
Unix & Linux Stack Exchange

Q&A for users of Linux, FreeBSD and other Unix-like operating systems

Latest Questions

7 votes
3 answers
3315 views
How to find unspoofed MAC address of NIC
In Red Hat Enterprise Linux (RHEL) 8, if someone does `ifconfig eth0 hw ether abcd12341234`, *all I know is `ifconfig` and `ip -a`*, so then is there a way to reliably get the real MAC address of that eth0 interface and if so how? ... other than for example rebooting to a Linux live CD coming from a reliable source to be sure the MAC address of the interface hasn't been changed.
ron (8647 rep)
Feb 14, 2024, 07:33 PM • Last activity: Feb 15, 2024, 10:35 PM
1 votes
1 answers
177 views
ssh tunnel and change IP
I create my tunnel on my laptop via:

```
ssh -p 22 -CfND 7777 mohsen@myserver
```

After I input my password, the connection is established.
And via SOCKS5 in Firefox I use `127.0.0.1:7777` and I can browse many filtered sites.
But Google or some sites understand that I use a tunnel. How can I configure my SSH server to tell Google or another site that I am not fake?
PersianGulf (11308 rep)
Feb 7, 2024, 06:12 AM • Last activity: Feb 7, 2024, 07:36 AM
0 votes
1 answers
1843 views
How to install dsniff package on termux?
I was trying to install the `dsniff` package to use dnsspoof. I tried this command:

```
apt-get install dsniff
```

but I got this error:

```
E: Unable to locate package dsniff
```

What am I missing?
user388429
Dec 31, 2019, 05:41 PM • Last activity: Apr 15, 2023, 09:06 AM
1 votes
0 answers
280 views
Would running Chrome on Wine trick a website into thinking that's Windows?
The website I want to use blocks part of the content for Linux users for some reason. I know about the user agent and how to change it. It works for websites like whatismybrowser, but it doesn't for this one. Not even changing the browser. Say I'm on Firefox and change it to be Chrome for Windows, it still detects as being Firefox on Linux, so there is extra technical wizardry going on there that's beyond my knowledge on the subject. But then I remember Wine is a thing. I've never really used it (only Proton on Steam), but the way I understand how it works, it basically reverse engineered Windows libraries for running Windows apps, so depending on the wizardry that's going on in that website, maybe I could trick it into believing it's running on Windows. But I don't want to mess too much with this sort of stuff if I don't have to, hence the question here. Alternatively, I would also accept as an answer other methods to spoof the OS for this website.
Guilherme Taffarel Bergamin (111 rep)
Nov 13, 2022, 03:00 PM
2 votes
3 answers
2930 views
How to avoid mac-address spoofing auto reset on connecting
Every time I spoof my MAC address on Ubuntu using different approaches including `macchanger` it auto resets as soon as I actually try to reconnect to the network. This is what my problem looks like:

TERMINAL ENTRY before reconnection

```
root@M-Linux:~# macchanger -s wlp2s0
Current MAC: XY (changed, obviously) (Hon Hai Precision Ind. Co.,Ltd.)
Permanent MAC: XY (Hon Hai Precision Ind. Co.,Ltd.)
root@M-Linux:~# ifconfig wlp2s0 down
root@M-Linux:~# macchanger -rb wlp2s0
Current MAC: XY (Hon Hai Precision Ind. Co.,Ltd.)
Permanent MAC: XY (Hon Hai Precision Ind. Co.,Ltd.)
New MAC: AB (unknown)
root@M-Linux:~# ifconfig wlp2s0 up
root@M-Linux:~# macchanger -s wlp2s0
Current MAC: AB (unknown)
Permanent MAC: XY (Hon Hai Precision Ind. Co.,Ltd.)
```

Then I reconnect to the WIFI and then this happens

```
root@M-Linux:~# macchanger -s wlp2s0
Current MAC: XY (Hon Hai Precision Ind. Co.,Ltd.)
Permanent MAC: XY (Hon Hai Precision Ind. Co.,Ltd.)
```

