Hack 43 Spoof a MAC Address



Even good guys can use secret identities.

Okay, I know what you're thinking. There's never a legitimate reason to spoof any type of address, right? Even if there were, why would you bother to spoof a MAC address, other than to prove that it can be done?

Consider the following scenario. I was administering a small network where the ISP restricted the number of IP addresses a DHCP client was allowed to receive. Their DHCP server kept track of the leased addresses by using a combination of the client's MAC address and an OS identifier. One day I needed to replace that network's external NIC. It took me a while to figure out why the new NIC refused to pick up a DHCP address from the ISP. Once the restriction was explained to me, I contemplated my available courses of action. One was to spend the afternoon listening to Muzak in the hopes that I'd eventually get to speak to one of the ISP's customer service representatives. I decided my time would be better spent if I instead took 30 seconds and spoofed the old MAC address. This provided a quick solution that allowed the owner to get back online until he could make arrangements with the ISP regarding the new MAC address.

5.3.1 Spoofing on FreeBSD

Before I could accomplish the spoof, I needed two pieces of information. The first was the MAC address for the old NIC. Fortunately, I record such things in a binder. However, I initially found out that information using ifconfig. In this scenario, the interface in question was called rl0:

% ifconfig rl0
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.2.12 netmask 0xffffff00 broadcast 192.168.2.255
        ether 00:05:5d:d2:19:b7
        media: Ethernet autoselect (10baseT/UTP)

The MAC address is the hex number immediately following ether.

Second, I needed to know the identifier used by the ISP's DHCP server. This was found in the DHCP lease:

% more /var/db/dhclient.leases | grep host
option host-name "00-05-5d-d2-19-b7-36-33"

Some ISPs use option host-name, while others use option dhcp-client-identifier. Choose the option in the lease that is associated with the MAC address. In this example, my identifier was the MAC address, followed by -36-33.

Armed with the information I needed, I could spoof the old MAC address onto the new NIC card. In my case, the new card was an ed0:

# ifconfig ed0 ether 00:05:5d:d2:19:b7
#
# ifconfig ed0 | grep ether
        ether 00:05:5d:d2:19:b7

Note that you have to be the superuser to change these settings.

This particular change won't survive a reboot, as the NIC will give the kernel its burnt-in MAC address during the hardware probe that occurs during bootup. If you intend to reboot before sorting out the situation with the ISP, carefully add this line to /etc/rc.conf:

ifconfig_ed0_alias0="ether 00:05:5d:d2:19:b7"

This will create an alias for ed0 that uses the desired MAC address, rather than the MAC address burnt into the physical card. Think of an alias as an alternate set of instructions an interface can give to the kernel: a kind of networking nickname.

Next, I'll edit /etc/dhclient.conf:

# vi /etc/dhclient.conf
# $FreeBSD: src/etc/dhclient.conf,v 1.3 2001/10/27 03:14:37 rwatson Exp $
#
#        This file is required by the ISC DHCP client.
#        See ``man 5 dhclient.conf'' for details.
#
#        In most cases an empty file is sufficient for most people as the
#        defaults are usually fine.
#
interface "ed0" {
    send host-name "00-05-5d-d2-19-b7-36-33";
    send dhcp-client-identifier "00-05-5d-d2-19-b7-36-33";
}

By default, this file contains only comments; I added a section for interface ed0. When editing your own file, remember to include the opening and closing curly braces ({}). Each statement must also end in a semicolon (;). Here, I've set both the host-name and the dhcp-client-identifier options to the values expected by the ISP.

Now it's time to test that these changes did indeed work. You don't need to reboot in order to test that alias in /etc/rc.conf. This command will do the trick:

# /etc/netstart
Doing stage one network startup:
Doing initial network setup:.
ed0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.2.95 netmask 0xffffff00 broadcast 192.168.2.255
        ether 00:05:5d:d2:19:b7
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000
Additional routing options: ignore ICMP redirect=YES log ICMP redirect=YES drop SYN+FIN packets=YES
sysctl: unknown oid 'net.inet.tcp.drop_synfin'
.
Routing daemons:.

Excellent. The new NIC kept the spoofed MAC address. Now let's see how the DHCP server responds when I release and try to renew an address:

# dhclient -r ed0
#

Using -r with dhclient forces the DHCP client to give up its old address and request a new lease from the DHCP server. If this succeeds, the prompt will return without any error messages. Running ifconfig ed0 will show that the ISP's DHCP server did indeed give this interface a public IP address.
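The FreeBSD procedure above boils down to reading the MAC from ifconfig, reading the identifier from the lease, and making the new interface present the same pair. The following script is an added example, not the book's own code: it parses constructed copies of that ifconfig and dhclient.leases output, checks whether the lease identifier still begins with the interface's MAC written with dashes, and emits the dhclient.conf stanza from the hack when it does not. The ed0 MAC and the lease's fixed-address are made-up sample values.

```shell
#!/bin/sh
# Added example, not from the book: pull the MAC out of ifconfig output and the
# identifier out of dhclient.leases the way the hack does by hand, then check
# whether the two still agree. All sample output below is constructed.

# Constructed ifconfig output for the old NIC (rl0) and the replacement (ed0).
OLD_IFCONFIG='rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.2.12 netmask 0xffffff00 broadcast 192.168.2.255
        ether 00:05:5d:d2:19:b7
        media: Ethernet autoselect (10baseT/UTP)'
NEW_IFCONFIG='ed0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        ether 00:a0:c9:11:22:33
        media: Ethernet autoselect (10baseT/UTP)'

# Constructed excerpt of /var/db/dhclient.leases (fixed-address is made up).
LEASES='lease {
  interface "rl0";
  fixed-address 203.0.113.45;
  option host-name "00-05-5d-d2-19-b7-36-33";
  option dhcp-client-identifier "00-05-5d-d2-19-b7-36-33";
}'

# mac_from_ifconfig IFCONFIG_TEXT: print the address that follows "ether".
mac_from_ifconfig() {
    printf '%s\n' "$1" | awk '$1 == "ether" { print $2; exit }'
}

# lease_option NAME LEASE_TEXT: print the quoted value of "option NAME".
lease_option() {
    printf '%s\n' "$2" | sed -n "s/^[[:space:]]*option $1 \"\(.*\)\";.*/\1/p" | head -n 1
}

# identifier_matches NAME IFCONFIG_TEXT LEASE_TEXT: succeed when the lease
# identifier starts with the interface MAC written with dashes (00-05-5d-...).
identifier_matches() {
    mac=$(mac_from_ifconfig "$2" | tr ':' '-')
    ident=$(lease_option "$1" "$3")
    [ -n "$mac" ] && [ "${ident#"$mac"}" != "$ident" ]
}

# dhclient_conf_stanza IFACE IDENT: the /etc/dhclient.conf block from the hack.
dhclient_conf_stanza() {
    printf 'interface "%s" {\n    send host-name "%s";\n    send dhcp-client-identifier "%s";\n}\n' "$1" "$2" "$2"
}

# Walk-through: the old NIC matches its lease, the replacement does not until spoofed.
if identifier_matches host-name "$OLD_IFCONFIG" "$LEASES"; then echo "rl0: lease identifier matches"; fi
if ! identifier_matches host-name "$NEW_IFCONFIG" "$LEASES"; then
    echo "ed0: MAC differs from lease identifier; set it with: ifconfig ed0 ether $(mac_from_ifconfig "$OLD_IFCONFIG")"
    dhclient_conf_stanza ed0 "$(lease_option host-name "$LEASES")"
fi
```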

5.3.2 Spoofing on NetBSD

The current version of ifconfig that ships with NetBSD does not support this functionality. To allow MAC address changes, try Dheeraj Reddy's ifconfig patch, available from http://news.gw.com/netbsd.tech.net/%3C20030808072355.GA616%40bharati.sudheeraj.net%3E.

You will need to apply this patch to NetBSD sources and build a new version of ifconfig. To begin, download the system sources, unpack them, and change the working directory to src/sbin/ifconfig. Download the patch and apply it with:

# patch < ifconfig.patch

Build a new binary with:

# make

Remember that this code is experimental and may not always work as advertised, so it is crucial that you back up the original ifconfig binary in some safe place.

When you have the new binary, run it with:

# ifconfig interface-name lladdr MAC-addr

5.3.3 Spoofing with OpenBSD

The standard ifconfig that ships with OpenBSD does not contain an option to change the MAC addresses of interface cards. If you need it, you will have to build your own tool for that purpose with sea.c. Download it from http://www.devguide.net/books/openbsdfw-02-ed/

Build sea as follows:

# gcc -Wall -o sea sea.c -lkvm

Next, boot OpenBSD into single-user mode:

# reboot
boot> boot -s

Then, once in single-user mode, use sea to spoof the desired address on the specified NIC:

# sea interface-name MAC-addr

5.3.4 See Also

  • man ifconfig

  • man dhclient.conf



BSD Hacks
ISBN: 0596006799
Year: 2006
Pages: 160
Authors: Lavigne
