Hello, aspiring ethical hackers. In our previous blogpost on data link layer attacks, you learnt what is a hub, What is a switch, how they both work, what is a MAC address, what is a CAM table and different types of LAN attacks etc. In this blogpost, you will learn about one of the LAN attacks, MAC Spoofing.

What is MAC spoofing?

MAC Spoofing is a technique in which a factory assigned Media Access Control (MAC) address of a network interface is changed or altered. As communication between devices in a single LAN takes place using the MAC address of the device, changing the MAC address to that of another device will make all the traffic belonging to that device visible to the attacker.

For example, let’s say there are two devices A and B. An attacker changed the MAC address of the device “A” to that of “B”. Then all the traffic belonging to “B” will be coming to “A” and the attacker can sniff this traffic. MAC spoofing attack can be performed after gaining access on the target network.

How can MAC address be changed?

MAC address of a network interface card can be changed either manually or using a tool. Let’s see how to change the MAC address of a Linux machine manually. For this, I will be using Kali Linux. The first method we can use to change MAC address in a Linux machine is the “ifconfig” command. Ifconfig is a command line tool in UNIX operating systems that is used to configure network interfaces.

To change the MAC address of the network interface, we need to first disable the network interface. This can be done with “ifconfig” using the command below.

sudo ifconfig <network interface> down

Then we can change the MAC address using the command shown below.

sudo ifconfig <network interface> hw ether <new MAC address>

For example, let’s assign a MAC address ee:12:ee:ff:45:54 to the interface eth0.

Then all we have to do is enable the network interface as shown below.

Let’ see use the ifconfig command again to see if the MAC address has changed.

It has changed. There is another way in which we can change the MAC address using ip command of Linux too. Even for this, you have to disable the network interface. This can be done with “ip” as shown below.

To change the MAC address with ip utility, the command is given below.

sudo ip link set <network interface> address <new MAC address>

For example,

Then all we have to do is enable the network interface as shown below.

We can also use tools to change MAC addresses. one such tool is mac changer. See the complete guide to change MAC addresses with macchanger tool.

Learn how to change the MAC address of a Windows machine manually here.

Hello, aspiring ethical hackers. In our previous blogpost, you learn what is steganography, its significance and types of steganography to cybersecurity. In this blogpost you will learn in detail about image steganography. But first, let’s see its significance in cybersecurity.

In April 2024, a hacker group being tracked as TA558 has widely used image steganography to deliver malware such as Agent Tesla, FormBook, Remcos RAT, LokiBOT, GuLoader, Snake keylogger and Xworm etc. The malware code embedded in the images contained VBS, PowerShell.

Now that you have understood the importance of image steganography, its time to learn about various images steganography techniques. In cybersecurity, It is a very good thing to learn about various image steganography techniques used to hide data in an image.

Types of image steganography

Image steganography techniques can be primarily divided into Spatial Domain techniques and Transform Domain techniques.

Spatial Domain techniques

Let’s study about various Spatial Domain steganography techniques first.

1. Least Significant Bit (LSB) steganography technique:

In this type of steganographic technique, the secret data is stored in pixels of an image. This is done by replacing the least significant bit of the image.

2. Pixel Value Differencing (PVD) steganography technique:

Pixel Value Differencing (PVD) is a steganography techniques in which secret data is embedded into images using the differences in pixel Value between adjacent pixels.

3. Exploiting Modification Direction (EMD) steganography technique:

In this type of steganographic technique, the secret data is embedded into a group of pixels of an image.

Transform Domain techniques

Now let’s learn about various Transform Domain image steganography techniques. In Transform Domain image steganography techniques, secret data is hidden in the transform domain coefficient of an image.

1. Discrete Cosine Transform (DCT) steganography technique:

In this steganographic technique, 8*8 blocks of an image are transformed into 64 DCT coefficients. Then, the LSB of each DCT coefficient is replaced with a bit of secret data.

2. Discrete Wavelet Transform (DWT) steganography technique:

In this steganographic technique, secret data is hidden by modifying the wavelet coefficient of the image.

3. Fast Fourier Transform (FWT) steganography technique:

In this steganography technique, the secret data is expressed as a Fourier series and then coefficients are added to the images.

Learn how to hide secret data in an image using steghide.

Hello, aspiring ethical hackers. In our previous blogpost on data link layer attacks, you learnt what is a hub, What is a switch, how they both work, what is a MAC address, what is a CAM table and different types of LAN attacks etc. In this blogpost, you will learn about one such attack, MAC flooding attack.

What is MAC flooding?

MAC flooding attack is an attack on the network switch that floods the network switch with fake MAC addresses. The purpose of this attack is to consume memory of the network switch. Once the CAM table of the network switch becomes full, the MAC addresses of the legitimate devices are purged out of the CAM table.

The network switch can no longer save new MAC addresses sent to the switch and it soon falls into a fail-open mode in which it will broadcast the incoming data to all the ports of the switch instead of transferring it to the intended device. Typically, the switch here functions like a network hub.

Since the data is now being broadcast to all the devices connected to the network, hackers can sniff on data belonging to all the devices in the network.