So the MAC is back to normal. I tried this on Kubuntu 16.04.3 and another Debian-based distro. I tried it on my home and a public network. I tried it on two different machines: HP and Acer Notebooks. Exact same results every time and NO information about the issue on the web. What should I do?
NoBullsh1t (129 rep)
Aug 10, 2017, 09:31 PM • Last activity: Sep 22, 2022, 05:04 PM
0 votes
1 answers
551 views
Run a terminal command when device connects to a WiFi network
I spoof my MAC address on a public WiFi network that I use often, but I do not want to have my MAC spoofed on my home network. I was thinking that a way to automate this is to have the computer automatically reset its MAC address with `sudo spoof-mac reset wi-fi` using SpoofMAC. How could I automate this, so that every time my computer connects to *x* network, that command gets run, and my MAC address gets set back to normal? I am on MacOS Monterey.
SteepAtticStairs (1 rep)
Nov 11, 2021, 03:31 PM • Last activity: Nov 11, 2021, 07:17 PM
3 votes
3 answers
4782 views
How to find IP address from mac address by spoofed request to DHCP server?
EDIT the selected answer solves the broader problem that I was trying to solve, which is "Given selected mac addresses, how do I efficiently find each mac addresses corresponding IP address on the local network?". ORIGINAL: I need to write a program to find out the IP addresses of machines on my local network. I have the mac address of the machines. Given that DHCP servers return the same IP address for a given mac address, would it be possible somehow to send a DHCP request to the server, insert the known mac address, and capture the response, which presumably has the correct IP address in it for that mac address? FURTHER INFORMATION: I tried arpwatch and found it to be unreliable. Much more satisfactory was addrwatch https://github.com/fln/addrwatch
Duke Dougal (1135 rep)
Feb 19, 2018, 04:30 PM • Last activity: Jun 7, 2021, 05:16 PM
0 votes
0 answers
1615 views
How to verify that Gratuitous ARP is disabled on a Linux server?
**Problem:** I need to verify if Gratuitous ARP is disabled on a Linux server in the configuration files.
Coding_A_Nation (1 rep)
Jun 2, 2021, 09:59 AM
0 votes
0 answers
76 views
MAC address spoof of a wifi connected device, not the network interface of the PC
Some devices are known to data hosts by their MAC. If you physically replace that device and it has a new MAC the host will not accept the data. All the router will do is spoof the network interface card MAC, not the WIFI connected device's MAC. Is there any way to accomplish this task? Use case is a weather transmitting station that's connected to a router and the data sent to a host. I've considered using a Pi and a connected router to subnet the weather station but have been unable to find any reference to spoofing the WIFI station's MAC.
Jim Baker (1 rep)
Mar 5, 2021, 04:58 PM • Last activity: Mar 6, 2021, 12:24 AM
0 votes
2 answers
1352 views
How to redirect outbound dns traffic to a different address
I am trying to redirect all outbound DNS requests on my local network. I have a few devices made up of PC's, cell phones, etc. How would I go about redirecting (ex: www.domain.com to 192.168.1.80). Basically spoofing www.domain.com to 192.168.1.80 so anyone on the network will not be able to connect to www.domain.com.
Etienne (1 rep)
Jan 9, 2021, 10:59 PM • Last activity: Jan 13, 2021, 08:26 AM
0 votes
0 answers
301 views
Detecting IP/MAC spoofing using iptables
Is there any way to detect IP or MAC address spoofing with iptables?
Meysam (113 rep)
Dec 20, 2020, 01:07 PM • Last activity: Dec 20, 2020, 01:47 PM
0 votes
0 answers
1162 views
abrt-cli reports "is not a problem directory"
We are trying to remove all folders from `/var/spool/abrt/` on RHEL 7.2 machines, after stopping the services `abrt-ccpp.service` and `abrtd.service`, because we do not want the core under spool any more, but we get

```
find /var/spool/abrt/ -type d -exec abrt-cli rm '{}' \;
'/var/spool/abrt' is not a problem directory
Can't delete '/var/spool/abrt/': (null)
'/var/spool/abrt/ccpp-2019-11-20-12:13:41-64941' is not a problem directory
Can't delete '/var/spool/abrt/ccpp-2019-11-20-12:13:41-64941': (null)
'/var/spool/abrt/ccpp-2019-11-20-12:16:12-2687' is not a problem directory
Can't delete '/var/spool/abrt/ccpp-2019-11-20-12:16:12-2687': (null)
'/var/spool/abrt/ccpp-2019-11-20-14:20:09-61612' is not a problem directory
Can't delete '/var/spool/abrt/ccpp-2019-11-20-14:20:09-61612': (null)
'/var/spool/abrt/ccpp-2019-11-20-15:12:03-55822' is not a problem directory
Can't delete '/var/spool/abrt/ccpp-2019-11-20-15:12:03-55822': (null)
```

