2

Security lessons force us to use limited users (Standard User) on Windows networks.

I found that an administrator account can change his MAC address from Control Panel\Network and Internet\Network Connections ------> [adapter] ---rclick---> Properties ------> Configure ------> Advanced ------> Network Address ------> Value. This can most likely be done programmatically too.

Using this technique is it possible for an attacker to impersonate another computer on the network?

Would this essentially make the attacker invisible within the network? If not, why?

RoraΖ
  • 12,317
  • 4
  • 51
  • 83
Tayyebi
  • 53
  • 1
  • 1
  • 6
  • 1
    Are you sure that this can be performed by Standard Users? From what I can tell this requires write access to the registry which shouldn't be granted to a "standard user" – RoraΖ Feb 24 '15 at 12:34
  • Ooo. Excuse me. It was problem with my English. I will update that. @raz – Tayyebi Feb 24 '15 at 12:39
  • I know in the computer labs at my old university, they would associate an Ethernet port with the MAC address of the lab computer connected to it. If you tried to connect your laptop computer instead, then you wouldn't get any network access. But, if you changed the MAC address to match that of the lab computer, then it would work. So to answer your first question, YES it is possible to impersonate another computer on the network, but it is going to depend on the configuration of the network. – EarlCrapstone Feb 24 '15 at 16:19
  • Yes, but there are a lot of other things which identify a machine, and which aren't so easy to steal. – peterh Feb 24 '15 at 19:37

2 Answers2

1

It certainly possible that someone will change their MAC address as part of an attack.

If a system is using the MAC address for identification (e.g., Wi-Fi access), then impersonating the MAC address may allow the attacker to impersonate a real user or at least gain basic access. Additional meaures such as 802.1X, NAC, etc. should be used in such cases.

Within a local network, the MAC address is used to direct network traffic, so impersonating the MAC address of a valid machine may be used in an attack, though it is often not necessary to for eavesdropping and Man in the middle attacks based on the attacker's location on the network.

Also, there are tools one can use to send out arbitrary data packets where the address is just spoofed in the packet.

Changing the MAC would not make a computer "invisible". If a system wants to be invisible, then it has to emit no network traffic. Window's machines by default are always sending out traffic if you just let them sit there, but other operating systems or configurations may not emit any automated network traffic.

If one changes his/her MAC address, and there is another system with the same MAC address, it may be difficult for systems to determine if the traffic is coming from the real or impersonated system. Note that for network security, you would want to test for other factors and fingerprints to distinguish if a system is legitimate, as well as possibly using a VPN, 802.1X, etc.

A more likely scenario is that an attacker will continually change his MAC address to make it more difficult to track activity over time if the MAC address is being used to correlate log activity.

Eric G
  • 9,691
  • 4
  • 31
  • 58
0

ARP-spoofing is a specific situation where one takes over the MAC of a known system and redirects all traffic. It provides invisibility from a functional perspective (but not at the packet level - it's very 'noisy') and is required for MitM attacks in a switched environment.

But it all depends on your perspective on 'invisibility'. To be truly invisible on a network, you must never send a packet (you just listen). But if you mean 'masquerade', then yes, MAC spoofing can be used to accomplish that.

It must also be said that MAC spoofing can be defeated by employing mitigation methods (system fingerprinting, NAC, certificate-based network access, etc.), but it is still a viable method.

schroeder
  • 123,438
  • 55
  • 284
  • 319