HakTip 5 – Media Access Control 101: Fundamentals and Spoofing
Continuing the fundamentals series, we’re going over more than you ever needed to know about MAC addresses, OUIs and spoofing.
Every computer on a network needs an interface with a unique identifier, else how would Alice know the difference between Bob and Charlie? So that’s where we get:
Media Access Control address
otherwise known as a MAC address, physical address, or hardware address.
They’re identifiers unique to every NIC on the planet.
MAC address schemes come in three flavors: MAC-48, EUI-48 and EUI-64. Now EUI is just short for Extended Unique Identifier and covers other devices and software — not necessarily networking hardware. For example, FireWire.
The 48-bit identifiers have an address space containing about 281 trillion possible addresses (281,474,976,710,656) and aren’t expected to run out until the year 2100. EUI-64 addresses should be with us until, well, we colonize Eden Prime. Or Risa. Or New Caprica. Take your pick.
Now I mention NICs, so what are those?
Network Interface Controller. Also known as a network or LAN adapter, or simply a Network Interface Card, since they’re typically add-on cards that plug right into a motherboard.
So how do NICs get MACs?
IEEE – the Institute of Electrical and Electronics Engineers. They’re a pretty hip bunch of geeks dedicated to advancing technological innovations, and stuff. And since the 1960s this non-profit professional association has been making standards for stuff we love, like Ethernet, which goes by IEEE 802.3, or Wifi, which you’ve probably seen as IEEE 802.11.
Well, the thing is these cool cats dole out what’s known as an OUI – or Organizationally Unique Identifier – to companies who manufacture networking products. The OUI is the first three octets of a MAC address and, as the name implies, it’s unique to each manufacturer.
For example, The Linksys Group has an OUI of 00-04-5A in hex, among a few others ’cause they’re a really big manufacturer. Netgear, on the other hand, has an OUI of 00-09-5B.
Tangent: Here’s a fun little bit of trivia. MAC addresses were originally born out of a Xerox Ethernet addressing scheme, which is why the OUI for Xerox Corporation is 00-00-00 through 00-00-09.
Now this is pretty cool because the MAC address is “burned into” the NIC, meaning it’s stored in the card’s hardware. Sometimes it’s in read-only memory, sometimes it’s part of rewritable firmware.
So suffice it to say if you run across a MAC address starting with Netgear’s OUI the device was manufactured by Netgear. Or was it?
I begin in BackTrack Linux by issuing the ifconfig command, which will tell me all sorts of information about my network interfaces, and using what we learned the other week I’ll pipe its output to another command, grep, which will show me just what I want — which in this case is anything on the same line as the word HWaddr.
ifconfig | grep HWaddr
I can see here I have two NICs: eth0, which is my Ethernet adapter, and wlan0, which is my wireless adapter. Wlan0’s hardware address has the first three octets of 00:c0:ca — which I can look up and find is the OUI of ALFA Inc.
Now I can actually change the MAC address of my wireless interface, and there are a few reasons why. For example, if I were a network administrator I might want to set up what’s known as locally administered addresses, rather than the universally administered addresses that came from the factory. Say, if I operated a large network and wanted to make restrictions based on MAC addresses.
On the black hat side of things I may wish to bypass restrictions imposed by administrators, or I might want to conceal my NIC’s true identity when performing attacks.
I’ll give you a real world example. If you go to the San Francisco airport they’ve got complimentary WiFi — for up to 40 minutes. After 40 minutes the system kicks you off. But if you change your MAC address and rejoin you get another 40 minutes of access. I know this because my flight got delayed once and the 3G service in that area wasn’t too great.
So back in Linux, to change the MAC address, I simply issue these three commands.
ifconfig wlan0 down
ifconfig wlan0 hw ether de:ad:be:ef:c0:fe
ifconfig wlan0 up
Run ifconfig again and there we go — a brand new MAC address.
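An added example, not part of the original show notes: from the admin's side, this sketch splits a MAC address into its OUI and the two flag bits in the first octet, using only the OUIs quoted above as a lookup table. The sample addresses are constructed, and the function names are hypothetical. It goes a little beyond the notes by also checking the multicast (group) bit.

```python
import re

# OUIs quoted in the notes above (vendor names as given there).
KNOWN_OUIS = {
    "00:04:5a": "The Linksys Group",
    "00:09:5b": "Netgear",
    "00:c0:ca": "ALFA Inc.",
}

def normalize(mac):
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabb.ccdd.eeff."""
    digits = re.sub(r"[:\-.]", "", mac.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def classify(mac):
    """Return the OUI, vendor (if known) and the two flag bits of a MAC."""
    norm = normalize(mac)
    first_octet = int(norm[:2], 16)
    local = bool(first_octet & 0x02)      # U/L bit: 1 = locally administered
    multicast = bool(first_octet & 0x01)  # I/G bit: 1 = group (multicast)
    oui = norm[:8]
    # A locally administered address carries no IEEE-assigned OUI, so a
    # vendor lookup on it would be meaningless.
    vendor = None if local else KNOWN_OUIS.get(oui)
    return {"mac": norm, "oui": oui, "vendor": vendor,
            "locally_administered": local, "multicast": multicast}

def review(macs):
    """Yield (mac, note) for addresses a network admin may want to look at."""
    for mac in macs:
        info = classify(mac)
        if info["multicast"]:
            yield info["mac"], "group bit set: not valid as a station source address"
        elif info["locally_administered"]:
            yield info["mac"], "locally administered: set in software, not factory-assigned"
        elif info["vendor"] is None:
            yield info["mac"], "OUI not in local table"

if __name__ == "__main__":
    # Constructed sample input; only the OUIs and de:ad:be:ef:c0:fe come from the notes.
    seen = ["00:c0:ca:12:34:56", "DE-AD-BE-EF-C0-FE", "0009.5b00.0001", "01:00:5e:00:00:fb"]
    for mac, note in review(seen):
        print(mac, "->", note)
```

The address de:ad:be:ef:c0:fe is flagged because its first octet has the locally administered bit set. An address that reuses a real vendor's OUI passes this check untouched, which is why the OUI alone proves nothing about who made the device.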
Now there’s a lot more to this that we’ll cover in future HakTips, such as multicast vs unicast and a whole lot more in this fundamentals series.
But first, I’d like to hear your feedback. What programs or commands are rocking your world? What technologies are tickling your technolust? Hit me up — [email protected]
And be sure to check out our sister show, Hak5 for more great stuff just like this. I’ll be there, reminding you to trust your technolust.