Why is it not MAC spoofing?

CK121 · November 2011

I'm in the middle of doing some practice questions for my upcoming Security+ 301 exam and I came across this question:

Which of the following would allow traffic to be redirected through a malicious machine by sending false hardware address updates to a switch?
A.
ARP poisoning

B.
MAC spoofing

The Answer is ARP poisoning but I don't seem to understand why it isn't MAC spoofing??
Can anyone shed some light on this please?
Thanks!

Everyone · November 2011

Because ARP spoofing/poisoning happens in Layer 3, MAC Spoofing happens in Layer 2.

MAC Spoofing won't allow traffic to be redirected.

lsud00d · November 2011

Correct Everyone, ARP is the layer 3/2 transfer, from IP to MAC (and reverse as well).

CK121 · November 2011

Thanks to you both! That has certainly cleared things up!

Forsaken_GA · November 2011

To go a little more in depth, what they're basically asking for is how you execute a man in the middle attack.

So if you spoof the MAC address of the router, you're going to have duplicate MAC's on the segment. That doesn't help you with redirection, it'll result in dropped traffic most of the time and will usually bring someone to investigate what's going on.

However, if you poison the ARP caches by issuing some gratuitous arp replies with the gateways IP, but your MITM box's MAC address, hosts will start directing their traffic to you instead, allow you to sniff and capture it, before you forward it on to the true gateway.

Easy way to remember it is that MAC spoofing is for impersonation, arp poisoning is for interception

lsud00d · November 2011

Forsaken_GA wrote: »

Easy way to remember it is that MAC spoofing is for impersonation, arp poisoning is for interception

Great explanation Forsaken, I will remember this

CK121 · November 2011

Seconded!! That is a easy and concise way to remember it. Thanks Forsaken_GA!!

Why is it not MAC spoofing?

Comments