Hi everyone! I wanted to ask if anyone could clarify the difference between ARP and MAC spoofing. I only have a surface level understanding of both these terms and they sound very similar. Correct me if I am wrong, but both cases result in a MAC address that ends up compromised where an attack 'impersonates' a stolen MAC address to get traffic that otherwise belongs to someone else.

I think mac spoofing is only a phase in arp spoofing. Arp spoofing is more complicated and it includes poisoning the arp cache of target computer. But mac spoofing is legal and can be done without any particular software. Arp spoofing is used to perform a MITM attack as you mentioned. I hope this is correct.

Here is pretty nice article about this: http://www.cisco.com/c/en/us/support/docs/switches/catalyst-3750-series-switches/72846-layer2-secftrs-catl3fixed.html

Thanks for the link t13ru, it was actually very helpful :)

A way to look at it would be like going to a party and there's a room full of people and you're looking for "Bob Smith". With ARP Spoofing is you start yelling out "Hey! Which one of you is Bob Smith?". Some guy wearing a green sweater (fake Bob) in the corner yells back "I'm Bob Smith! I'm Bob Smith! OVER HERE!!!!" Another guy in the opposite corner in a blue sweater (real Bob) says "I'm Bob Smith!" You go over and talk to fake Bob because he was the first guy to respond (or maybe the loudest). You trust that blue sweater is the real Bob. With MAC Spoofing you're at the same party but fake Bob has tied up and gagged in the corner. Everybody is wearing name tags so you walk around the room looking at everybody's name tag until you find (fake) Bob and start talking to him. Does that make sense?

no.... :D well, at least to me its confusing. its simple as that.... an ARP spoof does intercept current session on target by injecting fake packets. this is desired for e.g. mitm attacks, while a MAC spoof is nothing else than cloning certain Hardware (MAC) address the target is linked to. to be exact, spoofing ARP you spoof the Routing protocol by injecting said packets, while spoofing MAC you spoof the Hardware address of your target by means of mimic the address.... hope kinda helped :) cheers

So MAC spoofing is more robust than ARP spoofing, I take it. Quick question: So if someone spoofs a MAC address on a network and two machines on said network have the same MAC address, will both parties receive the same traffic? Or will the most recent machine kick out the old one? I checked on stackoverflow, superuser, etc... but haven't found any widely accepted answers to this question.

If these are endpoints (user stations) on local lan on wireless it will lead cause havoc as both will try to respond to the same traffic. If you have home router and three PCs/laptops try it run wireshark on one machine to actually see the mess. Or look here: https://www.quora.com/Ethernet/What-happens-if-two-devices-connected-to-internet-have-same-MAC-address-Do-they-work-well http://superuser.com/questions/519409/can-two-devices-with-the-same-mac-address-be-on-the-same-network But to see it with own eyes is worth it even if you set it up using vms :)

Thanks for sharing.

Start learning with Cybrary

Create a free account

Related Posts

All Blogs