Doug Vitale Tech Blog

Spoofing MAC addresses in Linux and Windows

Recall that each network adapter (whether wired or wireless) has a hard-coded  (“burned in”) Media Access Control (MAC) address that uniquely identifies the adapter on the local network to which it is connected. MAC addresses are 48-bit values comprised of twelve hexadecimal characters (0-9 and A-F). The twelve characters are separated into six pairs or octets. The first three octets are called the organizationally unique identifier (OUI) which identifies the manufacturer of the network adapter and the last three octets uniquely identify the adapter itself.

Many networks (WLANs in particular) enforce access restrictions based on host MAC addresses. To bypass this MAC filtering you can fake or “spoof” your own MAC address (you will need a known permitted MAC address to change to, obviously).

Linux

Modern operating systems give you the ability to bypass the burned in MAC address in favor of an arbitrary one that you specify. In Linux this is a simple process. To temporarily (until next reboot) change your MAC address, enter the following commands as root (where eth0 is your network interface card).

# ifconfig eth0 down
# ifconfig eth0 hw ether 00:70:59:CE:f1:20 (or whichever value you choose)
# ifconfig eth0 up

To use the new ip command (which replaces the deprecated ifconfig):

# ip link set dev [interface] address [mac_addr]

When you reboot, Linux will revert back to using the network interface card’s (NIC’s) normal MAC address. To make your spoofed MAC address “permanent”, in Red Hat/Fedora/CentOS you can edit /etc/sysconfig/network-scripts/ifcfg-eth0 (replace ‘eth0′ with your interface) and add:

MACADDR=21:22:44:34:23:27 (or whichever value you prefer).


For other distributions you may have to edit /etc/network/interfaces. This easy, straightforward process can be simplified even further by the GNU MAC Changer utility.

Jump to:

Windows

In Windows this process is surprisingly not much harder. In Windows Vista and 7 go to Control Panel -> Network and Sharing Center -> Change Adapter Settings. Then right-click on your NIC/adapter and choose Properties. Then click Configure, and select ‘Locally Administered MAC Address” (the MAC entry may also appear as ‘Network Address’). This process is the same for Windows XP except that instead of the Network and Sharing Center you would see ‘Network and Dial-up Connections’.

Change MAC address in Windows 7

Changing the MAC address of a wireless adapter in Windows 7

If you consider yourself too l337 to use  a Control Panel applet, you can run Regedit (regedt32.exe), navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}. This key contains several subkeys named 0000, 0001, 0002, etc. Check the DriverDesc for each subkey until you find the one for the adapter whose MAC address you want to spoof. In the appropriate subkey, create a new string value called ‘NetworkAddress’ and enter the spoofed MAC address you want to use. If NetworkAddress already exists, just edit its value.

Change MAC address in Windows registry

Using Regedit to configure a MAC address in Windows 7

The methods described above will work but they are cumbersome during efforts such as vulnerability assessments and penetration tests when you may need to frequently change your MAC address and IP settings “on the fly”. That’s where tools like SMAC and TMAC are especially handy (as well as these ones here for IP settings only).

SMAC

SMAC (Spoof MAC Address) by KLC Consulting is a shareware utility that lets you easily configure spoofed MAC addresses on Windows 2000, XP, Server 2003, Vista, 7, and Server 2008. You can install a trial edition to experiment with SMAC but be aware that you will get a registration “nag” screen when you launch it, and per the SMAC FAQ the only value that you can assign as your MAC address is 0C-0C-0C-0C-0C-0C. A license for SMAC v2.x is currently priced at $39.99 on the KLC website. To properly run SMAC you need to right-click the program’s shortcut and choose ‘Run as Administrator’.

SMAC registration dialog

SMAC registration dialog. Click 'Proceed' to continue.

SMAC user interface

The SMAC v2.7 user interface

Currently there are two versions of SMAC available from KLC – version 2.0 which appears to date from November 2005 and version 2.7 beta which appears to date from January 2010.

Notice in the screen shot above how the drop-down menu allows you to select MAC addresses from many network adapter manufacturers. After you input your desired MAC address value, click ‘Update MAC ‘ and reboot. To go back to using your real MAC address, run the program again and click ‘Remove MAC’.

TMAC

A very similar tool is Technitium Mac Address Changer, or TMAC. Currently released at version 6.0.5 (released Oct. 1, 2013), TMAC is freeware.

TMAC v6.0.5 user interface

TMAC v6.0.5 user interface

In addition to MAC address spoofing, TMAC also lets you set other IP parameters for your network adapters. You can also export your adapter configuration settings to Configuration Preset Files (.cpf).

TMAC v6.03 network adapter configuration options

TMAC v6.0.5 network adapter configuration options

TMAC v6.03 interface for creating and editing preset configuration files

TMAC v6.03 interface for creating and editing preset configuration files

The creator of TMAC maintains a blog.


Nmap and MAC spoofing

You can configure Nmap to utilize a spoofed MAC address during its scans with the --spoof-mac [mac_address/prefix/vendor_name] command option. This switch configures Nmap to use the specified MAC address for all raw Ethernet frames it sends. If the address provided is 0 (zero), Nmap will supply a randomly generated MAC address for the session.


Recommended reading

If you found the content of this article helpful and want to expand your knowledge further, please consider buying a relevant book using the links below. Thanks!

Hacking Exposed Wireless on Amazon Hacking Exposed Wireless  BackTrack 5 Wireless Penetration Testing on Amazon BackTrack 5 Wireless Pen Testing

Security Power Tools on Amazon Security Power Tools  Low Tech Hacking on Amazon Low Tech Hacking

About these ads

Written by Doug Vitale

November 27, 2011 at 9:30 AM

%d bloggers like this: