Welcome to HBH! If you had an account on hellboundhacker.org you will need to reset your password using the Lost Password system before you will be able to login.

Identical MAC addresses on the same network


ghost's Avatar
0 0

I always assumed that this would produce a conflict on the network by violating the one one correspondence between the IP address and the MAC in the arp table, but then I learned it was a form of wireless session stealing. Why doesn't it produce a conflict between two different network sessions?


dami3n's Avatar
Member
0 0

I didn't even think that was possible.


AldarHawk's Avatar
The Manager
0 0

The second person is coming in spoofing the MAC address, thus changing the location of the packet delivery. there is nothing out of the ordinary here. They will doubtfully have a different IP either ;)


stealth-'s Avatar
Ninja Extreme
0 0

This is also used in wireless networks for bypassing Mac filtering.

Client A is connected to AP B Attacker X tries to connect to AP B AP B rejects connection because Attacker X's MAC does not match the allowed list Rather than spamming MAC attempts, Attacker X searches for connected clients. Attacker X sees Client A Attacker X knows Client A must have a legitimate MAC Attacker X sends a de-authentication packet to Client A, with AP B's MAC address spoofed as the source (The next steps are a race condition) Attacker X sets his mac address to match Client A's Attacker X connects to AP B AP B sees the legitimate MAC and a connection is established Client A tries to connect AP B rejects Client A

There is different ways to hijack sessions through MAC addresses, but this is the most common.


ghost's Avatar
0 0

stealth, your attack will allow only one MAC to be present in the network at one time. I'm not interested in that case, because it's normal - just that you've 'stolen' the MAC. I'm talking about two identical MACs being simultaneously present in the network.

AldarHawk wrote: The second person is coming in spoofing the MAC address, thus changing the location of the packet delivery. there is nothing out of the ordinary here. They will doubtfully have a different IP either ;)

I'm assuming you've got the MAC by sniffing around you i.e. most likely from the same router, so the location of the packet delivery hasn't changed, since every device in the vicinity receives everyone's packets but drops the ones that doesn't correspond to their MAC. But even if that's not the case, I'm sure a centralized MAC table is maintained to ensure that IPs are not allocated from amongst those that are already allocated.

It makes perfect sense from the ARP table's point of view if you're not only going to use the victim MAC, but his IP too. Is that what you're suggesting?

If that's the case, how will the computer respond to traffic sent from the other computer. I would expect them to close each other's TCP connections since the sequence numbers, source etc. would be something that they did not expect, forcing RST (reset)


AldarHawk's Avatar
The Manager
0 0

do you have a screen shot of the offending MAC addresses with separate IP addresses? What Router are you using? What Wireless standard is your base? What encryption method are you using?

Please let me know any of these and I will help you out a bit more. Your question is a bit of an anomaly and I would like to dig into it further for you.


ghost's Avatar
0 0

It's a theoretical question, so I don't have details. The scenario is an unencrypted connection. I'm not sure why you need the wireless standard.

I would have tested it if I had a network, but unfortunately I don't.

This is how I would simulate it:

Set the router to accept only authorised MAC id. Setup a connection between the router and the computer using that MAC. Make another computer spoof its MAC. Try to connect and see if the DHCP hands you another IP. If it does, does the internet work without any problems? If it doesn't hand you another IP, spoof your IP to match the first computer's IP. Does the internet work without any problems?

Thank you for your interest.


AldarHawk's Avatar
The Manager
0 0

gregorian wrote: It's a theoretical question, so I don't have details. The scenario is an unencrypted connection. I'm not sure why you need the wireless standard.

So where did you get the information regarding this attack that does not hiccup the victims connection?

This is how I would simulate it: Set the router to accept only authorised MAC id. Setup a connection between the router and the computer using that MAC. Make another computer spoof its MAC. Try to connect and see if the DHCP hands you another IP. If it does, does the internet work without any problems? If it doesn't hand you another IP, spoof your IP to match the first computer's IP. Does the internet work without any problems?

This is nothing but a standard MAC spoof attack. There is nothing different with what you are attempting to explain. Unless you are looking more complex and making this a double attack, being a MAC Spoof and a Man In The Middle. Where as you steal the connection from the Victim and then all the packets are filtered through you. Then you pass the relevant information on with changes where needed, allowing you to control the victims connection.

Any more thoughts here?


ghost's Avatar
0 0

I saw a video a very long time ago in which an ARP table had two entries with identical MACs and it worked. I'm sorry, but I can't find it right now.

