Hacking MAC addresses
The tutorial is currently only available in English!
Tutorial: MAC address infection. Written by: de ijscoman (posted on h4ck.nl with his permission!)
Like almost every tutorial, it's OK to copy it and so on, as long as you give me credit.
Hello,
This tutorial will explain how MAC address infection can be used to perform "man in the middle" attacks on hosts in the same switched LAN.
1. What MAC addresses are, and what they are used for:
You probably already know that every PC connected to a network needs an IP address to communicate with other PCs. This IP address can be different the next time the same machine connects to the network, and it can easily be changed. The MAC address, however, is a static address that cannot be changed and is always the same for a network card. You will never find a network card with the same MAC address as yours, because it simply doesn't exist. A MAC address looks like this: 0A:1B:2C:3D:4E:5F, but as I just told you, it is different on each network card.
The MAC address is used to locate machines on a network, not on the internet. For example: when you send a packet to google.nl (66.249.93.104) and your IP address is 192.168.2.104 (with subnet mask 255.255.255.0), your PC will detect that google.nl is not in the same network as you, because your network's IP range goes from 192.168.2.1 to 192.168.2.255 and google.nl is not in that range. Your packet will therefore be sent to the gateway (192.168.2.1) of your network. The next thing that happens is that your PC asks the IP 192.168.2.1 what its MAC address is, and sends the packet to it. After that, your gateway does exactly the same, and so on.
So you see, a MAC address is needed in every network; without it you would not be able to know which IP address belongs to which PC in the network.
2. The difference between hubs and switches:
A hub is a Layer 1 device. Layer 1 is the hardware (physical) layer, which effectively means that a hub is a very dumb device that knows nothing about networking. A switch is a Layer 2 device, which means it works with MAC addresses and knows a lot more about networking.
This is the way a hub works: let's say there are 4 PCs connected to a hub, and PC 1 sends something to the MAC address of PC 2. The packet goes into the hub, and the dumb hub doesn't know where to send it, because it knows nothing about networking. So the hub just sends the packet to all the PCs in the network, because that includes the PC it needs to go to.
The problem with hubs is that EVERYONE connected to the hub is able to see the content of the packet. Imagine logging in to your favourite forum, where your password is readable in plain text in the packet you send, and EVERYONE connected to the hub can read it.
And this is how a switch works: let's say there are 4 PCs connected to the switch, and PC 1 sends something to the MAC address of PC 2. The packet goes into the switch and is then sent only to the PC with that MAC address, and not to the others.
The problem with switches is that you are now no longer able to read the plain text passwords of other people connected to the switch, because you don't receive their packets anymore.
3. ARP packets:
ARP packets are used to find the MAC address of a PC when you know its IP address. When PC 1 knows that PC 2 has IP address 192.168.2.102 and wants to send it a packet, it first sends an ARP request packet for that IP address. PC 2 receives this request and sends an ARP reply packet to PC 1 containing its MAC address. Now PC 1 knows the MAC address of PC 2 and is able to send packets to it directly.
4. The situation:
There are 3 PCs connected to the switch:
PC 1 (IP: 192.168.2.110, MAC: 11:11:11:11:11:11): a mail (POP3) server
PC 2 (IP: 192.168.2.120, MAC: 22:22:22:22:22:22): someone who uses the mail server
PC 3 (IP: 192.168.2.130, MAC: 33:33:33:33:33:33): the attacker
PC 2 wants to connect to PC 1 to check its mail. PC 2 uses ARP to ask for the MAC address of PC 1. PC 2 can now connect, because it knows that MAC address 11:11:11:11:11:11 belongs to the IP address 192.168.2.110. PC 2 sends its username and password to PC 1 and is able to read its mail.
5. The attack:
PC 3 sends a fake ARP packet to PC 2 that says: "Hello, my IP address is 192.168.2.110 and my MAC address is 33:33:33:33:33:33." The result is that when PC 2 wants to connect to PC 1, it sends all its packets to PC 3, because it now thinks that MAC address 33:33:33:33:33:33 belongs to the IP address 192.168.2.110.
Now PC 3 also sends a fake ARP packet to PC 1 that says: "Hello, my IP address is 192.168.2.120 and my MAC address is 33:33:33:33:33:33." The result is that when PC 1 wants to send packets to PC 2, it sends all of them to PC 3, because it now thinks that MAC address 33:33:33:33:33:33 belongs to the IP address 192.168.2.120.
The final step for the attacker is to forward the packets between PC 1 and PC 2, so that they can still send and receive packets from each other.
The result is that all the packets between PC 1 and PC 2 are now readable by PC 3, because they pass through his PC first.
Now it is very easy to sniff out the username and password of the person who uses PC 2.
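The two forged replies in section 5 leave a trace that a defender can check for: an IP address suddenly answering from a different MAC than before, and one MAC claiming several IP addresses. The following example (added here, not part of the original tutorial) parses the ARP packets described in section 3 from raw Ethernet frames and runs a small watcher over them that compares each packet against a trusted IP-to-MAC baseline. The baseline and the sample frames are constructed for the three hosts in section 4; where such a baseline would come from (a DHCP lease table, a switch's port database, a manual inventory) is an assumption and not something the tutorial specifies. Frames are only built in memory, nothing is sent on the wire.

```python
"""Parse ARP frames and flag the IP-to-MAC conflicts that ARP spoofing produces (added example)."""
import struct
from collections import defaultdict

ETH_TYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp_frame(eth_src, op, sender_mac, sender_ip, target_mac, target_ip):
    """Build a 42-byte Ethernet+ARP frame in memory (constructed test input only)."""
    eth_dst = "ff:ff:ff:ff:ff:ff" if op == ARP_REQUEST else target_mac
    eth = mac_bytes(eth_dst) + mac_bytes(eth_src) + struct.pack("!H", ETH_TYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)          # Ethernet, IPv4, hlen 6, plen 4, opcode
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip) + mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp_frame(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "op": op,
        "eth_src": mac_str(frame[6:12]),        # MAC in the Ethernet header
        "sender_mac": mac_str(frame[22:28]),    # MAC the ARP payload claims
        "sender_ip": ip_str(frame[28:32]),
        "target_mac": mac_str(frame[32:38]),
        "target_ip": ip_str(frame[38:42]),
    }


class ArpWatcher:
    """Keeps a trusted IP->MAC baseline and reports ARP packets that contradict it."""

    def __init__(self, baseline):
        self.baseline = dict(baseline)     # trusted IP -> MAC, never overwritten by observed traffic
        self.claims = defaultdict(set)     # MAC -> set of IPs it has claimed on the wire

    def observe(self, frame):
        p = parse_arp_frame(frame)
        alerts = []
        if p is None:
            return alerts
        ip, mac = p["sender_ip"], p["sender_mac"]
        # A genuine host sends its ARP payload from its own NIC; a mismatch is worth a look.
        if p["eth_src"] != mac:
            alerts.append(f"{ip}: Ethernet source {p['eth_src']} does not match ARP sender {mac}")
        trusted = self.baseline.get(ip)
        if trusted is not None and trusted != mac:
            kind = "reply" if p["op"] == ARP_REPLY else "request"
            alerts.append(f"{ip}: expected {trusted}, ARP {kind} claims {mac}")
        self.claims[mac].add(ip)
        if len(self.claims[mac]) > 1:
            alerts.append(f"{mac} claims several addresses: {sorted(self.claims[mac])}")
        return alerts


# The tutorial's three hosts, assumed to be learned from a trusted source (e.g. a DHCP lease table).
BASELINE = {
    "192.168.2.110": "11:11:11:11:11:11",   # PC 1, mail server
    "192.168.2.120": "22:22:22:22:22:22",   # PC 2, mail user
    "192.168.2.130": "33:33:33:33:33:33",   # PC 3
}

# Constructed traffic: a legitimate request/reply pair, the two forged replies from section 5,
# and a reply whose payload looks genuine but which was sent from PC 3's network card.
SAMPLE_FRAMES = [
    build_arp_frame("22:22:22:22:22:22", ARP_REQUEST, "22:22:22:22:22:22", "192.168.2.120", "00:00:00:00:00:00", "192.168.2.110"),
    build_arp_frame("11:11:11:11:11:11", ARP_REPLY, "11:11:11:11:11:11", "192.168.2.110", "22:22:22:22:22:22", "192.168.2.120"),
    build_arp_frame("33:33:33:33:33:33", ARP_REPLY, "33:33:33:33:33:33", "192.168.2.110", "22:22:22:22:22:22", "192.168.2.120"),
    build_arp_frame("33:33:33:33:33:33", ARP_REPLY, "33:33:33:33:33:33", "192.168.2.120", "11:11:11:11:11:11", "192.168.2.110"),
    build_arp_frame("33:33:33:33:33:33", ARP_REPLY, "11:11:11:11:11:11", "192.168.2.110", "22:22:22:22:22:22", "192.168.2.120"),
]


def run_sample():
    """Feed the constructed frames through one watcher; returns the alert list per frame."""
    watcher = ArpWatcher(BASELINE)
    return [watcher.observe(f) for f in SAMPLE_FRAMES]


if __name__ == "__main__":
    for i, alerts in enumerate(run_sample()):
        print(f"frame {i}: {'OK' if not alerts else ''}")
        for a in alerts:
            print("  ALERT:", a)
```

The first two frames pass silently; the third and fourth (the forged replies) are flagged because 192.168.2.110 and 192.168.2.120 suddenly answer from 33:33:33:33:33:33, and the fourth additionally because that MAC now claims two addresses. The same checks are what tools such as arpwatch perform on live traffic; on managed switches, Dynamic ARP Inspection and static ARP entries on critical hosts (the mail server and the gateway) stop the forged replies from being accepted in the first place.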
Oh, and one more thing... I am not responsible for any stolen passwords, information or anything else resulting from this tutorial.
Have fun! :)