Follow:

Latest articles in ‘Macof.py’


  1. MAC address table overflow

    Published: Wed 25 October 2017 in Cookbook.
    A step-by-step guide to practical MAC address table overflow exploitation and protection.

    The main practical difference between a legacy hub and a switch is that the switch will do its best to forward ethernet frames only on the port allowing to reach the recipient, it won’t blindly forward everything everywhere as as a dumb hub would do.

    To achieve this, upon reception of a frame the switch stores the senders MAC address associated to its input port in an internal memory, usually implemented as a CAM table. Thanks to this information, would a packet have the same address as recipient, the switch will now forward this packet only to this port and not the other ones.

    I already wrote a more focused article on MAC table overflow within the context of GNS3 simulated environments, which resulted in patch being submitted upstream and initiated the development of the macof.py tool. The original article is available here.

    In this article I detailed …


  2. macof.py is now available

    Published: Wed 25 October 2017 in Projects.

    macof.py is a MAC address table overflow utility.

    The traditional tool for MAC table overflow attacks is macof from the dsniff project. However I was not satisfied with this tool.

    In particular:

    • macof has no rate limit mechanism, it sends the packets as fast as the local CPU and the network adapter can support it.

      This leaves no room for a proper interception of users data.

    • Half of the packets generated by macof violates the Ethernet protocol by having the multicast bit set on the sender’s MAC address.

      As a result, these packets are considered corrupted and silently dropped by the first encountered switch.

      In other words, half of the packets generated by macof are generated for nothing.

    • macof constantly uses random MAC addresses for generated packets, meaning that a given source MAC address is rarely used more than once.

      This means that switches’ MAC table aging system …

Popular tags see all

Website

Author

Follow