
addresses is done by software, i.e. the kernel device driver on UNIX
systems, or the ODI driver/packet driver (Clarkson aka Crynwr)/NDIS
driver on a PC. So what does this mean? It means that every packet
that is sent on the wire is examined by this software driver. Now
before everyone out there starts sending flame mail that this is
impossible, that a PC or even some UNIX systems are incapable of
examining every packet on the busy network, please read on. The first
function of the driver is to determine if the packet's destination
address matches the address assigned to this device. To do this, only
the first 7 bytes of the packet need to be examined by the driver (1
byte Start of Frame and the 6 byte destination address). This
comparison can be done on most machines in about 20 CPU instructions.
If the destination address doesn't match, the rest of the packet is
ignored. This driver is also responsible for formatting the packets
to be transmitted on the wire.

The next question is where the driver gets this address. It gets
the address when the driver initializes the ethernet device. Part of
the initialization routine queries the device for the address that is
burned in on the address ROM. This address is normally stored as the
address for the device. The address is so easy to change (i.e.
ifconfig on most UNIX systems) because it is nothing more than a stored
variable, just like the IP address used at the IP layer.

In order to change the MAC address in UNIX you need root access to use
ifconfig, in the PC world you need a driver that allows you to select
the MAC address of the card (locally administered addresses) so that
this address is used instead of the one burned on the card. No
"hacked" copy of anything is required for those drivers that
implement locally administered addresses. Another method is to have
the source code for the driver (available for all of the Clarkson aka
Crynwr packet drivers) and modify the initialization routine to use a
specific address (your "hacked driver"). Anybody who is even slightly
competent in assembly language could do this without a problem. A
more sophisticated (although easier) approach would be to write a
program to search the entire memory space of the PC to find the six
byte address of the card (find the location of the address in the
drivers data area) and change it while the PC is running (kinda like
doing an ifconfig on a DOS machine!) The explosion of PC based
protocol analyzers is due to the implementation, in most driver specs, of
promiscuous mode where the driver passes up all packets regardless of
destination address, which is really a form of address spoofing.

Now regarding your question about two devices with the same MAC
address on the same network. The same thing that happens if you have
two devices on the same network with the same IP address. Weird
things start happening to both devices.

How do you guard against this? Some hub manufacturers have created
"secure" hubs, where only specified devices are allowed to be
connected to specific ports. If "unknown" source MAC addresses appear
on the port, the hub disables the port. This way, no "unknown" MAC
addresses are allowed into the network. The only way to get in is to
attach your device to the network cable plant, using a "good" MAC
address on the port you are attached to. The only way to prevent this
from happening is to make sure your cable plant is physically secure.

MAC based authentication is really very worthless in the real-world
because MAC addresses are easily changed on just about any Ethernet
(or Token Ring) device.
______________________________ Reply Separator _________________________________
Subject: Concerns about MAC spoofing
Author: Rich=Gautier%SP-23DC%DRC @
com at INTERNET
Date: 11/2/94 7:43 AM

I have a few questions about MAC spoofing. First off, how difficult would it
be to spoof a MAC address in a non-TCP/IP environment (i.e. IPX/SPX?).
Without an IFCONFIG, wouldn't the user require a hacked copy of the MLID to

Secondly, what happens if two cards exist with same MAC address on a network?
Does it lock up both cards, or do the two cards start sending garbage onto
the Ethernet and locking up the entire network?

What we want to do is provide single-user login from single MAC address, but
we are worried about the possibility of someone punching down a connection
and spoofing an address on the net.
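The "secure hub" behaviour described in the reply above, as an added example that is not part of either message: frames are parsed as captured Ethernet II headers (no preamble/SFD; bytes 0-5 destination, 6-11 source), each port has one allowed source MAC, and the port is disabled on the first unknown source. The MAC values and the SecureHub/parse_frame names are constructed for illustration.

```python
# Added example (not from the thread): a minimal model of the per-port MAC check
# that "secure" hubs perform, run over constructed Ethernet frames.
# Assumes captured frames without preamble/SFD: bytes 0-5 destination MAC,
# 6-11 source MAC, 12-13 EtherType.
from typing import Dict, List, Set, Tuple


def parse_frame(frame: bytes) -> Tuple[str, str, int]:
    """Return (dst_mac, src_mac, ethertype) from a raw Ethernet II header."""
    if len(frame) < 14:
        raise ValueError("frame shorter than a 14-byte Ethernet header")
    dst = frame[0:6].hex(":")
    src = frame[6:12].hex(":")
    ethertype = int.from_bytes(frame[12:14], "big")
    return dst, src, ethertype


def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet set means a locally administered (software-assigned) MAC."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


class SecureHub:
    """One allowed source MAC per port; a port is disabled on the first unknown source."""

    def __init__(self, allowed: Dict[int, str]):
        self.allowed = {p: m.lower() for p, m in allowed.items()}
        self.disabled: Set[int] = set()
        self.events: List[str] = []  # audit trail a defender would want to review

    def receive(self, port: int, frame: bytes) -> bool:
        """Return True if the frame is forwarded, False if it is dropped."""
        if port in self.disabled:
            return False
        _dst, src, _etype = parse_frame(frame)
        if src != self.allowed.get(port):  # hub cannot tell a cloned "good" MAC from the real card
            self.disabled.add(port)
            self.events.append(f"port {port}: unknown source {src}, port disabled")
            return False
        return True


def build_frame(dst: str, src: str, ethertype: int = 0x0800) -> bytes:
    """Build a header-only frame from colon-separated MACs (constructed test data)."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return mac(dst) + mac(src) + ethertype.to_bytes(2, "big") + b"\x00" * 46


def demo() -> SecureHub:
    hub = SecureHub({1: "00:00:c0:12:34:56", 2: "00:00:c0:ab:cd:ef"})
    hub.receive(1, build_frame("ff:ff:ff:ff:ff:ff", "00:00:c0:12:34:56"))  # allowed on port 1
    hub.receive(2, build_frame("00:00:c0:ab:cd:ef", "00:00:c0:12:34:56"))  # port 1's MAC on port 2: disabled
    hub.receive(2, build_frame("00:00:c0:12:34:56", "00:00:c0:ab:cd:ef"))  # dropped, port 2 stays disabled
    return hub
```

The check only ties a MAC to a port, which is why the reply concludes that physical security of the cable plant, not the MAC itself, is what the control actually rests on.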