Changing Your MAC Address In Window XP/Vista, Linux And Mac OS X
(Sometimes known as MAC spoofing)
There is a network issue related to ARP in OS X which causes significant packet loss in redundant Cisco Networks. If you are running OS X 10.9 or 10.10 on a Mac mini colocated with us, this issue needs to be patched in the OS X networking stack. The 1.9 version of arp-scan for Mac is available as a free download on our software library. Our built-in antivirus checked this Mac download and rated it as 100% safe. The actual developer of this free Mac application is Roy Hills. The application lies within Developer Tools, more precisely IDE. Type arp -a (to display all of the current ARP entries) The resulting output displays the IP address and a corresponding MAC address The ARP table is cached, which is why a ping is needed to refresh it for that IP address entry. To update the ARP table with all active network devices, ping the broadcast address (eg, x.x.x.255).
First let me explain a few things about MAC addresses. MAC stands for Media Access Control and in a sense the MAC address is a computer's true name on a LAN. An Ethernet MAC address is a six byte number, usually expressed as a twelve digit hexadecimal number (Example: 1AB4C234AB1F).
IPs are translated to MAC address by a protocol called ARP (Address Resolution Protocol). Let's say a computer with and IP of 192.168.1.1 wants to send information to another computer on the LAN that has an IP of 192.168.1.2 . First 192.168.1.1 will send out a broadcast to all stations on the LAN asking who has the IP 192.168.1.2. Then the box that has 192.168.1.2 will respond to 192.168.1.1 with it's MAC address which is cached in 192.168.1.1's ARP table for later use. To put this in Socratic Dialog form (with just a touch of Stallone):
Host 1 (192.168.1.1): Yo everyone on the LAN (FF:FF:FF:FF:FF:FF), who has the IP 192.168.1.2? My MAC is DE:AD:BE:EF:CA:FE so you can respond back to me.
Host 2 (192.168.1.2): Hello DE:AD:BE:EF:CA:FE, I have IP 192.168.1.2 and my MAC address is 12:34:56:78:90:12 so you can send your IP packets to me.
You can see the ARP table of a box by dropping out to a command prompt and typing 'arp –a' in Windows or just 'arp' in Linux. ARP can also work the other way by a host on the LAN sending its MAC address to another machine on the LAN for preemptive caching unless the host is configured to not accept un-requested ARP replies.
A person might want to change the MAC address of a NIC for many reasons:
- To get past MAC address filtering on a router. Valid MAC addresses can be found by sniffing them and then the deviant user could assume the MAC of a valid host. Having two hosts on the same network can cause some network stability problems, but much of the time it's workable. This is one of the reasons why MIC Address filtering on a wireless router is pointless. An attacker can just sniff the MAC address out of the air while in monitor mode and set his WiFi NIC to use it. Interestingly, a lot of hotels use MAC filtering in their 'pay to surf' schemes, so this method can be an instant in for cheap skate road warriors.
- Sniffing other connections on the network. By assuming another host's MAC as their own they may receive packets not meant for them. However, ARP poisoning is generally a better method than MAC spoofing to accomplish this task.
- So as to keep their burned in MAC address out of IDS and security logs, thus keeping deviant behavior from being connected to their hardware. For example, two of the main things a DHCP server logs when it leases an IP to a client is the MAC address and host name. If you have a wireless router look around on it's web interface for where it logs this info. Luckily there are tools to randomize this information (MadMACs).
- To pull off a denial of service attack, for instance assuming the MAC of the gateway to a sub net might cause traffic problems. Also, a lot of WiFi routers will lock up if a client tries to connect with the same MAC as the router's BSSID.
Linux
To change your MAC address in Linux (and most *nix system) is easy as pie. All it takes is two easy to script commands:
![Arp mac os x Arp mac os x](/uploads/1/1/9/5/119509470/237473399.jpg)
ifconfig eth0 down hw ether 00:00:00:00:00:01
![Mac Mac](/uploads/1/1/9/5/119509470/171166882.png)
ifconfig eth0 up
Arp Scan Mac Os X
These two little commands would set your eth0 interface to use the MAC 00:00:00:00:00:01. Just plug in the NIC you want to set and the MAC address you want to use into the commands above and your done. Changing your MAC address is one of those things that is much easier to do in Linux then under Windows.
