7.5 Spoofing Attack
- A MAC duplicating attack is launched by sniffing a network for the MAC addresses of clients that are actively associated with a switch port and reusing one of those addresses.
- By listening to the traffic on the network, a malicious user can intercept and use a legitimate user's MAC address to receive all the traffic destined for the user.
- This attack allows an attacker to gain access to the network and take over the identity of someone already on the network.
MAC Spoofing Technique: Windows
- In Windows 8 OS:
- Method 1: If the network interface card supports clone MAC address then follow the steps.
- Method 2: Steps to change MAC address in Registry.
MAC Spoofing Tool: SMAC
- SMAC is a MAC Address Changer (Spoofer) that allows users to change the MAC address of any network interface card (NIC) on Windows systems.
IRDP Spoofing
- ICMP Router Discovery Protocol (IRDP) is a routing protocol that allows a host to discover the IP addresses of active routers on its subnet by listening to router advertisement and solicitation messages on its network.
- An attacker sends a spoofed IRDP router advertisement message to the host on the subnet, causing it to change its default router to whatever the attacker chooses.
- This attack allows the attacker to sniff the traffic and collect valuable information from the packets.
- Attackers can use IRDP spoofing to launch man-in-the-middle, denial-of-service, and passive sniffing attacks.
How to Defend Against MAC Spoofing
- Use DHCP Snooping Binding Table, Dynamic ARP Inspection, and IP Source Guard.
- Retrieval of MAC Address
Q1) Which of the following is not considered to be a part of active sniffing?
- MAC Flooding
- ARP Spoofing
- SMAC Fueling
- MAC Duplicating
Q2) Which of the following countermeasures can specifically protect against both the MAC Flood and MAC Spoofing attacks?
- Configure Port Security on the switch
- Configure Port Recon on the switch
- Configure Switch Mapping
- Configure Multiple Recognition on the switch
Q3) Jayden is a network administrator for her company. Jayden wants to prevent MAC spoofing on all the Cisco switches in the network. How can she accomplish this?
- Jayden can use the command: ip binding set.
- Jayden can use the command: no ip spoofing.
- She should use the command: no dhcp spoofing.
- She can use the command: ip dhcp snooping binding.
Q4) MAC spoofing applies a legitimate MAC address to an unauthenticated host, which allows the attacker to pose as a valid user. Based on your understanding of ARP, what would indicate a bogus client?
- The MAC address doesn’t map to a manufacturer.
- The MAC address is two digits too long.
- A reverse ARP request maps to two hosts.
- The host is receiving its own traffic.
A4) MAC spoofing results in duplicate MAC addresses on a network unless the compromised client has been bumped from its connection. Two IP addresses mapping to one MAC indicates a bogus client.
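The indicator in A4 (one MAC address answering for two IP addresses) can be checked against a host's neighbor cache. The script below is an added example, not part of the original notes. It assumes Linux `ip neigh` output; the sample table is constructed, and the function names and the `allowlist` parameter are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in Linux `ip neigh` layout (documentation IP/MAC ranges).
# MAC notations are deliberately mixed to exercise normalization.
SAMPLE_NEIGH = """\
192.0.2.1 dev eth0 lladdr 00:00:5e:00:53:01 REACHABLE
192.0.2.10 dev eth0 lladdr 00:00:5E:00:53:0A STALE
192.0.2.23 dev eth0 lladdr 00-00-5e-00-53-0a REACHABLE
192.0.2.30 dev eth0 lladdr 0000.5e00.5314 DELAY
192.0.2.31 dev eth0 lladdr 00:00:5e:00:53:14 REACHABLE
192.0.2.40 dev eth0  FAILED
192.0.2.41 dev eth0 lladdr 00:00:5e:00:53:zz STALE
"""

def normalize_mac(raw):
    """Return a lowercase colon-separated MAC, or None if not 12 hex digits."""
    digits = re.sub(r"[.:-]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_neighbors(text):
    """Yield (ip, mac) for entries that carry a resolved link-layer address."""
    for line in text.splitlines():
        fields = line.split()
        if "lladdr" not in fields or fields[-1] in ("FAILED", "INCOMPLETE"):
            continue
        idx = fields.index("lladdr")
        mac = normalize_mac(fields[idx + 1]) if idx + 1 < len(fields) else None
        if mac:  # malformed addresses are skipped, not guessed at
            yield fields[0], mac

def find_shared_macs(text, allowlist=()):
    """Map each MAC claimed by more than one IP to its sorted IP list."""
    allowed = {normalize_mac(m) for m in allowlist}
    ips_by_mac = defaultdict(set)
    for ip, mac in parse_neighbors(text):
        ips_by_mac[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in ips_by_mac.items()
            if len(ips) > 1 and mac not in allowed}

if __name__ == "__main__":
    for mac, ips in find_shared_macs(SAMPLE_NEIGH).items():
        print(f"ALERT {mac} answers for {', '.join(ips)}")
```

Routers performing proxy ARP and hosts with secondary addresses legitimately show one MAC for several IPs, so their MACs belong in `allowlist`.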