On Network MAC and ARP Attacks

Date: 2010-09-03 14:31:40

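To date, the "network control" tools (or, one might say, viruses) circulating on networks come in every variety, including many LAN control programs that users themselves like to run. While running, however, these programs can easily attack or disrupt the network. The following describes and analyzes network MAC and ARP attacks in terms of their main principles.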

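Case:

Question:

A problem with my Dell 630 laptop!

My network card has the latest driver, and I scan for viruses with Kaspersky; I also take viruses fairly seriously, so the machine should be clean. I have already turned off the power-saving mode for the network card and the hard disk, but for some reason the network occasionally drops. When it drops, the computer gives no sign at all and everything looks normal, but the network is simply gone, while the icon in the lower right corner does not show a disconnection. Disconnecting and reconnecting does not work either, because the connection cannot be disconnected at all (in fact the network has long been gone). If I then try to restart, the computer stays at "saving settings" and will not shut down. Could it be a hardware problem???

Answer:

Most likely you have been hit by an ARP attack. Scan all of your machines for viruses, then run an ARP-specific removal tool over them, then install an ARP firewall and bind the IP. In the Advanced tab of the network card's properties there is a NETWORK ADDRESS entry; click it and change the value on the right to your MAC value. Once you are sure the system is fine, try a different port on the switch and the router.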

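Appendix:

ARP stands for Address Resolution Protocol.

We know that when we enter a URL in a browser, the DNS server automatically resolves it to an IP address, and what the browser actually looks up is the IP address rather than the URL. So how is an IP address converted into a layer 2 physical address (that is, a MAC address)? On a LAN this is done by the ARP protocol. ARP is of great significance to network security: ARP spoofing, carried out by forging IP and MAC addresses, can generate a large volume of ARP traffic on the network and congest it. Network administrators should therefore understand the ARP protocol in depth.

The following is an introduction to MAC addresses and how to work with them.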

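Changing the MAC address through the operating system

First, the computer's operating system must be Windows 2000 or Windows XP. Next, on the other computer, find that computer's MAC address. The ipconfig /all command shows, on the Physical Address line, a value of the form xx-xx-xx-xx-xx-xx; write this value down.

Then, on the computer whose MAC address you want to change, right-click the "My Computer" icon, choose "Properties", select the "Hardware" tab in the window that appears, and click the "Device Manager" button.

In the Device Manager window, select your network card and double-click it. In the network card properties window, select the "Advanced" tab. In the property list, select "Network Address".

Select the radio button in front of "Value" on the right and enter the MAC value you recorded. Note that the digits are entered without spaces and without the "-" characters.

You can now run ipconfig /all and see that this machine's MAC address has changed to the value you entered.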

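Changing the MAC address through the registry

Windows 9x/ME:

Choose Run, type "regedit" in the Run box to open the Registry Editor, then locate the key HKEY_LOCAL_MACHINE\system\Currentcontrolset\services\classes\net. Under it there are several subkeys such as 0000, 0001 and 0002; look at the content of DriverDesc to confirm that the subkey you are about to modify is the one describing the network card.

Then add a subkey under it named NetworkAddress with its value set to the desired MAC address. Check with winipcfg and the MAC address has been changed.

Windows 2K:

Open the Registry Editor and locate the key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}". Under it there are keys such as 0000, 0001 and 0002; find the key whose DriverDesc content matches the description of the network card you want to modify.

Under this key, add a string value named "NetworkAddress" and set it to the MAC address you want, written without separators, for example "001010101010". Then, under "NDI\params" beneath that key, add a key named "NetworkAddress", and under it add a string named "default" whose value is the MAC address to set, again written without separators, for example "001010101010".

Under the "NetworkAddress" key, also add a string named "ParamDesc", which gives the description of the "NetworkAddress" key; its value can be set to anything. After one restart, open the properties of Network Neighborhood and double-click the relevant network card entry; you will find an Advanced setting containing a MAC Address option. This is the new "NetworkAddress" entry you added to the registry in the second step, and from then on you only need to change the MAC address there. Close the Registry Editor and restart; your network card address has been changed.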

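Changing the MAC address under Linux

First bring the network device down: /sbin/ifconfig eth0 down

Then the MAC address can be changed: /sbin/ifconfig eth0 hw ether xxxxxxxxxxx (where xx is the address you want to set)

Finally bring the network card back up: /sbin/ifconfig eth0 up

The network card's MAC address has now been changed.

After the MAC is changed in this way, its value will not change again even if the system is reinstalled: you have already written the relevant parameters into the network card's memory.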

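MAC address

A MAC (Media Access Control) address, also called a hardware address, is used to define the location of a network device. In the OSI model, layer 3 (the network layer) is responsible for IP addresses, and layer 2 (the data link layer) is responsible for MAC addresses. A host therefore has an IP address, and each network location has a MAC address of its own.

MAC (Medium/Media Access Control) addresses are burned into the Network Interface Card (NIC). A MAC address, also called a hardware address, is 48 bits (6 bytes) long and written as hexadecimal digits. Bits 0-23 are called the organizationally unique identifier and identify a LAN node. Bits 24-47 are assigned by the manufacturer itself. Bit 40 is the multicast address flag. The physical address of a NIC is usually burned by the manufacturer into the NIC's EPROM (a kind of flash memory chip that can usually be erased and rewritten by software); it stores the address that is actually relied on during data transmission to identify the computer sending the data and the host receiving it.

In other words, in the physical transmission at the bottom layer of the network, hosts are identified by their physical addresses, which are generally also globally unique. For example, the well-known Ethernet card has a physical address that is a 48-bit integer, such as 44-45-53-54-00-00, stored in the host interface in machine-readable form. The IEEE (Institute of Electrical and Electronics Engineers), the body that administers Ethernet addresses (among other things), divides Ethernet addresses, that is, the different combinations of 48 bits, into a number of independent contiguous address blocks. A manufacturer of Ethernet cards buys one of these blocks and, during production, assigns a unique address to each card one by one.

Figuratively speaking, a MAC address is like the ID number on our identity card: it is globally unique.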

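The role of the MAC address

An IP address is like a job position, and a MAC address is like the person who applies for it. The position can be held by A or by B. In the same way, a node's IP address places no requirement on the network card, and a card from essentially any manufacturer can be used; in other words, there is no fixed binding between an IP address and a MAC address. Some computers are moved around a lot, just as people can work for different employers and are themselves quite mobile. The correspondence between position and person is somewhat like the correspondence between IP address and MAC address. For example, if a network card fails it can be replaced without obtaining a new IP address. If an IP host moves from one network to another, it can be given a new IP address without replacing its network card.

Of course, this function alone is not all there is to the MAC address. Comparing human society with the network brings out the similarities and helps us understand the role of the MAC address better. Whether computers communicate on a LAN or across a WAN, the communication ultimately takes the form of a packet leaving an initial node on some kind of link and being passed from one node to the next until it reaches the destination node. The movement of packets between these nodes is accomplished by ARP (Address Resolution Protocol), which maps IP addresses to MAC addresses. Human society is similar: imagine that, in a network of personal contacts, A wants to pass a message to D; it is relayed through B and C, and finally C tells D. In a network, this message is like a packet. While it is being delivered, the packet keeps asking for the MAC address of the adjacent node, just as a message is passed along between people. With these two examples we can better understand the role of the MAC address.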

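How to get the local machine's MAC address

win98/me

For a small number of machines, the MAC address can be obtained as follows: in Windows 98/Me, click "Start" → "Run" → type "winipcfg" → Enter. The MAC address is then shown.

Windows 2000/XP

Click "Start" → "Run" → type "CMD" → Enter → type "ipconfig /all" → Enter. (Or click "Start" → "All Programs" → "Accessories" → "Command Prompt" → type "ipconfig /all" → Enter.) The MAC address is then shown (Physical Address):

  Physical Address. . . . . . . . . : 00-23-5A-15-99-42

You can also get the MAC address by viewing the local connection: click "Local Area Connection" → "Support" → "Details". The MAC address (physical address) is then shown.

linux/unix

Enter ifconfig at the command line to see the MAC address:

  Link encap:以太网 硬件地址:00-23-5A-15-99-42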

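How to change a network card's MAC address

In fact, whether it is 98, 2000 or XP, the ability to change a network card's MAC address is already provided; people just don't usually notice it. Below I explain how to change it. It is very simple...

Changing it under win2000

Now let's look at WIN2000 first. Right-click the My Network Places icon on the desktop and choose "Properties". The "Network and Dial-up Connections" window that appears usually contains two icons: "Make New Connection" and "My Connection". If your machine has two network cards there will be three icons. If you have only one network card, right-click "My Connection" and choose "Properties"; a "My Connection Properties" window appears. At the top of the window is the label "Connect using:", and below it is the model of the network card in your machine. Below that is a "Configure" button; clicking it opens the network card's properties dialog. The dialog has five tabs; click the second, "Advanced". Under the "Property" label there are two entries: one is "Link Speed/Duplex Mode", which sets the card's operating speed; the one we need to change is the next one, "Network Address". Click it; under the "Value" label on the right of the dialog there are two radio buttons, with "Not Present" selected by default. Select the upper radio button, type the MAC address you want into the box on the right, click "OK" and wait a moment; the network card address is changed, and you do not even need to disable the card!

You can also open the network card's property page from Device Manager and change it there, with the same result. The method on WINXP is the same as on WIN2000.

Changing it under 98

Changing it under 98 is much the same as under WIN2000/XP. Right-click the "Network Neighborhood" icon and choose "Properties"; a "Network" dialog appears. In the "Configuration" box, double-click the network card you want to modify to open its properties dialog. On the "Advanced" tab, again click the "Network Address" entry under the "Property" label, select the upper of the two radio buttons on the right, type the MAC address you want in the box and click "OK"; the system will prompt you to restart. After the restart, your network card address has been changed!!

To restore the network card's original MAC address, select the lower radio button, "Not displayed", to the right of the "Network Address" entry again and restart. Under WIN2000/XP the option to select is "Not Present", and of course no restart is needed.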

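Applications of the MAC address

Ordinarily an identity card is of little use, but at certain critical moments it is what proves who you are, for example when you go to a bank to withdraw cash. Binding a MAC address to an IP address is like carrying your own identity card when you go to do something important. Sometimes, to prevent an IP address from being misappropriated, simple switch port binding is used (the port's MAC table uses static entries); where each switch port connects to only one host, this prevents misuse through a changed MAC address. A layer 3 device can additionally bind switch port, IP and MAC together, preventing IP misappropriation through a changed MAC. MAC address binding is generally configured on switches and routers, which only network administrators have access to; ordinary computer users only need to understand what the binding does. For example, if on a campus network you move your laptop to another dormitory and can no longer get online, that is caused by the binding of the MAC address to the IP address (port).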

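The MAC spoofing attack method

ARP spoofing is already a mature technique and is not covered again here. The focus this time is the technical principle of sniffing and session hijacking without ARP spoofing; the actual attack method is MAC spoofing.

I. Principle:

Before starting, let us briefly look at how a switch forwards frames. When a port of the switch receives a data frame, it first looks up which port the frame's destination MAC address corresponds to in the MAC address table (CAM). If the destination port and the source port are not the same port, it forwards the frame out of the destination port and at the same time updates the mapping between the source port and the source MAC in the MAC address table; if the destination port is the same as the source port, it discards the frame.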
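The forwarding and learning steps above, together with the static port binding described under "Applications of the MAC address", modelled from the defender's side as an added example (not code from the original document). The class, the alert names and the sample frames are constructed for illustration; the model logs every change of a learned MAC-to-port entry and refuses frames whose source MAC is pinned to another port.

```python
class LearningSwitch:
    """Toy model of the forwarding process described above (not a real switch OS)."""

    def __init__(self, static_bindings=None):
        self.cam = {}                              # learned entries: MAC -> port
        self.static = dict(static_bindings or {})  # admin-pinned entries: MAC -> port
        self.alerts = []

    def receive(self, in_port, src, dst):
        """Handle one frame; return 'drop', 'flood' or the egress port number."""
        pinned = self.static.get(src)
        if pinned is not None and pinned != in_port:
            # Source MAC is statically bound to another port: refuse to learn it.
            self.alerts.append(("binding-violation", src, pinned, in_port))
            return "drop"
        learned = self.cam.get(src)
        if learned is not None and learned != in_port:
            # A dynamic entry is about to move: the event to monitor for MAC spoofing.
            self.alerts.append(("mac-move", src, learned, in_port))
        self.cam[src] = in_port                    # learn or refresh the source mapping
        out = self.static.get(dst, self.cam.get(dst))
        if out is None:
            return "flood"                         # unknown or broadcast destination
        return "drop" if out == in_port else out

# Constructed sample traffic: (ingress port, source MAC, destination MAC).
HOST_A, HOST_B = "00:11:22:33:44:01", "00:11:22:33:44:02"
FRAMES = [
    (1, HOST_A, "ff:ff:ff:ff:ff:ff"),   # A broadcasts from port 1
    (2, HOST_B, HOST_A),                # B answers from port 2
    (3, HOST_B, HOST_A),                # B's MAC now shows up on port 3
    (3, HOST_A, HOST_B),                # A's MAC shows up on port 3
]

def replay(frames, static_bindings):
    """Feed the frames through a fresh switch; return (actions, alerts)."""
    sw = LearningSwitch(static_bindings)
    actions = [sw.receive(*frame) for frame in frames]
    return actions, sw.alerts

if __name__ == "__main__":
    actions, alerts = replay(FRAMES, {HOST_A: 1})
    print(actions)
    for alert in alerts:
        print(alert)
```

With HOST_A pinned to port 1 the last frame is dropped and its CAM entry stays put; without the binding the entry moves and only the mac-move alert records it.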

English reference material

  In computer networking a Media Access Control address (MAC address) or Ethernet Hardware Address (EHA) or hardware address or adapter address is a quasi-unique identifier attached to most network adapters (NIC or Network Interface Card). It is a number that serves as an identifier for a particular network adapter. Thus network cards (or built-in network adapters) in two different computers will have different MAC addresses, as would an Ethernet adapter and a wireless adapter in the same computer, and as would multiple network cards in a router. However, it is possible to change the MAC address on most of today's hardware, often referred to as MAC spoofing.

  Most layer 2 network protocols use one of three numbering spaces managed by the Institute of Electrical and Electronics Engineers (IEEE): MAC-48, EUI-48, and EUI-64, which are designed to be globally unique. Not all communications protocols use MAC addresses, and not all protocols require globally unique identifiers. The IEEE claims trademarks on the names "EUI-48" and "EUI-64" ("EUI" stands for Extended Unique Identifier).

  MAC addresses, unlike IP addresses and IPX addresses, are not divided into "host" and "network" portions. Therefore, a host cannot determine from the MAC address of another host whether that host is on the same layer 2 network segment as the sending host or a network segment bridged to that network segment.

  ARP is commonly used to convert from addresses in a layer 3 protocol such as Internet Protocol (IP) to the layer 2 MAC address. On broadcast networks, such as Ethernet, the MAC address allows each host to be uniquely identified and allows frames to be marked for specific hosts. It thus forms the basis of most of the layer 2 networking upon which higher OSI Layer protocols are built to produce complex, functioning networks.   


  Notational conventions

  The standard (IEEE 802) format for printing MAC-48 addresses in human-readable media is six groups of two hexadecimal digits, separated by hyphens (-) in transmission order, e.g. 01-23-45-67-89-ab. This form is also commonly used for EUI-64. Other conventions include six groups of two separated by colons (:), e.g. 01:23:45:67:89:ab; or three groups of four hexadecimal digits separated by dots (.), e.g. 0123.4567.89ab; again in transmission order.

  Address details

  The original IEEE 802 MAC address comes from the original Xerox Ethernet addressing scheme.[1] This 48-bit address space contains potentially 2^48 or 281,474,976,710,656 possible MAC addresses.

  All three numbering systems use the same format and differ only in the length of the identifier. Addresses can either be "universally administered addresses" or "locally administered addresses."

  A universally administered address is uniquely assigned to a device by its manufacturer; these are sometimes called "burned-in addresses" (BIA). The first three octets (in transmission order) identify the organization that issued the identifier and are known as the Organizationally Unique Identifier (OUI). The following three (MAC-48 and EUI-48) or five (EUI-64) octets are assigned by that organization in nearly any manner they please, subject to the constraint of uniqueness. The IEEE expects the MAC-48 space to be exhausted no sooner than the year 2100; EUI-64s are not expected to run out in the foreseeable future.

  A locally administered address is assigned to a device by a network administrator, overriding the burned-in address. Locally administered addresses do not contain OUIs.

  Universally administered and locally administered addresses are distinguished by setting the second least significant bit of the most significant byte of the address. If the bit is 0, the address is universally administered. If it is 1, the address is locally administered. The bit is 0 in all OUIs. For example, 02-00-00-00-00-01. The most significant byte is 02h. The binary is 00000010 and the second least significant bit is 1. Therefore, it is a locally administered address.[2]

  If the least significant bit of the most significant byte is set to a 0, the packet is meant to reach only one receiving NIC. This is called unicast. If the least significant bit of the most significant byte is set to a 1, the packet is meant to be sent only once but still reach several NICs. This is called multicast.

  MAC-48 and EUI-48 addresses are usually shown in hexadecimal format, with each octet separated by a dash or colon. An example of a MAC-48 address would be "00-08-74-4C-7F-1D". If you cross-reference the first three octets with IEEE's OUI assignments,[3] you can see that this MAC address came from Dell Computer Corp. The last three octets represent the serial number assigned to the adapter by the manufacturer.

  The following technologies use the MAC-48 identifier format:

  Ethernet

  802.11 wireless networks

  Bluetooth

  IEEE 802.5 token ring

  most other IEEE 802 networks

  FDDI

  ATM (switched virtual connections only, as part of an NSAP address)

  Fibre Channel and Serial Attached SCSI (as part of a World Wide Name)

  The distinction between EUI-48 and MAC-48 identifiers is purely semantic: MAC-48 is used for network hardware; EUI-48 is used to identify other devices and software. (Thus, by definition, an EUI-48 is not in fact a "MAC address", although it is syntactically indistinguishable from one and assigned from the same numbering space.)

  The IEEE now considers the label MAC-48 to be an obsolete term which was previously used to refer to a specific type of EUI-48 identifier used to address hardware interfaces within existing 802-based networking applications and should not be used in the future. Instead, the term EUI-48 should be used for this purpose.

  EUI-64 identifiers are used in:

  FireWire

  IPv6 (as the low-order 64 bits of a unicast network address when temporary addresses are not being used)

  ZigBee / 802.15.4 wireless personal-area networks

  The IEEE has built in several special address types to allow more than one Network Interface Card to be addressed at one time:

  Packets sent to the broadcast address, all one bits, are received by all stations on a local area network. In hexadecimal the broadcast address would be "FF:FF:FF:FF:FF:FF".

  Packets sent to a multicast address are received by all stations on a LAN that have been configured to receive packets sent to that address.

  Functional addresses identify one or more Token Ring NICs that provide a particular service, defined in IEEE 802.5.

  These are "group addresses", as opposed to "individual addresses"; the least significant bit of the first octet of a MAC address distinguishes individual addresses from group addresses. That bit is set to 0 in individual addresses and 1 in group addresses. Group addresses, like individual addresses, can be universally administered or locally administered.

  In addition, the EUI-64 numbering system encompasses both MAC-48 and EUI-48 identifiers by a simple translation mechanism. To convert a MAC-48 into an EUI-64, copy the OUI, append the two octets "FF-FF", and then copy the organization-specified part. To convert an EUI-48 into an EUI-64, the same process is used, but the sequence inserted is "FF-FE". In both cases, the process can be trivially reversed when necessary. Organizations issuing EUI-64s are cautioned against issuing identifiers that could be confused with these forms. The IEEE policy is to discourage new uses of 48-bit identifiers in favor of the EUI-64 system.

  IPv6—one of the most prominent standards that uses EUI-64—applies these rules inconsistently. Due to an error in the appendix to the specification of IPv6 addressing, it is standard practice to extend MAC-48 addresses (such as IEEE 802 MAC address) to EUI-64 using "FF-FE" rather than "FF-FF."

  Individual address block

  An Individual Address Block comprises a 24-bit OUI managed by the IEEE Registration Authority, followed by 12 IEEE-provided bits (identifying the organization), and 12 bits for the owner to assign to individual devices. An IAB is ideal for organizations requiring fewer than 4097 unique 48-bit numbers (EUI-48).[4]

  Bit-reversed notation

  The standard transmission order notation for MAC addresses, as seen in the output of the ifconfig command for example, is also called canonical format.

  However, since IEEE 802.3 (Ethernet) and IEEE 802.4 (Token Bus) send the bits over the wire with least significant bit first, while IEEE 802.5 (Token Ring) and IEEE 802.6 send the bits over the wire with most significant bit first, confusion may arise where an address in the latter scenario is represented with bits reversed from the canonical representation. So for instance, an address whose canonical form is 12-34-56-78-9A-BC would be transmitted over the wire as bits 01001000 00101100 01101010 00011110 01011001 00111101 in the standard transmission order (least significant bit first). But for Token Ring networks, it would be transmitted as bits 00010010 00110100 01010110 01111000 10011010 10111100 in most significant bit first order. If care is not taken to translate correctly and consistently to the canonical representation, the latter might be displayed as 482C6A1E593D, which could cause confusion. This would be referred to as "Bit-reversed order", "Non-canonical form", "MSB format", "IBM format", or "Token Ring format" as explained by RFC 2469. Canonical form is preferred.
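  The notations, the two flag bits of the first octet, the EUI-64 expansion and the bit-reversed form described in the sections above, combined into one added example (not part of the original text). Function names are illustrative; the sample addresses are the ones quoted above. A set locally-administered bit is a quick triage hint that an observed address is not a burned-in one.

```python
import re

# The three printed notations named above, plus bare hex as used in registry values.
_FORMS = (
    r"(?:[0-9a-f]{2}-){5}[0-9a-f]{2}",
    r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}",
    r"(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}",
    r"[0-9a-f]{12}",
)

def parse_mac(text):
    """Return the six octets in transmission order, or raise ValueError."""
    s = text.strip().lower()
    if not any(re.fullmatch(p, s) for p in _FORMS):
        raise ValueError(f"not a 48-bit address: {text!r}")
    return bytes.fromhex(re.sub(r"[-:.]", "", s))

def fmt(octets):
    """Format octets in the hyphenated IEEE 802 style."""
    return "-".join(f"{b:02X}" for b in octets)

def classify(mac):
    """Decode the two flag bits carried in the first octet."""
    local = bool(mac[0] & 0x02)          # second least significant bit
    return {
        "group": bool(mac[0] & 0x01),    # least significant bit: multicast/broadcast
        "local": local,                  # locally administered, i.e. not burned-in
        "oui": None if local else fmt(mac[:3]),  # local addresses carry no OUI
        "broadcast": mac == b"\xff" * 6,
    }

def to_eui64(mac, filler=b"\xff\xfe"):
    """Insert FF-FE (IPv6 practice) or FF-FF after the first three octets."""
    return mac[:3] + filler + mac[3:]

def bit_reversed(mac):
    """Reverse the bit order inside each octet (Token Ring / MSB format)."""
    return bytes(int(f"{b:08b}"[::-1], 2) for b in mac)

if __name__ == "__main__":
    for sample in ("02-00-00-00-00-01", "00:08:74:4c:7f:1d", "ffff.ffff.ffff"):
        mac = parse_mac(sample)
        print(fmt(mac), classify(mac), fmt(to_eui64(mac)))
    print(fmt(bit_reversed(parse_mac("12-34-56-78-9A-BC"))))
```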

  See also

  NSAP address, another endpoint addressing scheme.

  Cisco Hot Standby Router Protocol or standard alternative VRRP Virtual router redundancy protocol, which allows multiple routers to share one IP address and MAC address to provide router redundancy. The OpenBSD project has an open source alternative, the Common Address Redundancy Protocol (CARP).
