11

If a MAC filter prevents you from connecting to a network, how can you break it or include your device's MAC in that filter?

Vilican
EHY

4 Answers

15

The easiest way would be to just spoof your MAC address. Just listen to the network, watch which MAC addresses are able to connect and then give your own device the same MAC address.

Thanathan
  • 2
    can 2 devices have the same MAC address on a network? – EHY Aug 31 '15 at 11:29
  • Nothing will happen? The admin won't get an alert or something like that? – EHY Aug 31 '15 at 11:30
  • @EHY In theory yes. Of course it depends on the network. If there are other security measurements taken the double MAC address could be detected (Different Operating Systems from the same device at the same time for example). You can check out this [answer](http://serverfault.com/questions/462178/duplicate-mac-address-on-the-same-lan-possible) what could happen. – