http://amac.paqtool.com help finding or scanning useful mac address and changing mac address automatically
It is easy to change the Mac Address
This is what I did
Used an Atheros USB 2.0 Wireless Network Adapter
Windows XP sp2
From the device manager
Select properties on the adaptor
Change to advanced
Select Network Address
Type the address you want into Value
Eg 11-22-33-44-55-66
(Note remove the dashes this address now = 112233445566)
Enter the address 12 alpha numeric numbers 0-9 a-f
Click ok
I entered the same address as one of my working wireless adaptors
What happened next?
The router connected the Atheros USB 2.0 Wireless Network Adapter
Gave it the IP address assigned to the other PC
The other PC was kicked off the network
Try it yourself
Steve
In my router I can set it to give a specific IP address only to a corresponding MAC address, which I key into the router's DHCP config. As long as the PC with that MAC address has the IP lease and is running, then I would think that someone trying to connect with the same MAC address from another wireless PC would be denied. What happens when your PC is turned off? Then I think the PC with the spoofed MAC address would get the lease. BUT, as soon as I try to connect to the WAP/Router with MY PC, and it doesn't let me in then I know to look at the router. It would be nice if there was a tool that reports to a PC that is always on that a lease has been given corresponding to one of your reserved MAC addys in static DHCP. Anyone know of such a tool?
I downloaded the utility and ran the scan but it didn't find and report the MAC of the router's WAP, WAN, or LAN MAC addresses.
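A lease watcher of the kind asked about above, as an added example that is not part of the thread or any tool mentioned in it. It assumes the router logs DHCP through dnsmasq to syslog; the reservation table, hostnames and log lines are constructed for illustration.

```python
import re
from dataclasses import dataclass

# dnsmasq syslog format: "... dnsmasq-dhcp[pid]: DHCPACK(iface) ip mac [hostname]"
ACK_RE = re.compile(
    r"dnsmasq-dhcp\[\d+\]:\s+DHCPACK\((?P<iface>[^)]+)\)\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})"
    r"(?:\s+(?P<host>\S+))?\s*$"
)


@dataclass(frozen=True)
class Alert:
    kind: str
    mac: str
    ip: str
    detail: str


def normalize_mac(text):
    """Accept 11-22-33-44-55-66, 11:22:33:44:55:66 or 112233445566."""
    digits = re.sub(r"[-:]", "", text.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def watch_leases(lines, reservations):
    """Return alerts for DHCPACK lines that look like a cloned MAC.

    reservations maps each reserved MAC to the hostname its real owner
    normally announces (a baseline the administrator maintains; assumption).
    """
    expected = {normalize_mac(m): h.lower() for m, h in reservations.items()}
    last_host = {}  # hostname last seen for each unreserved MAC
    alerts = []
    for line in lines:
        m = ACK_RE.search(line)
        if m is None:
            continue  # DHCPREQUEST, DHCPDISCOVER, unrelated syslog lines
        mac = normalize_mac(m["mac"])
        ip = m["ip"]
        host = (m["host"] or "").lower()
        if mac in expected:
            # Reserved MAC, but the client does not announce the known name.
            if host != expected[mac]:
                alerts.append(Alert(
                    "reserved_mac_unexpected_host", mac, ip,
                    f"expected {expected[mac]!r}, "
                    f"lease went to {host or '<no hostname>'!r}"))
        elif mac in last_host and host != last_host[mac]:
            # Same MAC, different announced name than last time.
            alerts.append(Alert("hostname_changed", mac, ip,
                                f"{last_host[mac]!r} -> {host!r}"))
        last_host[mac] = host
    return alerts


# Constructed sample input: one reserved PC, one visitor, then the
# reserved MAC reappearing from a differently named machine.
RESERVED = {"00-11-22-33-44-55": "office-pc"}
SAMPLE_LOG = """\
Jan 12 08:01:10 gw dnsmasq-dhcp[1432]: DHCPACK(br0) 192.168.1.50 00:11:22:33:44:55 office-pc
Jan 12 08:05:44 gw dnsmasq-dhcp[1432]: DHCPACK(br0) 192.168.1.77 a4:5e:60:01:02:03 visitor-phone
Jan 12 19:30:02 gw dnsmasq-dhcp[1432]: DHCPREQUEST(br0) 192.168.1.50 00:11:22:33:44:55
Jan 12 19:30:02 gw dnsmasq-dhcp[1432]: DHCPACK(br0) 192.168.1.50 00:11:22:33:44:55 usb-atheros
Jan 12 20:10:15 gw dnsmasq-dhcp[1432]: DHCPACK(br0) 192.168.1.77 a4:5e:60:01:02:03 laptop-b
""".splitlines()

if __name__ == "__main__":
    for alert in watch_leases(SAMPLE_LOG, RESERVED):
        print(alert)
```

The hostname is supplied by the client, so a cloned adapter can copy it as well; treat a clean result as absence of this one signal, not as proof that no spoofing took place.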
hmm...
That wasn't my point. I was just pointing out that when I tried running the scan it did not find my router... BUT, then on the third try (after slowing down the scan) it did find the router and then disconnected all of my wireless clients; I had to reboot my router to re-connect. Nice software, and I'll probably make use of it, but it does have some bugs... or actually, if you're on the receiving end of an attack by someone using this tool, that bug could be a good thing for the one being hacked.
Just an observation.
Change the MAC address in Windows
1. Go to Start -> Control Panel. Double click on Network Connections (inside Network and Internet Connections category in Windows XP). Then, right click on the active network connection with network adapter that you want to change the MAC address (normally Local Area Network or Wireless Network Connection) and click on Properties.
Above steps work in Windows XP, Windows 2000 and Windows Server 2003. For Windows Vista, access to NIC's properties is from Control Panel -> Network and Internet -> Network and Sharing Center -> Manage Network Connections.
Alternatively, if you already know which network adapter that's responsible for your network or Internet connection, go to Device Manager and open the properties dialog by double click on the NIC itself.
2. In the General tab, click on the Configure button.
3. Click on Advanced tab.
4. In the Property section, select and highlight Network Address or Locally Administered Address.
5. To the right, "Not Present" radio button is by default selected as value. Change the value by clicking on radio button for Value:, and then type in a new MAC address to assign to the NIC.
The MAC address consists of 6 pairs of numbers (0 - 9) and characters (A - F) combination. For example, 88-17-E8-90-E2-0A. When entering the new MAC value, omit the dash (-), for example 8817E890E20A.
6. Click OK when done.
7. To verify the change of MAC address, go to command prompt, then type in one of the following commands:
ipconfig /all
net config rdr
8. Reboot the computer if successful to make the change effective.
Note: To restore or reset back to original default MAC address, simply set back the option to "Not Present".
Change the MAC Address of NIC in Windows via Registry
1. Open a command prompt.
2. Type the following command and hit Enter.
ipconfig /all
3. Record down the Description and the Physical Address (is MAC address) of the active network connection (discard those with Media Disconnected state).
For example, in figure above, Description is Intel(R) Wireless WiFi Link 4965AGN and MAC address is in the format of 00-XX-XX-XX-XX-XX.
4. In the command prompt also, type the following command and hit Enter.
net config rdr
5. Record down the GUID for the MAC address for the active connection's NIC which MAC address to be changed. The GUID is contained within the { and } brackets right in front of the MAC address as shown in figure below.
6. Type regedt32 or regedit in Start -> Run box or in Start Search for Windows Vista. Note: for Windows NT 4.0 and Windows 2000, regedt32 must be used.
7. Navigate to the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}
8. Expand the {4D36E972-E325-11CE-BFC1-08002BE10318} tree, and there will be more sub-keys in the form of 0000, 0001, 0002 and so on.
9. Go through each sub-key starting from 0000, and look for the subkey whose DriverDesc value data matches the NIC description copied in the step above, for the NIC whose MAC address is to be changed. In most cases, it will be similar to the network adapter card name.
To verify that the subkey found is indeed the correct one, check the value of NetCfgInstanceId, which should have the same value as the NIC's GUID taken from the step above.
10. Once a sub-key is matched to the network interface card whose MAC address is to be spoofed, select and highlight the subkey. Right click on the sub-key (for example, 0000), then select New -> String Value. Name the new value NetworkAddress.
Note: If a NetworkAddress REG_SZ value already exists in the right pane, skip this step.
11. Then double click on NetworkAddress and enter a new MAC address as its value data.
Note that the 12-digit MAC address is in hexadecimal format, and should be entered without any dash (-). For example, 1A2B3C4D5E6F.
12. Reboot the system to make the new MAC address effective. Alternatively, if you don't want to restart the system, try to disable and then re-enable the network adapter in Device Manager.
13. To verify the change of MAC address, go to command prompt, then type in one of the following commands:
ipconfig /all
net config rdr
Note: To restore or reset back to true original hardware burned-in MAC address, remove the NetworkAddress registry key that has been added.
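For auditing a machine for the override described in the registry steps above, the following added example (not part of the thread) parses saved output of `reg query "<class key>" /s` and lists adapters that carry a NetworkAddress value. The sample text, the two "Example" adapter names and both GUIDs are constructed; the value names and the class key are the ones given in the steps.

```python
import re
from dataclasses import dataclass

CLASS_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class"
             r"\{4D36E972-E325-11CE-BFC1-08002BE10318}")
# Only the 0000, 0001, ... adapter subkeys count, not keys nested below them.
ADAPTER_KEY = re.compile(re.escape(CLASS_KEY) + r"\\(\d{4})$", re.IGNORECASE)
# reg query prints values as: 4 spaces, name, 4 spaces, type, 4 spaces, data
VALUE_LINE = re.compile(r"^\s{4}(.+?)\s{4}(REG_[A-Z_]+)(?:\s{4}(.*))?$")


@dataclass
class Override:
    subkey: str
    driver_desc: str
    guid: str
    address: str
    kind: str


def classify(address):
    """Describe a 12-hex-digit address by the flag bits of its first octet."""
    if not re.fullmatch(r"[0-9A-F]{12}", address):
        return "malformed"
    first_octet = int(address[:2], 16)
    if first_octet & 0x01:
        return "multicast-bit-set"       # not a valid station address
    if first_octet & 0x02:
        return "locally-administered"    # marks itself as software-assigned
    return "universal-form"              # looks vendor-assigned: possible clone


def find_overrides(reg_query_text):
    """Return one Override per adapter subkey with a non-empty NetworkAddress."""
    adapters = {}
    current = None
    for raw in reg_query_text.splitlines():
        line = raw.rstrip()
        if line.upper().startswith("HKEY_"):
            m = ADAPTER_KEY.match(line)
            current = adapters.setdefault(m.group(1), {}) if m else None
            continue
        v = VALUE_LINE.match(line)
        if v and current is not None:
            current[v.group(1).lower()] = (v.group(3) or "").strip()
    found = []
    for subkey in sorted(adapters):
        values = adapters[subkey]
        raw_addr = values.get("networkaddress", "")
        if not raw_addr:
            continue  # value absent or empty: burned-in address in use
        address = re.sub(r"[-:]", "", raw_addr).upper()
        found.append(Override(subkey,
                              values.get("driverdesc", "?"),
                              values.get("netcfginstanceid", "?"),
                              address,
                              classify(address)))
    return found


# Constructed sample of `reg query ... /s` output (not from a real machine).
SAMPLE = r"""
<CLASS>\0000
    DriverDesc    REG_SZ    Example Gigabit Ethernet
    NetCfgInstanceId    REG_SZ    {11111111-2222-3333-4444-555555555555}

<CLASS>\0001
    DriverDesc    REG_SZ    Intel(R) Wireless WiFi Link 4965AGN
    NetCfgInstanceId    REG_SZ    {AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}
    NetworkAddress    REG_SZ    8817E890E20A

<CLASS>\0001\Ndi\params\NetworkAddress
    ParamDesc    REG_SZ    Network Address

<CLASS>\0002
    DriverDesc    REG_SZ    Example USB Wireless Adapter
    NetworkAddress    REG_SZ    1a-2b-3c-4d-5e-6f
""".replace("<CLASS>", CLASS_KEY)

if __name__ == "__main__":
    for o in find_overrides(SAMPLE):
        print(o.subkey, o.driver_desc, o.address, o.kind)
```

An override in universal form deserves the closest look, because it has the shape of an address assigned to some other real device rather than one that identifies itself as locally administered.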
I totally agree with your assessment of MAC addr filtering.
But, you have not addressed what I consider a very important point. If you are going to spoof a MAC addr, you have two choices. You either wait until that MAC addr is not being used or you have to instigate a Man in the Middle attack to remove that MAC addr from use. Otherwise the MAC addr spoof is not applicable.
This simple yet important concept is typically forgotten in this type of discussion.
I didn't really intend to instruct people in how to get away with MAC spoofing so much as point out that it's not only possible, but easy, though. Anyway -- good point, for the sake of completeness. Thanks for commenting.
I will try it out later on tonight, usually I just use:
On a Linux Box,
$ airmon-ng stop ath0
$ ifconfig wifi0 down
$ macchanger --mac 00:11:22:33:44:55 wifi0
$ airmon-ng start wifi0
and this works fine.
On a Windo[z]e box,
http://tmac.technitium.com/tmac/index.html
Using the nmap --spoof-mac option doesn't change your system's MAC address in general. It only changes the MAC address reported by the system while performing a scan with Nmap.
Perhaps the obvious/easy way to find the reg entry is to first determine the original MAC (ipconfig /all) and then do a search for that value.
It's super easy in XP, you can find the network adapter properties either using device manager, or going to the connection properties, select "configure" button next to the adapter. Once in the adapter properties screen, click "advanced" and select "network address" (MAC address). Now select "custom" and enter whatever address that you would like after storing the original somewhere for future usage.
OK, what's the benefit of changing the MAC as described in the last post? Seems to me it would still be a consistent MAC associated with a specific machine...
Is this to cover tracks after a night of hacking? Someone knocks on the door and you show them the original hardware MAC, proving it t'weren't you?
Of course spoofing on the fly, e.g. man in the middle, has its merits, dubious though they may be. But "hard wiring" a MAC other than the original, which then identifies that machine just the same, eludes my imagination...
A system that does MAC filtering won't allow you to access it with the "wrong" MAC address. Thus, if you can find a valid MAC address for getting past the filter, you can set your MAC address to that address, allowing access to the resource whose security you want to crack. It's just a "manual" method for MAC spoofing.
"Is this to cover tracks after a night of hacking? Someone knocks on the door and you show them the original hardware MAC, proving it t'weren't you?"
FBI: "Sir, we have reason to believe you have been hacking, is your mac address 00:11:22:33:44:55?"
Me: "No, my mac address is 00:00:00:00:00:00, that is probably my neighbor's."
There are only some LAN cards that will let the user do this. Usually you need a utility (smac, macshift) or dig into the registry.
I'll check against my own win32 machine tonight where I have Admin access but you seem very sure. If a utility can change the MAC address that the OS reports then why couldn't such a utility be built into the OS?
I am a little sceptical about Windows having the native ability to report a different MAC but that's simply because the last time I was curious about doing such a thing in Windows was around NT 2000 which may not have had the function available.
Correct, the MAC is burned into the NIC's chip but obviously that can be adjusted to report differently through an OS utility so "It doesn't work that way" might be a little strong - is all.
For some reason, MS Windows' network configuration utilities rely on the driver to provide certain functionality via the standard GUI tools -- functionality that is in no way dependent upon the hardware itself, in some cases. One of these cases is setting the MAC address in software.
The same is true of some display properties configuration options depending on your graphics adapter driver, sound configuration options depending on your sound card driver, and so on. MS Windows provides means of adding such functionality to the standard GUI configuration tools (if you have a Radeon card, right-click the desktop and see all the options for display properties that aren't there with a motherboard integrated SiS chipset), but doesn't provide the functionality directly even if it's something you can set in the registry regardless of the specific hardware.
It seems like the guys in Redmond, in their infinite wisdom, have decided what we do and do not need to be able to do, as dumb end-users that shouldn't be monkeying around with things beyond setting the colors of our fonts and the sounds our GUI buttons make.
Here I was poking someone to see if there was a technical reason for their comment or if they were talking out their .... (suspecting the latter but offering the benefit of the doubt).
But, I should have known you'd pop in with the technical reasoning and knowing that the promiscuous mode was an ability of the driver, I hadn't actually connected changing the MAC with the driver supported functions.
So saving me the time of booting a winXP VM and checking myself, XP can change the mac through a native utility if the driver supports the function where *nix just can then? That kind of true functionality with the hardware was what started me on Red Hat so long ago.
The MAC address can always be set in software. To do so with tools that ship with MS Windows, though, you have to use regedit. Some MS Windows drivers for NICs also provide GUI interfaces for things like changing the MAC address -- interfaces that are integrated with the standard MS Windows network configuration interfaces. Some don't.
For those that don't, there are third-party tools out there that allow you to edit the MAC address in the registry more easily than hunting through the registry yourself via regedit.
The quickest way to search through the registry yourself if you want to, though, is probably to check the MAC address with the ipconfig command line utility, then do a search for that string in the registry. Some of those third-party MAC address editing applications probably do exactly that behind the scenes.
The wifi power on/off function on this Dell Vostro 1000 has been given entirely over to windows. There is no button, no hardware control whatsoever.
I run Linux, and there is no equivalent to the windows software that controls most of the "fn" keys. As a result, I cannot use the built in wifi, I had to buy a USB wifi adapter. (no scroll lock, no display brightness control etc)
This is the whole-system equivalent of the "winmodem," cheaper hardware that has off loaded much of the functionality into windows.
It is disturbing to see microsoft working so close with hardware manufacturers in a way that results in a dependency on windows, like this machine has in spades. It is decidedly unfriendly toward Linux, and I cannot believe that such was entirely unintended.
So like with the MAC residing in a software layer somewhere in windows, the trend seems to be moving any/all hardware possible in the same direction.
One of the Linux kernel geeks (who's quit) has an interesting take on the history of computer hardware and software development, and how they affected one another.
He correctly points out that real software innovation became stifled once the question of "what's the OS?" became just about written in stone.
Check it out:
http://apcmag.com/node/6735/
He also has a take on the windows-vs-Linux controversy that the windows fanboys might find refreshing. I happen to agree with the fellow's take...
cat
There's always good open source software support for Thinkpads. Sometimes, a new Thinkpad comes out and some of the hardware isn't well supported right away, but a few months later the new hardware is guaranteed to have some support in the open source community. A few months after that, and the support is pretty much "plug and play". I basically never buy a new laptop model the year it comes out, anyway, because the prices are always jacked up at first.
I'll give that link a look in a bit. Maybe I'll have something to say about it, afterward. Thanks.
Is anyone aware of anything that would allow you to read the WEP without forcing a reboot of the router or having the WEP already installed?
To explain, I work primarily with charities whose systems are often created by volunteers who after a few months move on often without leaving any form of documentation - we've had a few cases where wireless systems have been encrypted but the only computers with an installed key belong to laptops that only come in occasionally so there is nothing to leech the WEP setting off and we can't just reset the router because it would then cause problems when the systems come in.
At present we need to wait (sometimes weeks) until someone 'remembers' to bring their laptop in so we can get the key off it before we can then set up the machine we were called in to set up... A scanner of some sort would allow us to resolve these problems in a single visit.
BTW we use wirelessmon on a laptop to read the mac.
Thanks in advance for any assistance.
Or capturing weak and unique IV's (Initialization Vectors)?
If you are authorized to use the WEP encrypted Wireless Access Point (Wireless Router), just log into the router via its ip.
Since you are authorized you should at least have the "Username" and "Password," and don't have to reset the router.
If all else fails, just wait until you get the laptop with the key and use that, since you don't want to reset the router.
And I guess calling the person with the laptop with the WEP key on it does not hurt either- via phone/email, since this is what you really need.
Since everything is authorized and legal this should not be a problem for you.
There are freely available tools for that sort of thing -- like aircrack and WepLab.
Please don't use this information for "evil".
Also . . . at the first available opportunity, you should upgrade from WEP to WPA-PSK for wireless encryption. WEP simply isn't secure. A little temporary inconvenience is a small price to pay -- just make sure everyone that will be affected knows about the change in advance so there won't be any surprises for anyone that cannot connect.
If WPA-PSK has been set up with a minimum of a 25 random character password, how is the MAC still visible for capture/spoofing?
URLs are a text representation of an IP address which is a more variable representation of a MAC address.
When you send a network packet to an IP, the router and other hardware is actually converting that to the MAC of the receiving network card. At the lowest level, the MAC is a required bit of information so even if you have encryption, that outer most layer of the onion is still going to present an unencrypted MAC (at least for the first receiving encryption device that is).
Encrypting the MAC would be like dropping a parcel in the post box with no address indicated; it's not going to get where it was meant to go.
Assuming you are the system admin with authority to be mucking in the wifi router (the forums get a lot of "help me crack *my* admin password" questions so don't take that personally); Configuring a wifi router is pretty simple after you've done it once. There's not a lot of settings available with the normal default firmware for 200$ routers so you can also write down most of the settings. If you lose the router admin password or wifi password then simply reset the modem. In reality, that only should apply to the admin password since you can easily change the wifi password through the normal router webforms.
If you mean the WEP preshared key which is basically the wifi password for computers to connect using in combination with the broadcasted ssid (network name) and no one can remember what it is, you're not going to lose anything by resetting the router.
Also, the only reason to use WEP these days is if there is a specific bit of wifi hardware that doesn't support WPA or for some reason, the router doesn't provide WPA encryption. WEP is considered a broken encryption barely better than leaving the router wide open. If you have the choice, switch to WPA. In my case, I gave up the ability to connect my PalmOS PDA to my network over wifi because it would have meant using WEP instead of something actually secure.
(Someone with a very small amount of practice can pop a WEP key in less than five minutes provided there is a router and at least one wireless client active.)
Last; separate your office and wifi networks. Using a local community centre as an example; the office computers are networked on one router without wifi. That router connects into one of the wifi router's network ports like any other machine would. This allows both layers of the network to have internet access without allowing the wireless layer (outer) to easily access the office machines on the inner layer.
As for MAC addresses, they are as open as the IP address. Anything reading packets off the network has the MAC address and IP.
The real thing to take away is; change to WPA and be able to reset and reconfig the router on a whim.
Thanks to everyone who replied - as stated in my original message there are reasons why just resetting the router isn't always possible and no I don't take offence at the innuendos - I just wanted to know if it was possible.
Unlike businesses, most community organisations don't have a dedicated IT worker and often rely on volunteers to set things up - and documentation is often the first thing to be forgotten.
Only this week we were called out to a local church to sort out a network problem (a cable was damaged by some builders) and as so often happens we were asked could we ALSO set up access for the pastor's new laptop while we were there... Now I'm only a few years away from retirement and have never really got my head around wireless networking so when things get a little unusual I usually need to ask one of our younger circuit riders to have a look instead of me - if I know in advance which again not always happens. If we don't know in advance then that can mean an additional visit and an additional charge to the client which given their often very limited budgets we try to avoid. In this case a volunteer had set up the wireless network but had left about a year ago and yes you guessed it hadn't left any documentation. All the permanent computers in the church are on the wired LAN (which is why I went myself rather than asking someone who's comfortable with wireless networking to go instead) and the wireless network is only used on a couple of laptops that are not stored on the premises but are brought in by their owners.
In this case we had to say we couldn't do it, book a second visit and have had to ask the youth worker to bring his laptop in. We already have software tools available that we can use to read the WEP key from his computer but we are now having to wait until the youth worker or one of the other wireless users remembers to bring their laptops in before we can finish the job... C'est la guerre!
Anyway it sounds as though there are scanner tools out there that might do what we need so thanks to everyone who replied.
I really don't get how this information can actually find ways into the cyberspace. It is like posting always the same things every 6 months. People know that MAC addresses can be spoofed, and the web is full of HOWTOs about MAC. One more thing, although you change the mac address on a windows box with regedit, I think most of the novice users would like to know that it can be changed also using the GUI of NIC properties in Connections. Click Configure on the adapter and in the advanced tab one of the properties will be LAA (Locally Administered Address). Changing this will change the MAC address in windows, until blanked.
I checked around, and I didn't find any on TR that showed how easily MAC can be spoofed with actual examples of how it's done. Sometimes, people need all the details rubbed in their faces to grasp how easily some so-called security measures are circumvented.
Actually, the inspiration for this article was the fact that I've run across people recently who still think that MAC addresses are effectively unchangeable. Apparently, some of the six billion people in the world didn't get the memo saying "Everybody knows this!" The fact you've heard about it six times doesn't necessarily mean everyone else has.
Is there a legitimate use for MAC Address spoofing?
Not pointing fingers, I'm not enough of an admin to know, that's all.
Well, the first example I can think of is Penetration Testing (I.E. trying to break into a network / system - normally your own, or in the case of professionals, one you're being paid to break into) to identify and exploit flaws in your (or their) security.
At a college where I worked not that long ago, they had a new batch of about 10 computers ordered, they set them up, booted them, and they failed to register on the network. One of the techs from the company whom the computers were purchased from came down to take a look. *All* 10 of the computers had the same MAC address, not similar, identical. Theoretically it shouldn't happen, particularly all in one batch, but that's a legitimate use of MAC changing.
It sounds far fetched but aside from the above pentesting, there may be cases where a tech needs to use their machine to fully test the connection of another network client. Borrowing the MAC along with the IP would essentially make the test client a duplicate of the actual client machine as far as the network is concerned.
It's not an everyday thing but it is a legitimate use. Granted, anyone changing their MAC on your network probably needs a much closer look unless you remember signing a contract for a pentest.
spoof one of your own macs and see if you can detect that it's been done.
This suggests to me that the intrusion detection and combat techniques are either low quality or highly expensive.
Penetration testing is generally done by someone testing to see if you've set up your system with sufficient security measures in place -- not whether your security measures in place are crap.
. . . and some of the best intrusion detection software in the world (like Snort) is open source.
If you turn detect and stop mac spoofing in your system, why is there so little confidence that it is detected and stopped?
1. You can get the MAC address you want to test for spoofing. Example: 00:16:6f:13:d3:a9
2. You drop the last three hexadecimal numbers (called octets because they represent eight bits each) and keep the first three. Example: 00:16:6f
3. You enter that number (known as the OUI number, for Organizationally Unique Identifier) into the IEEE database to find out who the manufacturer is. Example: Intel Corporation
4. You check that information against the manufacturer name reported by the connecting network interface card. If they don't match, it's a spoofed MAC address.
This technique is far from foolproof. MAC spoofing detection is not an exact science, as far as I'm aware.
Another imperfect technique is frame sequence analysis. Check incoming frames to see if they arrive out of sequence, and to see if you get duplicate frames a lot. If so, you may have two systems on the network using the same MAC address. This only works quickly if the attacker's methods aren't very sophisticated -- if he or she uses a spoofed MAC address to connect while the original holder of that MAC address is still online. Otherwise, it takes time to analyze traffic and identify an attacker via sequence number analysis, because the two systems with the same MAC address are not visible on the network at the same time.
It's all very heuristic and fuzzy around the edges.
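The two heuristics from the post above, as an added example that is not part of the original discussion: an OUI check against the vendor recorded for the adapter, and a per-MAC 802.11 sequence-number check. The one-entry OUI table, the frame tuples, the function names and the thresholds are constructed assumptions; a real deployment would load the IEEE registry and parse frames from a capture.

```python
from collections import defaultdict

SEQ_MODULUS = 4096  # 802.11 sequence numbers are 12 bits wide
# Constructed one-entry excerpt of an OUI table, using the example from the post.
OUI_VENDORS = {"00:16:6f": "Intel Corporation"}

def oui_findings(mac, reported_vendor, table=OUI_VENDORS):
    """Return reasons the MAC looks hand-set; an empty list means none found."""
    mac = mac.lower().replace("-", ":")
    findings = []
    if int(mac[:2], 16) & 0x02:  # U/L bit: locally administered address
        findings.append("locally administered bit set")
    registered = table.get(mac[:8])
    if registered is None:
        findings.append("OUI not in table")
    elif registered.lower() != reported_vendor.lower():
        findings.append(f"OUI is {registered}, adapter reports {reported_vendor}")
    return findings

def sequence_anomalies(frames, max_gap=32, min_hits=3):
    """frames: (src_mac, seq, retry) tuples in capture order.
    Returns {mac: jumps} for MACs whose counter jumps or repeats min_hits+ times."""
    last, hits = {}, defaultdict(int)
    for mac, seq, retry in frames:
        if mac in last:
            gap = (seq - last[mac]) % SEQ_MODULUS  # modulo handles 4095 -> 0
            if gap == 0 and retry:
                continue  # flagged retransmission, expected on a lossy link
            if gap == 0 or gap > max_gap:
                hits[mac] += 1  # duplicate number or counter jump
        last[mac] = seq
    return {mac: n for mac, n in hits.items() if n >= min_hits}

def constructed_capture():
    """Constructed frames: one MAC used by two transmitters, one clean MAC."""
    cloned, clean = "00:16:6f:13:d3:a9", "00:16:6f:aa:bb:cc"
    frames = []
    for i in range(4):
        frames.append((cloned, 100 + i, False))   # original holder
        frames.append((clean, (4094 + i) % SEQ_MODULUS, False))
        frames.append((cloned, 3000 + i, False))  # second transmitter
    frames.append((clean, 1, True))  # retry of the clean station's last frame
    return frames

if __name__ == "__main__":
    print(oui_findings("00-16-6F-13-D3-A9", "Atheros"))
    print(sequence_anomalies(constructed_capture()))
```

Dropped frames in the capture and stations that keep separate counters per QoS traffic class also produce gaps, which is why the check requires several jumps before flagging a MAC.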
So you need to legitimately spoof to test the quality of the detection algorithms, as opposed to something simple like port scanning, which is sort of on or off, end of story
At work we have a wireless network to access time sheets works with Firefox not Internet Explorer (the time sheet program also sends messages using Thunderbird and does not support MS Outlook), drivers and patches downloads, testing apps deployment to remote users and programs and other items and web which are caught by the corporate security policy.
However the IT team perform monthly sweeps blocking various Computer names or MAC addresses. So we are forced to change our laptop name and MAC address. Sometimes they change the network key without our permission on our wireless router (which we normally do twice a year).
Since the router is ours and NOT IT department's we have to change the PC name and MAC regularly however the IT team spoof our MAC address and WEP key to change the use, yes they have admitted to doing it and not external hackers. Perhaps we are lucky we only have to fight the IT department and not some hackers doing a OOS attack.
Either you are contravening agreed policy, or you need to agree a policy.
"the router is ours and NOT IT department's"
Sounds to me like you're deliberately running a rogue wap on the network. It is IT's responsibility to provide and maintain the security of the ENTIRE network to prevent intrusion and data theft. Just because you think you have a legitimate reason to install a wap on your own doesn't give you the right to jeopardize the security of everyone else. If you were on my network, you would have been fired after the second instance. Period.