[TriLUG] spoofing mac addresses

Aaron S. Joyner aaron at joyner.ws
Thu Aug 12 06:45:55 EDT 2004


Tanner Lovelace wrote:

> Aaron S. Joyner said the following on 8/3/04 2:17 PM:
>
>> The kicker here isn't getting it to respond to multiple MACs, or even 
>> redirect MACs as Ryan suggested, but to *associate* a particular MAC 
>> address with a particular address.  You'd need some way, at the 
>> kernel level, to tell the OS that if a packet has a certain source 
>> address to send it with a certain Ethernet header.  When you're 
>> composing individual packets and stuffing them in at the driver layer 
>> (how various arp poisoning attacks like Ryan describe do their dirty 
>> work), it's not so difficult to do.  But you want to make a more 
>> large-scale modification to the way the OS is determining what MAC 
>> address to use when sending out packets.  I did some cursory googling 
>> around to find a way to accomplish this task, but to no avail.  I 
>> think this would be neat functionality to see in iptables or the 
>> iproute2 tools (or some derivative) in the future, but presently I 
>> just don't think Linux is capable of doing what you have in mind, in 
>> a wholesale manner.
>
>
> Isn't this what proxy arp is for?  Or does no one use that anymore?
>
> Tanner (back in town and catching up on TriLUG messages...)
>
Proxy ARP is used for making a bridge out of a Linux box, and still 
allowing it to do layer2 firewalling, etc - but I'm not quite sure what 
you would attach the "other" MAC addresses to.  Perhaps you could setup 
another virtual interface, assign it the appropriate MAC, and then use 
Proxy ARP on the real Ethernet interface - the question becomes, what 
type of virtual interface can you assign a MAC address to?  I suspect if 
you had an Ethernet card for each of the machines you wanted the machine 
to actually appear as, you could handle it that way, but then you'd just 
use a device I like to usually refer to as "a switch" and save some 
trouble.  :) 

I don't mean to rule out the possibility, because I admittedly haven't 
used Proxy ARP much under linux - is there such an interface as I 
describe above, that's "virtual" in the sense it's not associated w/ 
hardware, and that you can assign a MAC address too, so traffic will be 
generated w/ that MAC, and then proxy'd out the single Ethernet 
interface by the kernel?

Aaron J.



More information about the TriLUG mailing list