[TriLUG] spoofing mac addresses

Reginald Reed reginald.reed at gmail.com
Thu Aug 12 09:57:48 EDT 2004


Another way to do this is for your code to "be the IP stack" bypassing
the kernel IP stack altogether.  Using libnet and libpcap, you
basically roll your own packets to send and anything received, you
filter based on what you're looking for (combo of IP address and
destination MAC, etc) and process accordingly.  This is pretty easy
for UDP; TCP adds a few challenges.  My team has written several
internal tools that use this method to scale traffic generation and
network simulation stuff using Python (with wrapped libnet and libpcap
functions).

--Reggie

On Thu, 12 Aug 2004 06:45:55 -0400, Aaron S. Joyner <aaron at joyner.ws> wrote:
> Tanner Lovelace wrote:
> 
> > Aaron S. Joyner said the following on 8/3/04 2:17 PM:
> >
> >> The kicker here isn't getting it to respond to multiple MACs, or even
> >> redirect MACs as Ryan suggested, but to *associate* a particular MAC
> >> address with a particular address.  You'd need some way, at the
> >> kernel level, to tell the OS that if a packet has a certain source
> >> address to send it with a certain Ethernet header.  When you're
> >> composing individual packets and stuffing them in at the driver layer
> >> (how various arp poisoning attacks like Ryan describe do their dirty
> >> work), it's not so difficult to do.  But you want to make a more
> >> large-scale modification to the way the OS is determining what MAC
> >> address to use when sending out packets.  I did some cursory googling
> >> around to find a way to accomplish this task, but to no avail.  I
> >> think this would be neat functionality to see in iptables or the
> >> iproute2 tools (or some derivative) in the future, but presently I
> >> just don't think Linux is capable of doing what you have in mind, in
> >> a wholesale manner.
> >
> >
> > Isn't this what proxy arp is for?  Or does no one use that anymore?
> >
> > Tanner (back in town and catching up on TriLUG messages...)
> >
> Proxy ARP is used for making a bridge out of a Linux box, and still
> allowing it to do layer2 firewalling, etc - but I'm not quite sure what
> you would attach the "other" MAC addresses to.  Perhaps you could set up
> another virtual interface, assign it the appropriate MAC, and then use
> Proxy ARP on the real Ethernet interface - the question becomes, what
> type of virtual interface can you assign a MAC address to?  I suspect if
> you had an Ethernet card for each of the machines you wanted the machine
> to actually appear as, you could handle it that way, but then you'd just
> use a device I like to usually refer to as "a switch" and save some
> trouble.  :)
> 
> I don't mean to rule out the possibility, because I admittedly haven't
> used Proxy ARP much under Linux - is there such an interface as I
> describe above, that's "virtual" in the sense it's not associated w/
> hardware, and that you can assign a MAC address to, so traffic will be
> generated w/ that MAC, and then proxy'd out the single Ethernet
> interface by the kernel?
> 
> Aaron J.
> 
> 
> --
> TriLUG mailing list        : http://www.trilug.org/mailman/listinfo/trilug
> TriLUG Organizational FAQ  : http://trilug.org/faq/
> TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
> TriLUG PGP Keyring         : http://trilug.org/~chrish/trilug.asc
>
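
Added example, not part of the original post and not the tools Reggie's team wrote: a sketch of the "be the IP stack" approach for UDP, where the source MAC is picked per source IP on send and received frames are accepted only when destination MAC and IP agree. It uses plain `struct` instead of wrapped libnet/libpcap, works on frames in memory only, and the `HOSTS` table, addresses and function names are constructed for illustration.

```python
import socket
import struct

# Constructed sample table: simulated host IP -> MAC it should appear as.
HOSTS = {
    "192.0.2.10": "02:00:00:00:00:0a",
    "192.0.2.11": "02:00:00:00:00:0b",
}

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def checksum(data):
    """RFC 1071 ones'-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_udp_frame(src_ip, dst_ip, dst_mac, sport, dport, payload):
    """Ethernet + IPv4 + UDP frame whose source MAC is chosen by source IP."""
    eth = mac_bytes(dst_mac) + mac_bytes(HOSTS[src_ip]) + struct.pack("!H", 0x0800)
    # UDP checksum 0 means "not computed", which IPv4 permits.
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return eth + ip + udp

def classify(frame):
    """Receive-side filter: (host_ip, sport, dport, payload), or None if not ours."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x00":
        return None                      # too short, or not IPv4
    ihl = (frame[14] & 0x0F) * 4
    if frame[14] >> 4 != 4 or ihl < 20 or frame[23] != 17:
        return None                      # bad version/header length, or not UDP
    if len(frame) < 14 + ihl + 8 or checksum(frame[14:14 + ihl]) != 0:
        return None                      # truncated, or corrupt IP header
    dst_ip = socket.inet_ntoa(frame[30:34])
    # Accept only when destination MAC and destination IP agree with the table.
    if dst_ip not in HOSTS or frame[0:6] != mac_bytes(HOSTS[dst_ip]):
        return None
    udp = frame[14 + ihl:]
    sport, dport, ulen, _ = struct.unpack("!HHHH", udp[:8])
    if ulen < 8 or ulen > len(udp):
        return None
    return dst_ip, sport, dport, udp[8:ulen]
```
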