I understand the Mitm attack. But you don't duplicate MACs in that, do you? It's just that you replace the original entry with your own. That is still normal operation.


stealth-'s Avatar
Ninja Extreme
0 0

gregorian wrote: stealth, your attack will allow only one MAC to be present in the network at one time. I'm not interested in that case, because it's normal - just that you've 'stolen' the MAC. I'm talking about two identical MACs being simultaneously present in the network.

I thought Aldarhawk had answered you question, I was just stating how MAC stealing is usually done.

For your question, though, I've never heard of anything like this. Wouldn't it be a much more ideal situation to just Hijack their session (like in my example above) and then just Mitm them like Aldarhawk was saying? It would probably even be better to just have a second wifi card and completely take the target client out of the target network and Mitm that way, in my opinion. I understand this takes to wireless cards, but the situation you're explaining doesn't sound anything like a very ideal one, or even one that would work.

I'd be very interested to see the video on this.


ghost's Avatar
0 0

I don't understand how the mitm attack will work in a wireless network where the targets are close to each other. Let's assume that you're using ARP poisoning. I forgot the detailed mechanism of the ARP, but it's a broadcast that is responded to by one computer. I'm assuming that response is recorded by all computers in the vicinity. (If this assumption is incorrect, ignore the entire paragraph). That makes all computers update their ARP table, and the mitm will not work because both computers will have only the second arp response in their arp table.

Regarding your technique, it definitely makes more sense, but that's not what I saw in the video. I expected some kind of anomaly, but instead I saw a working solution. I'm interested in knowing why there wasn't any kind of anomalous behaviour.


stealth-'s Avatar
Ninja Extreme
0 0

gregorian wrote: I forgot the detailed mechanism of the ARP, but it's a broadcast that is responded to by one computer. I'm assuming that response is recorded by all computers in the vicinity. (If this assumption is incorrect, ignore the entire paragraph).

Every client can see the broadcasts, but only the broadcasting client can see the response.

Regarding your technique, it definitely makes more sense, but that's not what I saw in the video. I expected some kind of anomaly, but instead I saw a working solution. I'm interested in knowing why there wasn't any kind of anomalous behaviour.

Me too. I did a little googling and couldn't find anything, unfortunately :(


ghost's Avatar
0 0

stealth- wrote: Every client can see the broadcasts, but only the broadcasting client can see the response. I must have confused it with IP routing then. Anyway, thank you for clearing it up for me though it was an aside from my main query.

Me too. I did a little googling and couldn't find anything, unfortunately :( Unsurprising, since I saw it several years ago, when encryption wasn't widely used.


AldarHawk's Avatar
The Manager
0 0

if you can find out the location of this video I know there are a bunch of people who would love to see it.

My guess…Spoof Video with False results ;)


ghost's Avatar
0 0

AldarHawk wrote: if you can find out the location of this video I know there are a bunch of people who would love to see it.

My guess…Spoof Video with False results ;) I'm sure that wasn't a spoof video. There were several videos on that website which allowed comments and I never saw any negative comments. Regardless of the video's authenticity, what do you expect to happen?


AldarHawk's Avatar
The Manager
0 0

Again, I would need to view the video to get the exact details you are talking about. Please scrounge and see if you can remember where it is :evil:


ghost's Avatar
0 0

That sucks.

Here's a post that says that duplicate MAC addresses will work although I don't understand the explanation of why it will work: http://www.linuxsa.org.au/pipermail/linuxsa/1999-April/006005.html

If you understand this mechanism, it's the answer to my question.

Does it mean MAC/ IP entries can be identical as long as they function on a different interface? Cool, but I'm pretty sure that a computer with a wireless network card has only one interface i.e. itself [we're only considering wireless networks]. In an ethernet router, the device on the other end of each cable will be an interface. What about a wireless router? There's no cable, and no particular device. Fuck, I'm so confused.


AldarHawk's Avatar
The Manager
0 0

I think I know what you are talking about now with almost enough certainty to give you this answer.

You can have a network (for example 192.168.0.x) if this has a network mask of 255.255.255.128 you can then have another person with the same MAC address come in on 192.168.0.y. This is a separate sub net, thus enabling this. If you are using a network mask on your router other than 255.255.255.0 be careful of duplicate MACs ;)

I hope this helped. (note this works on ANY class of network be it A,B,C or D)


ghost's Avatar
0 0

Thanks, but I understand that. I've taken a networking course in college so I'm familiar with basic concepts: Routers connect different subnets. The routing protocol uses the IPs to direct traffic to the destination router, after which the data link layer uses the MACs and transmits it to all computers connected to the same port (i.e. the subnet at the end of that port). Depending on the configuration of the network card, frames are dropped or processed.

