Hacking MAC addresses

The tutorial is currently only available in English!

Tutorial: MAC address infection
Written by: de ijscoman (Posted on h4ck.nl with his permission!)

Like almost every tutorial, it's OK to copy and stuff, as long as you give me
credit.

Hello,

This tutorial will explain how MAC address infection can be used to perform "man
in the middle" attacks on hosts in the same switched LAN.


1. What are MAC addresses, and what are they used for:

You probably already know that every PC connected to a network needs an IP
address to communicate with other PCs.
This IP address can be different on the same machine the next time it connects to
the network, and can easily be changed.
The MAC address however is a static address that cannot be changed and is always
the same for a network card.
You will never find a network card that has the same MAC address as yours, because
it just doesn't exist.
A MAC address looks like this: 0A:1B:2C:3D:4E:5F but as I just told you, it's
different on each network card.

The MAC address is used to locate machines on a network, and not the internet.
For example:
When you send a packet to google.nl (66.249.93.104) and your IP address
is 192.168.2.104 (and 255.255.255.0 is the subnet mask), your PC will
detect that google.nl is not in the same network as you, because your
network IP range goes from 192.168.2.1-255, and google.nl is not in
that range. Your packet will be sent to the gateway (192.168.2.1) of
your network.
The next thing that happens is that your PC will ask IP 192.168.2.1
what its MAC address is, and send the packet to it.
After that, your gateway does exactly the same, etc.

So you see, a MAC address is needed in all networks, else you won't be able to
know what IP address belongs to a PC in the network.

2. The difference between hubs and switches:

A hub is a Layer 1 device. Layer 1 means the hardware layer, and actually means
that a hub is a very dumb device which knows nothing about networking.
A switch is a Layer 2 device, and that means it works with MAC addresses, and
knows a lot more about networking.

This is the way a hub works:
Let's say there are 4 PCs connected to a hub, and pc 1 sends something
to the MAC address of pc 2. The packet goes into the hub, and the dumb hub
doesn't know where to send it, because it knows nothing about networking.
So the hub just sends the packet to all the PCs in the network, because
that includes the PC where it needs to go.

The problem with hubs is that EVERYONE connected to the hub will be able to know
the content of the packet. Imagine yourself logging in on your favorite forum,
where your password is plain text readable in the packet you send that EVERYONE
connected to the hub will be able to read.

And this is how a switch works:
Let's say there are 4 PCs connected to the switch, and pc 1 sends
something to the MAC address of pc 2. The packet goes into the switch, and
is then only sent to the PC with that MAC address, and not to the others.

The problem with switches is that you are now not able to read the plain text
passwords of other people connected to the switch anymore, because you don't
receive the packets anymore.

3. ARP packets:

ARP packets are used to find the MAC address of a PC by knowing its IP address.
When pc 1 knows that pc 2 has IP address 192.168.2.102 and wants to send it a
packet, it first sends an ARP-request packet to the IP address. pc 2 receives this
request, and sends an ARP-reply packet to pc 1 containing its MAC address.
Now pc 1 knows the MAC address of pc 2 and is now able to directly send packets
to it.

4. The situation:

There are 3 PCs connected to the switch.
pc 1 (IP: 192.168.2.110 MAC: 11:11:11:11:11:11): a mail (POP3) server
pc 2 (IP: 192.168.2.120 MAC: 22:22:22:22:22:22): someone that uses the mail server
pc 3 (IP: 192.168.2.130 MAC: 33:33:33:33:33:33): the attacker

Pc 2 wants to connect with pc 1 to check its mail.
Pc 2 uses ARP to ask for the MAC address of pc 1.
Pc 2 can now connect because it knows that MAC address 11:11:11:11:11:11 belongs to
the IP address 192.168.2.110.
Pc 2 sends username and password to pc 1, and is able to read mail.

5. The attack:

Pc 3 sends a fake ARP packet to pc 2, that says:
Hello,
My IP address is 192.168.2.110
And my MAC address is 33:33:33:33:33:33
The result is that when pc 2 wants to connect to pc 1, it will send all its
packets to pc 3, because it now thinks that MAC address 33:33:33:33:33:33 belongs to
the IP address 192.168.2.110.

Now pc 3 also sends a fake ARP packet to pc 1, that says:
Hello,
My IP address is 192.168.2.120
And my MAC address is 33:33:33:33:33:33
The result is that when pc 1 wants to send packets to pc 2, it will send all its
packets to pc 3, because it now thinks that MAC address 33:33:33:33:33:33 belongs to
the IP address 192.168.2.120.

The final step for the attacker is to forward the packets from and to pc 1 and pc 2,
so that they will be able to send and receive packets from each other.

The result is that all the packets between pc 1 and pc 2 are now readable by pc 3,
because they pass through his PC first.

Now it is very easy to sniff out the username and password from the person who uses
pc 2.
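
Seen from the defender's side, the two fake ARP replies above show up as an IP
address that suddenly maps to a different MAC address. The Python below is an added
example, not part of the original tutorial: it parses ARP payloads and flags such
conflicts. The sample packets are constructed from the tutorial's three hosts, and
the names parse_arp and find_conflicts are assumptions of this example.

```python
import struct
import ipaddress

# Constructed sample data: 28-byte ARP payloads (Ethernet header stripped),
# using the tutorial's three hosts. Nothing here touches a real network.
HDR = "0001080006040002"  # htype=Ethernet, ptype=IPv4, hlen=6, plen=4, oper=2 (reply)
SAMPLE_REPLIES = [bytes.fromhex(HDR + h) for h in (
    "111111111111c0a8026e" "222222222222c0a80278",  # pc 1 answers pc 2 (genuine)
    "222222222222c0a80278" "111111111111c0a8026e",  # pc 2 answers pc 1 (genuine)
    "333333333333c0a8026e" "222222222222c0a80278",  # pc 3 claims pc 1's IP
    "333333333333c0a80278" "111111111111c0a8026e",  # pc 3 claims pc 2's IP
)]

def parse_arp(payload):
    """Return (oper, sender_mac, sender_ip) for an Ethernet/IPv4 ARP payload, else None."""
    if len(payload) < 28:
        return None
    htype, ptype, hlen, plen, oper, sha, spa = struct.unpack("!HHBBH6s4s", payload[:18])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    mac = ":".join(f"{b:02x}" for b in sha)
    return oper, mac, str(ipaddress.IPv4Address(spa))

def find_conflicts(payloads):
    """Flag ARP messages whose IP-to-MAC pairing contradicts an earlier one."""
    ip_to_mac = {}   # first MAC seen for each IP (the trusted baseline)
    mac_to_ips = {}  # every IP a given MAC has claimed
    alerts = []
    for n, payload in enumerate(payloads, 1):
        parsed = parse_arp(payload)
        if parsed is None:
            continue  # truncated or non-Ethernet/IPv4 ARP: ignore
        _, mac, ip = parsed
        known = ip_to_mac.setdefault(ip, mac)
        if known != mac:
            # Also fires on legitimate changes (replaced NIC, DHCP reassignment).
            alerts.append((n, "ip-moved", ip, known, mac))
        ips = mac_to_ips.setdefault(mac, set())
        ips.add(ip)
        if len(ips) > 1:
            # Routers doing proxy ARP and multi-homed hosts also match this.
            alerts.append((n, "mac-multi-ip", mac, sorted(ips)))
    return alerts

if __name__ == "__main__":
    for alert in find_conflicts(SAMPLE_REPLIES):
        print(alert)
```

Tools such as arpwatch apply the same pairing check to live traffic, and managed
switches can drop contradicting replies with Dynamic ARP Inspection.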


Oh, and one more thing...
I am not responsible for any stolen password or information and stuff as the result
of this tutorial.

have fun! :)