The folders under spool are

```
drwx------ 2 root root 4096 Dec 16 11:54 ccpp-2019-11-20-18:43:24-8768
drwx------ 2 root root 4096 Dec 16 11:54 ccpp-2019-11-20-12:14:55-1014
drwx------ 2 root root 4096 Dec 16 11:54 ccpp-2019-11-20-12:21:34-8475
drwx------ 2 root root 4096 Dec 16 11:54 ccpp-2019-11-20-12:25:27-12740
drwx------ 2 root root 4096 Dec 16 11:54 ccpp-2019-11-20-12:32:28-19585
drwx------ 2 root root 4096 Dec 16 11:54 ccpp-2019-11-20-16:13:48-52746
```

Any solution for this problem?

We also tried

```
find /var/spool/abrt/ -mindepth 1 -type d -exec abrt-cli rm '{}' \;
'/var/spool/abrt/ccpp-2019-11-20-12:13:41-64941' is not a problem directory
Can't delete '/var/spool/abrt/ccpp-2019-11-20-12:13:41-64941': (null)
'/var/spool/abrt/ccpp-2019-11-20-12:16:12-2687' is not a problem directory
Can't delete '/var/spool/abrt/ccpp-2019-11-20-12:16:12-2687': (null)
'/var/spool/abrt/ccpp-2019-11-20-14:20:09-61612' is not a problem directory
Can't delete '/var/spool/abrt/ccpp-2019-11-20-14:20:09-61612': (null)
'/var/spool/abrt/ccpp-2019-11-20-15:12:03-55822' is not a problem directory
Can't delete '/var/spool/abrt/ccpp-2019-11-20-15:12:03-55822': (null)
```

and we can see that we get the folders as

```
find /var/spool/abrt/ -mindepth 1 -type d -print |more
/var/spool/abrt/ccpp-2019-11-20-12:13:41-64941
/var/spool/abrt/ccpp-2019-11-20-12:16:12-2687
/var/spool/abrt/ccpp-2019-11-20-14:20:09-61612
/var/spool/abrt/ccpp-2019-11-20-15:12:03-55822
/var/spool/abrt/ccpp-2019-11-20-18:37:25-2253
/var/spool/abrt/ccpp-2019-11-20-12:22:50-9886
/var/spool/abrt/ccpp-2019-11-20-13:01:41-46329
/var/spool/abrt/ccpp-2019-11-20-13:20:12-582
/var/spool/abrt/ccpp-2019-11-20-14:07:40-48870
/var/spool/abrt/ccpp-2019-11-20-15:15:23-59287
/var/spool/abrt/ccpp-2019-11-20-19:35:27-61003
/var/spool/abrt/ccpp-2019-11-20-11:22:29-12490
/var/spool/abrt/ccpp-2019-11-20-14:44:22-26098
/var/spool/abrt/ccpp-2019-11-20-17:57:35-24985
```
yael (13936 rep)
Dec 16, 2020, 12:38 PM • Last activity: Dec 16, 2020, 02:41 PM
0 votes
1 answers
374 views
set the router's static mac address via isc-dhcp-server
Is it possible to set an ip with its relative mac address so that the clients (during the DHCP request) in addition to receiving the various data, will also directly receive the mac address of the router in order to protect the device from an ARP Spoofing attack? Is it possible via **isc-dhcp-server** or is there anything else needed?
user377583
May 5, 2020, 02:35 PM • Last activity: May 5, 2020, 02:58 PM
4 votes
1 answers
1776 views
Publishing an ARP entry
I'm experimenting with a spoofed IP connection, as described in section 7 of this article (IP SPOOFING with BSD RAW SOCKETS INTERFACE). Indeed, when a SYN is sent with no regard for ARP, there's no response. One of the two solutions presented in the article (should be the simpler) is to add a static ARP entry to the client host. My host is configured as 10.1.1.10 and I want the spoofed IP address to be 10.1.1.20. To add the new entry, I ran:

```
# arp -i enp4s2 -Ds 10.1.1.20 enp4s2 pub
```