There are many ways to perform MAC flooding. One such method is to using a too named macof. Macof is a tool that comes with dsniff package. macof is used to flood the local network with random MAC addresses. It is installed by default in Kali Linux. The default way to flood the switch with macof is to specify the interface as shown below.

sudo macof -i eth0

This will create multiple random MAC addresses. You can even specify the number of packets you want to create as shown below.

sudo macof -i <interface> -n <number of packets to create>

You can even specify the source IP address from where these random MAC address should originate from.

sudo macof -i <interface> -s <IP address> -n <number of packets to create>

You can also specify the MAC address or physical address of the target device you want to flood with random MAC addresses.

sudo macof -i <interface> -e <Physical address of target> 

Hello, aspiring ethical hackers. In this blogpost, you will learn about DNS spoofing attack. Also known as DNS poisoning or DNS cache poisoning, in this attack a fake or wrong value are entered into the DNS cache. To understand this in detail, you have to first understand what is DNS, DNS server and DNS cache etc.

What is DNS?

Domain Name System (DNS) is a system that associates domain names with their IP addresses. For example, you want to go to a website named Alkapulka.com. When you open the browser and enter the domain name in the URL, your query first goes to a server that keeps a record of domain names and their IP addresses. Then this server takes you to the IP address associated with the alkapulka.com. This server is called the Domain Name System (DNS) server. A DNS server stores domain names and the IP addresses associated with these domain names in a cache known as DNS cache. Hence it is also known as DNS cache poisoning.

What is DNS spoofing?

Just imagine the IP address of the website alkapulka.com is xyx.xyz.xyx.xyz. Somehow the hacker takes control of the DNS server and registers the IP address of alkapulka.com to xyz.xyz.xyz.xyz where I am hosting a different website that looks similar to that of alkapulka.com. Now, when someone tries to visit alkapulka.com, instead of going to the original website, he will be redirected to the duplicate website controlled by the hacker.

Impact of DNS Spoofing

A hacker performs DNS spoofing to make unsuspecting users visit a malicious website. Once the user is one the malicious website, a lot of hacking attacks are possible. Some of them are,

1. Phishing:

Hackers may take unsuspecting users to a phishing website. Phishing is an act of presenting a fake page resembling the original webpage you intend to visit with the sole intention of stealing your credentials. Learn more about phishing.

2. Infecting with malicious software :

The website the users are redirected to may contain malware that can infect the user systems. Malware or malicious software is any software that performs malicious actions on a computer or mobile.

3. Gaining initial access:

Hackers can use multiple techniques to gain initial access on the system of the user. Learn more about gaining access.

How DNS spoofing attack can take place?

DNS spoofing can be achieved using many techniques like

1. Man in the Middle attack:

When attacker gets between the web browser and the DNS Server, he can perform DNS spoofing. Learn more about MiTM attack.

2. DNS server compromise:

If the DNS Server is compromised due to any vulnerability, then attacker gains access to the DNS cache, which he can manipulate as he want.

Hello, aspiring ethical hackers. In our previous blogposts, you learnt what is sniffing and what is Man in the Middle (MITM) attacks etc. In this blogpost, you will learn about a tool named Ettercap. Ettercap is an open-source sniffer and a comprehensive suite for performing man in the middle attacks. With Ettercap we can perform both active and passive protocol analysis, data injection etc.

Let’s see how to use Ettercap for sniffing. For this tutorial, I will be using Kali Linux as my attacker system as ettercap is installed by default on it. As a target system, I am using Metasploitable 2 (see how to create a virtual hacking lab). Ettercap can be started in both command line and GUI. For this tutorial, let’s use the graphical version.

To start ettercap in graphical mode, start ettercap with the “-G” option as shown below.

sudo ettercap -G

The GUI version of Ettercap opens as shown below.

You can also open a network capture file (pcap file) using Ettercap. To start sniffing with ettercap, we have to click on the highlighted part as shown below after selecting the interface we want to sniff on.

As soon as you do this, Ettercap loads all its plugins and engines required for sniffing. By default, ettercap starts sniffing automatically. It can be stopped or started by clicking on the highlighted part as shown below.

Before you perform any attack, you need to know about all the devices on the LAN. Clicking on the tab highlighted in the image below makes this tool scan for all the LIVE hosts on the network.

After the scan is finished, ettercap adds the detected hosts.

The added hosts can be viewed by clicking of the tab highlighted below.

In our case five hosts have been added. I want to sniff the communication taking place between two machines. To do this, I right click on the IP of the client machine with IP 192.168.249.162 and add it as Target 2.

Similarly, I add the server machine with IP 192.168.249.149 as Target 1.

Needless to say, these two machines are the machines I want to perform sniffing on.

Then, I open the MiTM menu of this tool and select ARP poisoning as shown below.

This opens a new window as shown below.

I select “sniff remote connections” option and click on “OK”. This starts the ARP poisoning attack and all the traffic intending to go for 192.168.249.162 (client machine) to192.168.249.149 (server machine) will be sniffed. From the client machine, I make a telnet connection to target system.

Then on ettercap, I open the menu and go to view > connections.

This will show all the connections being made between client and the server.

In the above image, we can see one connection from IP 192.168.244.162 to port 23 of 192.168.249.149. Clicking on it will reveal the connection data exchanged between the two machines.

By default, the data from the client and server machines are shown in different tabs. You can see the credentials being exchanged between client and server. You can even join both the views for clarity.

Here, you can see the clear text credentials used to login into the telnet server.