Cloning Network Adapters

Usually, the physical address of the network adapter is hard-coded in ROM. According to the standard, no MAC value can be used more than once. Nevertheless, any ROM can be reprogrammed (especially if it is a programmable EEPROM, which is typically the case with network adapters). Furthermore, some network adapters allow their MAC addresses to be changed using legitimate tools (such as ipconfig). Finally, the header of the Ethernet packet is formed by software, not by hardware; consequently, a malicious driver can easily write a MAC address belonging to someone else.

Cloning a MAC address allows sniffing of network traffic even without capturing the IP address belonging to someone else, and without switching the adapter to promiscuous mode.

Detecting Cloning and Counteracting It

Cloning can be easily detected using Reverse ARP (RARP), allowing the attacker to determine which IP address corresponds to which MAC address. Each MAC address can have only one corresponding IP address. If this is not so, then something is wrong. If the attacker not only clones MAC addresses but also captures IP addresses, this technique won't work.
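The one-IP-per-MAC check described above, as an added example that is not from the book: it assumes the IP/MAC pairs come from the Linux neighbor cache (`ip neigh show` output) rather than from RARP queries, and the sample table is constructed. A host with several configured IPv4 aliases, or a router doing proxy ARP, will also be flagged and has to be ruled out by hand.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the format printed by Linux `ip neigh show`.
SAMPLE_NEIGH = """\
192.168.1.1 dev eth0 lladdr 00:1a:2b:3c:4d:5e REACHABLE
192.168.1.20 dev eth0 lladdr 52:54:00:AA:BB:01 STALE
192.168.1.37 dev eth0 lladdr 52:54:00:aa:bb:01 REACHABLE
192.168.1.40 dev eth0  FAILED
fe80::5054:ff:feaa:bb01 dev eth0 lladdr 52:54:00:aa:bb:01 STALE
192.168.1.50 dev eth0 lladdr 52:54:00:aa:bb:02 DELAY
"""

LINE_RE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+(?P<dev>\S+)\s+lladdr\s+"
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\b"
)

def mac_to_ips(neigh_text):
    """Map (interface, MAC) -> set of IPv4 addresses seen for it."""
    table = defaultdict(set)
    for line in neigh_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:            # FAILED/INCOMPLETE entries carry no lladdr
            continue
        ip = ipaddress.ip_address(m["ip"])
        if ip.version != 4:  # one host legitimately holds several IPv6 addresses
            continue
        # Lower-case the MAC so differently formatted entries compare equal.
        table[(m["dev"], m["mac"].lower())].add(str(ip))
    return table

def suspected_clones(neigh_text):
    """Return {(dev, mac): sorted IPs} for MACs mapped to more than one IPv4."""
    return {k: sorted(v, key=ipaddress.ip_address)
            for k, v in mac_to_ips(neigh_text).items() if len(v) > 1}

if __name__ == "__main__":
    for (dev, mac), ips in suspected_clones(SAMPLE_NEIGH).items():
        print(f"{dev}: {mac} maps to {', '.join(ips)}")
```

A table in which the cloned MAC appears with only the victim's IP address produces no finding, which is the limitation the paragraph above ends on.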

High-quality routers allow port binding, thus strictly mapping a predefined MAC address to specific ports and making adapter cloning meaningless.



Shellcoder's Programming Uncovered
ISBN: 193176946X
EAN: 2147483647
Year: 2003
Pages: 164