But my question is when the two MACs are in the same subnet (I expect it when I'm trying to hijack a wireless connection). Assume one router?


AldarHawk's Avatar
The Manager
0 0

Then the Arp table is poisoned. This will cause disconnects of the IP addresses. As far as I know you cannot have this. I have never come across this ever in my years of computing. Again, I do not know everything, however, I do know that without any proof of this I cannot claim it is possible.


ghost's Avatar
0 0

If you have free time and 3 wifi capable devices, you could test it. Unfortunately I don't have a wifi enabled phone otherwise I would have tested it.


AldarHawk's Avatar
The Manager
0 0

what's free time?


stealth-'s Avatar
Ninja Extreme
0 0

gregorian wrote: If you have free time and 3 wifi capable devices, you could test it. Unfortunately I don't have a wifi enabled phone otherwise I would have tested it.

Why would you need 3? Wouldn't two not work just as well? (Unless you are counting the routing device in there) The link you gave brings up a actually very interesting point, and logically, it makes sense that it would work with ethernet, so now I'm interested to see what would happen on Wifi devices.

I do have 2 wifi cards, however I don't have two machines around at the moment as I'm out of town. I could try this in a couple of days, though.


ghost's Avatar
0 0

stealth- wrote: [quote]gregorian wrote: If you have free time and 3 wifi capable devices, you could test it. Unfortunately I don't have a wifi enabled phone otherwise I would have tested it.

Why would you need 3? Wouldn't two not work just as well? (Unless you are counting the routing device in there) The link you gave brings up a actually very interesting point, and logically, it makes sense that it would work with ethernet, so now I'm interested to see what would happen on Wifi devices.

I do have 2 wifi cards, however I don't have two machines around at the moment as I'm out of town. I could try this in a couple of days, though.[/quote] Well, I want to know what the router does. I was thinking of setting up one computer in Infrastructure mode and looking at its routing table. The second point you mentioned is what I'm curious about too. Do you understand if it will work if both macs are on the same subnet? I'm curious to know what will happen. Will the second ARP replace the first one? Will both be there in the table and reject each other's connections?


stealth-'s Avatar
Ninja Extreme
0 0

gregorian wrote: [quote]stealth- wrote: [quote]gregorian wrote: If you have free time and 3 wifi capable devices, you could test it. Unfortunately I don't have a wifi enabled phone otherwise I would have tested it.

Why would you need 3? Wouldn't two not work just as well? (Unless you are counting the routing device in there) The link you gave brings up a actually very interesting point, and logically, it makes sense that it would work with ethernet, so now I'm interested to see what would happen on Wifi devices.

I do have 2 wifi cards, however I don't have two machines around at the moment as I'm out of town. I could try this in a couple of days, though.[/quote] Well, I want to know what the router does. I was thinking of setting up one computer in Infrastructure mode and looking at its routing table. The second point you mentioned is what I'm curious about too. Do you understand if it will work if both macs are on the same subnet? I'm curious to know what will happen. Will the second ARP replace the first one? Will both be there in the table and reject each other's connections?[/quote]

Well, what I got from the posted link was that the sender was convinced that, on a linux machine for instance, the arp table is stored with each interface also listed in the entry. Since every ethernet port on the router should technically be a separate interface, there should be no problems with the router. So, the arp table for a router with 4 ports might look like this:

(eth0, 192.168.1.2, 11:22:33:44:55:66) (eth1, 192.168.1.3, 22:33:44:55:66:77) (eth2, 192.168.1.4, 33:44:55:66:77:88) (eth3, 192.168.1.5, 11:22:33:44:55:66)

The idea presented is that there should be no problems because the router includes the interface in the arp entry so the entries would be different and the router can tell the difference between them. Because, say somebody asks to send a packet to 192.168.1.2, the router sees the equivalent MAC address, but it also sees the interface so it sends it along that interface and there is never a collision with the IP on eth3 because nothing ever goes along eth3, because it doesn't have to.

If you're talking about a situation where the IP's are the same, then that would cause an issue, though.

What's interesting is how this would be handled on a wireless device where there is only one interface. Unfortunately, I don't think I have 3 wireless devices around. I might, but I'd have to do some looking.


ghost's Avatar
0 0

If you're talking about a situation where the IP's are the same, then that would cause an issue, though. What I'm interested in knowing is if the DHCP would give you a new IP for an existing MAC. Is the DHCP MAC aware of does it simply pick one from the free pool? What's interesting is how this would be handled on a wireless device where there is only one interface.

That's true.