Introduction
In this lab, we will explore how to spoof MAC addresses using Nmap. Spoofing a MAC address allows you to disguise your network identity during a scan, which can be useful for evading detection or testing network security.
The lab covers specifying a custom MAC address using the --spoof-mac option, randomizing the MAC address with --spoof-mac 0, adding verbosity with the -v flag, saving the spoofed scan output to a file, and comparing the results with a normal scan in the Xfce terminal.
Spoof MAC with nmap --spoof-mac 00:11:22:33:44:55 192.168.1.1
In this step, we will explore how to spoof a MAC address using Nmap. Spoofing a MAC address allows you to disguise your network identity during a scan. This can be useful for various reasons, such as evading detection or testing network security.
Before we begin, let's briefly discuss what a MAC address is. A MAC (Media Access Control) address is a unique identifier assigned to a network interface controller (NIC) for use as a network address in communications within a network segment. It's like a physical address for your network card.
Now, let's use Nmap to spoof our MAC address. We'll use the --spoof-mac option followed by the desired MAC address and the target IP address.
Open your Xfce terminal.
Execute the following command:
sudo nmap --spoof-mac 00:11:22:33:44:55 192.168.1.1
This command tells Nmap to use the MAC address 00:11:22:33:44:55 during the scan of the target IP address 192.168.1.1. You will likely see output similar to a normal Nmap scan, but the source MAC address used for the scan will be the spoofed one.
The output will show the results of the scan, including open ports and other information about the target.
Example output (the specific output will vary depending on the target):
Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:00 UTC
Nmap scan report for 192.168.1.1
Host is up (0.00020s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 0.10s
In this example, Nmap scanned 192.168.1.1 using the spoofed MAC address 00:11:22:33:44:55.
Randomize MAC with nmap --spoof-mac 0 127.0.0.1
In the previous step, we learned how to spoof a MAC address with a specific value. In this step, we'll explore how to randomize the MAC address using Nmap. This is useful when you want to avoid being tracked by using a predictable MAC address.
Nmap allows you to randomize the MAC address by using 0 as the argument for the --spoof-mac option. This tells Nmap to generate a completely random MAC address for each scan.
Open your Xfce terminal.
Execute the following command:
sudo nmap --spoof-mac 0 127.0.0.1
This command tells Nmap to use a random MAC address during the scan of the target IP address 127.0.0.1 (localhost).
The output will show the results of the scan, including open ports and other information about the target. Because we are scanning localhost, the results should be relatively quick.
Example output (the specific output will vary depending on the target and system configuration):
Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:05 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000090s latency).
Loopback interface ignored, scanning 0 interfaces
All 1000 scanned ports on localhost are closed
Nmap done: 1 IP address (1 host up) scanned in 0.01s
In this example, Nmap scanned 127.0.0.1 using a randomized MAC address. Each time you run this command, Nmap will generate a different MAC address.
Add verbosity with nmap -v --spoof-mac 00:11:22:33:44:55 192.168.1.1
In this step, we will combine MAC address spoofing with increased verbosity in Nmap. Verbosity provides more detailed information about the scan process, which can be helpful for troubleshooting or understanding Nmap's behavior.
The -v option in Nmap increases the verbosity level. Using -v once provides more information than the default, and using it multiple times (e.g., -vv or -vvv) increases the verbosity even further.
Open your Xfce terminal.
Execute the following command:
sudo nmap -v --spoof-mac 00:11:22:33:44:55 192.168.1.1
This command tells Nmap to perform a scan of 192.168.1.1, spoof the MAC address to 00:11:22:33:44:55, and provide verbose output.
The output will be more detailed than in the previous steps, showing the different stages of the scan, the probes being sent, and the responses received.
Example output (the specific output will vary depending on the target and system configuration):
Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:10 UTC
NSE: Loaded 0 scripts for scanning.
Initiating Ping Scan at 10:10
Scanning 192.168.1.1 [4 ports]
Completed Ping Scan at 10:10, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 10:10
Completed Parallel DNS resolution of 1 host. at 10:10, 0.00s elapsed
Initiating SYN Stealth Scan at 10:10
Scanning 192.168.1.1 [1000 ports]
Discovered open port 80/tcp on 192.168.1.1
Completed SYN Stealth Scan at 10:10, 0.05s elapsed (1000 total ports)
Nmap scan report for 192.168.1.1
Host is up (0.00018s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
80/tcp open http
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.07s
Raw packets sent: 1001 (44.044KB) | Rcvd: 1001 (40.044KB)
Notice the additional information provided, such as the NSE script loading, the initiation of different scan phases (Ping Scan, DNS resolution, SYN Stealth Scan), and the number of packets sent and received. This level of detail can be invaluable when debugging network issues or analyzing scan results.
Save spoofed scan with nmap --spoof-mac 0 -oN spoof.txt 127.0.0.1
In this step, we will learn how to save the output of an Nmap scan to a file. This is useful for later analysis or for generating reports. We will also continue to use MAC address spoofing.
Nmap provides several options for saving scan results. The -oN option saves the output in a "normal" format, which is human-readable. The -oG option saves the output in a grepable format, which is useful for scripting. The -oX option saves the output in XML format, which is useful for importing into other tools.
Open your Xfce terminal.
Execute the following command:
sudo nmap --spoof-mac 0 -oN spoof.txt 127.0.0.1
This command tells Nmap to perform a scan of 127.0.0.1, randomize the MAC address, and save the output in normal format to a file named spoof.txt in your current directory (~/project).
After the scan is complete, you can view the contents of the spoof.txt file using the cat command:
cat spoof.txt
The output will show the scan results in a human-readable format, similar to what you see on the terminal.
Example output (the specific output will vary depending on the target and system configuration):
Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:15 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000090s latency).
Loopback interface ignored, scanning 0 interfaces
All 1000 scanned ports on localhost are closed
Nmap done: 1 IP address (1 host up) scanned in 0.01s
The spoof.txt file now contains the results of the Nmap scan, which you can review at your convenience.
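The step above mentions that the grepable (-oG) format is the one meant for scripting. The script below is an added example for this lab, not part of the original page, showing why: every grepable line is a set of tab-separated "Host: ... Ports: ... Ignored State: ..." fields, and each port entry is port/state/proto/owner/service/rpc/version/, so awk can pull out the open ports directly. The sample file is constructed, not real scan data, and the function name open_ports_from_gnmap is the example's own.

```shell
#!/bin/sh
# Added example (not from the original lab): extracting open ports from Nmap's
# grepable (-oG) output with awk. Fields are tab-separated; each port entry is
# port/state/proto/owner/service/rpc/version/.
set -eu

# Constructed sample of -oG output for two hosts (not real scan data).
make_sample_gnmap() {
  printf '# Nmap 7.80 scan initiated Fri Oct 27 10:15:00 2023 as: nmap -oG sample.gnmap 192.168.1.1-2\n'
  printf 'Host: 192.168.1.1 (router.lan)\tStatus: Up\n'
  printf 'Host: 192.168.1.1 (router.lan)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///\tIgnored State: closed (997)\n'
  printf 'Host: 192.168.1.2 ()\tStatus: Up\n'
  printf 'Host: 192.168.1.2 ()\tPorts: 80/open/tcp//http///\tIgnored State: closed (999)\n'
  printf '# Nmap done at Fri Oct 27 10:15:01 2023 -- 2 IP addresses (2 hosts up) scanned in 0.52 seconds\n'
}

# open_ports_from_gnmap FILE: print "host port/proto service" for every open port.
open_ports_from_gnmap() {
  awk -F '\t' '
    /^Host:/ {
      host = $1
      sub(/^Host: /, "", host); sub(/ .*$/, "", host)   # keep only the IP address
      for (i = 2; i <= NF; i++) {
        if ($i !~ /^Ports: /) continue
        ports = $i; sub(/^Ports: /, "", ports)
        n = split(ports, entry, ", ")                    # one entry per scanned port
        for (j = 1; j <= n; j++) {
          split(entry[j], f, "/")   # f[1]=port f[2]=state f[3]=proto f[5]=service
          if (f[2] == "open") print host, f[1] "/" f[3], f[5]
        }
      }
    }' "$1"
}

# Demo run on the constructed sample.
sample=$(mktemp)
make_sample_gnmap > "$sample"
open_ports_from_gnmap "$sample"
rm -f "$sample"
```

Run it as-is to see the three open ports from the sample; to use it on a real scan, save with -oG instead of -oN and pass that file to open_ports_from_gnmap.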
Review scan output in Xfce terminal
In this step, we will review the scan output that we saved to the spoof.txt file in the previous step. This will give you practice in interpreting Nmap scan results.
Open your Xfce terminal.
Use the cat command to display the contents of the spoof.txt file:
cat spoof.txt
The output will show the Nmap scan report. Let's break down the key parts of the report:
- Starting Nmap: This line shows the Nmap version and the date and time the scan was started.
- Nmap scan report for: This line indicates the target of the scan (in this case, localhost or 127.0.0.1).
- Host is up: This line confirms that the target host is reachable. The latency (round-trip time) is also shown.
- Ports: This section lists the ports that were scanned and their status (open, closed, filtered). In the previous step, if all ports were closed, you'd see "All 1000 scanned ports on localhost are closed". If any ports were open, they would be listed here with their service name (e.g., 80/tcp open http).
- Nmap done: This line summarizes the scan, including the number of IP addresses scanned and the total scan time.
Example output (the specific output will vary depending on the target and system configuration):
Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:20 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000090s latency).
Loopback interface ignored, scanning 0 interfaces
All 1000 scanned ports on localhost are closed
Nmap done: 1 IP address (1 host up) scanned in 0.01s
Take some time to examine the output and understand what it tells you about the target system. In the next step, we will compare this output with the output of a normal scan (without MAC address spoofing) to see if there are any differences.
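The breakdown above lists the parts of a normal-format report worth reading. The script below is an added example for this lab, not part of the original page, that extracts exactly those parts (target, host state, latency, open ports, and the "Not shown" or "All ... scanned ports" summary) from an -oN file with awk, so a saved report such as spoof.txt can be checked by a script instead of by eye. The two sample reports are copied from this lab's own example output; the function name summarize_nmap_report and the key=value output format are the example's own choices.

```shell
#!/bin/sh
# Added example (not from the original lab): pulling the key fields of a
# normal-format (-oN) Nmap report out with awk.
set -eu

# Sample reports, copied from the lab's example output.
sample_spoofed_report() {
  cat <<'EOF'
Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:15 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000090s latency).
Loopback interface ignored, scanning 0 interfaces
All 1000 scanned ports on localhost are closed
Nmap done: 1 IP address (1 host up) scanned in 0.01s
EOF
}

sample_router_report() {
  cat <<'EOF'
Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:00 UTC
Nmap scan report for 192.168.1.1
Host is up (0.00020s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 0.10s
EOF
}

# summarize_nmap_report FILE: print one key=value line per field of interest.
summarize_nmap_report() {
  awk '
    /^Nmap scan report for / { target = substr($0, 22) }   # text after the 21-char prefix
    /^Host is up/ {
      state = "up"
      # "(0.00020s latency)" -> keep the value between "(" and " latency)"
      if (match($0, /\([0-9.]+s latency\)/))
        latency = substr($0, RSTART + 1, RLENGTH - 10)
    }
    /^[0-9]+\/(tcp|udp|sctp)[ \t]+open/ {                  # e.g. "80/tcp open http"
      open = open (open == "" ? "" : ",") $1 ":" $3
    }
    /^Not shown: / { hidden = $3 " " $4 " ports" }          # "Not shown: 999 closed ports"
    /^All [0-9]+ scanned ports/ { hidden = $2 " " $NF " ports" }  # "All 1000 ... are closed"
    END {
      print "target=" (target == "" ? "unknown" : target)
      print "state=" (state == "" ? "down" : state)
      print "latency=" (latency == "" ? "n/a" : latency)
      print "open_ports=" (open == "" ? "none" : open)
      print "hidden=" (hidden == "" ? "none" : hidden)
    }' "$1"
}

# Demo run over both sample reports.
for mk in sample_spoofed_report sample_router_report; do
  f=$(mktemp); "$mk" > "$f"
  echo "== $mk"; summarize_nmap_report "$f"
  rm -f "$f"
done
```

For the spoofed localhost report this prints open_ports=none and hidden=1000 closed ports; for the 192.168.1.1 report it prints open_ports=80/tcp:http and hidden=999 closed ports. Pass spoof.txt to summarize_nmap_report to summarize the file saved in the previous step.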
Compare with normal scan in Xfce terminal
In this step, we will perform a normal Nmap scan (without MAC address spoofing) and compare its output with the spoofed scan output from the previous steps. This will help you understand if MAC address spoofing affects the scan results.
Open your Xfce terminal.
First, run a normal Nmap scan of 127.0.0.1:
sudo nmap 127.0.0.1
This command will perform a standard Nmap scan of the localhost.
Carefully examine the output of this scan. Note the following:
- The Nmap version and start time.
- The target of the scan (127.0.0.1).
- Whether the host is up.
- The list of scanned ports and their status (open, closed, filtered).
- The scan completion time.
Example output (the specific output will vary depending on the target and system configuration):
Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:25 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000090s latency).
Loopback interface ignored, scanning 0 interfaces
All 1000 scanned ports on localhost are closed
Nmap done: 1 IP address (1 host up) scanned in 0.01s
Now, compare this output with the contents of the spoof.txt file, which contains the output of the spoofed scan. You can view the contents of spoof.txt using the cat command:
cat spoof.txt
Are there any differences between the two scan results? In most basic scenarios, the scan results will be identical. However, in more complex network environments, MAC address spoofing might affect how the target system responds to the scan, potentially leading to different results. This is because some network devices or firewalls might use MAC addresses for filtering or access control.
In this simple lab environment, the primary purpose of MAC address spoofing is to obscure the origin of the scan, not necessarily to alter the scan results.
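A plain diff of spoof.txt against the normal scan's output will always report differences, because the start time, the measured latency and the total duration change on every run. The script below is an added example for this lab, not part of the original page: it blanks out those volatile fields and then diffs the two reports, so that only real differences in the results remain. The spoofed and normal samples are the lab's own example output; the third report, with port 80 open, is constructed to show what a genuine difference looks like. The function names normalize_nmap_report and compare_nmap_reports are the example's own. Note that, per the Nmap reference, --spoof-mac applies to the raw Ethernet frames Nmap sends (it implies --send-eth), so a loopback scan such as the one in this lab is not expected to differ at all.

```shell
#!/bin/sh
# Added example (not from the original lab): comparing two -oN reports while
# ignoring the fields that change on every run (start time, latency, duration).
set -eu

# Samples: the lab's spoofed and normal localhost reports, plus a constructed
# report in which port 80 is open.
sample_spoofed_report() {
  cat <<'EOF'
Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:15 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000090s latency).
Loopback interface ignored, scanning 0 interfaces
All 1000 scanned ports on localhost are closed
Nmap done: 1 IP address (1 host up) scanned in 0.01s
EOF
}

sample_normal_report() {
  cat <<'EOF'
Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:25 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000090s latency).
Loopback interface ignored, scanning 0 interfaces
All 1000 scanned ports on localhost are closed
Nmap done: 1 IP address (1 host up) scanned in 0.01s
EOF
}

sample_changed_report() {
  cat <<'EOF'
Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:30 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000011s latency).
Loopback interface ignored, scanning 0 interfaces
Not shown: 999 closed ports
PORT STATE SERVICE
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 0.02s
EOF
}

# normalize_nmap_report FILE: replace the run-to-run noise with fixed markers.
normalize_nmap_report() {
  sed -e 's/^\(Starting Nmap .*\) at .*$/\1 at <time>/' \
      -e 's/([0-9.]*s latency)/(<latency>)/' \
      -e 's/scanned in [0-9.]*s$/scanned in <duration>/' "$1"
}

# compare_nmap_reports A B: return 0 when the normalized reports match,
# 1 otherwise (the unified diff of the normalized text is printed on a mismatch).
compare_nmap_reports() {
  na=$(mktemp); nb=$(mktemp)
  normalize_nmap_report "$1" > "$na"
  normalize_nmap_report "$2" > "$nb"
  if diff -u "$na" "$nb"; then rc=0; else rc=1; fi
  rm -f "$na" "$nb"
  return "$rc"
}

# Demo: the lab's two reports match; the constructed one does not.
spoofed=$(mktemp); normal=$(mktemp); changed=$(mktemp)
sample_spoofed_report > "$spoofed"
sample_normal_report > "$normal"
sample_changed_report > "$changed"
if compare_nmap_reports "$spoofed" "$normal"; then
  echo "spoofed vs normal: identical apart from timing"
fi
if ! compare_nmap_reports "$spoofed" "$changed"; then
  echo "spoofed vs changed: results differ"
fi
rm -f "$spoofed" "$normal" "$changed"
```

To compare your own files, call compare_nmap_reports spoof.txt normal.txt after saving the normal scan with -oN normal.txt; an exit status of 0 means the two scans found the same thing.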
Summary
In this lab, we explored how to spoof MAC addresses using Nmap. We learned to use the --spoof-mac option to specify a particular MAC address, such as 00:11:22:33:44:55, during a scan of a target IP address. This allows us to disguise our network identity and potentially evade detection.
Furthermore, we began to investigate how to randomize the MAC address using Nmap, which is useful for avoiding tracking by using a predictable MAC address. The lab demonstrated the basic syntax for both specifying a MAC address and randomizing it, setting the foundation for more advanced network scanning techniques.