In this article I will show you some simple, common, but quite effective tricks from Wi-Fi pentesting practice: hiding your MAC address while scanning the network and attacking WPA2, identifying "hidden" networks, bypassing MAC filtering and jamming someone else's access point.
All tips are given strictly for educational purposes. Blocking data transmission and using the tools discussed here may be prosecuted by law. Penetration tests require written authorization from the customer. Remember that deauthentication events are recorded in the router's logs.
Changing the MAC address and generating a new one automatically on every Wi-Fi connection
MAC (Media Access Control) is a unique identifier that is issued to each unit of active equipment (that is, a network adapter, router, switch, and so on) or some of their interfaces.
The MAC is burned into the equipment during manufacture and is used on the network to identify the sender and receiver of a frame. The idea is that when a new device appears on the network, the administrator does not have to assign a MAC to it manually.
A MAC is unique (or at least should be) for each network interface. A single device may have several of them: a laptop, for example, has at least two, one for the wired Ethernet controller and one for the Wi-Fi adapter. On a router or switch the addresses are unique per port, and on a Wi-Fi router each wireless interface has its own address as well (on modern routers, one for 2.4 GHz and one for 5 GHz).
Why change MAC?
The MAC uniquely identifies the device and does not change when you change the operating system, because it is burned into the chip that implements the network interface.
Pentesters and hackers hide their MAC so that their equipment cannot be identified during an engagement. You can probably see why this matters: if you use your real MAC, it may have been exposed when connecting to other networks. There are also tools that correlate MAC addresses with geographic coordinates, for example the iSniff-GPS script from the Kali suite.
So, suppose you are using Linux. Let's see how to change the MAC without using additional programs.
Open a terminal and enter the command:
$ ifconfig | grep HWaddr
If you use Ethernet, you can see the addresses of the adapters as follows:
$ ifconfig | grep ether
To temporarily change your MAC, you need to turn off the corresponding network interface. For example, for the eth1 interface, the command would be:
$ ifconfig eth1 down
Now you can set a new MAC:
$ ifconfig eth1 hw ether 00:00:00:00:00:11
You can, of course, substitute any digits you like into this template.
Now bring eth1 back up:
$ ifconfig eth1 up
Finally, check that the change has taken effect. If you list the MAC addresses again, you will see that the interface's address has changed. Note, however, that after a reboot the old MAC will be back.
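The manual procedure above, as an added example that is not part of the original article: it generates a random MAC with the locally-administered bit set (an address like 00:00:00:00:00:11 has that bit clear and so looks like a vendor-assigned one) and applies it with the iproute2 `ip link` commands instead of ifconfig. The `apply_mac` step assumes a Linux host and root privileges; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original article). Generates a random
# locally-administered unicast MAC and applies it with iproute2.
# Assumes /dev/urandom and `ip`; apply_mac needs root and a real interface.

# Print a random MAC whose first octet has the locally-administered bit
# (0x02) set and the multicast bit (0x01) clear, so it cannot collide
# with a manufacturer OUI and is valid as a unicast source address.
gen_local_mac() {
    hex=$(od -An -N6 -tx1 /dev/urandom | tr -d ' \n')
    first=$(printf '%02x' $(( 0x$(echo "$hex" | cut -c1-2) & 0xfe | 0x02 )))
    rest=$(echo "$hex" | cut -c3-12 | sed 's/../&:/g; s/:$//')
    echo "$first:$rest"
}

# Return 0 if $1 is a well-formed MAC with the local bit set and the
# multicast bit clear, 1 otherwise. Used as a sanity check before applying.
is_local_unicast_mac() {
    echo "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' || return 1
    first=$(echo "$1" | cut -c1-2)
    [ $(( 0x$first & 0x03 )) -eq 2 ]
}

# Take the interface down, set the address, bring it back up and print
# the MAC the kernel now reports, so the change can be verified. Root only.
apply_mac() {
    iface=$1
    mac=$2
    is_local_unicast_mac "$mac" || { echo "refusing non-local MAC: $mac" >&2; return 1; }
    ip link set dev "$iface" down &&
    ip link set dev "$iface" address "$mac" &&
    ip link set dev "$iface" up &&
    ip -o link show dev "$iface" | sed -n 's/.*link\/ether \([0-9a-fA-F:]*\).*/\1/p'
}

# usage (as root): apply_mac wlan0 "$(gen_local_mac)"
```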
It would be convenient if the MAC changed every time you connected to a network. The NetworkManager package helps here: starting with version 1.4 it supports MAC spoofing and has a number of useful options.
MAC rules are configured separately for each group of interfaces: wired (ethernet) and wireless (wifi).
Also remember that a wireless adapter can be in one of two states:
- scanning – controlled by a property whose value yes means that an arbitrary MAC address is used while scanning; if you choose no, this does not happen;
- connected to a network – controlled by the property wifi.cloned-mac-address (its possible values are listed below).
For a wired interface (property ethernet.cloned-mac-address) and for a connected wireless interface (property wifi.cloned-mac-address) the following options are available:
- explicit MAC – that is, you can set your permanent MAC;
- permanent – use the MAC address burned into the device (the default);
- preserve – do not change the MAC of the device after activation (for example, if the MAC was changed by another program, the current address will be used);
- random – generate a random value for each connection.
NetworkManager is configured through the file /etc/NetworkManager/NetworkManager.conf. Alternatively, you can add a separate file with the .conf extension to the directory /etc/NetworkManager/conf.d (in that case the config can be named anything you like). I recommend the second method, since NetworkManager usually replaces the main .conf on update, and any changes you made to it will be lost.
Turn on the automatic generation of random MAC addresses
If you want the MAC address to change every time you connect, but the same MAC to be reused when connecting to the same network, you need to add a couple of lines to the config. Here they are:
The wifi.cloned-mac-address and ethernet.cloned-mac-address settings can be set individually or together.
You can check the values by typing ip a. For the changes to take effect, restart NetworkManager:
$ sudo systemctl restart NetworkManager
Now connect to the wireless network and check the MAC values again.
The same address will be generated for the same network. If you want the addresses to always differ, the settings are as follows:
Setting a specific MAC
Suppose we need to use a specific MAC. To do this, we edit the config again.
To specify the MAC for the wired interface, add the following lines:
To set the MAC for a wireless connection, these are:
Instead of <new MAC>, of course, write the MAC address you want. And naturally you can configure the settings for both wired and wireless connections at the same time.
Note that with this method the MAC changes only after you connect to a network. Before that, the interfaces keep their original addresses. Wi-Fi may be an exception if you have already configured spoofing during scanning, as shown above. To cancel spoofing, add the following lines to the config:
Then restart the service for the change to take effect.
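The three NetworkManager configurations described above (same random MAC per network, a new one on every connection, and a fixed or permanent address) written as one conf.d drop-in; this is an added example, not the article's own config. It assumes NetworkManager 1.4 or later, the [device] key wifi.scan-rand-mac-address for scan randomization and the value stable for "random but the same for the same network"; the filename 99-mac.conf and the function name are arbitrary choices of mine.

```shell
#!/bin/sh
# Added example (not from the original article). Writes a NetworkManager
# drop-in under conf.d implementing the MAC policies discussed in the text.
# Assumes NetworkManager >= 1.4. The directory is a parameter so the
# function can be exercised without root; "99-mac.conf" is an arbitrary name.
#
# mode:  stable    - random MAC, but the same one for the same network
#        random    - a new random MAC on every connection
#        permanent - stop spoofing and use the address burned into the device
#        preserve  - keep whatever MAC another program has set
#        XX:XX:XX:XX:XX:XX - a fixed address of your choosing
write_mac_policy() {
    mode=$1
    dir=${2:-/etc/NetworkManager/conf.d}
    case "$mode" in
        stable|random|permanent|preserve) ;;
        *)  echo "$mode" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' ||
                { echo "unknown mode: $mode" >&2; return 1; } ;;
    esac
    # When spoofing is switched off entirely, stop randomizing scans too.
    scan=yes
    if [ "$mode" = permanent ]; then
        scan=no
    fi
    mkdir -p "$dir" || return 1
    {
        echo '[device]'
        echo "wifi.scan-rand-mac-address=$scan"
        echo
        echo '[connection]'
        echo "wifi.cloned-mac-address=$mode"
        echo "ethernet.cloned-mac-address=$mode"
    } > "$dir/99-mac.conf"
}

# usage (as root): write_mac_policy stable && systemctl restart NetworkManager
```

Remember that, as the text says, the connection-time address only changes after NetworkManager brings the connection up, so check with ip a after connecting.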
Other ways to programmatically change the MAC
NetworkManager is not the only thing that can change a MAC. In fact, there are many ways to do it, using both third-party programs and system services. So that we can track the results, change the NetworkManager settings:
Now it will not spoof the MAC while scanning for wireless networks.
Since wifi.cloned-mac-address is not specified in the NetworkManager settings, the default value (preserve) will be used, even if the MAC has been modified by other programs.
I will run the remaining examples in Kali Linux and change the settings of the Wi-Fi adapter. What all these methods have in common is that the changes are lost after a reboot or after the adapter is reconnected.