Today, various tools can perform MAC flooding attacks. These tools include Ettercap, Yersinia, THC Parasite, and macof. Macof is efficient and extremely simple to use. Example 2-1 presents its manual page.
Example 2-1 Macof Manual Page
MACOF(8) MACOF(8)
NAME
macof - flood a switched LAN with random MAC addresses
SYNOPSIS
macof [-i interface] [-s src] [-d dst] [-e tha] [-x sport] [-y dport] [-n times]
DESCRIPTION
macof floods the local network with random MAC addresses (causing some switches to fail open in repeating mode, facilitating sniffing). A straight C port of the original Perl Net::RawIP macof program by Ian Vitek <[email protected]>.
OPTIONS
-i interface
Specify the interface to send on.
-s src Specify source IP address.
-d dst Specify destination IP address.
-e tha Specify target hardware address.
-x sport
Specify TCP source port.
-y dport
Specify TCP destination port.
-n times
Specify the number of packets to send.
Values for any options left unspecified will be generated randomly.
SEE ALSO
dsniff(8)
AUTHOR
Dug Song <[email protected]>
Example 2-2 presents a snapshot of a Catalyst 6500's bridging table before invoking macof.
Example 2-2 Catalyst 6500 Bridging Table Before Macof Operation
6K-1-720# sh mac-address-table dynamic vlan 20
Legend: * - primary entry
        age - seconds since last seen
        n/a - not available
  vlan   mac address     type    learn  age   ports
------+----------------+--------+-----+-----+---------
*   20  00ff.01ff.01ff  dynamic  Yes    45   Gi1/15
Only one entry is off port Gi1/15. Let's now start macof from the workstation connected to port Gi1/15, as shown in Example 2-3.
Example 2-3 Using the Macof Tool
[[email protected] root]# macof -i eth1 -n 5
3a:50:db:3f:e9:c2 75:83:21:6a:ca:f 0.0.0.0.30571 > 0.0.0.0.19886: S 212769628:212769628(0) win 512
db:ad:aa:2d:ac:e9 f6:fe:a7:25:4b:9a 0.0.9.0.4842 > 0.0.0.0.13175: S 1354722674:1354722674(0) win 512
2b:e:b:46:a8:50 d9:9e:bf:1f:8f:9f 0.0.0.19.32533 > 0.0.9.0.29366: S 1283833321:1283833321(0) win 512
ce:56:ee:19:85:1a 39:56:a8:38:52:de 0.0.9.0.26508 > 0.9.0.0.8634: S 886470327:886470327(0) win 512
89:63:d:a:13:87 55:9b:ef:5d:34:92 0.0.0.19.54679 > 0.0.9.0.46152: S 1851212987:1851212987(0) win 512
[[email protected] root]#
Example 2-4 shows the bridging table now.
Example 2-4 Catalyst 6500 Bridging Table After Macof Operation
6K-1-720# sh mac-address-table dynamic vlan 20
Legend: * - primary entry
        age - seconds since last seen
        n/a - not available
  vlan   mac address     type    learn  age   ports
------+----------------+--------+-----+-----+---------
*   20  ce56.ee19.851a  dynamic  Yes    70   Gi1/15
*   20  00ff.01ff.01ff  dynamic  Yes    70   Gi1/15
*   20  3a50.db3f.e9c2  dynamic  Yes    70   Gi1/15
6K-1-720#
Only three entries appear, even though macof was asked to generate five entries. What happened? If you look at the MAC addresses that the switch learned, you see ce:56:ee:19:85:1a and 3a:50:db:3f:e9:c2. They were indeed generated by macof. However, the tool also generated traffic from MAC addresses 2b:e:b:46:a8:50, db:ad:aa:2d:ac:e9, and 89:63:d:a:13:87. It is no accident that the switch did not learn those addresses: they all have something in common. Table 2-2 shows their far-left octets.
Table 2-2 High-Order Octets of Source MAC Addresses

| Far-Left/High-Order Octet | Value in Binary |
|---------------------------|-----------------|
| 2B                        | 0010 1011       |
| DB                        | 1101 1011       |
| 89                        | 1000 1001       |
Look at the low-order (far-right) bit of each of these high-order octets. It is set to 1. This indicates a group address, which is normally used exclusively by multicast traffic.
What Is Multicast?
Multicast is a technique used for one-to-many or many-to-many communication. By using multicast, a source can reach an arbitrary number of interested recipients who can subscribe to the group (a special Class D IP address) it is sending to. The beauty of multicast is that, from the source's perspective, it sends only a single frame. Only the last networking device replicates that single frame into as many frames as necessary, depending on the number of recipients. On Ethernet, multicast frames are identified by a special group bit being set to 1. It is the low-order bit of the high-order byte.
Switches should not learn source addresses whose group bit is set. The presence of the group bit is legitimate only in a destination MAC address. The IEEE 802.3-2002 specification is clear on this topic:
"5.2.2.1.29 aReadWriteMACAddress ATTRIBUTE
APPROPRIATE SYNTAX: MACAddress
BEHAVIOUR DEFINED AS:
Read the MAC station address or change the MAC station address to the one supplied (RecognizeAddress function). Note that the supplied station address shall not have the group bit set and shall not be the null address."
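The learning rule the standard describes, applied to the five source addresses macof printed in Example 2-3. This is an added example for illustration, not code from the book or from macof; the MAC pairs are a constructed copy of the example's first two output fields, and a null-address check is included because the same clause forbids it.

```python
"""Decide which macof-generated source MACs a standards-compliant switch
should install in its bridging table.  The I/G (group) bit is the
low-order bit of the high-order octet: legitimate in a destination
(multicast/broadcast), never in a source (IEEE 802.3-2002, 5.2.2.1.29)."""

# Constructed sample: the (source, destination) MAC pairs that macof
# printed in Example 2-3, i.e. the first two fields of each output line.
MACOF_LINES = [
    "3a:50:db:3f:e9:c2 75:83:21:6a:ca:f",
    "db:ad:aa:2d:ac:e9 f6:fe:a7:25:4b:9a",
    "2b:e:b:46:a8:50 d9:9e:bf:1f:8f:9f",
    "ce:56:ee:19:85:1a 39:56:a8:38:52:de",
    "89:63:d:a:13:87 55:9b:ef:5d:34:92",
]


def parse_mac(text):
    """Parse a colon-separated MAC; macof drops leading zeros ('e', not '0e')."""
    octets = [int(o, 16) for o in text.split(":")]
    if len(octets) != 6 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad MAC address: {text!r}")
    return bytes(octets)


def is_group(mac):
    """True if the I/G bit (low-order bit of the high-order octet) is set."""
    return bool(mac[0] & 0x01)


def is_null(mac):
    """True for the all-zero address, which the standard also rejects."""
    return mac == bytes(6)


def cisco_format(mac):
    """Render in Catalyst 'show mac-address-table' notation: xxxx.xxxx.xxxx."""
    h = mac.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def learn(lines):
    """Simulate compliant source-address learning over macof output lines.
    Returns (learned, rejected), each a list in Catalyst notation."""
    learned, rejected = [], []
    for line in lines:
        src = parse_mac(line.split()[0])
        bucket = rejected if (is_group(src) or is_null(src)) else learned
        bucket.append(cisco_format(src))
    return learned, rejected


if __name__ == "__main__":
    ok, bad = learn(MACOF_LINES)
    print("learned :", ok)   # the two entries that appear in Example 2-4
    print("rejected:", bad)  # the three group-bit addresses of Table 2-2
```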
If your LAN switch learns those frames, consider having a conversation with the switch's vendor. That being said, macof is essentially a brute-force tool and, as such, it does not embarrass itself by abiding by official IEEE standards. It generates both valid and illegitimate source MAC addresses. As a matter of fact, some switches are known to learn such addresses! Regardless, a hacker is probably not going to start macof to generate just five MAC addresses. The strength of the tool is the sheer speed at which it can produce an impressive number of random addresses and source traffic from them, as Example 2-5 shows.
Example 2-5 Filling Up the Bridging Table During a Macof Attack
6K-1-720# clear mac-address dynamic
MAC entries cleared.
6K-1-720# show mac-address count
MAC Entries for all vlans :
Dynamic Address Count:                  37
Static Address (User-defined) Count:    494
Total MAC Addresses In Use:             531
Total MAC Addresses Available:          65536
6K-1-720# show clock
21:59:12.121 CST Fri Dec 23 2006
6K-1-720# show mac-address-table count
MAC Entries for all vlans :
Dynamic Address Count:                  58224
Static Address (User-defined) Count:    503
Total MAC Addresses In Use:             58727
Total MAC Addresses Available:          65536
6K-1-720# show clock
21:59:20.025 CST Fri Dec 23 2006
6K-1-720#
In a matter of seconds (between 7 and 8, in this case), more than 50,000 MAC addresses are injected on a port using a regular Intel Pentium 4-based PC running Linux. The command used is macof -i eth1. In less than 10 seconds, the entire bridging table is exhausted, and flooding becomes inevitable. When targeting a Catalyst 6500 equipped with a Supervisor Engine 720 running Cisco IOS Software Release 12.2(18)SXF1, the following syslog message appears when the table is full:
Dec 23 21:04:56.141: %MCAST-SP-6-L2_HASH_BUCKET_COLLISION: Failure installing
(G,C)->index: (0100.5e77.3b74,20)->0xEC6 Protocol :0 Error:3
The message indicates that there just isn't any room left in the table to insert a single MAC address. Naturally, a hacker does not need to see that message to determine whether the attack succeeded.
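Because the tool fills the table in seconds, a defender can catch the attack from the learning rate alone, before the table is full. The following is an added example, not from the book: it parses successive "show mac-address-table count" and "show clock" samples like those in Example 2-5 (embedded here as a constructed copy) and raises an alarm on a learning burst or a near-full table. The two thresholds are assumed values, not figures from the book.

```python
"""Flag MAC-table exhaustion from Catalyst 'show mac-address-table count'
samples paired with 'show clock' timestamps."""
import re
from datetime import datetime

# Constructed sample: the two snapshots of Example 2-5, taken 7.9 s apart.
SAMPLES = """\
6K-1-720# show mac-address-table count
Dynamic Address Count:                  37
Static Address (User-defined) Count:    494
Total MAC Addresses Available:          65536
6K-1-720# show clock
21:59:12.121 CST Fri Dec 23 2006
6K-1-720# show mac-address-table count
Dynamic Address Count:                  58224
Static Address (User-defined) Count:    503
Total MAC Addresses Available:          65536
6K-1-720# show clock
21:59:20.025 CST Fri Dec 23 2006
"""

RATE_LIMIT = 1000.0  # assumed: new dynamic entries per second worth an alarm
FULL_RATIO = 0.80    # assumed: fraction of table capacity worth an alarm


def parse_samples(text):
    """Return [(timestamp, dynamic_count, capacity)] per count/clock pair."""
    out, dyn, cap = [], None, None
    for line in text.splitlines():
        if m := re.match(r"Dynamic Address Count:\s+(\d+)", line):
            dyn = int(m.group(1))
        elif m := re.match(r"Total MAC Addresses Available:\s+(\d+)", line):
            cap = int(m.group(1))
        elif m := re.match(r"(\d\d:\d\d:\d\d\.\d+) \w+ \w{3} (\w{3} \d+ \d{4})", line):
            ts = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%H:%M:%S.%f %b %d %Y")
            out.append((ts, dyn, cap))
            dyn = cap = None  # the clock line closes one sample
    return out


def assess(samples):
    """Compare consecutive samples; return a list of alarm strings."""
    alarms = []
    for (t0, d0, _), (t1, d1, cap) in zip(samples, samples[1:]):
        secs = (t1 - t0).total_seconds()
        rate = (d1 - d0) / secs if secs > 0 else float("inf")
        if rate > RATE_LIMIT:
            alarms.append(f"learning burst: {d1 - d0} new entries in {secs:.1f}s ({rate:.0f}/s)")
        if d1 / cap > FULL_RATIO:
            alarms.append(f"table near capacity: {d1}/{cap} dynamic entries")
    return alarms
```

Feeding the two snapshots above to assess() reports roughly 58,000 new entries in 7.9 seconds, far beyond anything a normal access port produces.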
NOTE Smart hackers are unlikely to carry out MAC flooding attacks for extensive periods of time—usually just long enough to gather a list of genuine IP/MAC addresses on a given VLAN or a few clear-text login credentials. However, not all switches react the same way to MAC flooding attacks, particularly when faced with high-volume attacks. Indeed, some switches perform MAC learning using specific hardware, while others relegate this task to a software process. The latter are more likely to suffer from the attack.