and when I run `arp -n`, it shows:

```
10.1.1.20 * * MP enp4s2
```

From the server, I tried to arping 10.1.1.20 and there is no reply from the client host (with the published ARP entry). Probably I didn't understand how ARP publishing works. Literature on the net seems to be very simplified on this matter. My distro is an OpenSuSE and the kernel version is 3.16.7-21-desktop #1 SMP PREEMPT.
user666412 (187 rep)
May 8, 2015, 09:51 PM • Last activity: Sep 17, 2019, 05:05 PM
1 votes
1 answers
2431 views
Slow internet connection after MAC address spoof
I'd like to ask a question about spoofing MAC addresses. I'm trying it out in my own wifi network just to see how it's done. I'm running ubuntu 16.04 LTS. Let's say my original MAC address is 00:22:ac:55:0b:02. Using ifconfig I do:

```
sudo ifconfig wlan0 down
sudo ifconfig wlan0 hw ether 00:22:ac:55:0b:01
sudo ifconfig wlan0 up
```

As you can see, I've only changed the last digit of my MAC address. If I now try to load a web page (in Firefox), I get a "server not found" error. After calling

```
sudo dhclient wlan0
```

I am able to load web pages but only very slowly. About half the time I still get the same "server not found error" as well, but by hitting f5 repeatedly it sometimes works. If I go back to my original MAC address, the first three commands are enough to get me connected, and I don't always even need to call dhclient. Needless to say, the internet is nice and fast with my original configuration. I'm curious about why, after spoofing my MAC address, I get a trickle of slow internet connection. I would have thought I would either have the same connection as before, or not be connected at all. Could someone wiser than me explain? Cheers
borizzzzz (321 rep)
Apr 15, 2019, 08:05 PM • Last activity: Apr 16, 2019, 05:49 AM
2 votes
2 answers
4787 views
How do I setup MAC spoofing in Fedora?
I would like to set up MAC spoofing in Fedora, similar to what Tails does to their Debian. Any idea how? Thanks
user131093
Feb 4, 2016, 05:39 PM • Last activity: Nov 7, 2018, 10:45 AM
-5 votes
1 answers
1975 views
DNS spoofing in Kali Linux
I'm trying to learn some stuff about DNS spoofing, but it didn't work well for me. Here's what I have done.

Step 1: turn my NIC into promisc mode using the following command

```
ifconfig wlan0 promisc
```

Step 2: make a hosts file for dnsspoof named `/usr/share/dsniff/dnsspoof.hosts` (this is suggested in the man page of dnsspoof). Here's what I typed inside the file

```
github.com 192.168.1.102
*.github.com 192.168.1.102
www.github.com 192.168.1.102
```

Step 3: run dnsspoof with the following command

```
dnsspoof -i wlan0 -f /usr/share/dsniff/dnsspoof.hosts
```

Then I get this output: (image from terminal)

Everything seems okay to me, but whenever I tried visiting github from my machine or another machine in my network, it didn't go to the given address 192.168.1.102
whatspoppin (101 rep)
Sep 8, 2018, 11:35 AM • Last activity: Sep 8, 2018, 01:54 PM
2 votes
2 answers
2158 views
Cannot connect to internet after changing MAC Address
I've been making a Bash script that changes your MAC Address to that of any manufacturer of your choice from a list. At the last part of the script that is run, it stops before finishing. Here is the code for that part:

```
function spoofUseMAC() {
    echo
    read -p "[*] $($stopAllFX; $bgBlack; $white)Enter the number code for manufacturer: >>> " num
    echo "[-] Generating MAC Address"
    num=$( expr $num - 1 )
    declare -a array
    while read -r; do
        array+=( "$REPLY" )
    done >> " iface
    $yellow; echo "[-] $iface selected !"
    $white; echo "[-] Disabling $iface ..."
    ifconfig $iface down
    ifconfig '$iface' hw ether '$macAddress'
    echo "[-] MAC Address spoofed !"
    sleep 1
    echo "[-] Enabling $iface ..."
    ifconfig '$iface' up
    echo "[-] $iface enabled !"
    echo "[-] Using address: $macAddress"
    exit
}

function spoofSearchAgainOrNot() {
    $bold; $white; echo
    echo "[*] $($stopAllFX; $bgBlack; $white)Please select an option from the list below:"
    $yellow; $bold; echo " [$($white)0$($yellow)] $($stopAllFX; $bgBlack; $white)Search again"
    $yellow; $bold; echo " [$($white)1$($yellow)] $($stopAllFX; $bgBlack; $white)Use one of these"
    read -p ">>> " searchAgainOrNot
    if [[ "$searchAgainOrNot" == "0" ]]; then
        spoofSearch
    elif [[ "$searchAgainOrNot" == "1" ]]; then
        spoofUseMAC
    else
        spoofSearchAgainOrNot
    fi
}

# Spoof, search option selected
function spoofSearch() {
    $bold; echo
    read -p "[*] $($stopAllFX; $bgBlack; $white)Search for a manufacturer: >>> " search
    $blue; awk -F '#' '{printf("%10d %s\n", NR, ":" $1 )}' /usr/bin/oui.txt | grep -i $search
    spoofSearchAgainOrNot
}

# Spoof
function spoof() {
    echo; $white
    echo "[*] $($stopAllFX; $bgBlack; $white)Please select an option from the list below:"
    $yellow; $bold; echo " [$($white)0$($yellow)] $($stopAllFX; $bgBlack; $white)Search for a manufacturer"
    $yellow; $bold; echo " [$($white)1$($yellow)] $($stopAllFX; $bgBlack; $white)Browse for a manufacturer through $($bold)long $($stopAllFX; $bgBlack; $white)list"
    read -p ">>> " searchOrBrowse
    if [[ $searchOrBrowse == "0" ]]; then
        spoofSearch
    elif [[ $searchOrBrowse == "1" ]]; then
        spoofBrowse
    else
        spoof
    fi
}
```