Mac OS X
For versions of OS X before Tiger (OS X 10.4) you will need this patch:
Then you use a command like:
sudo ifconfig en0 lladdr 00:00:00:00:00:01
I'm not much of a Macintosh guy, so I pulled most of this info from:
My understanding is that there are complications with some AirPort cards so you may also want to read:
Apparently there are some problems changing your MAC address in versions of OS X 10.5.6 and latter. Stefan Person sent me the following note that should help you get it to work:
Due to a bug in OS X 10.5.6+, the built in mac-address spoofing function requires the following work around: To determine your old mac-address: ifconfig en1 | grep ether Do not 'Turn Airport Off', instead deactivate your wireless card by: Click 'Join Other Network...' and enter a fake SSID. Allow it to attempt a connection and then go ahead and cancel the request. Your card is now deactivated allowing us to proceed with the following command: sudo ifconfig en1 ether 00:11:22:33:44:55 Confirm using: ifconfig en1 | grep ether |
Windows 2000/XP/Vista: The Hard Way
In XP you can use the regedit to edit the registry from a GUI or the reg command to edit it from the console, I'll be using regedit. Information on all your NICs can be found the registry key HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControl Class{4D36E972-E325-11CE-BFC1-08002bE10318} . Under this key you will find a bunch of sub keys labeled as 0000, 00001, 0002 and so forth. We can assume any MAC address we want by finding the key that controls the NIC we want to change, putting in a string value called 'NetworkAddress' and setting it to the MAC address we want to use formatted as a twelve digit hex number (example: 000000000001). To find out which key is which we can search through them for the value 'DriverDesc' until we find the one that matches the NIC we wish to alter. After you set 'NetworkAddress' to the address you want just restart the NIC by disabling it then enabling it (or in the case of PCMCIA cards, just eject and reinsert). You can confirm the MAC address change by using the 'getmac' or 'ipconfig /all' commands.
Windows 2000/XP/Vista: The Easy Way
Use Mac Makeup ( http://www.gorlani.com/publicprj/macmakeup/macmakeup.asp ), MadMACs (http://www.irongeek.com/i.php?page=security/madmacs-mac-spoofer), Smac ( http://www.klcconsulting.net/smac/ ) or Etherchange (http://ntsecurity.nu/toolbox/etherchange/ ). Mac Makeup is a cool little GUI and Command line tool that's freeware, the creator also offers a Plugin for Bart's PE builder. MadMACs is a tool to randomize your MAC address and host name on every reboot. Smac has a nice GUI and was free but has since gone commercial, there's no reason to bother with it as there are free tools that are just as good. I use MadMACs since I wrote it and it lets me keep my host information randomized.
Have fun with your MAC addresses switching, but be careful not to cause network problems. My favorite MAC address is DEADBEEFCAFE, for other interesting MACs see:
Enjoy.
After Notes:
After I posted my article Benjamin E. Pratt emailed me some other notes on changing your MAC address on different platforms and in different ways:
BSD 1) Bring down the interface: 'ifconfig xl0 down' 2) Enter new MAC address: 'ifconfig xl0 link 00:00:00:AA:AA:AA' 3) Bring up the interface: 'ifconfig xl0 up' Linux 1) Bring down the interface: 'ifconfig eth0 down' 2) Enter new MAC address: 'ifconfig eth0 hw ether 00:00:00:AA:AA:AA' 3) Bring up the interface: 'ifconfig eth0 up' Windows 2000/XP Method 1: This is depending on the type of Network Interface Card (NIC) you have. If you have a card that doesn't support Clone MAC address, then you have to go to second method. a) Go to Start->Settings->Control Panel and double click on Network and Dial-up Connections. b) Right click on the NIC you want to change the MAC address and click on properties. c) Under 'General' tab, click on the 'Configure' button d) Click on 'Advanced' tab e) Under 'Property section', you should see an item called 'Network Address' or 'Locally Administered Address', click on it. f) On the right side, under 'Value', type in the New MAC address you want to assign to your NIC. Usually this value is entered without the '-' between the MAC address numbers. g) Goto command prompt and type in 'ipconfig /all' or 'net config rdr' to verify the changes. If the changes are not materialized, then use the second method. h) If successful, reboot your system. Method 2: This should work on all Windows 2000/XP systems a) Go to Start -> Run, type 'regedt32' to start registry editor. Do not use 'Regedit'. b) Go to 'HKEY_LOCAL_MACHINESYSTEMCurrentControlSet ControlClass{4D36E972-E325-11CE-BFC1-08002BE10318}'. Double click on it to expand the tree. The subkeys are 4-digit numbers, which represent particular network adapters. You should see it starts with 0000, then 0001, 0002, 0003 and so on. c) Find the interface you want by searching for the proper 'DriverDesc' key. d) Edit, or add, the string key 'NetworkAddress' (has the data type 'REG_SZ') to contain the new MAC address. e) Disable then re-enable the network interface that you changed (or reboot the system). Method 3: Use the program Etherchange from http://ntsecurity.nu/toolbox/etherchange/ Windows 9x Use the same method as Windows 2000/XP except for the registry key location is 'HKEY_LOCAL_MACHINESystem CurrentControlSetServicesClassNet' and you must reboot your system. |
History:
6/29/2009: Added note sent to me by Stefan Person.
a long time ago: First posted.
