Some beginner questions about spoofing

On 12 Oct 2006 13:41:17 -0700, snipped-for-privacy@techemail.com wrote in :

Most non-trivial providers wind up supplying different hardware, sooner or later, so there's usually a mix of products in the field. In addition, some users may buy their hardware from a third-party source.

Why would you want to change your MAC address? You're identifiable by your IP address.

Those things out there just use your IP address. Your MAC address comes from ARP. (Look it up in Wikipedia.)

Read up on Ethernet. (Wikipedia again, as a starting place.)

You wouldn't learn anything more than by sniffing yourself.

IP addresses are logical addresses, a host can change his IP address. Where a MAC address is a burned in address for a paticular NIC. This address cannot be changed, hence it represents one unique host. Of course you can change out nics, but that is not usually done.

Your MAC address does not come from ARP, your MAC address is burned into your NIC by the manufacture. The first part af the MAC addressed is controlled by a global body that gives addresses to the manufactures, the second part of the MAC address is controlled by the manufacture to identify the host. ARP is a way to resolve addresses, ARP does not give out addresses.

On Thu, 12 Oct 2006 13:52:14 -0800, "Dana" wrote in :

The remote bad guy can't see your MAC address (only the local network sees it), so this is irrelevant.

Are you trying to be argumentative? ARP is how the local network finds your MAC address from your IP address.

That is said better than your MAC address comes from ARP.

What does this have to do with Virtual PC for Macintosh?

My router will "clone" a MAC address.

Please remove the microsoft.public.mac.virtualpc newsgroup from replies to this thread. It is NOT related to MAC addresses, but Apple Mac software.

That's not completely true. DEC systems changed their MAC addresses and SUN systems do also. If you have multiple NIC adapters in a SUN system, they all use the same MAC address by default unless you change this at the Open Boot Prompt. For the most part, this is only a problem with mulithomed systems on the same network segment. If the NICs are in different segments, they can broadcast the same MAC address. Only VLANs get upset with having the same MAC address on the same box connected to different ports.

Never said you cannot change MAC addresses. Only said that MAC addresses were burned into the NIC by the MFG.

I suppose that would be correct, but I fail to see the point of changing the MAC. Regardless of the MAC, you are identifiable by your IP.

The translation of IP to MAC on an incoming packet is done at the last stop before your modem (i.e by your ISP.) Other users on the net cannot see your MAC. There is no need for them to see it, they have your IP.

Reverse the process for outgoing packets. Your ISP knows the MAC of the modem the packet came from, but it forwards only your IP address, not your MAC.

Note, I'm speaking of wired systems. On wireless systems, you may be able to discover the MAC of someone's wireless adaptor in the signal between the adaptor and the wireless access point. The only reason for doing so is to spoof someone else's MAC so you can gain illicit access.

Oh, okay, it's bots, trojans, and background noise you are concerned about. Changing your MAC isn't going to help. As I said above, no one else on the net knows your MAC. Only your ISP knows it.

If you are being hit at random, that can be due to an infected system(s) on your ISP subnet (though most reputable ISP's quickly cut off such systems until the users fix their PC's.) Or you can be hit intentionally, but blindly, by anybody, anywhere, targeting entire subnets.

Or you could be infected yourself. Have you run Spybot S&D or AdAware, and do you have an up to date virus scanner?

Echo packets are ICMP, not TCP. So they will be a different size.

I don't know of one offhand. But here is a site that will explain in detail what the packets contain.

Could you tell a beginner how the router knows which machine to route the packet sent to its external IP then? Good FAQ pointer appreciated.

On Sat, 14 Oct 2006 18:47:31 +0200, Hadron Quark wrote in :

The router uses ARP to learn the MAC address on a local network that corresponds to a given IP address, and then sends packets for that IP address to that MAC address.

So you guys are saying that the unique hardware MAC address of my internet card only gets transmitted as far as my local ISP provider? I haven't been able to find a good FAQ or guide explaining in detail how this works (and yes, I did read the links you've posted about ARP and others).

How does this work?

As far as I can make out from what I've read here, I send a packet to my ISP with my real MAC address and the destination MAC address. The ISP records the destination IP and MAC address in its memory, and then strips the packet of the MAC addresses because they are not necessary from that point on. It sends out a slimmed version of my original packet, which doesn't contain any MAC addresses. The destination ISP receives the packet and uses its own table of stored IP/MAC addresses to generate a packet that it will send to the destination IP that will include the MAC addresses from its database. But the MAC address it is sending has been generated by itself, it does not know the real MAC address of my computer. With this method, the destination IP can route the packet to the appropriate computer on its LAN network, if there are more than one users on the destination IP.

Then their computer sends a reply packet to me, in which they include the destination MAC address of my computer, which is actually the randomly generated MAC their local ISP uses in its memory to identify packets sent to my IP for this internet session. The process is repeated, and I also receive the packet with a MAC generated by my own local ISP, but in our communications, neither of us can know what the real MAC of each other truly is.

Is this remotely close to how it works?

No.

You send a packet out which reaches your ISP's first hop router. Your ISP knows the MAC address of your computer because your computer is part of their LAN (this is assuming you have a cable modem directly connected to a single PC.)

The MAC address is recorded in a table, connecting it with your outgoing packet in anticipation of a response.

Keep in mind that your packet has a destination IP in it. The recipient's router knows which MAC address goes with that IP, and directs the packet accordingly.

The recipient responds with a packet, and the same thing happens in reverse. Thier first hop router strips their MAC and forwards the packet with the destination IP (your IP). Your ISP's router receives the packet and matches it to it's table to find out which MAC address to send the packet to.

There is no generation of MAC's going on. Your MAC address is static - it is permanently burned into your ethernet card.

The same process goes on in your home if you have a NAT router with more than one computer hooked up. Say you and your girlfriend are both surfing the web. How does your router know which computer to send responses to?

Your ISP *doesn't* know in this case since regardless of whether it is you or your girlfriend sending a packet, all the ISP sees is your NAT router's IP and MAC address. It is your NAT router that keeps a table of packets connected to particular MAC's so that it can forward responses to the correct computer.

Also keep in mind that the MAC address process is working at every hop your packet takes. Routers have MAC addresses as well. If you open a command prompt and type "tracert

Technically, "knows" is a bad term, but it illustrates the point. What is actually going on is what ARP is for. Each router knows how to find the MAC address of the one before it, and the one after it.

That is all a router needs to know to forward a packet.

Do you know what the MAC is, and how it is used to determine where to send packets.

Some ISPs require MAC registration, with a limit on the number of registrations. If you have several devices directly connected (not going through a router) it's very handy to use the same MAC address for all of them.

I did the tracert and got this :

Tracing route to