1
00:00:01,560 --> 00:00:11,140
Let's now consider the next layer the data link layer is layer to this layer is susceptible to Mac spoofing.

2
00:00:11,310 --> 00:00:21,020
The second layer of the OSA model includes the Internet protocol is used in most local networks no matter

3
00:00:21,020 --> 00:00:23,330
whether it's a wired or wireless network.

4
00:00:23,450 --> 00:00:25,880
The Internet Protocol is widely employed.

5
00:00:26,960 --> 00:00:32,300
And Internet networks the sender hosts identity and the receiver whose identity is determined by the

6
00:00:32,300 --> 00:00:35,690
MAC address often called the physical address.

7
00:00:38,170 --> 00:00:44,040
The manufacturer of a network interface such as a network card should give it a unique address.

8
00:00:45,640 --> 00:00:52,630
For many years now however it's been relatively easy to change the MAC address.

9
00:00:52,680 --> 00:00:56,940
You can do that thanks to the drivers that come with the device or using a program you download from

10
00:00:56,940 --> 00:01:02,610
the Internet no matter what environment the program is dedicated for.

11
00:01:02,610 --> 00:01:06,060
It will allow you to easily change the MAC address in real time.

12
00:01:07,590 --> 00:01:15,490
You can even have more than one such address at a time to conclude you send headers of higher layer

13
00:01:15,490 --> 00:01:22,050
packets and actual data in either net protocol frames because we're at the lower layer.

14
00:01:22,060 --> 00:01:29,320
This can be controlled at only the ether net frim header must contain MAC addresses of the sender and

15
00:01:29,320 --> 00:01:34,270
receiver of the packet.

16
00:01:34,290 --> 00:01:37,560
The rules that govern MAC address distribution are very simple.

17
00:01:38,100 --> 00:01:44,070
If both the sender and the receiver belong to the same local network the sender sends the frame directly

18
00:01:44,070 --> 00:01:45,140
to the receiver.

19
00:01:47,530 --> 00:01:54,740
However if that's not the case the sender since the packet to the router in Windows operating systems

20
00:01:54,750 --> 00:02:01,350
the router is called the default gateway when the packet reaches the gateway it's no longer the sender's

21
00:02:01,350 --> 00:02:02,260
concern.

22
00:02:04,100 --> 00:02:10,800
It's the Gateway's test to deliver it to the receiver.

23
00:02:10,810 --> 00:02:16,990
The question remains how does the sender the host that initiates the connection know the MAC address

24
00:02:16,990 --> 00:02:17,810
of the receiver

25
00:02:20,590 --> 00:02:22,830
in accordance with RAFC standards.

26
00:02:23,630 --> 00:02:27,290
A local network host that doesn't know the MAC address of the receiver.

27
00:02:27,290 --> 00:02:33,050
Since this so-called broadcast to all of their hosts in the network the broadcast is a request for a

28
00:02:33,050 --> 00:02:41,600
specific MAC address.

29
00:02:41,770 --> 00:02:44,520
You can see a sample request in the picture below.

30
00:02:45,720 --> 00:02:51,080
It contains all requests for MAC addresses of the neighboring machines.

31
00:02:51,210 --> 00:02:57,190
One of them should respond to the request when a remote host does respond.

32
00:02:57,190 --> 00:02:59,620
Their response is in no way verified by the sender

33
00:03:04,760 --> 00:03:09,470
the sender trusted the response came from the host identified by the requested MAC address.

34
00:03:11,350 --> 00:03:19,990
The AARP protocol as with all other lower layer Protocols of the OS type model is stateless.

35
00:03:20,060 --> 00:03:25,580
There's no way to make sure that the response corresponds to the request the request was sent to all

36
00:03:25,580 --> 00:03:28,000
machines and the response is not verified.

37
00:03:29,930 --> 00:03:35,270
What makes the attack even easier is that the AARP protocol can announce its MAC address to neighboring

38
00:03:35,270 --> 00:03:42,780
machines without being asked to no one and nothing verifies whether such information is true.

39
00:03:45,590 --> 00:03:49,820
Please also remember that as we mentioned before a network interface.

40
00:03:49,820 --> 00:03:57,740
MAC address can be changed at any time nowadays virtually any network card can be put in promiscuous

41
00:03:57,740 --> 00:03:59,860
mode.

42
00:04:00,000 --> 00:04:05,430
The network card is a device whose task is to receive and send packets and also filter out packets that

43
00:04:05,430 --> 00:04:07,230
are addressed to a given machine.

44
00:04:08,090 --> 00:04:14,180
A properly working network card rejects packets addressed to someone else.

45
00:04:14,260 --> 00:04:20,120
Those that had the wrong MAC address the Internet Protocol header in the promiscuous mode.

46
00:04:20,400 --> 00:04:24,850
The card accepts all packets passing through the medium that it's connected to.

47
00:04:24,860 --> 00:04:30,730
These include packets addressed to another machine all of the above.

48
00:04:30,850 --> 00:04:37,360
The promiscuous mode the possibility to change the MAC address and gratuitous error messages can be

49
00:04:37,360 --> 00:04:39,820
exploited in an attack called Mac spoofing.