MAC Spoofing with Netgraph

From WTFwiki

Prerequisites

  • Kernel in static or modular configuration that has the following enabled: ng_ether, ng_eiface, and ng_bridge.
  • A fair amount of knowledge.
  • A machine that you can break the crap out of.

Background

  • We will be taking a machine with a physical network interface, adding a virtual interface, bridging them, and using the virtual interface in a live environment.
  • There is an awful lot to netgraph(4). Read the manual pages often.

Assumptions

  • We have a machine with (1) NIC, labelled 'fxp0'; its IP is "192.168.2.5/24".
  • We can remove it from the network for testing. It will not piss off the boss or coworkers.

Configuration

  • First, if you're using the kernel modules, load them:
 # kldload ng_ether
 # kldload ng_eiface
 # kldload ng_bridge
  • Next, create the eiface.
  • 'ng_eiface' has exactly one hook, to a lower-level ng_ether node.
 # ngctl mkpeer . eiface hook ether
  • Now create and name the bridge.
  • 'ng_bridge' has NG_BRIDGE_MAX_LINKS hooks, named 'linkN'.
  • 'ng_bridge' hook 'link0' connects the downstream ('lower') from ngeth0:
 # ngctl mkpeer ngeth0: bridge lower link0
 # ngctl name ngeth0:lower bridge0
  • Now set up the ngeth0 interface:
 # ifconfig ngeth0 link 00:de:ad:be:ef:00
 # ifconfig ngeth0 inet 192.168.2.5 netmask 0xffffff00 down
  • Now connect the ethernet device to the bridge.
  • 'ng_eiface' hook 'upper' for fxp0: leads upstream to the bridge.
 # ngctl connect fxp0: bridge0: upper link1
  • Now connect the virtual interface to the other half of the bridge.
  • 'ng_eiface' hook 'upper' for ngeth0: leads upstream to the bridge.
 # ngctl connect ngeth0: bridge0: upper link2
  • Now set up the physical interface:
 # ngctl msg fxp0: setpromisc 1
 # ngctl msg fxp0: setautosrc 0
 # ifconfig fxp0 delete
  • And finally, connect it to the last piece of the bridge:
 # ngctl connect fxp0: bridge0: lower link3
  • Now, on your upstream router (if you can access it), check that the IP resolves to the new MAC:
 # arp -a | grep "192\.168\.2\.5"
 machine.domain.com (192.168.2.5) at 00:de:ad:be:ef:00 on em0
  • You may need to re-add your default route:
 # route add default .......
  • That's it. As for an explanation, we'll have to work on that.
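
The ARP check on the upstream router is also where this change shows up for anyone monitoring the network. The following is an added example, not part of the original page: it compares two saved `arp -a` snapshots in the format shown above and reports IPs whose MAC changed or appeared. The baseline MAC, the gateway and the other hosts are constructed sample data, and `arp_changes` is a hypothetical helper name.

```sh
#!/bin/sh
# Added example: diff two `arp -a` snapshots (BSD output format) per IP.
# Sample data is constructed; only the 00:de:ad:be:ef:00 line is from the page.
BASELINE='machine.domain.com (192.168.2.5) at 00:a0:c9:11:22:33 on em0
gw.domain.com (192.168.2.1) at 00:0c:29:aa:bb:cc on em0'
CURRENT='machine.domain.com (192.168.2.5) at 00:de:ad:be:ef:00 on em0
gw.domain.com (192.168.2.1) at 00:0C:29:AA:BB:CC on em0
? (192.168.2.7) at 0:11:22:33:44:5 on em0
? (192.168.2.9) at (incomplete) on em0'

# arp_changes BASELINE_TEXT CURRENT_TEXT
# Prints "CHANGED ip old -> new" or "NEW ip mac", in current-snapshot order.
arp_changes() {
    # Tag each line with its snapshot so one awk pass sees baseline first.
    { printf '%s\n' "$1" | sed 's/^/B /'; printf '%s\n' "$2" | sed 's/^/C /'; } |
    awk '
    # Normalise a MAC: lower case, two hex digits per octet; "" if not a MAC.
    function norm(m,   o, n, i, out) {
        n = split(tolower(m), o, ":")
        if (n != 6) return ""
        for (i = 1; i <= 6; i++) {
            if (o[i] !~ /^[0-9a-f][0-9a-f]?$/) return ""
            out = out (i > 1 ? ":" : "") (length(o[i]) == 1 ? "0" : "") o[i]
        }
        return out
    }
    {
        # Fields: tag host (ip) at mac on iface
        ip = $3; gsub(/[()]/, "", ip)
        mac = norm($5)
        if (mac == "") next              # skips "(incomplete)" and blank lines
        if ($1 == "B") { base[ip] = mac; next }
        if (!(ip in base)) printf "NEW %s %s\n", ip, mac
        else if (base[ip] != mac) printf "CHANGED %s %s -> %s\n", ip, base[ip], mac
    }'
}

arp_changes "$BASELINE" "$CURRENT"
```

On a live router the two arguments would be the saved output of `arp -a` from before and after the change.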