3
votes

I am programming with Python and its partner Scapy. I am facing a situation where I don't know if it is normal behavior of the ARP protocol or some other problem.

I have this scenario:

1 - A VM machine (1) sends an "ARP Request" to another VM machine (2) with a spoofed Source MAC Address field (generated with Scapy).

2 - The VM machine (2) receives that "ARP Request" with the spoofed Source MAC Address field and RESPONDS to it with an "ARP Reply". The strange part is that the VM machine (1) receives that.

Notes: I have confirmed with Wireshark that the first packet (ARP Request) arrives at the VM machine (2) with the Source MAC Address field REALLY spoofed. And promiscuous mode on the network interfaces is disabled, so the VM machines only receive packets that are REALLY destined to their interfaces.

So, my questions:

a) Is this the normal behavior of the ARP protocol?

b) Because VM machine (1) has another MAC address configured on its interface (the real one), how does the response packet sent from VM machine (2) with another MAC address in the Destination field (which is spoofed, so it does not even exist on the network) arrive at VM machine (1) and get effectively processed by VM machine (1) as a valid "ARP Reply"?

1
Are you talking about ARP caching? If a machine receives an ARP response (not destined to it), it will cache it in its local cache. After all, if someone announces "00-1F-29-52-E7-81 is at 1.1.1.1", why not add an ARP entry mapping 1.1.1.1 -> 00-1f-29-52-e7-81? - David Z.
Also, can you check if there are any other packets from VM machine 2 to VM machine 1 that are being sent to the broadcast address? VM machine 1 may be sending ARP announcements (which even interfaces with promiscuous mode disabled will receive). - David Z.
Hi David, I will exemplify. (Packet 1 - Request) Who has IP 192.168.2.2? Source MAC Address: 22:22:22:11:11:11 (Spoofed), Destination MAC Address: ff:ff:ff:ff:ff:ff (Broadcast). (Packet 2 - Reply) IP 192.168.2.2 is at 44:44:44:44:44:44, Source MAC Address: 44:44:44:44:44:44, Destination MAC Address: 22:22:22:11:11:11 (Spoofed). Question: How does Packet 2 (reply) come back to the VM machine (1) if the packet contains a fake Destination MAC Address that is not the real MAC address configured on the VM machine (1)'s network iface? - StarkBR
How are you confirming that Packet 2 has come back to the originating VM machine? Are you taking a packet capture (is the packet capture set to promiscuous mode?) or are you just checking the ARP cache on VM2? In the packet capture on the first machine, are you sure it is not receiving any broadcast ARPs with the destination MAC set to the broadcast MAC address? - David Z.
I'm taking a capture with Wireshark. Promiscuous mode is disabled on the capture on both machines. The ARP cache on VM2 has only one entry (spoofed IP to spoofed MAC); the real MAC of VM1 does not appear. On VM1 I see in the capture that the ARP Reply packet arrives back, even with the fake MAC in the Destination field that doesn't match the real MAC on the network iface of VM1. - StarkBR

1 Answer

0
votes

The strange thing I see here is how the ARP Reply bounced back to VM (1) although it uses a spoofed MAC address.

Well, try to check on the ARP table on VM (2) and see which MAC record it holds for VM (1); probably you'll find the legitimate MAC address cached due to some communications before you spoof the MAC address.
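
The thread turns on which MAC fields were spoofed and which address the reply was actually delivered to. An ARP frame carries hardware addresses in two places, the Ethernet header and the ARP payload, so the following added example (not part of the original question or answer) parses a raw frame with `struct` and reports where those fields disagree. VM1's real MAC and IP are not given on the page, so `02:00:00:00:00:01` and `192.168.2.1` are constructed placeholders, and both sample frames are constructed.

```python
import socket
import struct

BROADCAST = "ff:ff:ff:ff:ff:ff"

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def mac_raw(text):
    return bytes.fromhex(text.replace(":", ""))

def parse_arp_frame(frame):
    """Split an Ethernet II frame carrying IPv4 ARP into header and payload fields."""
    if len(frame) < 42:
        raise ValueError("too short for Ethernet + ARP")
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if ethertype != 0x0806 or (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an IPv4-over-Ethernet ARP frame")
    return {"eth_dst": mac_str(eth_dst), "eth_src": mac_str(eth_src), "op": op,
            "sha": mac_str(sha), "spa": socket.inet_ntoa(spa),
            "tha": mac_str(tha), "tpa": socket.inet_ntoa(tpa)}

def audit(frame, own_mac):
    """List inconsistencies worth flagging in a capture taken on own_mac's NIC."""
    f = parse_arp_frame(frame)
    findings = []
    if f["eth_src"] != f["sha"]:
        findings.append("ethernet source differs from ARP sender hardware address")
    if f["op"] == 2 and f["eth_dst"] not in (f["tha"], BROADCAST):
        findings.append("reply delivered to a MAC other than its ARP target")
    if f["eth_dst"] not in (own_mac, BROADCAST):
        findings.append("unicast frame seen on a NIC that does not own the destination MAC")
    return findings

def build(eth_dst, eth_src, op, sha, spa, tha, tpa):
    """Assemble a constructed sample frame (test data only, never sent anywhere)."""
    return (mac_raw(eth_dst) + mac_raw(eth_src) + struct.pack("!HHHBBH", 0x0806, 1, 0x0800, 6, 4, op)
            + mac_raw(sha) + socket.inet_aton(spa) + mac_raw(tha) + socket.inet_aton(tpa))

VM1_REAL = "02:00:00:00:00:01"  # constructed placeholder; the page does not give VM1's real MAC
# Constructed case: only the ARP payload carries the spoofed MAC, the header keeps the real one.
REQUEST = build(BROADCAST, VM1_REAL, 1, "22:22:22:11:11:11", "192.168.2.1",
                "00:00:00:00:00:00", "192.168.2.2")
# Reply with the addresses quoted in the comments (192.168.2.1 is a constructed value).
REPLY = build("22:22:22:11:11:11", "44:44:44:44:44:44", 2, "44:44:44:44:44:44", "192.168.2.2",
              "22:22:22:11:11:11", "192.168.2.1")
```

Calling `audit(REPLY, VM1_REAL)` flags the reply as a unicast frame addressed to a MAC the capturing NIC does not own, which is the observation the question describes; running the same check on frames exported from both VMs' captures shows which of the two address fields each side actually saw.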