Network addresses are not strong proof of identity, because it is fairly easy to alter them. In this video, Mike Chapple explains how attackers can spoof both MAC and IP addresses.
- [Instructor] Network addresses are easily altered by anyone with administrative access to a system so they should not be relied upon for authentication purposes. Attackers can modify both the IP address and the MAC address of a system. In the last video, you learned how attackers can engage in ARP poisoning attacks to redirect traffic headed for a system to a different device. This isn't the only type of attack that involves MAC addresses. Attackers may also engage in MAC spoofing attacks.
MAC addresses are normally assigned to hardware by the manufacturer, so many people mistakenly believe that they cannot be changed. Unfortunately, that couldn't be further from the truth. While it is true that the default MAC address assigned to a system is created by the manufacturer, an administrator can easily change this value through normal operating system commands. For example, let's take a look at changing the MAC address on a Macintosh system. I'm going to use a few command line tools at the terminal to do so.
I'm going to begin by typing the sudo command to tell the Mac that I would like to execute a command with administrative privileges. Then I'm going to use the interface config (ifconfig) utility and tell it I'd like to see information about the Ethernet zero interface, and then I'll press return, and here I can see some information about that interface. The results of this command show the MAC address assigned to my Ethernet zero interface. It's on the second line here, which begins with the keyword ether. That stands for Ethernet address, which is another name for MAC address, and this shows that the Ethernet or MAC address for my system is currently 20:c9:d0:44:ba:6f.
That's the address that was assigned by the manufacturer of my device. Now I'm going to go ahead and try to change that. I'm going to type a very similar command. I'm going to use sudo to get into administrative mode, then use the ifconfig command on Ethernet interface zero, but this time I'm going to give it some additional information. I'm going to specify what I would like the Ethernet address to be, 00:00:aa:aa:55:66, something that I just made up, and hit enter.
Now I'm going to rerun that first command, sudo ifconfig en0 to find out what my current MAC address is. As you can see, the MAC address of my system has now changed from the original value created by the manufacturer that began with 20:c9 to my new address, 00:00:aa:aa:55:66, a value that I just made up. That's how you can conduct a simple MAC spoofing attack. IP spoofing attacks are just as easy to conduct as MAC spoofing attacks.
Anyone with administrative access to a system can alter the system's IP address. However, IP spoofing attacks are often more difficult to use in reality because it's difficult to reconfigure the network to receive return traffic at a spoofed IP address. For this reason, spoofed IP addresses are often used in denial-of-service attacks, where that return information isn't necessary, but they can't typically be used in attacks that require two-way communication. Network security professionals may deploy a variety of anti-spoofing technologies to prevent spoofing attacks that either target or originate from their networks.
Anti-spoofing controls may be implemented at the router, firewall or switch level. Ingress filtering watches all incoming traffic for signs of spoofing and blocks that traffic from reaching the network. For example, an ingress filter might monitor external inbound traffic for source addresses that match those assigned to internal systems and networks. Internal source addresses should never appear on traffic coming from systems outside of the internal network, so their presence is a sign of spoofing.
Egress filtering, on the other hand, watches outbound traffic for source addresses that don't belong to the organization. If someone is sending a packet out from your network with the source address belonging to another network, that system is likely engaged in spoofing. This may be a malicious user on your network but more likely it's a sign that a system on your network was compromised and is being used in a denial-of-service attack.
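The ingress and egress filtering rules described above, worked through as an added example that is not part of the video or the course. It is a small Python model of the two checks run over constructed sample packets: an inbound packet whose source address falls inside the organization's own address space is dropped (ingress), and an outbound packet whose source address does not belong to the organization is dropped (egress). The internal prefixes, the packet format and the sample addresses are all assumptions made up for the example.

```python
"""Ingress/egress anti-spoofing filter, illustrated over constructed sample packets."""
import ipaddress
from dataclasses import dataclass

# Assumed internal address space for this example (not taken from the video).
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.1.0/24"),
]


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" = arriving from outside the network, "out" = leaving it
    src: str        # source IP address as written in the packet header
    dst: str        # destination IP address


def is_internal(addr: str) -> bool:
    """True if addr lies inside one of the organization's own prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def check_packet(pkt: Packet) -> tuple[str, str]:
    """Apply the filter matching the packet's direction; return (verdict, reason)."""
    if pkt.direction == "in":
        # Ingress filter: traffic from outside must never claim an internal source.
        if is_internal(pkt.src):
            return "drop", f"ingress: internal source {pkt.src} arrived from outside"
        return "allow", "ingress: external source address"
    if pkt.direction == "out":
        # Egress filter: traffic we send must carry one of our own source addresses.
        if not is_internal(pkt.src):
            return "drop", f"egress: source {pkt.src} does not belong to this network"
        return "allow", "egress: internal source address"
    raise ValueError(f"unknown direction {pkt.direction!r}")


def filter_packets(packets):
    """Return a list of (packet, verdict, reason) for every packet in order."""
    return [(pkt, *check_packet(pkt)) for pkt in packets]


# Constructed sample traffic: one legitimate and one spoofed packet per direction.
SAMPLE_PACKETS = [
    Packet("in", "203.0.113.5", "192.168.1.10"),    # normal inbound connection
    Packet("in", "192.168.1.20", "192.168.1.10"),   # inbound packet spoofing an internal host
    Packet("out", "192.168.1.10", "198.51.100.7"),  # normal outbound connection
    Packet("out", "203.0.113.9", "198.51.100.7"),   # outbound packet with a foreign source
]

if __name__ == "__main__":
    for pkt, verdict, reason in filter_packets(SAMPLE_PACKETS):
        print(f"{verdict:5} {pkt.direction:3} {pkt.src:>15} -> {pkt.dst:<15} {reason}")
```

In a real deployment these two checks live in router ACLs or firewall rules at the network edge rather than in application code; the model above only makes explicit which direction each rule applies to and why a packet fails it. The second sample packet is the ingress case from the video (an external packet carrying an internal source), and the fourth is the egress case (a host on the network sending with someone else's address, the pattern seen when a compromised system takes part in a denial-of-service attack).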