Wednesday, October 26, 2005


The technique is called MAC address cloning. To do this, you just issue a command to the Ethernet or WiFi card to change its MAC address (which is simply 48 bits stored inside the card's static memory). Not all Ethernet and WiFi cards support this feature (for example, the Apple Airport card does not. But, a non-Apple 802.11b PCI card with the open-source WiFi card driver available from SourceForge and the Terminal ifconfig command can be used to do this.).

On a WiFi network, to determine the MAC address you want to steal, you simply need to run a sniffer application (on the Mac, KisMac or iStumbler or MacStumbler; but more commonly on a Windows or Linux system, Kismet.) Use this to collect the MAC addresses of computers using the Network. Then just tell the wireless card driver to reset the MAC address of the card on the intruder computer to match the MAC address of a valid system that was observed. It takes less than a minute.

There are quite valid uses for MAC address cloning. For example, my Linksys router supports MAC address cloning, and I have used it to assign it the same MAC address as my primary Macintosh. This means my ISP and their relevant configuration do not notice if I switch between the Macintosh and the router connected to the broadband modem (this technique and the most useful with some cable ISPs that provision the modem with the authorized MAC address.)

By the way, WEP encryption is not necessarily a protection from this, though it will slow the intruder down. The same tools that monitor the MAC address, Kismet or KisMac, can be used to collect the encrypted traffic and crack the WEP keys after a certain amount of data has been collected and time. (The newer WPA encryption is not so easily cracked, but is not supported on all WiFi routers and cards. On the Mac you need Airport Extreme and OS X 10.3) Your best defense with WEP is to change the WEP key/passphrase frequently.

Here's a good O'Reilly article on the cracking process.
Dispelling the Myth of Wireless Security

On the MAC OS, in, notably the general purpose ipconfig utility (for example ipconfig set en1 DHCP will get you a new DHCP license if needed), but I recommend you check out Mac OS X Unwired, written by my friends Dori & Tom, for lots of good information on this subject.

No comments: