How to Spoof a MAC

What is a MAC Address?

A MAC address is a unique identifier that’s associated to an individual network interface card (NIC). I like to think of them like a Social Security Number for a computer i.e. they are unique and only exist for that particular computer. MACs are what allows the Internet to work, for without them, there would be no Internet.

MAC addresses are also referred to as Hardware Addresses or Physical Addresses that uniquely identify network interface cards on a Local Area Network (LAN). MAC addresses are 12-digit hexadecimal numbers equaling 48 bits or 6 bytes in length. As illustrated in figure 1 below, the first 3 bytes are referred to as the Organizational Unique Identifier or (OUI). This essentially identifies the manufacturer or vender of the physical network card. The last set of 3 bytes represents the specific ID assigned by the manufacturer to that particular network adapter.

figure 1

figure 1

As seen in figure 2, Mac addresses operate at the Data-Link layer of the OSI model, which is layer 2. This allows computers to uniquely identify themselves on a network at a relatively low level. When a device needs to communicate with the Internet, then an IP Address will be mapped to the MAC address by what is known as an ARP cache or ARP table. The Address Resolution Protocol (ARP) is the protocol that’s responsible for this mapping configuration and for keeping the ARP cache tables updated.

figure 2

figure 2

MAC Spoofing Procedure and Analysis

MAC spoofing is relatively easy to do and serves many purposes, which includes; appearing as a legitimate device on a system for which it is not, tracking avoidance, profiling avoidance, and on wireless access points to provide multiple wireless networks with a single wireless interface. MAC spoofing is also used to reroute traffic, which could be for both good and bad reasons. MAC Spoofing also allows an attacker to assume the identity of another authorized device.

I identified two ways of spoofing a MAC address on an Apple Mac, one by using the command line, and the other by using 3rd party software called “WiFiSpoof” for Mac, which costs $9.99. I will first outline the procedure for changing the MAC via the command line. The command line method requires knowledge of various commands that will run in the command line. I was able to identify my existing mac address as indicated below:

Miguels-Mac-Pro:~ mb$ ifconfig en0 | grep ether

                ether 00:25:00:ef:0a:34

I ran the following command:

Miguels-Mac-Pro:~ mb$ sudo ifconfig en0 ether 11.22.33.44.55.66

The resultant output is as follows:

en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=b<RXCSUM,TXCSUM,VLAN_HWTAGGING>
ether 11:22:33:44:55:66
nd6 options=1<PERFORMNUD>
media: autoselect (<unknown type>)
status: inactive

The second method used to Spoof a MAC address requires 3rd party software, which I did not buy, but rather, downloaded a free 14-day trial version. The software is very simple to use. At first launch, the current MAC address is displayed as seen below:

Current MAC:
figure 3 - Current MAC

figure 3 – Current MAC

Spoofed MAC:

To change the current MAC address, one click to the randomize button does the trick as seen below:

figure 4 - Spoofed MAC

figure 4 – Spoofed MAC

en2: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
ether 6a:83:84:89:89:04
inet6 fe80::6883:84ff:fe89:8904%en2 prefixlen 64 scopeid 0x6
inet 192.168.1.4 netmask 0xffffff00 broadcast 192.168.1.255
nd6 options=1<PERFORMNUD>
media: autoselect
status: active

Restored MAC:

To restore the MAC, click on the “Hardware Address:” button as seen below, then the “Restore” option pop-up window will display:

figure 5 - MAC restoration

figure 5 – MAC restoration

en2:flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
ether 00:1f:f3:bd:89:c3
inet6 fe80::21f:f3ff:febd:89c3%en2 prefixlen 64 scopeid 0x6
inet 192.168.1.4 netmask 0xffffff00 broadcast 192.168.1.255
nd6 options=1<PERFORMNUD>
media: autoselect
status: active

Conclusion

MAC spoofing has its many uses, some good, some bad, and is also very easy to implement as seen above. Once a computer goes offline, attackers can impersonate computers using spoofed MAC addresses.

MAC filtering has its limitations because it can’t differentiate the legitimacy of Mac addresses, which is why other security mechanisms should be in place. MAC filtering is most beneficial when it is implemented as part of a “Defense in Depth” strategy or “Unified Threat Management” (UTM). Spoofing a MAC address hides the identity of its implementer, which is detrimental to online privacy concerns when used for nefarious purposes; therefore, it’s critical to not rely solely on MAC filtering as a security mechanism.

Citation:

Cardenas, E. D. (2003, 8 23). MAC Spoofing–An Introduction. Retrieved 5 2015, 2015, from giac.org: http://www.giac.org/paper/gsec/3199/mac-spoofing-an-introduction/105315

feross. (2015). SpoofMAC. Retrieved 5 23, 2015, from GitHub: https://github.com/feross/SpoofMAC

Kishore, A. (2015, 4 2). Change or Spoof a MAC Address in Windows or OS X. Retrieved 5 22, 2015, from Online Tech Tips: http://www.online-tech-tips.com/computer-tips/how-to-change-mac-address/

macupdate. (2015). mac apps. Retrieved 5 23, 2015, from macupdate: http://www.macupdate.com/app/mac/44340/wifispoof

Mitchell, B. (2015). Wireless/Networking. Retrieved 2015, from About.com: http://compnetworking.about.com/od/networkprotocolsip/l/aa062202a.htm

Patience. (2014, 10 21). Ask Different. Retrieved 5 23, 2015, from StackExchange: http://apple.stackexchange.com/questions/151986/change-mac-address-in-os-x-yosemite

Perot, E. (2013, 1 22). Etienne Perot Blog Post. Retrieved 5 23, 2015, from perot.me: https://perot.me/mac-spoofing-what-why-how-and-something-about-coffee

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s