Monday, July 18, 2011

Flood network with random MAC addresses with macof tool


Macof is a member of the dsniff suite of tools and is mainly used to flood the switch on a local network with MAC addresses. To see why this matters, recall that a switch regulates the flow of data between its ports. It actively monitors (caches) the MAC addresses seen on each port, which helps it pass data only to its intended target. This is the main difference between a switch and a passive hub. A passive hub has no mapping, and thus broadcasts line data to every port on the device. The data is typically rejected by all network cards except the one it was intended for. However, in a hubbed network, sniffing data is very easy to accomplish by placing a network card into promiscuous mode. This allows that device to simply collect all the data passing through a hubbed network. While this is nice for a hacker, most networks use switches, which inherently restrict this activity.
dsniff's “macof” generates random MAC addresses, exhausting the switch’s memory. It is capable of generating 155,000 MAC entries on a switch per minute. Some switches then revert to acting like a hub.
The following question then arises: what happens if the switch is asked to process a constant stream of MAC addresses? In certain circumstances and on certain switches, this will cause the switch to go into a fail-safe mode, in which it basically turns into a hub. In other words, by overloading the switch, a hacker could have access to all the data passing through the switch! One tool for doing this is called “macof”. To use “macof”, you will need to install the ‘dsniff’ suite.
macof [-i interface] [-s src] [-d dst] [-e tha] [-x sport] [-y dport] [-n times]
-i interface    Specify the interface to send on.
-s src          Specify source IP address.
-d dst          Specify destination IP address.
-e tha          Specify target hardware address.
-x sport        Specify TCP source port.
-y dport        Specify TCP destination port.
-n times        Specify the number of packets to send.
macof produces a lot of traffic on the network, so it is good practice to define a large number for the MAC flood attack with the "-n xxxx" option (if the option is not specified, macof floods indefinitely). Some switches regain their initial state after some time interval; this can be bypassed by setting macof in "burst mode operation":
# while  [ 1 ]  ; do macof -d 192.168.1.1 -n 100000 ; sleep 50 ; done
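
From the defender's side, both the continuous flood and the burst loop above show up as a sudden jump in never-before-seen source MAC addresses on a single switch port. The Python code below is an added example, not part of the original post or of the dsniff suite, that flags that pattern in (timestamp, port, source MAC) records; the record format, port names, window length and threshold are assumptions, and the sample data is constructed.

```python
import random
from collections import defaultdict, deque

WINDOW_S = 10        # sliding window length in seconds (assumed value)
MAX_NEW_MACS = 50    # new source MACs tolerated per port per window (assumed value)

def detect_mac_flood(events, window=WINDOW_S, limit=MAX_NEW_MACS):
    """events: iterable of (timestamp, port, src_mac), sorted by timestamp.
    Returns a list of (port, timestamp, new_macs_in_window) alerts."""
    seen = defaultdict(set)        # port -> MACs already learned on that port
    recent = defaultdict(deque)    # port -> timestamps of first-seen MACs
    muted_until = {}               # port -> time before which alerts are suppressed
    alerts = []
    for ts, port, mac in events:
        if mac in seen[port]:
            continue               # known station, no new table entry needed
        seen[port].add(mac)
        q = recent[port]
        q.append(ts)
        while q and q[0] <= ts - window:
            q.popleft()            # drop first-seen events older than the window
        if len(q) > limit and ts >= muted_until.get(port, float("-inf")):
            alerts.append((port, ts, len(q)))
            muted_until[port] = ts + window   # at most one alert per window per port
    return alerts

def sample_events():
    """Constructed data: a normal port plus a port showing two bursts about 50 s apart."""
    rng = random.Random(1)

    def rand_mac():
        return ":".join(f"{rng.randrange(256):02x}" for _ in range(6))

    hosts = ["00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"]
    events = [(float(t), "Gi0/1", hosts[t % 3]) for t in range(60)]
    for start in (5.0, 57.0):      # burst, pause, burst
        events += [(start + i * 0.004, "Gi0/2", rand_mac()) for i in range(500)]
    return sorted(events)

if __name__ == "__main__":
    for port, ts, n in detect_mac_flood(sample_events()):
        print(f"ALERT port={port} t={ts:.2f}s new_macs_in_window={n}")
```

Because the window slides and each port is tracked separately, the pause between bursts does not hide the second burst, and the port with three stable hosts never alerts.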