Lecture 3 ‐ MAC spoofing and ARP spoofing - Dleifnesor/NET-215 GitHub Wiki

MAC Spoofing

MAC addresses are meant to be "unique," but they're actually easily changed and rarely verified.

o Bypass MAC-based network access controls

• Switches and/or wireless APs may restrict access to registered MACs only

o Impersonating another user/system

• Harder to trace actions back to user/system

o Denial of Service

• Can cause network issues and potentially prevent access to system being spoofed

o Redirect Traffic

• Spoofing the default gateway or a server can result in traffic being redirected to the attacker

ARP Spoofing

A malicious actor sends falsified ARP (Address Resolution Protocol) messages over a local area network.

• This results in the linking of an attacker’s MAC address with the IP address of a legitimate computer or server on the network.

• The attacker’s MAC address will begin receiving any data that is intended for that IP address.

• ARP spoofing attacks can only occur on local area networks (within a layer 2 broadcast domain)

Gratuitous ARP

An unsolicited ARP reply.

o A gratuitous ARP is an ARP reply that was never requested; it is how most ARP spoofing programs work.

o Used legitimately when a host's IP or MAC address changes, so that the ARP tables of other hosts can be updated.

o Spoofing abuses that behaviour by sending out many gratuitous ARP packets, so other hosts overwrite their ARP table entries with the attacker's MAC address.

Dynamic ARP inspection

Dynamic ARP inspection (DAI) is a security feature that rejects invalid and malicious ARP packets.

• DAI relies on DHCP snooping on the switch.

o DHCP is the service that dynamically assigns IP addresses to hosts

o “DHCP snooping” listens to DHCP message exchanges and builds a database of MAC address, IP address, and physical switch port for each lease

• When DAI is enabled, the switch drops an ARP packet if the sender MAC address and sender IP address do not match an entry in the DHCP snooping binding database
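The following is an added example (not from the course notes or any switch vendor's code) that models the DAI rule above in Python: ARP packets from untrusted ports are checked against a DHCP snooping binding table keyed by sender MAC, sender IP and switch port, and a gratuitous reply claiming the gateway's IP is dropped because no binding exists for it. The binding table, port names and sample packets are constructed for the example, and the notion of trusted (uninspected) uplink ports is an assumption about how DAI is deployed.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

# Constructed DHCP snooping binding table: (sender MAC, sender IP) -> switch port
# the DHCP lease was learned on. All values are made up for this example.
BINDINGS: Dict[Tuple[str, str], str] = {
    ("aa:bb:cc:00:00:01", "10.0.0.10"): "Gi0/1",
    ("aa:bb:cc:00:00:02", "10.0.0.11"): "Gi0/2",
    ("aa:bb:cc:00:00:fe", "10.0.0.1"): "Gi0/24",   # default gateway
}

# Ports exempt from inspection (uplinks to routers/other switches); assumed here.
TRUSTED_PORTS = {"Gi0/24"}

@dataclass
class ArpPacket:
    op: int            # 1 = request, 2 = reply
    sender_mac: str
    sender_ip: str
    target_ip: str
    ingress_port: str  # port the switch received the frame on

def is_gratuitous(pkt: ArpPacket) -> bool:
    """A gratuitous ARP announces the sender's own address: sender IP == target IP."""
    return pkt.sender_ip == pkt.target_ip

def dai_verdict(pkt: ArpPacket, bindings=BINDINGS, trusted=TRUSTED_PORTS):
    """Return ('forward' | 'drop', reason) following the rule in the notes:
    drop when sender MAC + sender IP do not match a DHCP snooping binding."""
    if pkt.ingress_port in trusted:
        return "forward", "trusted port, not inspected"
    port = bindings.get((pkt.sender_mac.lower(), pkt.sender_ip))
    if port is None:
        return "drop", "no binding for sender MAC/IP pair"
    if port != pkt.ingress_port:
        return "drop", f"binding is on {port}, frame arrived on {pkt.ingress_port}"
    return "forward", "sender matches binding"

# Constructed traffic: an honest request, a gratuitous reply claiming the gateway
# IP from an unknown MAC, and a valid MAC/IP pair arriving on the wrong port.
SAMPLE = [
    ArpPacket(1, "aa:bb:cc:00:00:01", "10.0.0.10", "10.0.0.1", "Gi0/1"),
    ArpPacket(2, "aa:bb:cc:00:00:99", "10.0.0.1", "10.0.0.1", "Gi0/5"),
    ArpPacket(1, "aa:bb:cc:00:00:02", "10.0.0.11", "10.0.0.10", "Gi0/7"),
]

if __name__ == "__main__":
    for p in SAMPLE:
        verdict, why = dai_verdict(p)
        print(f"{p.ingress_port} {p.sender_ip} {p.sender_mac} gratuitous={is_gratuitous(p)} -> {verdict}: {why}")
```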