But actually do people still bother with mac-spoofing in 2020? It's from a security/nw-admin pov next to useless (whitelist/filtering nor does it boost privacy of end-users). IMHO it gives people a false sense of security and as a "practice" seems like a relic from the '90s.
I don't know how it is now, but I remember a lot of generic/no-name Androids using the Mediatek platform would have random MAC addresses (which change every time you re-enable WiFi) because the manufacturer didn't bother writing a fixed one, so the firmware automatically generates a random one to use.
Plenty useful back when Panera limited you to 30 minutes of wifi; no idea if they still do.
Their wifi solution tracked you by MAC -- I think it was Sonicwalls? -- so when you hit the 30-min limit you'd spoof the MAC, re-connect, then back to business as usual.
I'd usually comply when the place was bumping -- hard to work when it's loud and crazy -- but most of the time it was empty in the mornings and the 30-min-limit was pointless.
This is not about privacy but access restriction (wifi in public hotspot limited to e.g. 30mins). And there it is still a very inexpensive solution I guess.
I chose Silicon Graphics (08:00:69) and it's fascinating to see that anyone else did, for any reason. For reference, my ISP hands out 2-8 IPv4 addresses, expiry indefinite (unless I power down), to clients connected to the cable modem. So my stack looks like
Depending on the mood of the ISP, I can have several other networks running from the 4-port switch. If I spoof those MACs repeatedly, I can get an arbitrary (within range) block of public IPs, and there's some seriously weird behavior in allocating those IPs (change my MAC 48 times in a row, end up on the same IP I had just lost from a power outage?)
I always use Sage (the accounting software folks) one of 00-80-2c as it's burned into my memory 30 years later after working on Sage Mainlan back in the days...
Cray computers were very famous in the 1970s and 1980s as highly specialist, highly parallel super computers with a fantastic marketing gimmick: not only were they the same size as 5 large refrigerators, they also came with their own built-in couch.
My high school provided MacBook Pros to students that would only connect to the network if the MAC address was whitelisted. Since I wanted to use my own newer Mac, I spoofed the address of my school provided one.
Since it was an open network, it was simple scraping the network for other connected devices and spoofing one at random, and I was surprised when the same technique worked in say, hotels with open networks.
My university required registration of MAC addresses for whitelisting & bandwidth metering. My enterprising roommate and I worked out that we could bypass all bandwidth limitations by spoofing the MAC addresses of machines in the computer labs as long as the machine was turned off. We eventually got caught for using something like 90% of the university's total bandwidth - the security admin was thrown for quite a loop when he tracked down the machines that were supposedly using all of the bandwidth and found that they were turned off at the time. Apparently it took some creative techniques to figure out where the traffic was actually coming from.
Our punishment was something like two weeks with all internet access revoked (except for the use of lab machines for classwork), plus a written apology, plus a signed agreement not to violate the acceptable use policies again or else face the real punishment for what we did.
The school administrator in charge of the punishment asked the security admin what we were downloading (this was when the MPAA/RIAA were cracking down hard on people uploading files on sharing networks), but the security admin had mercy on us and told her he didn't think it was relevant, thank god!
> Apparently it took some creative techniques to figure out where the traffic was actually coming from.
Probably they did look up the MAC address on the switches and saw it on a port that did not match expectations. If you were using a wired connection this would trivially lead to you... on wireless you would have to narrow it down further by monitoring signal strength of the station :)
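The switch-side lookup described in the reply above, as an added example that is not part of the thread: it compares MAC-table sightings against a registration inventory and flags addresses learned on a port that does not match expectations. The inventory, switch and port names, record format and addresses are all constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed inventory: registered MAC -> (switch, port) where it should appear.
INVENTORY = {
    "08:00:69:aa:00:01": ("lab-sw1", "Gi0/3"),
    "08:00:69:aa:00:02": ("lab-sw1", "Gi0/4"),
}

# Constructed MAC-table observations as time,switch,port,mac (not a vendor format).
OBSERVATIONS = """\
09:00:05,lab-sw1,Gi0/3,08:00:69:AA:00:01
09:00:05,lab-sw1,Gi0/4,08:00:69:aa:00:02
22:14:40,dorm-sw7,Gi0/19,08:00:69:aa:00:01
22:14:52,dorm-sw7,Gi0/19,02:00:00:10:20:30
22:31:07,lab-sw1,Gi0/3,08:00:69:aa:00:01
"""


def find_mismatches(observations, inventory):
    """Flag MACs that are unregistered, off their expected port, or on several ports."""
    seen = defaultdict(list)  # mac -> [(time, "switch/port")] in log order
    for row in csv.reader(io.StringIO(observations)):
        if len(row) != 4:
            continue  # skip blank or malformed lines
        when, switch, port, mac = (field.strip() for field in row)
        seen[mac.lower()].append((when, f"{switch}/{port}"))

    findings = []
    for mac, sightings in seen.items():
        if mac not in inventory:
            findings.append(("unregistered", mac, sightings[0][0], sightings[0][1]))
            continue
        expected = "/".join(inventory[mac])
        for when, where in sightings:
            if where != expected:
                findings.append(("unexpected_port", mac, when, where))
        places = sorted({where for _, where in sightings})
        if len(places) > 1:
            findings.append(("multiple_ports", mac, sightings[-1][0], ",".join(places)))
    return findings


if __name__ == "__main__":
    for finding in find_mismatches(OBSERVATIONS, INVENTORY):
        print(*finding)
```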
My university dorms didn't allow XBox 360s or other gaming systems on the network, so I did the same thing by spoofing my laptop's address. I wasn't much of a "HACKERMAN" growing up, but this was one accomplishment that really drew me in and caused me to start studying OSI.
This was ~15 years ago. The bandwidth metering was in place to throttle people doing big downloads via the internet. We had something like 1gb per week at 100mbps, then gradually got brought down to something like dialup. Internet2 was not metered.
There were people running internal torrent trackers and file indexing/sharing sites on the LAN that could saturate the network infrastructure between the various dorms and buildings on campus. I guess the whitelisting also helped figure out who was doing what when problems happened.
Yes but if they were connected to the same router.
Most of these systems are distributed and having multiple APs connected to some central Radius server.
Because modern systems optimize for roaming between nodes, you can join network, use dns-sd to gather mac addresses of the computers which are not physically connected to your AP (in conjunction with 'tcpdump -I')
Then voila, 2 devices using same MAC without any problems.
PS. I personally use "printer" addresses for 2 reasons:
1: generally everyone forgets to nicely setup firewall for them since they're infrastructure objects.
2: they have relatively less traffic and probably located in some obscure room with an AP for them.
I was less concerned about authentication issues and more about routing issues as ARP would lead to results depending on time and location inside the network topology...
DO NOT generate a random MAC Address in the manner suggested here. You have a chance of setting the "Locally administered address" bit, or worse the unicast/multicast bit. This will cause some network switches to silently drop your packets and you won't know why.
I learned this at 2 in the morning trying to bring up a second FPGA. Couldn't work out why it didn't work when the first one did, and it turned out to be because someone (possibly me) had picked the MAC Address 01:02:03:04:05:06 (we were on a private network).
Instead, pick an OUI you like (the first 3 bytes), and then randomly generate the last 3.
Actually this is effectively a broadcast/multicast MAC address.
The first byte of your MAC address should always be an even number. The value of the second bit is supposed to indicate if the MAC is "burned-in" and basically doesn't matter. The LSB of the first byte, however, should always be zero.
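The two flag bits in the first octet that the comments above are discussing, as an added example that is not part of the thread: bit 0 is the individual/group (multicast) bit and bit 1 is the universal/local bit. The function names are hypothetical and the trailing octets of the sample addresses are constructed; the generator covers both approaches mentioned on this page (keep a chosen OUI, or mark the address locally administered).

```python
import re
import secrets

MULTICAST_BIT = 0x01  # I/G: bit 0 of the first octet, 1 = group (multicast)
LOCAL_BIT = 0x02      # U/L: bit 1 of the first octet, 1 = locally administered


def parse_octets(text, count=6):
    """Parse colon- or dash-separated hex octets, e.g. a MAC (6) or an OUI (3)."""
    parts = re.split(r"[:-]", text.strip())
    if len(parts) != count or not all(re.fullmatch(r"[0-9A-Fa-f]{1,2}", p) for p in parts):
        raise ValueError(f"expected {count} hex octets, got {text!r}")
    return bytes(int(p, 16) for p in parts)


def classify(mac):
    """Report the two flag bits carried in the first octet."""
    first = parse_octets(mac)[0]
    return {"multicast": bool(first & MULTICAST_BIT),
            "locally_administered": bool(first & LOCAL_BIT)}


def random_unicast_mac(oui=None):
    """Random station address that is always unicast.

    With an OUI, keep those 3 octets and randomize the last 3.
    Without one, randomize all 6, then set U/L and clear I/G.
    """
    if oui is None:
        raw = bytearray(secrets.token_bytes(6))
        raw[0] = (raw[0] | LOCAL_BIT) & ~MULTICAST_BIT & 0xFF
    else:
        head = parse_octets(oui, count=3)
        if head[0] & MULTICAST_BIT:
            raise ValueError("OUI has the multicast bit set")
        raw = bytearray(head + secrets.token_bytes(3))
    return ":".join(f"{b:02x}" for b in raw)


if __name__ == "__main__":
    # 01:02:03:04:05:06 is the address from the comment above; the second is
    # the Silicon Graphics OUI from this page with constructed trailing octets.
    for mac in ("01:02:03:04:05:06", "08:00:69:12:34:56", random_unicast_mac()):
        print(mac, classify(mac))
```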
A very useful thing that I automated recently is changing my router’s MAC address and subsequently rebooting the modem. For my ISP (xfinity) this has the amazing benefit of getting me a new IP. For a home connection, your IP is the easiest way to track you. Yes VPNs exist and are better (depends on provider, latency, blahblah), but if you don’t mind your ISP seeing your traffic and instead just want to avoid an IP representing your identity, it’s a very easy way to accomplish this.
I learned this back in the day when running into daily transfer limits on free file sharing websites. Big hassle when trying to download multi-part zip archives on a weekend.
Nowadays people upload to Google Drive, plus other hosts have more relaxed limits, so I haven't had the need to do it as often. But it's still useful to know.
I always wondered what happened to the rapidshare/megaupload space that existed if that’s what you mean by “free file sharing websites”. Curious where people moved to/what are the major indexes now?
Author here - Sorry about that! I'm still running an older (2017-era) MBP, but honestly I think many other solutions kicked around in the comments here are better than what I'd come up with.
(I'd really wanted to write a bash script, this seemed like a good option.)
It’s not an issue with Big Sur, rather it’s a hardware issue with Macs starting around 2018. I had the same problem on a 2020 MacBook Air running Catalina.
"The link-level ("link") address is specified as a series of colon-separated hex digits. This can be used to, for example, set a new MAC address on an Ethernet interface, though the mechanism used is not Ethernet specific. Use the ("random") keyword to set a randomly generated MAC address. A randomly-generated MAC address might be the same as one already in use in the network. Such duplications are extremely unlikely. If the interface is already up when this option is used, it will be briefly brought down and then brought back up again in order to ensure that the receive filter in the underlying Ethernet hardware is properly reprogrammed."
This works on other system menu bar icons, as well as on menus in some apps. For example, holding option down with the File menu open in most Apple apps gets you the "save as" item.
Now you'll spend your next hour option-clicking random stuff. Sorry.
Option is the most irritating feature of mac UX, everywhere it keeps popping new hidden features, it is true even for top menu and simple navigations.
Most irritating for me is if all windows of an app are hidden (minimized), simple Cmd+Tab doesn't bring anything to focus, but some gymnastics with Option and voila now you can see your Slack.
Author here! Yeah, that menu option was super useful to find, too. I've not really used this shell script for a while (I spend a lot less time in coffee shops now because Covid) but I still use the option-click thing regularly.
This has been sitting in my ~/scripts/ folder for the past 3.5 years. Just changing randomly the last pair was enough to do the trick in most situations.
Also it requires understanding the first time which one is your WiFi interface.
When I used something like this on macOS, it confused software like OmniFocus that used the MAC address for licensing and synchronization. I'm not sure if that's still the case, but worth keeping an eye on.
If you're using wpa_supplicant (most Linux distros and probably Android), you can automatically randomise the MAC address, even before association, using
set mac_addr 1
set preassoc_mac_addr 1
set gas_rand_mac_addr 1
On a home network you may want to disable this to avoid emptying the DHCP address pool. I do this using a dhcpcd run hook that checks the network SSID against a whitelist.
Maybe use a /8 subnet with reasonable DHCP lease durations to avoid that possibility. I know not all home gear can do it (old WRT54G with stock firmware can’t; thinking more along the lines of pfSense or Ubiquiti routers).
Hey, author here! Imagine my surprise to check HN this morning and see one of my posts up! (Thanks, u/mooreds!)
Besides being riddled with typos, as I've scanned through these comments I'm finding many _far better ways_ of accomplishing what I set out to accomplish.
I might update my script (and consequently the post) sometime soon! Unfortunately with Covid, I've spent far less time in coffee shops than I once did.
I’ve always wanted to try this on airplane wifi to (1) avoid the ridiculous charges and (2) see what happens when I share a MAC address with someone who already paid and is on the network ... I’m guessing nothing good.
Of course I need to first use Wireshark or something to get a MAC address that’s already connected to the network. This is where I’m hazy.
Since most paid wifi networks let you log in without a network password and then gate internet access by redirecting HTTP/DNS requests to a captive portal, it should be possible to launch an ARP spoofing attack [0] to impersonate the default gateway, causing all clients to route their traffic to your device, whereupon you can examine it with Wireshark or tcpdump to get at their MAC addresses. I've tried something similar while bored on a flight, but sadly the Surface Pro 7's Windows network drivers don't seem to let you change your MAC address.
If it's an open (unencrypted) network you don't even need to ARP spoof. Their MAC address will already be in cleartext in the packets - just start your interface in monitor mode on the proper channel and capture some traffic.
Then I use someone who's idle but has a legitimate connection.
Please note that those networks are not encrypted/secured at all. So anyone within range (or with large antenna) can essentially capture or inject something...
ifconfig en0 | grep ether # one of these will return a MAC address that matches
ifconfig en1 | grep ether # the value you saw when looking for your current
ifconfig en2 | grep ether # mac address.
ifconfig en3 | grep ether # Keep incrementing the `en0` value until you run out of
# devices
I would have solved this by running “ifconfig -a | less” and then typing “/ether”. I’m curious if anyone has a different way of doing it!
I would like to see, something that would change/ask for a new IPv6 address for each application on your computer, or for each browser tab a different IPv6 address.
I have to always do this to pass those hotel wifi login portals.
What I will do is spoof my mac address to match my laptop, and then pass the login wall to create a session. Then restore the original mac address, and then I can finally use my apple tv on the hotel wifi...
Don't just randomly pick numbers for a mac address. Make sure the bit 1 of the leftmost octet is set to 1, which indicates a "locally administered" mac address, and that bit 0 of that same octet is set to zero, which indicates a non-multicast address.
At most you'll annoy your internet service provider. MAC addresses don't leave the immediate network they're used on, so you can do whatever you want within your home network.
I gave it a try and couldn't get it to change. It will show as the new address in the terminal window but when I hit option + wifi it shows me the prior address.
I am actually surprised this was possible even in Mavericks. Using it since then...
Yes UI shows original address and existing connection will use existing address (i.e. not changed). But if you re-connect (turn off then on WiFi) it will use new one.
Weirdly "disconnect" was always using whatever set in the ifconfig. Meaning that I could "deauthenticate" other people by spoofing their address.
“We’ve got a problem; someone’s misusing the crap out of the free wifi”
“Let’s narrow it down by hardware: what kind of device are they using?”
“How should I know!?”
“Check the first three bytes of their MAC address; it’ll tell you the mfr”
“OK... checking now... yeah I see them... looking up their MAC... bingo... hey, what is ‘Cray Inc’?”
—
Better versions of this joke are available here:
http://standards-oui.ieee.org/oui/oui.txt