Now that you understand IP addressing at Layer 3, we drop down to Layer 2, the Data Link layer, where Ethernet and MAC addresses operate. This is the layer that governs how devices communicate on the same local network segment, and it is one of the most fertile grounds for offensive attacks like ARP spoofing, MAC flooding, and VLAN hopping.
A MAC (Media Access Control) address is a 48-bit (6-byte) hardware identifier assigned to every network interface. It is typically written in hexadecimal, separated by colons or hyphens (e.g., 00:1A:2B:3C:4D:5E). The first 3 bytes are the Organizationally Unique Identifier (OUI), which identifies the manufacturer. The last 3 bytes are device-specific.
💡 You can look up the OUI (first 3 bytes) at https://macvendors.com to identify the manufacturer of a network device. This is useful during reconnaissance to fingerprint network hardware.
At Layer 2, data is encapsulated into Ethernet frames. Each frame contains a destination MAC address, a source MAC address, an EtherType field indicating the payload protocol (0x0800 for IPv4, 0x0806 for ARP, 0x86DD for IPv6, 0x8100 for an 802.1Q VLAN tag), the payload itself (46 to 1500 bytes, padded up to the minimum if needed), and a 4-byte Frame Check Sequence (FCS), a CRC-32 used for error detection.
Ethernet Frame Structure:

```text
┌───────────────────┬───────────────────┬───────────┬───────────┬──────┐
│ Dest MAC (6B)     │ Src MAC (6B)      │ Type (2B) │ Payload   │ FCS  │
│ ff:ff:ff:ff:ff:ff │ 00:1a:2b:3c:4d:5e │ 0x0800    │ 46-1500B  │ 4B   │
└───────────────────┴───────────────────┴───────────┴───────────┴──────┘
```

Broadcast frame: destination ff:ff:ff:ff:ff:ff (delivered to every device on the segment).

Network switches operate at Layer 2 and maintain a MAC address table (also called a CAM table) that maps MAC addresses to physical ports. The switch learns this table passively: each frame's source MAC is recorded against the port it arrived on. When a frame arrives, the switch looks up the destination MAC and forwards the frame only to the appropriate port; a destination it has not learned yet (unknown unicast) or a broadcast is flooded out every other port. This is more efficient than hubs, which repeat every frame to every port.
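The following is an added example, not code from the original page: a small Ethernet II frame builder and parser that pulls out the fields in the diagram above, unwraps a single 802.1Q tag when the EtherType is 0x8100, verifies the FCS, and classifies each MAC (OUI, broadcast, multicast, and the locally-administered bit that often betrays a spoofed or randomised address). The frames are constructed in the block, not captured traffic; the FCS byte order follows the wire convention (least-significant byte first), which is an assumption you should check against a real capture if you reuse this on pcap data.

```python
import struct
import zlib

# EtherType values a Layer 2 parser sees most often.
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6", 0x8100: "802.1Q VLAN"}
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_to_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def classify_mac(mac: str) -> dict:
    """OUI plus the two flag bits in the first octet that matter during analysis."""
    octets = mac.lower().split(":")
    first = int(octets[0], 16)
    return {
        "oui": ":".join(octets[:3]),                 # vendor prefix, look it up at macvendors.com
        "broadcast": mac.lower() == BROADCAST,
        "multicast": bool(first & 0x01),             # I/G bit set: group address
        "locally_administered": bool(first & 0x02),  # U/L bit set: not vendor-burned, often spoofed
    }


def build_frame(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    """Assemble an Ethernet II frame: pad the payload to 46 bytes and append the FCS."""
    header = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    header += struct.pack("!H", ethertype)
    body = header + payload.ljust(46, b"\x00")
    # FCS: CRC-32 over header + payload, least-significant byte first (assumed wire order).
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def parse_frame(frame: bytes) -> dict:
    """Split a frame into its fields, unwrap one 802.1Q tag if present, verify the FCS."""
    if len(frame) < 64:
        raise ValueError(f"runt frame: {len(frame)} bytes")
    dst, src = mac_to_str(frame[0:6]), mac_to_str(frame[6:12])
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset, vlan_id = 14, None
    if ethertype == 0x8100:                          # VLAN tag: TCI then the real EtherType
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id, offset = tci & 0x0FFF, 18
    fcs_ok = struct.unpack("<I", frame[-4:])[0] == (zlib.crc32(frame[:-4]) & 0xFFFFFFFF)
    return {
        "dst": dst, "src": src,
        "dst_info": classify_mac(dst), "src_info": classify_mac(src),
        "vlan_id": vlan_id,
        "ethertype": ethertype,
        "ethertype_name": ETHERTYPES.get(ethertype, f"unknown 0x{ethertype:04x}"),
        "payload": frame[offset:-4],
        "fcs_ok": fcs_ok,
    }


if __name__ == "__main__":
    # Constructed sample frames, not captured traffic.
    bcast = build_frame(BROADCAST, "00:1a:2b:3c:4d:5e", 0x0806, b"\x00\x01\x08\x00")
    tagged = build_frame("00:1a:2b:3c:4d:5e", "02:42:ac:11:00:02", 0x8100,
                         struct.pack("!HH", 100, 0x0800) + b"ip packet")
    for f in (bcast, tagged):
        p = parse_frame(f)
        print(p["src"], "->", p["dst"], p["ethertype_name"],
              "vlan", p["vlan_id"], "fcs_ok", p["fcs_ok"], "src flags", p["src_info"])
```

Note that the tagged frame's source, 02:42:ac:11:00:02, has the U/L bit set: that is the kind of address a randomised or software-assigned MAC produces, and it is a cheap signal to alert on in a network that should only contain vendor-assigned hardware.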
However, switches have a weakness: the CAM table is finite. If an attacker sends a stream of frames with thousands of random source MAC addresses, the table fills, legitimate entries are evicted or can no longer be re-learned, and the switch falls back to flooding frames for unknown destinations out every port, behaving like a hub. This is called MAC flooding, and it lets an attacker on the same segment sniff unicast traffic between other hosts.
⚠️ MAC flooding only works where port security is not configured. Port security caps the number of MAC addresses a port may learn and shuts the port down (err-disable) or drops the excess when the cap is exceeded, which stops the attack outright. Dynamic ARP Inspection (DAI) and 802.1X address different problems: DAI validates ARP replies against DHCP snooping bindings to stop ARP spoofing, and 802.1X controls which devices may attach to a port at all. Always test in your lab first.
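As an added example (not from the original page), the toy learning switch below models the behaviour described above: a bounded CAM table that evicts its oldest entry when full (a simplification of real ageing and hash-bucket behaviour), an attacker on port 3 sending frames with random source MACs the way macof does, and an optional per-port learning limit standing in for port security. The hosts, ports and the table size of 16 are constructed for the scenario.

```python
import random
from collections import OrderedDict

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    """Toy learning switch: bounded CAM table with oldest-entry eviction and
    optional port security that err-disables a port learning too many addresses."""

    def __init__(self, ports, cam_size=16, max_macs_per_port=None):
        self.ports = list(ports)
        self.cam = OrderedDict()            # mac -> port, oldest entry first
        self.cam_size = cam_size
        self.max_macs_per_port = max_macs_per_port
        self.errdisabled = set()

    def _learn(self, mac, port):
        if mac in self.cam:
            self.cam.move_to_end(mac)       # refresh: most recently seen
            self.cam[mac] = port
            return
        if self.max_macs_per_port is not None:
            seen_on_port = sum(1 for p in self.cam.values() if p == port)
            if seen_on_port >= self.max_macs_per_port:
                self.errdisabled.add(port)  # port-security violation: shut the port
                return
        if len(self.cam) >= self.cam_size:
            self.cam.popitem(last=False)    # table full: evict the oldest entry
        self.cam[mac] = port

    def forward(self, src, dst, in_port):
        """Return the list of egress ports for a frame arriving on in_port."""
        if in_port in self.errdisabled:
            return []
        self._learn(src, in_port)
        if dst != BROADCAST and dst in self.cam:
            return [self.cam[dst]]                       # known unicast: one port only
        return [p for p in self.ports if p != in_port]   # unknown unicast / broadcast: flood


def random_mac(rng):
    return "00:" + ":".join(f"{rng.randrange(256):02x}" for _ in range(5))


def mac_flood_demo(max_macs_per_port=None, attack_frames=2000, seed=1):
    """Constructed scenario: server on port 1, victim on port 2, attacker on port 3."""
    sw = Switch(ports=[1, 2, 3], cam_size=16, max_macs_per_port=max_macs_per_port)
    server, victim = "00:1a:2b:3c:4d:5e", "00:1a:2b:3c:4d:5f"
    sw.forward(server, victim, in_port=1)
    sw.forward(victim, server, in_port=2)
    before = sw.forward(server, victim, in_port=1)      # normal operation: [2]

    rng = random.Random(seed)
    for _ in range(attack_frames):                      # macof in miniature
        sw.forward(random_mac(rng), random_mac(rng), in_port=3)

    after = sw.forward(server, victim, in_port=1)       # where does server->victim go now?
    return {"before": before, "after": after, "errdisabled": sorted(sw.errdisabled)}


if __name__ == "__main__":
    print("no port security   :", mac_flood_demo())
    print("port security max 2:", mac_flood_demo(max_macs_per_port=2))
```

Without port security the server-to-victim frame ends up on ports 2 and 3, so the attacker sees it; with a limit of two addresses per port the attacker's port is err-disabled after its third source MAC and the frame still goes only to port 2.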
MAC addresses can be changed in software, a technique called MAC spoofing. Attackers use it to bypass MAC-based access controls (MAC filtering on Wi-Fi, captive portals, MAC-based ACLs), impersonate other devices, or evade detection. On Linux no special tooling is needed: the address is set with ip link (or the older ifconfig) on an interface that has been brought down, and the only constraint the kernel enforces is that the new address is a non-zero unicast MAC.
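The helper below is an added example, not code from the original page. It generates a locally-administered unicast MAC (U/L bit set, I/G bit clear, which is what randomised addresses look like and why they are worth alerting on), validates a caller-supplied address the way the kernel will, and runs the real iproute2 sequence `ip link set dev <iface> down` / `address <mac>` / `up`. It defaults to a dry run that only prints the commands; the interface name eth0 is an assumption, and the live path needs root.

```python
import random
import re
import subprocess

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def is_valid_unicast_mac(mac: str) -> bool:
    """Linux refuses a multicast or all-zero address for an interface; reject
    those before calling ip link instead of getting EADDRNOTAVAIL back."""
    mac = mac.lower()
    if not MAC_RE.match(mac):
        return False
    first = int(mac[:2], 16)
    return not (first & 0x01) and mac != "00:00:00:00:00:00"


def random_local_mac(seed=None) -> str:
    """Random address with the U/L bit set (locally administered) and I/G clear (unicast)."""
    rng = random.Random(seed)
    first = (rng.randrange(256) | 0x02) & 0xFE
    return ":".join(f"{b:02x}" for b in [first] + [rng.randrange(256) for _ in range(5)])


def spoof_commands(iface: str, mac: str) -> list:
    """The iproute2 sequence: bring the link down, set the address, bring it up."""
    mac = mac.lower()
    if not is_valid_unicast_mac(mac):
        raise ValueError(f"not a usable unicast MAC: {mac}")
    return [
        ["ip", "link", "set", "dev", iface, "down"],
        ["ip", "link", "set", "dev", iface, "address", mac],
        ["ip", "link", "set", "dev", iface, "up"],
    ]


def spoof(iface: str, mac: str, dry_run: bool = True) -> list:
    """Apply (or, by default, just print) the MAC change. Live mode needs CAP_NET_ADMIN."""
    cmds = spoof_commands(iface, mac)
    for cmd in cmds:
        if dry_run:
            print("#", " ".join(cmd))
        else:
            subprocess.run(cmd, check=True)
    return cmds


if __name__ == "__main__":
    spoof("eth0", random_local_mac())            # evade: random locally-administered address
    spoof("eth0", "00:1a:2b:3c:4d:5e")           # impersonate: clone a permitted device's MAC
```

Cloning a permitted device's address is the variant that defeats MAC filtering; note that if that device is still on the segment, the switch's CAM table will flap between two ports for the same MAC, which is itself a detectable signal.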
| Attack | Target | Tool | Mitigation |
|---|---|---|---|
| MAC Flooding | Switch CAM table | macof (dsniff) | Port security, CAM table limits |
| ARP Spoofing | ARP cache | arpspoof, bettercap | Dynamic ARP Inspection (DAI) |
| VLAN Hopping | 802.1Q trunking | yersinia | Disable DTP, hardcode access and trunk ports, use an unused native VLAN on trunks |
| STP Manipulation | Spanning Tree Protocol | yersinia | BPDU Guard, Root Guard |
| MAC Spoofing | MAC-based ACLs | ip link, ifconfig, macchanger | 802.1X authentication, port security |