6/29/2009: Added note sent to me by Stefan Person.
a long time ago: First posted.
Most of the computer programs/applications use logical address (IP address) to send/receive messages, however the actual communication happens over the physical address (MAC address) i.e from layer 2 of OSI model. So our mission is to get the destination MAC address which helps in communicating with other devices. This is where ARP comes into the picture, its functionality is to translate IP address to physical address.
The acronym ARP stands for Address Resolution Protocol which is one of the most important protocols of the Network layer in the OSI model.
Note: ARP finds the hardware address, also known as Media Access Control (MAC) address, of a host from its known IP address.
Note: ARP finds the hardware address, also known as Media Access Control (MAC) address, of a host from its known IP address.
Let’s look at how ARP works.
Imagine a device wants to communicate with the other over the internet. What ARP does? Is it broadcast a packet to all the devices of the source network.
The devices of the network peel the header of the data link layer from the protocol data unit (PDU) called frame and transfers the packet to the network layer (layer 3 of OSI) where the network ID of the packet is validated with the destination IP’s network ID of the packet and if it’s equal then it responds to the source with the MAC address of the destination, else the packet reaches the gateway of the network and broadcasts packet to the devices it is connected with and validates their network ID
The devices of the network peel the header of the data link layer from the protocol data unit (PDU) called frame and transfers the packet to the network layer (layer 3 of OSI) where the network ID of the packet is validated with the destination IP’s network ID of the packet and if it’s equal then it responds to the source with the MAC address of the destination, else the packet reaches the gateway of the network and broadcasts packet to the devices it is connected with and validates their network ID
The above process continues till the second last network device in the path to reach the destination where it gets validated and ARP, in turn, responds with the destination MAC address.
The important terms associated with ARP are :
- ARP Cache: After resolving MAC address, the ARP sends it to the source where it stores in a table for future reference. The subsequent communications can use the MAC address from the table
- ARP Cache Timeout: It indicates the time for which the MAC address in the ARP cache can reside
- ARP request: This is nothing but broadcasting a packet over the network to validate whether we came across destination MAC address or not.
- The physical address of the sender.
- The IP address of the sender.
- The physical address of the receiver is FF:FF:FF:FF:FF:FF or 1’s.
- The IP address of the receiver
- ARP response/reply: It is the MAC address response that the source receives from the destination which aids in further communication of the data.
- CASE-1: The sender is a host and wants to send a packet to another host on the same network.
- Use ARP to find another host’s physical address
- CASE-2: The sender is a host and wants to send a packet to another host on another network.
- Sender looks at its routing table.
- Find the IP address of the next hop (router) for this destination.
- Use ARP to find the router’s physical address
- CASE-3: the sender is a router and received a datagram destined for a host on another network.
- Router check its routing table.
- Find the IP address of the next router.
- Use ARP to find the next router’s physical address.
- CASE-4: The sender is a router that has received a datagram destined for a host in the same network.
- Use ARP to find this host’s physical address.
NOTE: An ARP request is a broadcast, and an ARP response is a Unicast.
Test Yourself :
Connect two PC, say A and B with cross cable. Now you can see the working of ARP by typing these commands:
Arp For Mac Os X 10.13
There will be no entry in table because they never communicated with each other.
Now, entries of ARP table can be seen by typing the command.
This is how ARP table looks like:
This is how ARP table looks like:
This article is contributed by Vivek Reddy. If you like GeeksforGeeks and would like to contribute, you can also write an article using contribute.geeksforgeeks.org or mail your article to [email protected]. See your article appearing on the GeeksforGeeks main page and help other Geeks.
Please write comments if you find anything incorrect, or you want to share more information about the topic discussed above.
Attention reader! Don’t stop learning now. Get hold of all the important CS Theory concepts for SDE interviews with the CS Theory Course at a student-friendly price and become industry ready.