4

Looks like nmap can fake the source IP address and get a valid response, but only in a LAN environment. I'm not sure how it works; here's my thought:

You create a packet with a fake IP address and a fake MAC address (associated with the fake IP), so that you both spoof the packet source and are able to get the response data.

But it's unlikely to work in a switch-based LAN environment or with VLANs enabled.

So, anyone know about that?

daisy
  • Obviously although rare in production now, any hub-based network would be particularly vulnerable to this as you could just listen for any replies to your spoofed address. – NULLZ Aug 15 '13 at 01:44
  • I think you might be looking for something like ARP poisoning, I wrote a blog post that covers it in details and sounds like it does what you need: http://scotthel.me/advsesshijack – Scott Helme Aug 15 '13 at 11:47

2 Answers

6

A network switch works by inspecting packets as they come and go. When a switch sees that a packet arrives on a given port, bearing the source MAC address X, then the switch remembers that the machine with MAC address X lies at some point beyond that port, and packets destined to the MAC address X will be sent to that port. Note that switches don't care about IP addresses (well, some switches double as traffic inspectors and know what IP addresses are, but the switch behaviour occurs at the ethernet level and deals with MAC addresses, not IP addresses).

If the attacker is sending packets with X as source address, and expects responses which are destined to address X, then, by any reasonable definition, X is not a "fake address": it is the address that the attacker is assuming, and, from a network point of view, it is very real.

The real trouble comes when the attacker tries to steal an IP address. The attacker observes that there is an active machine, with some IP address U and MAC address Y, and the attacker wants to emit packets which will look as if they come from that machine, and also see the response from another machine V. The attacker has two possible ways:

  • The attacker may try to use an address X distinct from Y, but yet steal address U. The trouble is that the machine V is aware that the genuine machine U has MAC address Y; this awareness comes from the ARP protocol. To achieve his goals, the attacker will have to spam machine V with fake ARP responses so that V becomes convinced that the MAC address for address U is X. This is known as ARP spoofing or "ARP poisoning".

    Note that the switch sees only MAC addresses Y and X, duly distinct from each other, and has no impact here. The attacker has nothing special to do to fool the switch if he chooses this way.

  • The attacker may try to use both the IP address U and the MAC address X. The good point of this method is that there is nothing to do with regards to machine V: that machine remembers that U maps to X, and, as far as the attacker is concerned, this is fine. On the other hand, the switch becomes a problem: that switch has already seen some packets with source address X, coming from a port other than the one used by the attacker. The attacker may not see the response.

    To counter that, the attacker will first spam the switch with thousands of packets, full of random junk, allegedly coming from thousands of random MAC addresses. The switch has only limited RAM to remember all the mappings of MAC addresses to ports, so the spamming onslaught will make it forget where address X is. At that point, given a packet with destination address X, the switch will degrade to hub mode and broadcast the packet on all ports -- including the one leading to the attacker.

The situation can be made more complex with modern switches which employ more complex routing algorithms to support redundant networks. The base principle is still that the MAC addresses are unknown to the switches, which discover them dynamically by observing packets in transit. A countermeasure which can be employed with some switches is to configure them, statically, with known associations of MAC addresses with ports. This loses in flexibility (a specific machine will be rejected if not plugged into the right port), but can make switches more robust against such attacks.

(Not letting evil people connect directly to your switch would be better, though.)

Tom Leek
3

I think what you are looking for is an ARP poisoning attack. This attack causes your MAC address to be associated with a different IP address, so any packets directed at that IP address get sent to your machine.