How to spoof a MAC address

MAC address filtering for wireless networking isn't real "security". Anyone who pays any attention to current trends in wireless security at all should know that MAC filtering is less effective than WEP -- and that WEP can be cracked almost instantly these days with commonly available tools.

This doesn't mean MAC filtering is useless. Its resource consumption is almost unmeasurable, and even if it doesn't keep out any reasonably knowledgeable security crackers willing to spend a few moments gaining access, it does keep out a lot of automated opportunistic attacks that are aiming solely for the absolute lowest-hanging fruit on the security tree. Since that lowest-hanging fruit consists of the majority of wireless access points, MAC filtering can be of value as a way of turning away the majority of opportunistic attackers.

Don't rely on MAC filtering alone, however. Please, just don't. It's a bad idea. People seem to think "Oh, well, sure a determined attacker can get past it, but not anyone else." It doesn't take much determination at all to spoof a MAC address. In fact, I'll tell you how:

  1. "Listen" in on network traffic. Pick out the MAC address. This can be done with a plethora of freely available security tools, including Nmap.
  2. Change your MAC address.

You can spoof a MAC address when using Nmap with nothing more than a --spoof-mac command line option for Nmap itself to hide the true source of Nmap probes. If you give it a MAC address argument of "0", it will even generate a random MAC address for you.

For more general MAC address spoofing, your MAC address is trivially reset with tools available in default installs of most operating systems. Here are some examples (note that the address you set must be a unicast address, meaning the low bit of the first octet is clear, which is why the examples use 02 rather than 03; 02 also has the locally administered bit set, which is the conventional marker for a software-assigned address):

  • Linux: ifconfig eth0 hw ether 02:a0:04:d3:00:11
  • FreeBSD: ifconfig bge0 link 02:a0:04:d3:00:11
  • MS Windows: On Microsoft Windows systems, the MAC address is stored in a registry key. The location of that key varies from one MS Windows version to the next, but find that and you can just edit it yourself. There are, of course, numerous free utilities you can download to make this change for you as well (such as Macshift for MS Windows XP).

All of these techniques can of course be automated by self-propagating malware, and the creation of the malware can even be automated to some extent by existing malware creation "kits". If that doesn't convince you that MAC filtering does not provide real security, I don't know what will.
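The defender's side of the list above, as an added example (this is not code from the original article): a short Python script that parses DHCP-style log lines and flags the traces that the methods above tend to leave. It checks the two low bits of a MAC's first octet (the locally administered bit, which ifconfig, the Windows "Network Address" property and --spoof-mac set unless the operator deliberately picks a vendor-style prefix, and the multicast bit, which is never valid in a station's own address), and it reports a MAC that turns up on a second IP within a short window, which is what a duplicate of a live station's address looks like from the log side. The "<epoch> <ip> <mac>" log format, the sample lines and the 60-second window are assumptions made for the demo.

```python
"""Flag MAC-address anomalies in DHCP/ARP-style log lines.

Added example, not part of the original article. The "<epoch> <ip> <mac>"
log format and the sample lines below are constructed for this demo; adapt
LINE_RE to the DHCP server or switch logs you actually have.
"""
import re
from collections import defaultdict

# Constructed sample log: one lease/ARP observation per line (not real data).
SAMPLE_LOG = """\
1700000000 192.168.1.20 00:1a:2b:3c:4d:5e
1700000005 192.168.1.21 00:1a:2b:3c:4d:5f
1700000010 192.168.1.22 02:a0:04:d3:00:11
1700000020 192.168.1.23 00:1a:2b:3c:4d:5e
1700000030 192.168.1.24 03:a0:04:d3:00:11
"""

LINE_RE = re.compile(
    r"^(\d+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})$",
    re.IGNORECASE,
)


def first_octet(mac: str) -> int:
    return int(mac.split(":")[0], 16)


def is_locally_administered(mac: str) -> bool:
    # U/L bit = bit 1 of the first octet. Set means the address was assigned
    # by software (ifconfig ... hw ether, the Windows LAA property, --spoof-mac)
    # rather than burned in by the NIC vendor.
    return bool(first_octet(mac) & 0x02)


def is_multicast(mac: str) -> bool:
    # I/G bit = bit 0 of the first octet. A group address can never be a
    # station's own address; drivers normally refuse to set one.
    return bool(first_octet(mac) & 0x01)


def parse_log(text: str):
    """Return (timestamp, ip, mac) tuples; lines that don't match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3).lower()))
    return entries


def find_anomalies(entries, window: int = 60):
    """Return (timestamp, mac, reason) findings.

    window: seconds within which the same MAC appearing on two different IPs
    is reported as a duplicate (assumed value; tune to your lease times).
    """
    findings = []
    last_seen = defaultdict(dict)  # mac -> {ip: last timestamp it was seen on}
    for ts, ip, mac in entries:
        if is_multicast(mac):
            findings.append((ts, mac, "multicast bit set in station address"))
        elif is_locally_administered(mac):
            findings.append((ts, mac, "locally administered address"))
        for other_ip, other_ts in last_seen[mac].items():
            if other_ip != ip and ts - other_ts <= window:
                findings.append(
                    (ts, mac, f"duplicate: also {other_ip} {ts - other_ts}s earlier")
                )
        last_seen[mac][ip] = ts
    return findings


if __name__ == "__main__":
    for ts, mac, reason in find_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{ts} {mac} {reason}")
```

On the constructed sample this reports three lines: the 02:... address as locally administered, 00:1a:2b:3c:4d:5e as a duplicate because it appears on a second IP 20 seconds after the first, and the 03:... address because its multicast bit is set. The locally administered bit is only a hint (some virtualisation and privacy features set it legitimately), so treat it as a triage signal rather than proof, and feed the script whatever association log your access point or DHCP server actually produces.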

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

65 comments
techieindeed

People may think that apple products are really safe and secure, to an extent they are. Having your MAC address stolen is not good news for any MAC user. The trends in hacking and stealing information are changing wildly. Even the little kids of today know a thing or two about hacking. Companies should provide additional tools that along with filtering make the task of keeping the data more secure.

Tony Hopkinson

Is there a legitimate use for MAC address spoofing? Not pointing fingers, I'm not enough of an admin to know, that's all.

castrol

I really don't get how this information can actually find ways into the cyberspace. It is like posting always the same things every 6 months. People know that MAC addresses can be spoofed, and the web is full of HOWTOs about MAC. One more thing: although you change the MAC address on a Windows box with regedit, I think most of the novice users would like to know that it can be changed also using the GUI of NIC properties in Connections. Click Configure on the adapter and in the Advanced tab one of the properties will be LAA (Locally Administered Address). Changing this will change the MAC address in Windows, until blanked.

signalgk

Is anyone aware of anything that would allow you to read the WEP without forcing a reboot of the router or having the WEP already installed? To explain, I work primarily with charities whose systems are often created by volunteers who after a few months move on often without leaving any form of documentation - we've had a few cases where wireless systems have been encrypted but the only computers with an installed key belong to laptops that only come in occasionally so there is nothing to leech the WEP setting off and we can't just reset the router because it would then cause problems when the systems come in. At present we need to wait (sometimes weeks) until someone 'remembers' to bring their laptop in so we can get the key off it before we can then set up the machine we were called in to set up... A scanner of some sort would allow us to resolve these problems in a single visit. BTW we use wirelessmon on a laptop to read the mac. Thanks in advance for any assistance.

TheGooch1

It's super easy in XP: you can find the network adapter properties either using Device Manager, or by going to the connection properties and selecting the "Configure" button next to the adapter. Once in the adapter properties screen, click "Advanced" and select "Network Address" (MAC address). Now select "Custom" and enter whatever address you would like, after storing the original somewhere for future use.

elegantbasura

Perhaps the obvious/easy way to find the reg entry is to first determine the original MAC (ipconfig /all) and then do a search for that value.

Michael Kassner

I totally agree with your assessment of MAC addr filtering. But, you have not addressed what I consider a very important point. If you are going to spoof a MAC addr, you have two choices. You either wait until that MAC addr is not being used or you have to instigate a Man in the Middle attack to remove that MAC addr from use. Otherwise the MAC addr spoof is not applicable. This simple yet important concept is typically forgotten in this type of discussion.