MAC Address Spoofing

MAC spoofing is a technique for changing a factory-assigned Media Access Control (MAC) address of a network interface on a networked device. The MAC address is hard-coded on a network interface controller (NIC) and cannot be changed. However, there are tools which can make an operating system believe that the NIC has the MAC address of a user’s choosing. The process of masking a MAC address is known as MAC spoofing. Essentially, MAC spoofing entails changing a computer’s identity, for any reason, and it is relatively easy.

MAC spoofing attacks involve the use of a known MAC address of another host to attempt to make the target switch forward frames destined for the remote host to the network attacker. By sending a single frame with the source Ethernet address of the other host, the network attacker overwrites the MAC Table entry so that the switch forwards packets destined for the host to the network attacker. Until the host sends traffic, it will not receive any traffic. When the host sends out traffic, the MAC Table entry is rewritten once more so that it moves back to the original port.

 

MAC Spoofing

Figure 1: MAC Spoofing Attack

The diagram shows how MAC spoofing works. In the beginning, the switch SW1 has learned that host A is on port fa0/1, host B is on port fa0/2, host C is on port fa0/3 and host D is on port fa0/4. Host D sends out a packet identifying itself as the IP address of host D (its own IP address) but with the MAC address of host A or another packet with the same IP address and MAC address combination. This traffic causes the switch SW1 to move the location of host A in its MAC Table from port fa0/1 to port fa0/4. Traffic from host C destined to host A is now visible to host B. In this way the attack could also lead to MAC Table Overflow attack where all traffic is replicated on all ports and the switch acts like a hub.

Attack Tools:

Some operating systems allow changing MAC address from adapter settings or registry keys and this spoofing can be done with no other tools.

MAC spoofing attack explained above can be executed using the tools used for ARP spoofing attacks. Other software for network scanning like NMap allow spoofing the source MAC address with a command line options for hiding the true source of the NMap probe.

Mitigation

MAC address spoofing can be mitigated using Port Security.