How to Test and Circumvent MAC Address Controls
A very common defense against hacking for wireless networks is Media Access Control (MAC) address controls. This is where you configure your APs to allow only wireless clients with known MAC addresses to connect to the network. Consequently, a very common hack against wireless networks is MAC address spoofing.
The bad guys can easily spoof MAC addresses in UNIX, by using the ifconfig command, and in Windows, by using the SMAC utility. However, like WEP and WPA, MAC-address-based access controls are another layer of protection and better than nothing at all.
If someone spoofs one of your MAC addresses, the only way to detect malicious behavior is through contextual awareness by spotting the same MAC address being used in two or more places on the WLAN, which can be tricky.
One simple way to determine whether an AP is using MAC address controls is to try to associate with it and obtain an IP address via DHCP. If you can get an IP address, the AP doesn’t have MAC address controls enabled.
The following steps outline how you can test your MAC address controls and demonstrate just how easy they are to circumvent:
1. Find an AP to attach to.
You can do this simply by loading NetStumbler.
Note the MAC address of this AP as well. This will help you make sure you’re looking at the right packets. Although most of the MAC address of this AP is hidden for the sake of privacy, let’s just say its MAC address is 00:40:96:FF:FF:FF. NetStumbler was able to determine the IP address of the AP. Getting an IP address will confirm that you’re on the right wireless network.
2. Using a WLAN analyzer, look for a wireless client sending a probe request packet to the broadcast address or the AP replying with a probe response.
You can set up a filter in your analyzer to look for such frames, or you can simply capture packets and browse through them looking for the AP’s MAC address, which you noted in Step 1.
Note that the wireless client (again for privacy, suppose its full MAC address is 00:09:5B:FF:FF:FF) first sends out a probe request to the broadcast address (FF:FF:FF:FF:FF:FF) in packet number 98. The AP (whose MAC address you noted in Step 1) replies with a Probe Response to 00:09:5B:FF:FF:FF, confirming that this is indeed a wireless client on the network.
3. Change your test computer’s MAC address to the wireless client’s MAC address you found in Step 2.
In UNIX and Linux, you can change your MAC address very easily by using the ifconfig command as follows:
a. Log in as root and then disable the network interface.
Insert the name of the network interface that you want to disable (typically wlan0 or ath0) into the command, like this:
[root@localhost root]# ifconfig wlan0 down
b. Enter the new MAC address you want to use.
Insert the fake MAC address and the network interface name like this:
[root@localhost root]# ifconfig wlan0 hw ether 01:23:45:67:89:ab
The following command also works in Linux:
[root@localhost root]# ip link set wlan0 address 01:23:45:67:89:ab
c. Bring the interface back up with this command:
[root@localhost root]# ifconfig wlan0 up
If you change your Linux MAC addresses often, you can use a more feature-rich utility called GNU MAC Changer.
In Windows, you might be able to change your MAC address in your wireless NIC properties via Control Panel. However, if you don’t like tweaking the OS in this manner or prefer to have an automated tool, you can use a neat and inexpensive tool created by KLC Consulting called SMAC.
To reverse any of the preceding MAC address changes, simply reverse the steps performed and then delete any data you created.
Note that APs, routers, switches, and the like might detect when more than one system is using the same MAC address on the network (that is, yours and the host that you’re spoofing). You might have to wait until that system is no longer on the network; however, there are rarely any issues spoofing MAC addresses in this way, so you probably won’t have to do anything.
4. Ensure that your wireless NIC is configured for the appropriate SSID.
Even if your network is running WEP or WPA, you can still test your MAC address controls. You just need to enter your encryption key(s) before you can connect.
5. Obtain an IP address on the network.
You can do this by rebooting or by disabling and re-enabling your wireless NIC. Alternatively, you can do it manually by running ipconfig /renew at a Windows command prompt or by entering a known IP address in your wireless network card’s network properties.
6. Confirm that you’re on the network by pinging another host or browsing the Internet.
That’s all there is to it! You’ve circumvented your wireless network’s MAC address controls in six simple steps. Piece of cake!
The easiest way to prevent the circumvention of MAC address controls and subsequent unauthorized attachment to your wireless network is to enable WPA or ideally WPA2. Another way to control MAC spoofing is by using a wireless IPS. This second option is certainly more costly, but it could be well worth the money when you consider the other proactive monitoring and blocking benefits such a system would provide.
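The contextual-awareness check described earlier (the same client MAC address turning up at two or more places on the WLAN, which is also what the APs and switches mentioned in Step 3 look for) can be scripted against an association log exported from a controller or WLAN sensor. The following is an added example, not code from the original text: it assumes a simple (timestamp, client MAC, BSSID) record format, uses constructed sample records built from the placeholder addresses in the text, and flags any client that appears on two different APs faster than a plausible roam.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of association records (timestamp, client MAC, AP BSSID).
# The addresses are the placeholder values used in the text, not real devices.
SAMPLE_ASSOCIATIONS = [
    ("2024-01-01 09:00:00", "00:09:5B:FF:FF:FF", "00:40:96:FF:FF:FF"),
    # Same client MAC on a second AP only 5 seconds later: too fast for a roam,
    # so it is most likely a second station using a spoofed address.
    ("2024-01-01 09:00:05", "00:09:5B:FF:FF:FF", "00:40:96:FF:FF:FE"),
    ("2024-01-01 09:10:00", "00:09:5B:FF:FF:FE", "00:40:96:FF:FF:FF"),
    # A different client moving APs 15 minutes later looks like a normal roam.
    ("2024-01-01 09:25:00", "00:09:5B:FF:FF:FE", "00:40:96:FF:FF:FE"),
]


def parse_records(rows):
    """Normalise raw rows into (datetime, lower-case MAC, lower-case BSSID)."""
    return [
        (datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), mac.lower(), bssid.lower())
        for ts, mac, bssid in rows
    ]


def find_duplicate_macs(records, window=timedelta(seconds=60)):
    """Return {mac: [(bssid_a, bssid_b, seconds_apart), ...]} for every client
    MAC that associates with two different APs within `window`.

    `window` is the assumed shortest credible roam time; anything faster is
    treated as the same address being used in two places at once."""
    by_mac = defaultdict(list)
    for ts, mac, bssid in sorted(records):
        by_mac[mac].append((ts, bssid))

    alerts = {}
    for mac, seen in by_mac.items():
        # Compare each association with the one immediately before it.
        for (t1, b1), (t2, b2) in zip(seen, seen[1:]):
            if b1 != b2 and (t2 - t1) <= window:
                gap = int((t2 - t1).total_seconds())
                alerts.setdefault(mac, []).append((b1, b2, gap))
    return alerts


if __name__ == "__main__":
    for mac, hits in find_duplicate_macs(parse_records(SAMPLE_ASSOCIATIONS)).items():
        for bssid_a, bssid_b, gap in hits:
            print(f"ALERT {mac}: seen on {bssid_a} and {bssid_b} {gap}s apart")
```

The roam window is the knob to tune: too short and a fast-roaming laptop is never flagged, too long and every hallway roam raises an alert.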