Saturday, October 1, 2011

Mac Address Pool

I believe everyone know that each IP address is mask to a Media Access Control (MAC). In virtual environment you will have the abilities to set to static or dynamic MAC address.

What have bring my interest in this area would be the security issue when you are running on a flat lan environment. I will explain detail on this article. Let get started by how Microsoft assign the pool when the hyper-v is installed. The MAC address is devided into 2 part, the first part would be as highlight in color.


The blue portion is Microsoft OEM , but have you ever think where the red portion coming from? Let me explain to you, let said your IP address of the Hyper-V is , the second IP number which it is 26.43 you will need to convert from dec to Hex which you will get 1A:2B. 

So each time when you deploy the Hyper-V host the MAC address won't be duplicated. So you will the range of MAC address pool will have something like as below. FF when you convert it from HEX to DEC you will get 255.

00:15:5D:1A:2B:00 to 00:15:5D:1A:2B:FF.

Just now I did mention the security risk, from the hacker perspective they already know your entire MAC address pool. If you do run on flat LAN with iSCSI the chances to get ARP spoofing is high.

However there is a setting to enable MAC Address spoofing from the Microsoft article.

I have get those important point as below :

If you select the option to enable MAC address spoofing, the MAC address can be learned on other ports, and the following actions will be allowed:
  • The virtual switch port that connects the virtual network adapter can send and receive packets that contain any MAC address.
  • The virtual switch port dynamically learns of new MAC addresses and the virtual switch can add them in its forwarding table.
  • The virtual switch port will receive and forward unicast flooded packets to the virtual network adapter.
  • You can override the virtual network adapter MAC address configuration using the NetworkAddress key in the virtual machine registry. 
But in the actual hacking, the interest of the hacker would be the gateway, although they are some technote that said if you hardcode the gateway mac into the ARP, the server should be ok. But the real fact is not.

This is why, when you want to design the infrastructure for Hyper-V you need to have a tier access (e.g. user farm, server farm with different vlan).

You can read a technote on detail how ARP spoof work, there is a lot of tools outside there that can do ARP spoofing such as Cain&able. But I am not going to show you how to use Cain & Able, as I would to give more information on what is happening on the packets on my Arp Spoofing Article.

    No comments:

    Post a Comment