(Sometimes known as MAC spoofing)
First let me explain a few things about MAC addresses. MAC stands for Media Access Control and in a sense the MAC address is a computer's true name on a LAN. An Ethernet MAC address is a six byte number, usually expressed as a twelve digit hexadecimal number (Example: 1AB4C234AB1F).
IPs are translated to MAC address by a protocol called ARP (Address Resolution Protocol). Let's say a computer with and IP of 192.168.1.1 wants to send information to another computer on the LAN that has an IP of 192.168.1.2 . First 192.168.1.1 will send out a broadcast to all stations on the LAN asking who has the IP 192.168.1.2. Then the box that has 192.168.1.2 will respond to 192.168.1.1 with it's MAC address which is cached in 192.168.1.1's ARP table for later use. To put this in Socratic Dialog form (with just a touch of Stallone):
Host 1 (192.168.1.1): Yo everyone on the LAN (FF:FF:FF:FF:FF:FF), who has the IP 192.168.1.2? My MAC is DE:AD:BE:EF:CA:FE so you can respond back to me.
Host 2 (192.168.1.2): Hello DE:AD:BE:EF:CA:FE, I have IP 192.168.1.2 and my MAC address is 12:34:56:78:90:12 so you can send your IP packets to me.
You can see the ARP table of a box by dropping out to a command prompt and typing "arp –a" in Windows or just "arp" in Linux. ARP can also work the other way by a host on the LAN sending its MAC address to another machine on the LAN for preemptive caching unless the host is configured to not accept un-requested ARP replies.
A person might want to change the MAC address of a NIC for many reasons:
- To get past MAC address filtering on a router. Valid MAC addresses can be found by sniffing them and then the deviant user could assume the MAC of a valid host. Having two hosts on the same network can cause some network stability problems, but much of the time it's workable. This is one of the reasons why MIC Address filtering on a wireless router is pointless. An attacker can just sniff the MAC address out of the air while in monitor mode and set his WiFi NIC to use it. Interestingly, a lot of hotels use MAC filtering in their "pay to surf" schemes, so this method can be an instant in for cheap skate road warriors.
- Sniffing other connections on the network. By assuming another host's MAC as their own they may receive packets not meant for them. However, ARP poisoning is generally a better method than MAC spoofing to accomplish this task.
- So as to keep their burned in MAC address out of IDS and security logs, thus keeping deviant behavior from being connected to their hardware. For example, two of the main things a DHCP server logs when it leases an IP to a client is the MAC address and host name. If you have a wireless router look around on it's web interface for where it logs this info. Luckily there are tools to randomize this information (MadMACs).
- To pull off a denial of service attack, for instance assuming the MAC of the gateway to a sub net might cause traffic problems. Also, a lot of WiFi routers will lock up if a client tries to connect with the same MAC as the router's BSSID.
Linux
To change your MAC address in Linux (and most *nix system) is easy as pie. All it takes is two easy to script commands:
ifconfig eth0 down hw ether 00:00:00:00:00:01
ifconfig eth0 up
These two little commands would set your eth0 interface to use the MAC 00:00:00:00:00:01. Just plug in the NIC you want to set and the MAC address you want to use into the commands above and your done. Changing your MAC address is one of those things that is much easier to do in Linux then under Windows.