Why can't I use the internet (git clone says could not resolve hostname: github.com) after running this script? And why is it not finishing?

EDIT: This is supposed to work on MacOS and Linux. On MacOS, there is no `ip route` command, but in Linux, `ip route` results in:

```
192.168.0.0/24 dev wlp1s0 proto kernel scope link src 192.168.0.18
192.168.0.0/24 dev wlp1s0 proto kernel scope link src 192.168.0.18 metric 600
```
anonymous (253 rep)
May 20, 2017, 12:18 AM • Last activity: Mar 1, 2018, 01:08 PM
0 votes
3 answers
3413 views
NGINX Redirect to Domain Name spoofed locally with DNSMasq
I have a Linux VPS serving data on the internet that has a legitimate Domain name and SSL Certificate (from GoDaddy.com). I will refer to this server as "**www.myserver.com**". I also have a local Linux machine (on my own LAN) that I want to use to DNS spoof my internet facing Domain name (www.myserver.com) to its own NGINX webserver running on that local machine. I set up DNSMasq on the local machine to spoof that domain to its local 192.x address and I verified from another machine on the LAN that dig reports the local address.

Local server dnsmasq spoof mapping:

```
cat /etc/dnsmasq.d/spoof.hosts
192.168.1.142 www.myserver.com myserver.com
```

Separate machine on LAN shows that spoofed mapping should work:

```
dig +short @192.168.1.142 myserver.com
>> 192.168.1.142
```

My dnsmasq.conf:

```
server=127.0.0.1
listen-address=127.0.0.1
listen-address=192.168.1.142
no-dhcp-interface=
no-hosts
addn-hosts=/etc/dnsmasq.d/spoof.hosts
```

My spoof.hosts:

```
192.168.1.142 www.myserver.com myserver.com
```

On the local server, I configured NGINX with resolver to look to localhost for DNS as shown here:

```
http {
    access_log off;
    include mime.types;
    default_type html;
    sendfile on;
    keepalive_requests 50;
    keepalive_timeout 75s;
    reset_timedout_connection on;
    server_tokens off;

    server {
        listen 8080 default_server;
        resolver 127.0.0.1 valid=10s;
        location / {
            return 302 http://myserver.com/ ;
        }
    }

    server {
        listen 80;
        server_name *.myserver.com;
        # Various Endpoints
    }
}
```

The problem is that when I visit my local machine 192.168.1.131:8080, it redirects to my **actual** internet facing machine - the **real** domain name on the internet. I want it to redirect to the local spoofed DNS. What am I doing wrong? How can I accomplish this? Thank you.

