Macchanger - Spoofing your MAC Address

# macchanger - Spoofing your MAC Address

This is going to be a really quick and simple tutorial. I’ve decided to post this because a while ago, I was having trouble using this program, so this is for anyone who’s having trouble using it right now.

The MAC Address (Media Access Control Address) is a unique identifier for your network interface on a network. There are numerous reasons why you would want to change/spoof your MAC Address. Just to name a few:

  • Privacy: This hides your machine’s manufacturer (e.g. Asustek, Acer, etc.), which can appear when someone scans your network;

  • Bypass MAC Address filtering (Some networks limit access based on MAC Addresses);

  • Allows you to “evade” Forensics (It’ll be more difficult to track you);

For this tutorial, I’ll be using macchanger (This is a command line tool). If you’re more comfortable using a GUI tool, you can try macchanger-gtk.

You can install either one by typing:

sudo apt-get install macchanger or sudo apt-get install macchanger-gtk, respectively.

Now we need to take down our network adapter in order to successfully change our MAC Address, so once you finish the installation, write in the terminal (This step is vital; if you fail to do so, you won’t be able to change the MAC Address):

sudo ifconfig <network_interface> down

And to change the MAC Address type:

sudo macchanger -r <network_interface>

The -r flag generates a random MAC Address. There are other flags that allow you to choose a MAC Address of your liking.

All we have to do now is bring our network adapter back up…

sudo ifconfig <network_interface> up

If you want to explore the other options the program has to offer, simply type macchanger --help to see all flags and options available.

We reached the end of the tutorial. Hope you enjoyed reading it, and as always, feel free to comment below!

13 Likes

Thanks for the write up and your time.

Doesn’t macchanger append 00-00-00-00-00 to the end of the MAC, making you stand out to a trained eye?

Also, doesn’t -r generate gibberish MACs that don’t go to any vendor known to man?
Wouldn’t -a/-A be a better starting point?

Furthermore, has macchanger been patched after the rolling update 3? It will get overridden by NM when you down/up it. As reported by: mmusket33

One last thing, people with multiple wlans report strange naming (MAC in the name) of monitor mode interfaces after bringing them up?

Thanks again!

3 Likes

I use macchanger all the time to get free WiFi. Most premium hotspots just validate that you’ve paid based on your MAC address. So if you do a scan or check the ARP broadcasts, you can just spoof their MAC address and hijack their connection, giving you free WiFi.

I might make a tutorial on it.

6 Likes

I use NM but have no problem. I did have an issue where it would be overridden, but the solution is to disconnect from the network before putting your network device down. And then allow it to automatically reconnect.

2 Likes

Hi pry0cc, glad to be part of the new community. Quick question, does what you’re mentioning work by just spoofing a MAC using the hotspot already? For example, if a hotspot provides internet access that requires login and pw, would that be needed? I’ve been maintaining access by spoofing my MAC and using the hotspot’s free trial time, but it is getting old having to do this over and over again. Your method really interests me as a solution to this. Thanks

Hey @Cx2H , just to let you know that I’m a little busy atm but I will try to answer your questions later today!

It’s OK but thanks again.

If you can find a device that uses premium on the network, then you can do it. It seems that MAC spoofing already works on the network, so you could try doing a network scan and finding it, and then spoofing the MAC.

I’d add that this only works if the MAC address is the only factor used in determining network privileges.

Some networks will have a specific WiFi password mapped to each whitelisted MAC address. Whether it is random or some hash, I have not yet figured out.

2 Likes

Yep, that’s a pretty good way to get free WiFi. Did that a few times too, works like a charm.
Most of these WiFis you can connect to at first (because there is no password for the WiFi itself). But afterwards you are prompted in a browser to enter the credentials to access the internet.
So you can easily do an nmap scan, look which clients are connected and take one of their MAC addresses.

Another way to use these WiFis without changing the MAC would be something like dns2tcp. That should work as well. Sadly I don’t have experience with dns2tcp yet…

3 Likes

There’re a few things:

You can use netdiscover, arp-scan, or nmap to seek out another MAC. Finding out which MACs are able to access the internet can be simple brute force. If anything, you could write a program to parse the netdiscover result and then apply changes until you can get, let’s say, an HTTP 200 from http://google.com/.

In the same program, you can utilize macchanger or even just sudo ifconfig <interface> hw ether xx:xx:xx:xx:xx:xx.

So, this’ll work for things like Airport WiFi; however, there’s one downside: the person who rightfully owns that MAC could be disrupted because of ARP and IP, right?

4 Likes

That would be for WPA2 secured networks. We are talking about hotspots which are already open, but require auth via login through a web-gui. Generally these kind of networks charge.

This means you can join the network (since it is open), do an IP scan (if client isolation isn’t set), and just try and get lucky spoofing the MAC addresses. Generally these systems only use MAC addresses as a filter, but some more advanced systems use fingerprinting via canvas; however, this can be temperamental and is generally not widely used.

2 Likes

Absolutely. But we don’t care, cause we do what we want. XD

3 Likes

@Cx2H, to answer your questions:

  • Regarding the -r flag, the reason I chose that flag was because I was thinking about if someone were to scan your network and see your manufacturer (let’s say it’s Toshiba), they could use an exploit that’s well known for Toshiba machines, so by hiding the original manufacturer (Usually it’s listed as “Unknown Vendor”), you are a little bit more protected.

  • Regarding the other subjects, even though it happened to me, I didn’t notice it. I’ll definitely look into it and see what I can find. If I do find anything relevant, I’ll post it here (sorry for not giving any solution right now).

1 Like

Well, is there not packet splicing taking place since identical MACs would confuse the router/switch/whatever ?

Perhaps. But your machine wouldn’t acknowledge their traffic and vice versa since it isn’t waiting for it, it hasn’t opened a TCP connection. Perhaps UDP?

@unh0lys0da knows more about low level networking than me.

My point is: If you have the same MAC, then the router/DHCP will give you the same IP as the machine off of which you are spoofing. Right? I mean, a TCP stream would be alright if the connection is constant, but if you’re just shooting UDPs then what happens?

@airth: care to chime in?

I’m in a rush at the moment but @oaktree tagged me so I will try to give some insight from what I know at least (not much). I haven’t read the whole convo but it seems like @oaktree is confused on how 2 machines can have the same MAC address. @pry0cc I don’t know how this MAC spoofing technique works exactly but theoretically speaking you can’t just hijack a MAC address of a machine that is connected to that so called “purchased” hotspot and surf the web. Most routers nowadays are Layer 3 switches. Meaning, they learn MAC addresses as well, they don’t route traffic only. After they learn the MAC address there is this so called address cache, where the MAC is being saved for a certain time. The only possible and logical manoeuvre to me seems like to hijack the cache/CAM table where the MAC addresses are stored and then use that MAC address when the machine you want to spoof from is offline. If it’s online, there will be issues. Moreover @oaktree, your IP is dynamic in most cases. Meaning, it changes once in a while and there is no mapping between MAC and IP when you boot up your machine. I hope I didn’t misunderstand the issue. If anyone has more to add, please do.

Hmm. Well it still works? Surely the switch/router has no way of determining between each device? I’m guessing that they continue working, or something sketchy happens with ARP.

I think you may have misunderstood the concept. You can simply spoof your MAC address, I’ve done it before. I don’t know what exactly happens under the hood, but it works.
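From the defender's side, two things in this thread can be checked in code: the earlier question of whether a `-r` address stands out to a trained eye (it usually does, because a randomly generated MAC normally carries the IEEE "locally administered" bit, 0x02 in the first octet, and rarely lands on a registered OUI, which is why macchanger lists it as "Unknown Vendor"), and the later worry about two machines sharing one MAC. The example below is added here and is not code from the original post or from macchanger; the two-entry OUI table and the `arp -n` output are constructed sample data.

```python
# Added example (not from the original post or macchanger): classify a MAC and
# flag MACs that answer for more than one IP in an ARP table.
import re
from collections import defaultdict

# Constructed subset of the IEEE OUI registry; a real check uses the full list.
OUI_TABLE = {"00:50:56": "VMware", "b8:27:eb": "Raspberry Pi Foundation"}

MAC_RE = re.compile(r"^[0-9a-f]{2}([:-])(?:[0-9a-f]{2}\1){4}[0-9a-f]{2}$", re.I)
ARP_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+\S+\s+([0-9a-f:]{17})", re.I)

def parse_mac(text):
    """Return the six octets of aa:bb:cc:dd:ee:ff (or aa-bb-...); ValueError otherwise."""
    text = text.strip()
    if not MAC_RE.match(text):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes.fromhex(re.sub(r"[:-]", "", text))

def classify_mac(text):
    """The first-octet bits and OUI a trained eye checks when a MAC looks odd."""
    octets = parse_mac(text)
    oui = ":".join(f"{b:02x}" for b in octets[:3])
    return {
        "oui": oui,
        # A random MAC rarely lands on a registered OUI, hence "Unknown Vendor".
        "vendor": OUI_TABLE.get(oui, "Unknown Vendor"),
        # Bit 0 of the first octet set: group/multicast, never a host address.
        "multicast": bool(octets[0] & 0x01),
        # Bit 1 set: locally administered, i.e. not a burned-in address.
        "locally_administered": bool(octets[0] & 0x02),
    }

def duplicate_macs(arp_output):
    """Map each MAC seen under more than one IP in `arp -n` output to those IPs."""
    seen = defaultdict(set)
    for line in arp_output.splitlines():
        m = ARP_RE.match(line.strip())
        if m:
            seen[m.group(2).lower()].add(m.group(1))
    return {mac: sorted(ips) for mac, ips in seen.items() if len(ips) > 1}

# Constructed `arp -n` output: one MAC answers for two IPs, one MAC is random.
SAMPLE_ARP = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.1              ether   b8:27:eb:01:02:03   C                     wlan0
192.168.1.20             ether   00:50:56:11:22:33   C                     wlan0
192.168.1.21             ether   00:50:56:11:22:33   C                     wlan0
192.168.1.30             ether   02:12:34:56:78:9a   C                     wlan0
"""
```

Running `classify_mac` on the addresses in `SAMPLE_ARP` marks `02:12:34:56:78:9a` as locally administered with an unknown vendor, and `duplicate_macs(SAMPLE_ARP)` reports `00:50:56:11:22:33` under both 192.168.1.20 and 192.168.1.21.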