Example - Bypassing WiFi MAC Address Restriction

Among security professionals, it is a well-known fact that using only MAC address restriction is useless as a protection mechanism for WiFi. But for the general public, this is still a popular method. This post aims to show how easy it actually is to hijack someone's MAC address and bypass this restriction.

Here is the process, as used on a Windows laptop:

  1. Obtain a valid MAC address that is allowed on the network
  2. Download macshift, created by one of Internet's renaissance men - Nate True
  3. Copy macshift.exe to c:\Windows\System32\
  4. Find the Windows name of your wireless connection in Network Connections, for example "Wireless Network Connection"
  5. Open a Command Prompt (Start -> Run -> cmd.exe)
  6. Obtain your adapter's MAC address, by typing ipconfig /all on the command prompt. The result will include the MAC address of all interfaces.
  7. Type macshift VALID_MAC_ADDRESS -i "Wireless Network Connection". Here is an example screenshot.
  8. Happy surfing
NOTE: Don't forget to change your MAC back to its original value when you are done!

The process without step 1 takes a total of 5 minutes. Now, it can be argued that it is not easy to obtain a valid MAC address, so here are two scenarios:
  • If the WiFi network does not allow unlisted MAC addresses to associate, then you can:
    • Put your WiFi card in monitor mode and capture some traffic - from there it is easy to find the MAC addresses
    • Write a brute force program that will cycle the MAC address of your adapter and try to associate with the LAN. You can optimize the brute force by finding a laptop that can connect to the network and record the actual model. Then you can just cycle through half of the MAC address bytes
  • If the WiFi network allows for unlisted MAC addresses to associate and then uses some sort of egress filtering, on the router or service selection gateway, things are much easier - just run a sniffer for 5 minutes and collect all other MAC addresses on the network. Filter out the gateway MAC, and at a later time (usually in the dead of night) try them one by one.
This example is presented just as an eye-opener for readers with less security experience. MAC address filtering may be used as a deterrent, but only in combination with WPA2 encryption and the smallest possible range of the WiFi access point signal.
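The flip side of the scenarios above is what a defender can still do: since an allow list only proves that a MAC address is permitted, not which device is using it, the useful signal is a permitted MAC that suddenly behaves like two hosts. The script below is an added example, not code from the original post or from macshift. It assumes a simple constructed record format of "timestamp MAC IP" per line (the way a DHCP server or access point lease log might be exported; the format and the sample lines are made up for this example) and an assumed lease length of 8 hours, and flags any MAC that obtains a second, different IP address while its earlier lease is still live, which is the footprint a cloned MAC leaves once the legitimate client and the clone are both on the network.

```python
"""Spot a cloned MAC address in DHCP lease / association records.

Added example for this post; not the page's own code and not macshift.
Record format is assumed: "ISO-timestamp MAC IP", one record per line.
"""
from datetime import datetime, timedelta

# Constructed sample records (not from a real network). 00:1b:77:aa:bb:cc is
# the legitimate laptop; at 02:12 the same MAC appears on a second IP while
# the 22:01 lease is still valid, i.e. two hosts are using one allowed MAC.
SAMPLE_LOG = """\
2008-07-01T22:01:10 00:1b:77:aa:bb:cc 192.168.1.20
2008-07-01T22:05:42 00:1b:77:dd:ee:ff 192.168.1.21
2008-07-02T02:12:55 00:1b:77:aa:bb:cc 192.168.1.37
2008-07-02T07:30:00 00:1b:77:dd:ee:ff 192.168.1.21
"""

LEASE_TIME = timedelta(hours=8)  # assumed DHCP lease length


def parse_records(text):
    """Parse the assumed record format into a time-sorted list of
    (timestamp, mac, ip) tuples; blank lines are ignored."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, mac, ip = line.split()
        records.append((datetime.fromisoformat(ts), mac.lower(), ip))
    records.sort()
    return records


def find_mac_clones(records, lease_time=LEASE_TIME):
    """Return alerts as (mac, earlier_ip, later_ip, later_timestamp).

    An honest client renewing its lease keeps its IP. One MAC holding two
    different IPs inside a single lease period means two hosts share the
    MAC, which is exactly what MAC cloning against an allow list looks like.
    """
    active = {}   # mac -> (ip, lease start) of the most recent lease seen
    alerts = []
    for ts, mac, ip in records:
        prev = active.get(mac)
        if prev is not None:
            prev_ip, prev_ts = prev
            if prev_ip != ip and ts - prev_ts < lease_time:
                alerts.append((mac, prev_ip, ip, ts))
        active[mac] = (ip, ts)
    return alerts


if __name__ == "__main__":
    for mac, ip_a, ip_b, ts in find_mac_clones(parse_records(SAMPLE_LOG)):
        print(f"{ts.isoformat()} possible clone of {mac}: {ip_a} and {ip_b} in one lease")
```

One caveat when running this over real lease data: a laptop that roams between two access points or is rebooted onto a different subnet can legitimately pick up a new address, so treat a hit as a prompt to look at the two sessions (signal strength, hostname, what the device was doing), not as proof on its own. The check is cheap precisely because it needs nothing beyond the lease log the router already keeps.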

Related posts
5 Rules to Home Wi-Fi Security

Talkback and comments are most welcome

3 comments:

Anonymous said...

"# Obtain a valid MAC address that is allowed on the network"

And that right there is the hard bit. Perhaps an article on that before declaring how easy it is.

EverybodyGeek said...

You can always guess a valid MAC address.. won't take too long ;-)

MAC address filtering is not secure, but your neighbor is probably not capable of finding a valid MAC address.
WPA is also considered to be outdated, so the only true security on Wifi is a combination of WPA2, MAC address filtering, not broadcasting your SSID and limiting DHCP.

Bozidar Spirovski said...

Actually I followed up this post with a tutorial for the less inquisitive:

http://www.shortinfosec.net/2008/07/obtaining-valid-mac-address-to-bypass.html

As EverybodyGeek says, finding a valid MAC address is really a joke. And to be truthful - even bothering with it is too much trouble. Just go with the 5 rules of home Wi-Fi security
http://www.shortinfosec.net/2008/04/5-rules-to-home-wi-fi-security.html
