MAC address spoofing

Credits: I did not write this tutorial, but copied & edited a document originally written by Stephen Venter (site no longer available).

This is a brief HOWTO for spoofing an Ethernet network card's MAC address. MAC addresses are used for routing packets between physical devices (i.e. network interface cards) on networks (like Ethernet networks).

Every network interface card (NIC) produced in the world has its own unique MAC address. A MAC address is made up of six groups of hexadecimal digits (two characters each), e.g. A1:B2:C3:D4:E5:F6

My scenario

Recently my ISP decided to issue all customers with a new Motorola modem. The only issue is that this modem had to be "registered" with your Ethernet card's MAC address. Due to a lack of Windows I could not use their provided software for this; however, they do provide another solution, which is a web-based registration (only one website works when a non-registered Ethernet card is connected to the modem). The only catch here is that it requires a JavaScript-supporting browser, which is a little hard when trying to connect a server with no X onto your modem ;-)

So the idea is simple: I connected my standard workstation to the modem, set the networking to DHCP, spoofed my MAC address to match that of my server, and connected and registered.

Configuring the MAC via ifconfig

The current Ethernet configuration is viewed by issuing the ifconfig command:

ifconfig
 eth0 Link encap:Ethernet HWaddr 00:A0:C9:29:3C:68
 inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0
 UP BROADCAST MULTICAST MTU:1500 Metric:1
 RX packets:0 errors:0 dropped:0 overruns:0 frame:0
 TX packets:0 errors:4 dropped:0 overruns:0 carrier:4
 collisions:0 txqueuelen:100
 RX bytes:0 (0.0 b) TX bytes:168 (168.0 b)
 Interrupt:11 Base address:0xdf00 Memory:df9ff000-df9ff038

 lo Link encap:Local Loopback
 inet addr:127.0.0.1 Mask:255.0.0.0
 UP LOOPBACK RUNNING MTU:16436 Metric:1
 RX packets:51719 errors:0 dropped:0 overruns:0 frame:0
 TX packets:51719 errors:0 dropped:0 overruns:0 carrier:0
 collisions:0 txqueuelen:0
 RX bytes:3521447 (3.3 Mb) TX bytes:3521447 (3.3 Mb)

The MAC address of interest here is specified as HWaddr 00:A0:C9:29:3C:68

You can simply change the MAC address of the active interface by using the command in the format:

ifconfig <interface> hw ether <new MAC address>

So, in this example, the interface name is "eth0" and the new MAC address is "01:02:03:04:05:06":

ifconfig eth0 hw ether 01:02:03:04:05:06
ifconfig eth0
 eth0 Link encap:Ethernet HWaddr 01:02:03:04:05:06
 inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0
 UP BROADCAST MULTICAST MTU:1500 Metric:1
 RX packets:0 errors:0 dropped:0 overruns:0 frame:0
 TX packets:0 errors:4 dropped:0 overruns:0 carrier:4
 collisions:0 txqueuelen:100
 RX bytes:0 (0.0 b) TX bytes:168 (168.0 b)
 Interrupt:11 Base address:0xdf00 Memory:df9ff000-df9ff038

This may not always work on an active (or "up") interface. In this case, de-activate (or "down") the interface first.

ifconfig eth0 down

Now bring it up again, specifying the new MAC (here I changed the MAC again to a new one to accentuate the difference):

ifconfig eth0 192.168.0.1 hw ether 11:12:13:14:15:16 up
ifconfig eth0
 eth0 Link encap:Ethernet HWaddr 11:12:13:14:15:16
 inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0
 UP BROADCAST MULTICAST MTU:1500 Metric:1
 RX packets:0 errors:0 dropped:0 overruns:0 frame:0
 TX packets:0 errors:4 dropped:0 overruns:0 carrier:4
 collisions:0 txqueuelen:100
 RX bytes:0 (0.0 b) TX bytes:168 (168.0 b)
 Interrupt:11 Base address:0xdf00 Memory:df9ff000-df9ff038
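
Added example (not part of the original HOWTO): a check of the two flag bits in the first octet of an address before it is handed to ifconfig. The lowest bit marks a group (multicast) address, which current Linux kernels generally refuse for an Ethernet interface, and the next bit marks a locally administered address; the sample addresses 01:..., 11:... and 31:... used in this HOWTO all have the multicast bit set. `mac_class` is a hypothetical helper name and 02:00:00:AA:BB:CC is a constructed sample.

```shell
#!/bin/sh
# Added example, not from the original HOWTO. mac_class is a hypothetical helper.
# Prints one of: invalid | multicast | local-unicast | global-unicast
mac_class() {
    mac=$1
    # Require exactly six colon-separated groups of two hex digits.
    if ! printf '%s\n' "$mac" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'; then
        echo invalid
        return 0
    fi
    first=$((0x${mac%%:*}))          # first octet as an integer
    if [ $((first & 1)) -ne 0 ]; then
        echo multicast               # I/G bit set: group address
    elif [ $((first & 2)) -ne 0 ]; then
        echo local-unicast           # U/L bit set: locally administered
    else
        echo global-unicast          # vendor-assigned (OUI-based) address
    fi
}

# Addresses that appear in this HOWTO, plus a constructed sample (02:...)
# and a malformed one.
for m in 00:A0:C9:29:3C:68 01:02:03:04:05:06 11:12:13:14:15:16 \
         31:32:33:34:35:36 02:00:00:AA:BB:CC 1:2:3:4:5:6; do
    printf '%-18s %s\n' "$m" "$(mac_class "$m")"
done
```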

Configuring the MAC at boot time

If you often need to switch computers around on such a modem, you will have to set up your computer so that it boots up with the current MAC address already set. I don't do this as it was a once-off registration; however, should you need to...

The Ethernet configuration file for interface eth0 is the file ifcfg-eth0, located at (on a RedHat system):

/etc/sysconfig/network-scripts/ifcfg-eth0

Changing / adding the line starting with HWADDR= is SUPPOSED to achieve the desired effect. Here is an example of one such file after that line has been added at the bottom:

cat /etc/sysconfig/network-scripts/ifcfg-eth0
 DEVICE=eth0
 BOOTPROTO=static
 BROADCAST=192.168.0.255
 IPADDR=192.168.0.3
 NETMASK=255.255.255.0
 NETWORK=192.168.0.0
 HWADDR=31:32:33:34:35:36

However, when I reboot, it does NOT have the desired effect.

Also, if I try to use the command to restart the networking services ("service network restart"), i.e. to simulate what happens during a reboot of the machine, then I get the following error, and the MAC address does NOT come up as the new spoofed one that I want:

service network restart
 Shutting down interface eth0: Device eth0 has different MAC address than expected, ignoring.
 [FAILED]
 Shutting down loopback interface: [ OK ]
 Setting network parameters: [ OK ]
 Bringing up loopback interface: [ OK ]
 Bringing up interface eth0: [ OK ]

So after a little "googling" I found this discussion thread and implemented the suggestions there to get my machine to:

(a.) not enable this interface at boot time, by changing the BOOTPROTO= statement in my ifcfg-eth0 file to BOOTPROTO=none

(b.) edit the file containing the LAST commands to be executed at boot time (/etc/rc.d/rc.local) to include the command to manually bring up this interface (as included within the section above):

ifconfig eth0 hw ether 31:32:33:34:35:36

(b.1.) Remember, if that interface is intended to start up by getting an automatic IP address from a DHCP server, then you need to also put in the following line within the rc.local file:

/sbin/dhcpcd eth0

So now after rebooting the machine the interface has come up correctly with the specified (i.e. spoofed!) MAC address:

ifconfig eth0
 eth0 Link encap:Ethernet HWaddr 31:32:33:34:35:36
 inet addr:192.168.0.3 Bcast:192.168.0.255 Mask:255.255.255.0
 UP BROADCAST MULTICAST MTU:1500 Metric:1
 RX packets:0 errors:0 dropped:0 overruns:0 frame:0
 TX packets:0 errors:4 dropped:0 overruns:0 carrier:4
 collisions:0 txqueuelen:100
 RX bytes:0 (0.0 b) TX bytes:168 (168.0 b)
 Interrupt:11 Base address:0xdf00 Memory:df9ff000-df9ff038
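
Added example (not part of the original HOWTO): a lint for the "different MAC address than expected" failure shown above. It relies on Red Hat initscripts behaviour that the original does not state: HWADDR= identifies which physical card a config file belongs to, while MACADDR= (on versions that support it) is the key that assigns an address. `ifcfg_mac_check` is a hypothetical helper, and the files written by `demo` are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original HOWTO. ifcfg_mac_check is a hypothetical
# helper; the ifcfg files written by demo() are constructed samples.
upper() { printf '%s' "$1" | tr 'a-f' 'A-F'; }

# usage: ifcfg_mac_check FILE ACTUAL_MAC
ifcfg_mac_check() {
    # ifcfg files are KEY=value lines; take the last value of each key.
    hw=$(sed -n 's/^[[:space:]]*HWADDR=//p' "$1" | tail -n 1)
    set_to=$(sed -n 's/^[[:space:]]*MACADDR=//p' "$1" | tail -n 1)
    if [ -n "$hw" ] && [ "$(upper "$hw")" != "$(upper "$2")" ]; then
        echo hwaddr-mismatch     # HWADDR names a NIC that is not this one
    elif [ -n "$set_to" ]; then
        echo macaddr-override    # MACADDR asks the scripts to assign an address
    else
        echo ok
    fi
}

demo() {
    dir=$(mktemp -d)
    # The file from the HOWTO: HWADDR set to the address the author wanted.
    printf '%s\n' DEVICE=eth0 BOOTPROTO=static IPADDR=192.168.0.3 \
        HWADDR=31:32:33:34:35:36 > "$dir/ifcfg-hwaddr"
    # Same interface, using MACADDR with a constructed sample address.
    printf '%s\n' DEVICE=eth0 BOOTPROTO=static IPADDR=192.168.0.3 \
        MACADDR=02:00:00:AA:BB:CC > "$dir/ifcfg-macaddr"
    # 00:A0:C9:29:3C:68 is the card's original address shown earlier on the page.
    ifcfg_mac_check "$dir/ifcfg-hwaddr"  00:A0:C9:29:3C:68
    ifcfg_mac_check "$dir/ifcfg-macaddr" 00:A0:C9:29:3C:68
    rm -rf "$dir"
}
demo
```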

Final notes

From what I recall, you cannot spoof the MAC of secondary / aliased interfaces (like eth0:1), i.e. you can only spoof the MAC address of a primary interface (like eth0).

If all of this seems like far too much work, you may also like to use the 'macchanger' program, from alobbs.com, a nice simple way of changing your MAC address.