UPDATE: I've tried this as well but no luck:

```
http {
    access_log off;
    include mime.types;
    default_type html;
    sendfile on;
    keepalive_requests 50;
    keepalive_timeout 75s;
    reset_timedout_connection on;
    server_tokens off;

    server {
        listen 80 default_server;
        server_name _;
        resolver 127.0.0.1;
        return 301 https://myserver.com/$request_uri ;
    }

    server {
        listen 443;
        server_name *.myserver.com;
        ssl on;
        ssl_certificate /etc/nginx/ssl/1e17e6d8f94cc4ee.crt;
        ssl_certificate_key /etc/nginx/ssl/example.com.key;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
        ...
    }
}
```
PhilBot (101 rep)
Feb 1, 2018, 01:34 PM • Last activity: Feb 12, 2018, 11:08 AM
5 votes
1 answers
4466 views
eth0 is proxy-arping, but /proc/sys/net/ipv4/conf/eth0/proxy_arp is 0
I'm scratching my head about this question... I have a debian squeeze machine that is connected to an internal lab network. We have a lot of machines that have default proxy-arp configurations on them, and occasionally one of those machines starts hijacking a lot of lab addresses. After resolving the latest Proxy-ARP incident which brought down most of our lab, I found a few residual entries like this in `/var/log/syslog` (below). For those not accustomed to reading arpwatch logs, the machine that owns 00:11:43:d2:68:65 is fighting with 192.168.12.102 and 192.168.12.103 about who owns those addresses.

```
Sep 13 14:25:27 netwiki arpwatch: flip flop 192.168.12.103 00:11:43:d2:68:65 (84:2b:2b:4b:71:b4) eth0
Sep 13 14:26:24 netwiki arpwatch: flip flop 192.168.12.103 84:2b:2b:4b:71:b4 (00:11:43:d2:68:65) eth0
Sep 13 14:29:03 netwiki arpwatch: flip flop 192.168.12.102 00:26:b9:4e:d3:71 (00:11:43:d2:68:65) eth0
Sep 13 14:29:03 netwiki arpwatch: flip flop 192.168.12.102 00:11:43:d2:68:65 (00:26:b9:4e:d3:71) eth0
```

The very alarming thing is that 00:11:43:d2:68:65 belongs to the same machine I was running arpwatch on... First, I validated that `/proc/sys/net/ipv4/conf/eth0/proxy_arp` is 0. Next, I used tshark to validate that my machine really is spoofing ARPs to others...

```
[mpenning@netwiki ~]$ ip addr show eth0
2: eth0: mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:11:43:d2:68:65 brd ff:ff:ff:ff:ff:ff
    inet 192.168.12.239/24 brd 192.168.12.255 scope global eth0
    inet6 fe80::211:43ff:fed2:6865/64 scope link
       valid_lft forever preferred_lft forever
[mpenning@netwiki ~]$
[mpenning@netwiki ~]$ arp -an
? (192.168.12.46) at 00:15:c5:f5:81:9d [ether] on eth0
? (192.168.12.236) at 00:1e:c9:cd:46:c8 [ether] on eth0
? (10.211.180.1) at 00:1e:49:11:fe:47 [ether] on eth1
? (192.168.12.20) at f0:4d:a2:02:81:66 [ether] on eth0
[mpenning@netwiki ~]$ cat /proc/sys/net/ipv4/conf/eth0/proxy_arp
0
[mpenning@netwiki ~]$ sudo tshark -i eth0 arp and ether src 00:11:43:d2:68:65
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
0.000000 Dell_d2:68:65 -> Dell_02:81:66 ARP 192.168.12.102 is at 00:11:43:d2:68:65
84.954989 Dell_d2:68:65 -> Dell_f5:81:9d ARP 192.168.12.103 is at 00:11:43:d2:68:65
[mpenning@netwiki ~]$ uname -a
Linux netwiki 2.6.32-5-amd64 #1 SMP Tue Jun 14 09:42:28 UTC 2011 x86_64 GNU/Linux
[mpenning@netwiki ~]$
```

The facts are undeniable. I have a debian box that is spoofing ARPs and I have no idea why. I am the only user on this machine, I run fail2ban to prevent brute-force attacks, and it's on an internal lab network behind a door that requires a badge for entry; I highly doubt it has been hacked. Three questions...

1. First, is there any cause I may have missed? What steps should I use to isolate whether this is an application or kernel problem?
2. If this is a kernel bug, which mailing-list should I report it on? FYI, the normal [kernel.org bug reporting tool](http://www.kernel.org/pub/linux/docs/lkml/reporting-bugs.html) seems to be down right now.
3. Is there anything I can do to solve the problem other than waiting for a patch?
Mike Pennington (2521 rep)
Sep 13, 2011, 07:48 PM • Last activity: Sep 2, 2017, 01:28 PM
Showing page 1 of 20 total questions