
How to spoof a MAC address


MAC address filtering for wireless networking isn't real "security". Anyone who pays any attention to current trends in wireless security at all should know that MAC filtering is less effective than WEP -- and that WEP can be cracked almost instantly these days with commonly available tools.

This doesn't mean MAC filtering is useless. Its resource consumption is almost unmeasurable, and even if it doesn't keep out any reasonably knowledgeable security crackers willing to spend a few moments gaining access, it does keep out a lot of automated opportunistic attacks that are aiming solely for the absolute lowest-hanging fruit on the security tree. Since that lowest-hanging fruit consists of the majority of wireless access points, MAC filtering can be of value as a way of turning away the majority of opportunistic attackers.

Don't rely on MAC filtering alone, however. Please, just don't. It's a bad idea. People seem to think "Oh, well, sure a determined attacker can get past it, but not anyone else." It doesn't take much determination at all to spoof a MAC address. In fact, I'll tell you how:

  1. "Listen" in on network traffic and pick out the MAC address of a client the network already accepts. This can be done with a plethora of freely available security tools, including Nmap.
  2. Change your own MAC address to match it.

When using Nmap, nothing more than the --spoof-mac command line option is needed to hide the true source of Nmap's probes. If you give it a MAC address argument of "0", it will even generate a random MAC address for you.

For more general MAC address spoofing, your MAC address is trivially changed with tools available in the default installs of most operating systems. Here are some examples:

  • Linux: ifconfig eth0 hw ether 03:a0:04:d3:00:11
  • FreeBSD: ifconfig bge0 link 03:a0:04:d3:00:11
  • MS Windows: On Microsoft Windows systems, the MAC address is stored in a registry key. The location of that key varies from one MS Windows version to the next, but find it and you can just edit it yourself. There are, of course, numerous free utilities you can download to make this change for you as well (such as Macshift for MS Windows XP).

All of these techniques can of course be automated by self-propagating malware, and the creation of the malware can even be automated to some extent by existing malware creation "kits". If that doesn't convince you that MAC filtering does not provide real security, I don't know what will.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

63 comments
Tony Hopkinson

Is there a legitimate use for MAC address spoofing? Not pointing fingers, I'm not enough of an admin to know, that's all.

castrol

I really don't get how this information can actually find ways into cyberspace. It is like posting the same things every 6 months. People know that MAC addresses can be spoofed, and the web is full of HOWTOs about MAC. One more thing: although you can change the MAC address on a Windows box with regedit, I think most novice users would like to know that it can also be changed using the GUI of the NIC properties in Connections. Click Configure on the adapter, and in the Advanced tab one of the properties will be LAA (Locally Administered Address). Changing this will change the MAC address in Windows, until blanked.

signalgk

Is anyone aware of anything that would allow you to read the WEP without forcing a reboot of the router or having the WEP already installed? To explain, I work primarily with charities whose systems are often created by volunteers who after a few months move on often without leaving any form of documentation - we've had a few cases where wireless systems have been encrypted but the only computers with an installed key belong to laptops that only come in occasionally so there is nothing to leech the WEP setting off and we can't just reset the router because it would then cause problems when the systems come in. At present we need to wait (sometimes weeks) until someone 'remembers' to bring their laptop in so we can get the key off it before we can then set up the machine we were called in to set up... A scanner of some sort would allow us to resolve these problems in a single visit. BTW we use wirelessmon on a laptop to read the mac. Thanks in advance for any assistance.

TheGooch1

It's super easy in XP. You can find the network adapter properties either using Device Manager, or by going to the connection properties and selecting the "Configure" button next to the adapter. Once in the adapter properties screen, click "Advanced" and select "Network Address" (MAC address). Now select "Custom" and enter whatever address you would like, after storing the original somewhere for future use.

elegantbasura

Perhaps the obvious/easy way to find the reg entry is to first determine the original MAC (ipconfig /all) and then do a search for that value.

Neon Samurai

Well, legitimate depending on your ISP's service agreement. A lot of routers allow you to set the MAC they present to the cable/DSL modem. This lets you spoof the MAC of your workstation if your ISP uses MAC filtering. There are also cases where a NIC is replaced, or some similar change, that would require you to manually set the MAC back to what the cable/DSL modem recognizes. This is an older example from when the normal setup was one computer/IP on the customer side of the high-speed modem.

Tony Hopkinson

Spoof one of your own MACs and see if you can detect that it's been done. This suggests to me that the intrusion detection and combat techniques are either low quality or highly expensive.

Neon Samurai

It sounds far-fetched, but aside from the above pentesting, there may be cases where a tech needs to use their machine to fully test the connection of another network client. Borrowing the MAC along with the IP would essentially make the test client a duplicate of the actual client machine as far as the network is concerned. It's not an everyday thing, but it is a legitimate use. Granted, anyone changing their MAC on your network probably needs a much closer look, unless you remember signing a contract for a pentest.

Penguin_me

Well, the first example I can think of is penetration testing (i.e. trying to break into a network / system - normally your own, or in the case of professionals, one you're being paid to break into) to identify and exploit flaws in your (or their) security. At a college where I worked not that long ago, they had a new batch of about 10 computers ordered; they set them up, booted them, and they failed to register on the network. One of the techs from the company from whom the computers were purchased came down to take a look. *All* 10 of the computers had the same MAC address - not similar, identical. Theoretically it shouldn't happen, particularly all in one batch, but that's a legitimate use of MAC changing.

apotheon

I checked around, and I didn't find any on TR that showed how easily MAC can be spoofed with actual examples of how it's done. Sometimes, people need all the details rubbed in their faces to grasp how easily some so-called security measures are circumvented. Actually, the inspiration for this article was the fact that I've run across people recently who still think that MAC addresses are effectively unchangeable. Apparently, some of the six billion people in the world didn't get the memo saying "Everybody knows this!" The fact you've heard about it six times doesn't necessarily mean everyone else has.

Neon Samurai

Assuming you are the system admin with authority to be mucking about in the wifi router (the forums get a lot of "help me crack *my* admin password" questions, so don't take that personally): configuring a wifi router is pretty simple after you've done it once. There's not a lot of settings available with the normal default firmware for

apotheon

There are freely available tools for that sort of thing -- like aircrack and WepLab. Please don't use this information for "evil". Also . . . at the first available opportunity, you should upgrade from WEP to WPA-PSK for wireless encryption. WEP simply isn't secure. A little temporary inconvenience is a small price to pay -- just make sure everyone that will be affected knows about the change in advance so there won't be any surprises for anyone that cannot connect.

Oktet

Or capturing weak and unique IVs (Initialization Vectors)? If you are authorized to use the WEP-encrypted Wireless Access Point (wireless router), just log into the router via its IP. Since you are authorized you should at least have the "Username" and "Password," and don't have to reset the router. If all else fails, just wait until you get the laptop with the key and use that, since you don't want to reset the router. And I guess calling the person with the laptop with the WEP key on it does not hurt either - via phone/email, since this is what you really need. Since everything is authorized and legal this should not be a problem for you.

robo_dev

There are only some LAN cards that will let the user do this. Usually you need a utility (smac, macshift) or have to dig into the registry.

catseverywhere

OK, what's the benefit of changing the MAC as described in the last post? Seems to me it would still be a consistent MAC associated with a specific machine... Is this to cover tracks after a night of hacking? Someone knocks on the door and you show them the original hardware MAC, proving it t'weren't you? Of course spoofing on the fly, e.g. man in the middle, has its merits, dubious though they may be. But "hard wiring" a MAC other than the original, which then identifies that machine just the same, eludes my imagination...

Oktet

I will try it out later on tonight. Usually I just use the following on a Linux box:

$ airmon-ng stop ath0
$ ifconfig wifi0 down
$ macchanger --mac 00:11:22:33:44:55 wifi0
$ airmon-ng start wifi0

and this works fine. On a Windo[z]e box, http://tmac.technitium.com/tmac/index.html

prscott1

I've had to change the MAC on replacement routers to the MAC on the old one in order to connect and get an IP lease from the ISP.

mercedesman1981

MACs are supposed to be unique, but I have had incidents where, innocently, two MACs came up in my network and one had to be changed to comply with the network security policy.

ben@channells

At work we have a wireless network to access time sheets (works with Firefox, not Internet Explorer; the time sheet program also sends messages using Thunderbird and does not support MS Outlook), driver and patch downloads, testing app deployment to remote users and programs, and other items and web sites which are caught by the corporate security policy. However, the IT team perform monthly sweeps blocking various computer names or MAC addresses, so we are forced to change our laptop name and MAC address. Sometimes they change the network key on our wireless router without our permission (which we normally do twice a year). Since the router is ours and NOT the IT department's, we have to change the PC name and MAC regularly; however, the IT team spoof our MAC address and WEP key to change the use. Yes, they have admitted to doing it, and not external hackers. Perhaps we are lucky we only have to fight the IT department and not some hackers doing a DoS attack.

apotheon

Penetration testing is generally done by someone testing to see if you've set up your system with sufficient security measures in place -- not whether your security measures in place are crap. . . . and some of the best intrusion detection software in the world (like Snort) is open source.

signalgk

Thanks to everyone who replied - as stated in my original message there are reasons why just resetting the router isn't always possible, and no, I don't take offence at the innuendos - I just wanted to know if it was possible. Unlike businesses, most community organisations don't have a dedicated IT worker and often rely on volunteers to set things up - and documentation is often the first thing to be forgotten. Only this week we were called out to a local church to sort out a network problem (a cable was damaged by some builders) and, as so often happens, we were asked could we ALSO set up access for the pastor's new laptop while we were there... Now I'm only a few years away from retirement and have never really got my head around wireless networking, so when things get a little unusual I usually need to ask one of our younger circuit riders to have a look instead of me - if I know in advance, which again not always happens. If we don't know in advance then that can mean an additional visit and an additional charge to the client, which given their often very limited budgets we try to avoid. In this case a volunteer had set up the wireless network but had left about a year ago and, yes, you guessed it, hadn't left any documentation. All the permanent computers in the church are on the wired LAN (which is why I went myself rather than asking someone who's comfortable with wireless networking to go instead) and the wireless network is only used on a couple of laptops that are not stored on the premises but are brought in by their owners. In this case we had to say we couldn't do it, book a second visit and have had to ask the youth worker to bring his laptop in. We already have software tools available that we can use to read the WEP key from his computer, but we are now having to wait until the youth worker or one of the other wireless users remembers to bring their laptops in before we can finish the job... C'est la guerre!
Anyway, it sounds as though there are scanner tools out there that might do what we need, so thanks to everyone who replied.

mercedesman1981

If WPA-PSK has been set up with a minimum of a 25 random character password, how is the MAC still visible for capture/spoofing?

Neon Samurai

I'll check against my own win32 machine tonight where I have Admin access, but you seem very sure. If a utility can change the MAC address that the OS reports, then why couldn't such a utility be built into the OS? I am a little sceptical about Windows having the native ability to report a different MAC, but that's simply because the last time I was curious about doing such a thing in Windows was around NT 2000, which may not have had the function available. Correct, the MAC is burned into the NIC's chip, but obviously that can be adjusted to report differently through an OS utility, so "It doesn't work that way" might be a little strong - is all.

Oktet

"Is this to cover tracks after a night of hacking? Someone knocks on the door and you show them the original hardware MAC, proving it t'weren't you?" FBI: "Sir, we have reason to believe you have been hacking, is your MAC address 00:11:22:33:44:55?" Me: "No, my MAC address is 00:00:00:00:00:00, that is probably my neighbor's ;-) ."

apotheon

A system that does MAC filtering won't allow you to access it with the "wrong" MAC address. Thus, if you can find a valid MAC address for getting past the filter, you can set your MAC address to that address, allowing access to the resource whose security you want to crack. It's just a "manual" method for MAC spoofing.

apotheon

Using the [b]nmap --spoof-mac[/b] option doesn't change your system's MAC address in general. It only changes the MAC address reported by the system while performing a scan with Nmap.

apotheon

Those last six digits are hexadecimal digits, though. That means that each vendor has about sixteen million MAC addresses it can assign.

TheGooch1

If you remember, the first 6 digits of a MAC identify the vendor, so they only have the last 6 to use to make the addresses of their NICs unique. Over time, the vendor will run out of "address space" and have to loop back and reuse old MAC addresses on new cards. This is with the hope that the card with the MAC they assigned 5 years ago is no longer in use... which may not be the case.

apotheon

"[i]Why would a VAR or OEM screw with something like that?[/i]" Stupidity and laziness, of course.

s31064

I was under the impression that every NIC manufactured anywhere in the world had a unique MAC, up to almost 17,000,000 units per manufacturer. Why would a VAR or OEM screw with something like that?

apotheon

Computer vendors sometimes sell multiple systems with the same MAC addresses.

Tony Hopkinson

Tell me these PCs aren't connected in direct to the corporate network as well!

ben@channells

It's totally separate from the main network, with a separate ISP: computers that attach to the wireless are used for testing the web servers from outside the building, building and testing setups for VMware before production release, testing remote connections to users, etc., blah, blah. All agreed with the IT service director and design engineering director; however, the IT team still want control over it :-0, but refuse to support any development PC or servers in our section, wired or not. The fact is we are often called upon to fix their AD/DNS ?cluster issues once they break them. PS: techrepublic.com is blocked on the corporate network due to spelling "mistocks"; there are several of the IT resource sites blocked, including Tom's Hardware, but you can get to Facebook and YouTube :-}

s31064

"the router is ours and NOT IT department's" Sounds to me like you're deliberately running a rogue WAP on the network. It is IT's responsibility to provide and maintain the security of the ENTIRE network to prevent intrusion and data theft. Just because you think you have a legitimate reason to install a WAP on your own doesn't give you the right to jeopardize the security of everyone else. If you were on my network, you would have been fired after the second instance. Period.

Tony Hopkinson

Either you are contravening agreed policy, or you need to agree a policy.

Tony Hopkinson

So you need to legitimately spoof to test the quality of the detection algorithms, as opposed to something simple like port scanning, which is sort of on or off, end of story.

apotheon

  1. You can get the MAC address you want to test for spoofing. Example: [b]00:16:6f:13:d3:a9[/b]
  2. You drop the last three hexadecimal numbers (called octets because they represent eight bits each) and keep the first three. Example: [b]00:16:6f[/b]
  3. You enter that number (known as the OUI number, for Organizationally Unique Identifier) into the IEEE database to find out who the manufacturer is. Example: [b]Intel Corporation[/b]
  4. You check that information against the manufacturer name reported by the connecting network interface card. If they don't match, it's a spoofed MAC address.

This technique is far from foolproof. MAC spoofing detection is not an exact science, as far as I'm aware. Another imperfect technique is frame sequence analysis. Check incoming frames to see if they arrive out of sequence, and to see if you get duplicate frames a lot. If so, you may have two systems on the network using the same MAC address. This only works quickly if the attacker's methods aren't very sophisticated -- if he or she uses a spoofed MAC address to connect while the original holder of that MAC address is still online. Otherwise, it takes time to analyze traffic and identify an attacker via sequence number analysis, because the two systems with the same MAC address are not visible on the network at the same time. It's all very heuristic and fuzzy around the edges.
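The OUI lookup and duplicate-address heuristics from the comment above, as an added example that is not the article's or any commenter's code; it also checks the two flag bits of the first octet (I/G and U/L), which the comment does not mention. The OUI table is a stand-in for the IEEE registry (only the Intel entry comes from the comment; the VMware entry is assumed), and the ARP-table lines are constructed sample input.

```python
import re
from collections import defaultdict

# Stand-in for the IEEE OUI registry. The Intel entry is the one quoted in the
# comment above; the VMware entry is an assumed value. A real deployment loads
# the full registry from a file instead of hard-coding it.
OUI_TABLE = {
    "00:16:6f": "Intel Corporation",
    "00:50:56": "VMware, Inc.",
}

MAC_RE = re.compile(r"^[0-9a-f]{2}(?:[:-][0-9a-f]{2}){5}$")

def parse_mac(mac: str) -> bytes:
    """Accept aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff; return the six octets."""
    mac = mac.lower()
    if not MAC_RE.match(mac):
        raise ValueError(f"bad MAC: {mac!r}")
    return bytes(int(p, 16) for p in re.split(r"[:-]", mac))

def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def mac_flags(mac: str) -> dict:
    """Decode the two flag bits of the first octet (IEEE 802):
    bit 0 (I/G) set -> group/multicast address, never a valid source address;
    bit 1 (U/L) set -> locally administered, i.e. assigned in software."""
    first = parse_mac(mac)[0]
    return {"group": bool(first & 0x01), "local": bool(first & 0x02)}

def oui_vendor(mac: str):
    """Registry lookup on the first three octets (the OUI); None if unknown."""
    return OUI_TABLE.get(fmt_mac(parse_mac(mac)[:3]))

def check_station(mac: str, reported_vendor: str) -> list:
    """Reasons a station looks spoofed; an empty list means nothing odd.
    reported_vendor is what the interface/driver claims (e.g. from an
    inventory tool), compared against the OUI as the comment describes."""
    reasons = []
    flags = mac_flags(mac)
    if flags["group"]:
        reasons.append("I/G bit set: group address, cannot be a real source MAC")
    if flags["local"]:
        reasons.append("U/L bit set: locally administered address")
    vendor = oui_vendor(mac)
    if vendor is None:
        reasons.append("OUI not in registry")
    elif vendor.split()[0].lower() != reported_vendor.split()[0].lower():
        reasons.append(f"OUI belongs to {vendor}, interface reports {reported_vendor}")
    return reasons

# Constructed ARP-table style lines: "<ip> <mac> <switch port>". The last
# line reuses the article's own example address 03:a0:04:d3:00:11.
SAMPLE_ARP = """\
192.168.1.10 00:16:6f:13:d3:a9 sw1/3
192.168.1.11 00:50:56:aa:bb:cc sw1/4
192.168.1.20 00:16:6f:13:d3:a9 sw1/9
192.168.1.30 03:a0:04:d3:00:11 sw1/12
""".splitlines()

def find_duplicates(lines) -> dict:
    """Group lines by MAC; a MAC tied to several (ip, port) pairs at once is
    the 'two systems with the same address' case from the comment above."""
    seen = defaultdict(set)
    for line in lines:
        ip, mac, port = line.split()
        seen[parse_mac(mac)].add((ip, port))
    return {fmt_mac(k): sorted(v) for k, v in seen.items() if len(v) > 1}

if __name__ == "__main__":
    for line in SAMPLE_ARP:
        ip, mac, _ = line.split()
        print(ip, mac, check_station(mac, "Intel") or "ok")
    print("duplicates:", find_duplicates(SAMPLE_ARP))
```

Note that the article's example address 03:a0:04:d3:00:11 has the I/G bit set, so it is a group address rather than a station address; 02:a0:04:d3:00:11 would be the locally administered unicast form.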

Tony Hopkinson

A question, however: how do you detect a spoofed MAC?

apotheon

I'm afraid I didn't understand your question.

Tony Hopkinson

If you turn on "detect and stop MAC spoofing" in your system, why is there so little confidence that it is detected and stopped?

Neon Samurai

URLs are a text representation of an IP address, which is a more variable representation of a MAC address. When you send a network packet to an IP, the router and other hardware is actually converting that to the MAC of the receiving network card. At the lowest level, the MAC is a required bit of information, so even if you have encryption, that outermost layer of the onion is still going to present an unencrypted MAC (at least for the first receiving encryption device, that is). Encrypting the MAC would be like dropping a parcel in the post box with no address indicated; it's not going to get where it was meant to go.

apotheon

There's always good open source software support for Thinkpads. Sometimes, a new Thinkpad comes out and some of the hardware isn't well supported right away, but a few months later the new hardware is guaranteed to have some support in the open source community. A few months after that, and the support is pretty much "plug and play". I basically never buy a new laptop model the year it comes out, anyway, because the prices are always jacked up at first. I'll give that link a look in a bit. Maybe I'll have something to say about it, afterward. Thanks.

apotheon

The MAC address can [b]always[/b] be set in software. To do so with tools that ship with MS Windows, though, you have to use regedit. Some MS Windows drivers for NICs also provide GUI interfaces for things like changing the MAC address -- interfaces that are integrated with the standard MS Windows network configuration interfaces. Some don't. For those that don't, there are third-party tools out there that allow you to edit the MAC address in the registry more easily than hunting through the registry yourself via regedit. The quickest way to search through the registry yourself if you want to, though, is probably to check the MAC address with the ipconfig command line utility, then do a search for that string in the registry. Some of those third-party MAC address editing applications probably do exactly that behind the scenes.

catseverywhere

The wifi power on/off function on this Dell Vostro 1000 has been given entirely over to Windows. There is no button, no hardware control whatsoever. I run Linux, and there is no equivalent to the Windows software that controls most of the "fn" keys. As a result, I cannot use the built-in wifi; I had to buy a USB wifi adapter. (No scroll lock, no display brightness control, etc.) This is the whole-system equivalent of the "winmodem," cheaper hardware that has offloaded much of the functionality into Windows. It is disturbing to see Microsoft working so closely with hardware manufacturers in a way that results in a dependency on Windows, like this machine has in spades. It is decidedly unfriendly toward Linux, and I cannot believe that such was entirely unintended. So, like with the MAC residing in a software layer somewhere in Windows, the trend seems to be moving any/all hardware possible in the same direction. One of the Linux kernel geeks (who has quit) has an interesting take on the history of computer hardware and software development, and how they affected one another. He correctly points out that real software innovation became stifled once the question of "what's the OS?" became just about written in stone. Check it out: http://apcmag.com/node/6735/ He also has a take on the Windows-vs-Linux controversy that the Windows fanboys might find refreshing. I happen to agree with the fellow's take... cat

Neon Samurai

Here I was poking someone to see if there was a technical reason for their comment or if they were talking out their .... (suspecting the latter but offering the benefit of the doubt). But I should have known you'd pop in with the technical reasoning, and knowing that promiscuous mode was an ability of the driver, I hadn't actually connected changing the MAC with the driver-supported functions. So, saving me the time of booting a WinXP VM and checking myself: XP can change the MAC through a native utility if the driver supports the function, where *nix just can, then? That kind of true functionality with the hardware was what started me on Red Hat so long ago.

apotheon

For some reason, MS Windows' network configuration utilities rely on the driver to provide certain functionality via the standard GUI tools -- functionality that is in no way dependent upon the hardware itself, in some cases. One of these cases is setting the MAC address in software. The same is true of some display properties configuration options depending on your graphics adapter driver, sound configuration options depending on your sound card driver, and so on. MS Windows provides means of adding such functionality to the standard GUI configuration tools (if you have a Radeon card, right-click the desktop and see all the options for display properties that aren't there with a motherboard integrated SiS chipset), but doesn't provide the functionality directly even if it's something you can set in the registry regardless of the specific hardware. It seems like the guys in Redmond, in their infinite wisdom, have decided what we do and do not need to be able to do, as dumb end-users that shouldn't be monkeying around with things beyond setting the colors of our fonts and the sounds our GUI buttons make.