Flood network with random MAC addresses with macof tool

November 16, 2010

Background

Before you can be a badass hacker you need to understand what exactly it is your doing.  Today’s Lesson is on flooding a network with random MAC addresses.

Switch Behavior
If you fill up a switches table with random mac addresses different vendors switches will behave differently.

Cisco switches will keep original MAC address on its table and will only remove them if they time out. However many other switches will let their entire table get filled up with fake addresses! This is beneficial to you if you wish to receive traffic intended for other people!

What is the point of filling up switches table with fake make addresses? It forces the switch to become a hub (and you as an attacker can now see traffic on every port as all packets are now broadcasted)

Flooding a VLAN
You can group a number of ports on a switch together and say they are part of a VLAN (they are logically separated from other VLANs). Why is this helpful? Broadcast packets will only occur within the same VLAN (Even they are on the same switch).

Most switches today do not have separate tables for each VLAN. Flooding a single VLAN would force all other VLANs to flood as well (just flood their own VLAN). Why? Because if the shared table is full than each VLAN no longer knows what ports legitimate MAC address(es) are on.. so they must broadcast.

Macof

SYNOPSIS

macof [-i interface] [-s src] [-d dst] [-e tha] [-x sport] [-y dport] [-n times]

DESCRIPTION

macof floods the local network with random MAC addresses (causing some switches to fail open in repeating mode, facilitating sniffing). A straight C port of the original Perl Net::RawIP macof program by Ian Vitek <[email protected]>.

OPTIONS

-i interface Specify the interface to send on.
-s src Specify source IP address.
-d dst Specify destination IP address.
-e tha Specify target hardware address.
-x sport Specify TCP source port.
-y dport Specify TCP destination port.
-n times Specify the number of packets to send.

Values for any options left unspecified will be generated randomly.

yersinia.net is another tool

Because macoff generates random MAC addresses it sometimes generates MAC addresses that are not valid (in which case those packets will be dropped). Flood network!