Continuing the fundamentals series, we’re going over more than you ever needed to know about MAC addresses, OUIs and spoofing.


Every computer on a network needs an interface with a unique identifier, else how would Alice know the difference between Bob and Charlie? So that’s where we get:

Media Access Control address
otherwise known as a MAC address, physical address, or hardware address.
They’re identifiers unique to every NIC on the planet.

MAC address schemes come in three flavors: MAC-48, EUI-48 and EUI-64. Now EUI is just short for Extended Unique Identifier and covers other devices and software — not necessarily networking hardware. For example, FireWire.

The 48-bit identifiers have an address space containing about 281 trillion possible addresses (281,474,976,710,656) and aren’t expected to run out until the year 2100. EUI-64 addresses should be with us until, well, we colonize Eden Prime. Or Risa. Or New Caprica. Take your pick.

Now I mention NICs, so what are those?
Network Interface Controller. Also known as a network or LAN adapter, or simply a Network Interface Card, since they’re typically add-on cards that plug right into a motherboard.

So how do NICs get MACs?
IEEE – the Institute of Electrical and Electronics Engineers. They’re a pretty hip bunch of geeks dedicated to advancing technological innovations, and stuff. And since the 1960s this non-profit professional association has been making standards for stuff we love, like Ethernet, which goes by IEEE 802.3, or WiFi, which you’ve probably seen as IEEE 802.11.

Well the thing is these cool cats dole out what’s known as an OUI – or Organizationally Unique Identifier – to companies who manufacture networking products. The OUI is the first three octets of a MAC address and, as the name implies, it’s unique to each manufacturer.

For example, The Linksys Group has an OUI of 00-04-5A in hex, among a few others ’cause they’re a really big manufacturer. Netgear, on the other hand, has an OUI of 00-09-5B.

Tangent: Here’s a fun little bit of trivia. MAC addresses were originally born out of a Xerox Ethernet addressing scheme, which is why the OUI for Xerox Corporation is 00-00-00 through 00-00-09.

Now this is pretty cool because the MAC address is “burned into” the NIC, meaning it’s stored in the card’s hardware. Sometimes it’s in read-only memory, sometimes it’s part of rewritable firmware.

So suffice it to say if you run across a MAC address starting with Netgear’s OUI the device was manufactured by Netgear. Or was it?

I begin in BackTrack Linux by issuing the ifconfig command, which will tell me all sorts of information about my network interfaces, and using what we learned the other week I’ll pipe its output to another command, grep, which will show me just what I want — which in this case is anything on the same line as the word HWaddr.

ifconfig | grep HWaddr

I can see here I have two NICs: eth0, which is my Ethernet adapter, and wlan0, which is my wireless adapter. Wlan0’s hardware address has the first three octets of 00:c0:ca — which I can look up and find is the OUI of ALFA Inc.

Now I can actually change the MAC address of my wireless interface, and there are a few reasons why. For example, if I were a network administrator I might want to set up what’s known as locally administered addresses, rather than the universally administered addresses that came from the factory. Say, if I operated a large network and wanted to make restrictions based on MAC addresses.

On the black hat side of things I may wish to bypass restrictions imposed by administrators, or I might want to conceal my NIC’s true identity when performing attacks.

I’ll give you a real world example. If you go to the San Francisco airport they’ve got complimentary WiFi — for up to 40 minutes. After 40 minutes the system kicks you off. But if you change your MAC address and rejoin you get another 40 minutes of access. I know this because my flight got delayed once and the 3G service in that area wasn’t too great.

So back in Linux, to change the MAC address, I simply issue these three commands.

ifconfig wlan0 down
ifconfig wlan0 hw ether de:ad:be:ef:c0:fe
ifconfig wlan0 up

Run ifconfig again and there we go — a brand new MAC address.
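
For whoever is watching the network rather than changing the address, here is a small checker, added to these notes as an example and not part of the original show notes. It pulls the OUI out of a MAC address and reads the two flag bits in the first octet: the universal/local bit that separates factory addresses from locally administered ones, and the group (multicast) bit. The vendor table holds only the three OUIs quoted on this page, and the function names and sample inventory are made up for the example.

```python
import re

# Only the OUIs quoted on this page; a real check would load the full IEEE registry.
PAGE_OUIS = {
    "00:04:5a": "The Linksys Group",
    "00:09:5b": "Netgear",
    "00:c0:ca": "ALFA Inc.",
}

def parse_mac(text):
    """Return the six octets of a 48-bit MAC written with ':' or '-' separators."""
    parts = re.split(r"[:-]", text.strip())
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9A-Fa-f]{2}", p) for p in parts):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes(int(p, 16) for p in parts)

def classify(text):
    """Decode the OUI and the two flag bits carried in the first octet."""
    octets = parse_mac(text)
    oui = ":".join(f"{b:02x}" for b in octets[:3])
    local = bool(octets[0] & 0x02)      # U/L bit: 1 = locally administered
    multicast = bool(octets[0] & 0x01)  # I/G bit: 1 = group (multicast) address
    return {
        "mac": ":".join(f"{b:02x}" for b in octets),
        "oui": oui,
        # A locally administered address has no registered OUI to look up.
        "vendor": None if local else PAGE_OUIS.get(oui),
        "locally_administered": local,
        "multicast": multicast,
    }

def review(macs):
    """Flag addresses that cannot be a factory-assigned NIC address."""
    findings = []
    for mac in macs:
        info = classify(mac)
        if info["multicast"]:
            findings.append((info["mac"], "group bit set: not valid as a source address"))
        elif info["locally_administered"]:
            findings.append((info["mac"], "locally administered: overridden or randomized"))
    return findings

if __name__ == "__main__":
    # Constructed sample inventory (not captured data).
    sample = ["00-09-5B-12-34-56", "de:ad:be:ef:c0:fe", "00:c0:ca:aa:bb:cc"]
    print(review(sample))
```

The de:ad:be:ef:c0:fe address set above is flagged because 0xde has the local bit set. An address that copies a real vendor’s OUI passes this check untouched, which is why the OUI is a hint about the manufacturer and never proof.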

Now there’s a lot more to this that we’ll cover in future haktips, such as multicast vs unicast and a whole lot more in these fundamentals series.

But first, I’d like to hear your feedback. What programs or commands are rocking your world? What technologies are tickling your technolust? Hit me up — tips@hak5.org

And be sure to check out our sister show, Hak5 for more great stuff just like this. I’ll be there, reminding you to trust your technolust.

HakTip 5 – Media Access Control 101: Fundamentals and Spoofing

13 Comments

  • Knut
    Reply

    Hi!

    I watch all your shows and I love them.

    I would really like to know more on Proxmox, like is it possible to set up load balancing/failover by duplicating a VM?

    I would also like to know more on a virtualization technology you mentioned in an episode not long ago. It was supposed to let you run Windows apps in Linux… 😀

    Knut – Norway

  • Will
    Reply

    Hi Darren and Shannon,

    I wanted to know what Linux you are running at this time? I had problems jailbreaking my iPhone 3G with always having the app to crash. I could not find any other terminal emulators that would work. So I was forced to go back and use the default from Apple. I really wanted to root my phone. The show is great and thank you all for what you are doing.

    Will..

  • Norm
    Reply

    I have been MAC spoofing with SMAC until recently, but an update to my Intel 3945ABG adapter removed the option of changing your MAC address. Do you know of a workaround?

    P.S. Love the information you give.

  • DTC Downer
    Reply

    I was watching this episode (Hack Tip #5 – MAC Addresses) after I downloaded it but was a little upset when it abruptly ended. That’s right! I downloaded another “hacked-up” WMV encoding which was only 16.3MB and which probably should have been a clue since WMV shows are typically about 75MB. (I’ve seen this before somewhere around Hak5 episodes 100 or so.) Anyway, could you guys please re-encode the show to its full-length WMV so that those of us still using WMVs can watch them in their entirety (rather than downloading the MP4 versions)? Thanks.

    P.S. Death to Facebook! (Have you heard about their latest face recognition scam they’ve been running on all of their users? That’s strike TWO if you ask me.)

  • Drenriza
    Reply

    Like the comment DTC Downer.
    [quote]P.S. Death to Facebook! (Have you heard about their latest face recognition scam they’ve been running on all of their users? That’s strike TWO if you ask me.)[/quote]
    The death to Facebook should be that they don’t “force” their users to use https instead of http. All I have to say is “having fun with firesheep”.

    #1 login
    #2 post on wall (don’t forget to use https instead of http)
    #3 laugh :p
    #4 logout

    Good way to kill time at a public network (school :))

    Will
    [quote]I wanted to know what Linux you are running at this time?[/quote]
    Isn’t it still Ubuntu? Uhm.

    Anyways cool tutorial on how to change the mac address. IEEE is also called I triple E, just easier to pronounce :p

  • victor
    Reply

    Hey darren, great cast. i wanna say thumbs up for the hak tips. these short clips are awesome for when u wanna see something brief, not to stay like 35 mins for a whole episode, not that those are bad. what i wanna suggest for the next hak tip is to break a wpa2 encrypted network, and i mean the whole process. the thing is that sometimes the aircrack-ng sucks on mine and i was really wanting to see the entire thing done by u.
    and keep up the great work
