NAME
macof.py — MAC address table overflow utility
SYNOPSIS
macof.py [-h] [-c count] [-f pps] [-i iface] [-l loop] [-r pps | -w msec] [--dip IP] [--dmac MAC] [--dport port] [--sip IP] [--smac MAC] [--sport port]
DESCRIPTION
macof.py generates Ethernet frames bearing random source MAC addresses and floods the network with them.
- macof.py lets you tune the frame emission rate to minimize the impact on the attacker’s host and the network resources as much as possible. This offers a more reliable propagation of the forged MAC addresses throughout the switched network and a more efficient interception of broadcast data.
- macof.py generates valid frames. While non-standard frames may be silently dropped by switches, valid frames do update their MAC address tables.
- macof.py first locally pre-generates a certain number of Ethernet frames, each with a unique random source MAC address, and then replays this same set of frames in a loop for the whole duration of the attack. This simulates genuine device activity, forcing the switches to regularly reset the associated aging timers and keeping their MAC address tables filled without interruption.
- The flood phase is meant to be the most intense: the goal here is to fill the switches' MAC address tables as fast as possible, usually in a few seconds.
- The refresh phase is meant to be softer: the goal is to keep the MAC address tables filled by regularly refreshing each entry while still leaving as many resources as possible available for reliable eavesdropping. Most switches have a default aging time of 5 minutes for their MAC address table entries, often increased by network administrators (Cisco NX-OS devices now use 30 minutes by default). In such conditions there is really no need to rush during the refresh phase.
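Seen from the monitoring side, the two phases leave different traces on an access port: the flood is a burst of never-seen source MACs, while the refresh adds no new MACs but keeps the number of live entries high. The sketch below is an added example, not part of macof.py; the function names, thresholds and the constructed trace are assumptions, with the 300 s aging time and 5000 pps rate taken from the defaults quoted on this page.

```python
from collections import deque

def detect_mac_flood(frames, burst_window=1.0, burst_limit=50,
                     aging_time=300.0, population_limit=100):
    """frames: time-ordered (timestamp_s, src_mac) pairs seen on ONE access port.
    Returns (timestamp, check, "raised" | "cleared") events."""
    last_seen = {}      # src_mac -> last timestamp, mirroring a switch aging timer
    new_macs = deque()  # timestamps at which a previously unknown MAC appeared
    events, active = [], set()
    for ts, mac in frames:
        # Age out entries that were not refreshed in time, as a switch would.
        for stale in [m for m, t in last_seen.items() if ts - t > aging_time]:
            del last_seen[stale]
        if mac not in last_seen:
            new_macs.append(ts)
        last_seen[mac] = ts
        while new_macs and ts - new_macs[0] > burst_window:
            new_macs.popleft()
        checks = {"burst": len(new_macs) > burst_limit,
                  "population": len(last_seen) > population_limit}
        for name, firing in checks.items():
            if firing and name not in active:
                active.add(name)
                events.append((ts, name, "raised"))
            elif not firing and name in active:
                active.discard(name)
                events.append((ts, name, "cleared"))
    return events

def constructed_sample():
    """Constructed port trace (not a capture): 3 normal hosts, then 200 unknown
    MACs at 5000 frames/s, then the same 200 replayed at 2 frames/s."""
    hosts = [(float(t), f"02:00:00:00:00:{h:02x}") for t in range(10) for h in range(3)]
    forged = [f"02:aa:00:00:00:{i:02x}" for i in range(200)]
    flood = [(10 + i / 5000, mac) for i, mac in enumerate(forged)]
    refresh = [(12 + k * 0.5, forged[k % 200]) for k in range(1200)]
    return hosts + flood + refresh

if __name__ == "__main__":
    for event in detect_mac_flood(constructed_sample()):
        print(event)
```

On the constructed trace the burst check clears as soon as the refresh phase starts, while the population check stays raised for the whole replay, which is why a per-port limit on learned addresses matters more than a rate threshold alone.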
OPTIONS
General options
The general options are as follows:
- -h, --help
  Show usage information summary then exit.
- -c count, --count count
  Generate count different MAC addresses and packets. Desktop switches can usually store up to 1000 or 2000 addresses. Enterprise switches can usually store between 5000 and 16000 addresses by default, however some may be configured to handle larger tables. macof.py ensures that each packet uses a different MAC address (no duplicates). Default value: 20000.
- -f pps, --fspeed pps
  Send pps packets per second during the initial flooding phase. Usually this phase is quite intense to fill switches' MAC address tables in a few seconds. This feature relies on tcpreplay(1) to send the frames over the network. Default value: 5000.
- -i iface, --iface iface
  Output interface name. Use this option if your system has several network interfaces. By default the first network interface found is used.
- -l loop, --loop loop
  Send all packets loop times then exit. loop must be a positive integer. By default macof.py loops endlessly on the same set of forged frames and must be stopped manually (Ctrl+C).
- -r pps, --rspeed pps
  Send pps packets per second during the refresh phase. This option is usually set to a lower value than -f. This feature relies on tcpreplay(1) to send the frames over the network. This allows faster and more predictable sending rates, but uses more CPU resources (typically an internal loop occupying 100% of one CPU core independently of the selected speed). See -w for lower resource consumption. This option is not compatible with -w. No refresh phase is enabled by default (constant sending rate).
- -w msec, --wait msec
  Wait at least msec milliseconds between each packet sent during the refresh phase. This feature invokes sleep() between each sent frame. Sending rates are slower and less predictable than when using tcpreplay(1), but longer sleep times significantly reduce CPU consumption. This option is not compatible with -r. If in doubt, prefer -w over -r. No refresh phase is enabled by default (constant sending rate).
Packets creation options
Packets creation options can be used to tune forged packets to your local environment and needs. They can also be used to better identify and filter out flood-related packets while capturing network traffic.
- --dip ip, -d ip
  Destination IP address. CIDR notation is allowed to randomize only parts of the IP address (see the EXAMPLES section below). No uniqueness checking is done (several packets may share the same IP address with different MAC addresses). Default value: ‘0.0.0.0/0’ (fully randomized destination IP address).
- --dmac mac, -e mac
  Destination MAC address. Bytes can be replaced by the ‘*’ character to randomize only part of the MAC address (see the EXAMPLES section below). Default value: ‘ff:ff:ff:ff:ff:ff’ (Ethernet broadcast address, this guarantees the best propagation of the flood, but might stand out in the eyes of an IDS).
- --dport port, -y port
  Destination port number. port must belong to the range [0-65535]. By default a random number belonging to the range [32768-60099] (the default Linux ephemeral port range) is chosen for each packet.
- --sip ip, -s ip
  Source IP address. CIDR notation is allowed to randomize only parts of the IP address (see the EXAMPLES section below). Warning: If you use a valid range for your LAN, on some operating systems (Windows) users having the same IP as forged frames may see a popup warning them that “Another computer on this network has the same IP address as this computer”. No uniqueness checking is done (several packets may share the same IP address with different MAC addresses). Default value: ‘0.0.0.0/0’ (fully randomized source IP address).
- --smac mac
  Source MAC address. Bytes can be replaced by the ‘*’ character to randomize only part of the MAC address (see the EXAMPLES section below). Warning: macof.py ensures that there is no duplicate in the generated MAC addresses; if the provided mask is too narrow for the number of addresses, the command will fail. Default value: ‘*:*:*:*:*:*’ (fully randomized source MAC address).
- --sport port, -x port
  Source port number. port must belong to the range [0-65535]. By default a random number belonging to the range [32768-60099] (the default Linux ephemeral port range) is chosen for each packet.
EXIT STATUS
The macof.py utility exits 0 on success, and >0 if an error occurs.
EXAMPLES
- Example 1:
  Usually default parameters are just fine, simply launch macof.py without additional options:
    macof.py
- Example 2:
  To use a non-default network device:
    macof.py -i eth1
- Example 3:
  To lower CPU consumption, enable the refresh phase with the -w option, here sleeping 5 ms between each packet sent:
    macof.py -w 5
- Example 4:
  Loop 100 times then exit:
    macof.py -l 100
- Example 5:
  Use a fixed destination MAC address, IP and port number:
    macof.py --dmac 'ec:44:76:d8:66:f2' --dip '172.20.3.8' --dport 445
- Example 6:
  Use partially random source MAC and IP addresses:
    macof.py --smac '00:16:3e:*:*:*' --sip '172.16.0.0/16'