First let me explain a few things about MAC addresses. MAC stands for
Media Access Control and in a sense the MAC address is a computer?s
true name on a LAN. An Ethernet MAC address is a six byte number,
usually expressed as a twelve digit hexadecimal number (Example:
1AB4C234AB1F).
IPs are translated to MAC address by a
protocol called ARP (Address Resolution Protocol). Let?s say a computer
with and IP of 192.168.1.1 wants to send information to another
computer on the LAN that has an IP of 192.168.1.2 . First 192.168.1.1
will send out a broadcast to all stations on the LAN asking who has the
IP 192.168.1.2. Then the box that has 192.168.1.2 will respond to
192.168.1.1 with it?s MAC address which is cached in 192.168.1.1?s ARP
table for later use. To put this in Socratic Dialog form (with just a
touch of Stallone):
Host 1 (199.160.1.1): Yo everyone
on the LAN (FF:FF:FF:FF:FF:FF), who has the IP 199.160.1.2? My MAC is
DE:AD:BE:EF:CA:FE so you can respond back to me.
Host 2
(199.16o.1.2): Hello DE:AD:BE:EF:CA:FE, I have IP 199.160.1.2 and my
MAC address is 12:34:56:78:90:12 so you can send your IP packets to me.
You can see the ARP table of a box by dropping out to a
command prompt and typing ?arp ?a? in Windows or just ?arp? in Linux.
ARP can also work the other way by a host on the LAN sending its MAC
address to another machine on the LAN for preemptive caching unless the
host is configured to not accept un-requested ARP replies.
A person might want to change the MAC address of a NIC for many reasons:
1. To get past MAC address filtering on a router. Valid MAC addresses
can be found by sniffing them and then the deviant user could assume
the MAC of a valid host. Having two hosts on the same network can cause
some network stability problems, but much of the time it’s workable.
This is one of the reasons why MIC Address filtering on a wireless
router is pointless. An attacker can just sniff the MAC address out of
the air while in monitor mode and set his WiFi NIC to use it.
Interestingly, a lot of hotels use MAC filtering in their “pay to surf”
schemes, so this method can be an instant in for cheap skate road
warriors.
2. Sniffing other connections on the network. By
assuming another host’s MAC as their own they may receive packets not
meant for them. However, ARP poisoning is generally a better method
than MAC spoofing to accomplish this task.
3. So as to keep their
burned in MAC address out of IDS and security logs, thus keeping
deviant behavior from being connected to their hardware. For example,
two of the main things a DHCP server logs when it leases an IP to a
client is the MAC address and host name. If you have a wireless router
look around on it’s web interface for where it logs this info. Luckily
there are tools to randomize this information (MadMACs).
4. To
pull off a denial of service attack, for instance assuming the MAC of
the gateway to a sub net might cause traffic problems. Also, a lot of
WiFi routers will lock up if a client tries to connect with the same
MAC as the router’s BSSID.
Linux
To change your MAC address in Linux (and most *nix system) is easy as pie. All it takes is two easy to script commands:
ifconfig eth0 down hw ether 00:00:00:00:00:01
ifconfig eth0 up
These two little commands would set your eth0 interface to use the MAC
00:00:00:00:00:01. Just plug in the NIC you want to set and the MAC
address you want to use into the commands above and your done. Changing
your MAC address is one of those things that is much easier to do in
Linux then under Windows.
Mac OS X
For versions of OS X before Tiger (OS X 10.4) you will need this patch:
http://slagheap.net/etherspoof/
Then you use a command like:
sudo ifconfig en0 lladdr 00:00:00:00:00:01
I’m not much of a Macintosh guy, so I pulled most of this info from:
http://www.macgeekery.com/gspot/2006…dress_spoofing
My understanding is that there are complications with some AirPort cards so you may also want to read:
http://rgov.org/airport-spoof/
Windows 2000/XP/Vista: The Hard Way
In XP you can use the regedit to edit the registry from a GUI or th reg
command to edit it from the console, I?ll be using regedit. Information
on all your NICs can be found the registry key
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetContro l
Class{4D36E972-E325-11CE-BFC1-08002bE10318} . Under this key you will
find a bunch of sub keys labeled as 0000, 00001, 0002 and so forth. We
can assume any MAC address we want by finding the key that controls the
NIC we want to change, putting in a string value called
?NetworkAddress? and setting it to the MAC address we want to use
formatted as a twelve digit hex number (example: 000000000001). To find
out which key is which we can search through them for the value
?DriverDesc? until we find the one that matches the NIC we wish to
alter. After you set ?NetworkAddress? to the address you want just
restart the NIC by disabling it then enabling it (or in the case of
PCMCIA cards, just eject and reinsert). You can confirm the MAC address
change by using the ?getmac? or ?ipconfig /all? commands.
