milw0rm posts instructions on circumventing MT Hotspot.

http://www.milw0rm.com/video/watch.php?id=102

Basically, it’s a ‘find logged in users and then clone their IP/MAC’ hack.

2.9.27…
Nice hack btw…
Is this hack working on a supported 3.x version?
There’s the “Addresses per MAC” config too.

It’s the oldest trick in the book! Taking over someone’s MAC address is possible on every walled garden/captive portal setup out there, unless you isolate each client… Since I never worked with the wireless part of MT, I don’t know if that can be done, but my point is that this is not a very great hack, and it’s not at all MikroTik specific.

I tried to reply this but couldn’t get it working… :confused:

The hack is working on 3.26 for me.

What I’d like to see is the “Cookie” tied to the user’s identity along with MAC address and IP address. This way, you could clone the MAC but you’d also have to have the cookie on the client browser. Or a better way would be a session cookie (cookie on server-side).

This is a widely known hole that works on lots of hotspots, but I’m glad it’s been made more public so that Mikrotik will take some extra precautions.

But doesn’t this assume that all net access will be through the browser. When I use a hotspot, I use the browser to open the session and then everything else I do is done over SSH or PPTP. In this instance, cookies on the browser are pointless - if somebody clones my MAC/IP after I’ve closed the browser window, how does a cookie help?

As an aside, the user in the video is using a tool called ‘NetCut’. Looks interesting (in an “I’d like to play with this to see how people cause havoc with it” way), but I can’t seem to find a download source. Any ideas?

These are not the droids you are looking for…
30 seconds of googling told me that if you specify default-forwarding=no on your wireless interface, this “hack” is stopped for good, as the clients won’t be able to see each other…
So move along, nothing to see.
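To make the setting concrete, here is a RouterOS CLI fragment (an added example, not code from the post or from MikroTik) showing the permissive default beside the isolated configuration, plus the “Addresses per MAC” limit mentioned earlier in the thread. The interface name wlan1, the hotspot name hotspot1 and the MAC address in the access-list entry are assumptions; substitute your own.

```routeros
# Added example (not from the thread). wlan1, hotspot1 and the MAC
# address below are assumed names/values; replace them with your own.

# Weak: the AP forwards frames between its own clients (RouterOS default),
# so anyone on the WLAN can ARP-scan it, see who is logged in and copy
# that client's IP/MAC.
/interface wireless set wlan1 default-forwarding=yes

# Hardened: stop client-to-client forwarding on the AP. Clients still reach
# the router (and the Internet through the hotspot) but no longer see each
# other's frames, so there is no live MAC/IP to clone.
/interface wireless set wlan1 default-forwarding=no

# Per-client exception (e.g. a printer that must stay reachable): an
# access-list entry overrides default-forwarding for the matching MAC.
/interface wireless access-list add interface=wlan1 mac-address=00:0C:42:00:00:01 forwarding=yes

# Limit how many IP addresses the hotspot accepts behind one MAC
# (the "Addresses per MAC" setting; the default is 2).
/ip hotspot set hotspot1 addresses-per-mac=1

# Check: which users are authenticated on which IP/MAC, and which wireless
# clients the AP currently sees.
/ip hotspot active print
/interface wireless registration-table print
```

One caveat: default-forwarding=no only isolates clients of that one wireless interface. Clients on a second AP or on Ethernet ports bridged into the same hotspot segment can still reach each other, so the isolation has to be enforced at every edge of the segment, not just on one radio. addresses-per-mac limits how many IPs one MAC may hold; it does not by itself prevent a cloned MAC from reusing the victim’s address.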

Yeah that’s true. I guess I was in the mindset of web hotspot ↔ web cookie rather than general internet access.

Of course, this is the administrator’s problem. Don’t allow users to communicate with each other, and they will never get others’ MAC addresses.

So if you turn off “default forwarding” on a wireless interface and two client computers have the same MAC address and IP (because DHCP would’ve given them the same one), they can’t steal the user credentials of each other? If so, this is a great feature!

Just making sure I understand.

Well, not really, but with default forwarding, you won’t be able to see the other clients, and thus not be able to find any mac or IP addresses of any other clients.