1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

MAC Spoofing

Discussion in 'Wireless' started by zebulebu, Sep 3, 2006.

  1. zebulebu

    zebulebu Terabyte Poster

    I've had this knocking around for a while - I've edited it a bit and posted it in response to an earlier thread about WEP/WPA and MAC filtering. Let me know if you think its useful - or if you want to discuss any aspect of it. Bear in mind that this is pretty old, and written for an audience already familiar with the basics of WLAN 'auditing'


    So - you've enabled MAC address filtering on your WLAN. You sit back smugly, safe in the knowledge that only those MAC addresses you specify will be able to connect to your shiny new WAP - and figure that you probably don't even need to bother with encryption right?


    It is so trivial to spoof a MAC address that a wardriver can do it within thirty seconds of finding your AP.

    In order to carry out this cunning little bit of subterfuge, your would-be hacker only has to sniff a few packets passing to your AP, looking for a conversation between an authenticated client and the AP itself - and for the 'hacker-in-a-hurry' there is even a method to speed this process up.

    So - first things first. You need to find an AP to try this out on.

    DISCLAIMER - Do NOT do this on an AP which doesn't belong to you or, if trying it out 'on the job' - make sure you have the requisite authorisation from the peeps in your organisation who matter! Its no good pleading ignorance after the fact - your employer/neighbour will NOT be impressed if you try this sort of thing without them being aware of it.

    OK - with the warning out of the way, lets see how to go about finding an AP. There are several methods available to you. Lets cover the easiest here. Simply download NetStumbler and, once installed, open it up. It will immediately start searching your locale for Access Points that are present. It might be easiest, just for demonstration purposes, for you to sit your laptop down near an AP which you know is on, so that you don't end up spending ages looking for one!

    Once you've found your Access Point, take a note of the MAC address - this will come in handy later. You now have your target AP recced out. Its time to go about grabbing hold of a MAC address that can get you past the sneaky MAC filtering that has been turned on...

    What you'll need to accomplish the task is a WLAN network analyser - my tool of choice for this is Airocrack - a tool freely available as part of the peerless Linux SLAX-based distro Backtrack
    There are other tools available, some free, some not. AiroPeek, for instance, from Wild Packets, is a commercial tool (and not a particularly cheap one), whilst Ethereal (now named Wireshark) is a free sniffer, which has the advantage of having a Windows-compatible version - but it can be notoriously difficult to configure for some WNICs.

    Whichever sniffer you choose, once you have it fired up, you need to sniff traffic being sent to a target client from the AP. (recall from earlier that you should have taken a note of the MAC address of the AP from your stumbling). What you're looking for here first of all is a client sending a probe to the broadcast MAC address (which is always FF:FF:FF:FF:FF:FF). The AP listens for broadcasts from clients looking to authenticate to it and, once one has been received, it sends out a probe response to the client that made the broadcast. The snag is - it will only ever send a probe request to one of the MAC addresses that is authorised to access the AP. Since you know the AP's MAC address, all you need to do is wait for a client to request authentication to the AP and - hey presto - you have a MAC address which you can later spoof to gain access.

    Once you have a MAC address which can be used to connect to the AP, spoofing your MAC address to match is a trivial matter. You can often even achieve this simply by editing the network connection properties (open up your NIC properties, go to ‘Configure’, then ‘Advanced’ – if there is an entry in there called ‘Network Address’ you will be able to enter your new MAC address in the box provided. If you choose this approach, bear in mind you should enter your MAC address only as the 12 digits – eliminate the colons as this will cause Windows to throw a hissy fit.

    If your WNIC doesn’t support this (and many don’t), you can achieve the same objective by using a third party tool – there are loads out there that will do the job.
    One such tool is SMAC (I believe it’s freeware but you’ll need to check), which has a nice GUI and is very simple to use.

    Finally, if you’re familiar with the registry, you can edit the properties of your WNIC in the following key:



    As you can see from the screenshot above, there will be a number of registry entries with the same name – you will need to have a peek through them all to find one that deals with the network cards registered to your system. Once you’ve located it, look through the individual entries for each network card until you find the one matching your WNIC. It shouldn’t be difficult to ascertain which one is your wireless card – usually the name of the card’s manufacturer is provided under the ‘DriverDesc’ entry. In order to change your MAC address, simply right click in the right hand pane, enter a new ‘String’ value. Ensure you name your new string ‘NetworkAddress’. Once done, double-click this new entry and enter the MAC address you wish to spoof (omitting the colons).

    There you go – you now have a valid MAC address to use to gain access to the WLAN you are ‘attacking’.

    Of course, it might be some time before you can capture the authentication request necessary to divulge a valid MAC address, if there are no clients authenticating, or if there are clients around but they are already connected, they may not send an authentication request for some time. What you need is a way to ‘con’ the clients into authenticating to the AP at a time that is convenient for you. This can be achieved through use of a simple DOS technique – I’ll show you how to do that in a later tutorial.

    What the above should give you is a very good understanding of why enabling MAC filtering is not a valid method of security for your WLAN.
    Certifications: A few
    WIP: None - f*** 'em
  2. Boycie
    Honorary Member

    Boycie Senior Beer Tester


    Excellent! Looking forward to the <DOS hack>.

    Certifications: MCSA 2003, MCDST, A+, N+, CTT+, MCT
  3. Bluerinse
    Honorary Member

    Bluerinse Exabyte Poster

    Good stuff Zeb, well worth being aware of IMHO 8)
    Certifications: C&G Electronics - MCSA (W2K) MCSE (W2K)
  4. Jakamoko
    Honorary Member

    Jakamoko On the move again ...

    Also as posted elsewhere ...


    Please note that this post contains both facts and opinions as posted by this site's Members, and in no way constitutes the views, thoughts, beliefs, opinions or otherwise of CertForums. We in no way condone, or otherwise, any actions, techniques or suggestions posted here, and reserve the right to remove this thread at anytime if deemd to place CertForums in a legally unsound position.
    Certifications: MCP, A+, Network+
    WIP: Clarity
  5. Mr.Cheeks

    Mr.Cheeks 1st ever Gold Member! Gold Member

    Gav, perhaps Zeb should have the disclaimer on his signature.... :twisted:

Share This Page