Windows 2000/XP/Vista: The Easy Way
Use Mac Makeup ( http://www.gorlani.com/publicprj/mac…/macmakeup.asp ), MadMACs (http://www.irongeek.com/i.php?page=s…cs-mac-spoofer), Smac ( http://www.klcconsulting.net/smac/ ) or Etherchange (http://ntsecurity.nu/toolbox/etherchange/
). Mac Makeup is a cool little GUI and Command line tool that’s
freeware, the creator also offers a Plugin for Bart’s PE builder.
MadMACs is a tool to randomize your MAC address and host name on every
reboot. Smac has a nice GUI and was free but has since gone commercial,
there’s no reason to bother with it as there are free tools that are
just as good. I use MadMACs since I wrote it and it lets me keep my
host information randomized.
Have fun with your MAC
addresses switching, but be careful not to cause network problems. My
favorite MAC address is DEADBEEFCAFE, for other interesting MACs see:
http://www.binrev.com/forums/index.php?showtopic=15942
Enjoy.
After Notes:
After I posted my article Benjamin E. Pratt emailed me some other notes
on changing your MAC address on different platforms and in different
ways:
BSD
1) Bring down the interface: “ifconfig xl0 down”
2) Enter new MAC address: “ifconfig xl0 link 00:00:00:AA:AA:AA”
3) Bring up the interface: “ifconfig xl0 up”
Linux
1) Bring down the interface: “ifconfig eth0 down”
2) Enter new MAC address: “ifconfig eth0 hw ether 00:00:00:AA:AA:AA”
3) Bring up the interface: “ifconfig eth0 up”
Windows 2000/XP
Method 1:
This is depending on the type of Network Interface Card (NIC) you have.
If you have a card that doesn?t support Clone MAC address, then you
have to go to second method.
a) Go to Start->Settings->Control Panel and double click on Network and Dial-up Connections.
b) Right click on the NIC you want to change the MAC address and click on properties.
c) Under “General” tab, click on the “Configure” button
d) Click on “Advanced” tab
e) Under “Property section”, you should see an item called “Network Address” or “Locally Administered Address”, click on it.
f) On the right side, under “Value”, type in the New MAC address you
want to assign to your NIC. Usually this value is entered without the
“-” between the MAC address numbers.
g) Goto command prompt
and type in “ipconfig /all” or “net config rdr” to verify the changes.
If the changes are not materialized, then use the second method.
h) If successful, reboot your system.
Method 2:
This should work on all Windows 2000/XP systems
a) Go to Start -> Run, type “regedt32″ to start registry editor. Do not use “Regedit”.
b) Go to “HKEY_LOCAL_MACHINESYSTEMCurrentControlSet
ControlClass{4D36E972-E325-11CE-BFC1-08002BE10318}”. Double click on it
to expand the tree. The subkeys are 4-digit numbers, which represent
particular network adapters. You should see it starts with 0000, then
0001, 0002, 0003 and so on.
c) Find the interface you want by searching for the proper “DriverDesc” key.
d) Edit, or add, the string key “NetworkAddress” (has the data type “REG_SZ”) to contain the new MAC address.
e) Disable then re-enable the network interface that you changed (or reboot the system).
Method 3:
Use the program Etherchange from http://ntsecurity.nu/toolbox/etherchange/
Windows 9x
Use the same method as Windows 2000/XP except for the registry key
location is “HKEY_LOCAL_MACHINESystem
CurrentControlSetServicesClassNet” and you must reboot your system.
Popularity: 10% [?]
Related posts:
- How to merge multiple CSV files This is a very simple trick I picked up that has saved me A LOT of time when doing research that has required multiple csv...
- 0 Comment
- Tags: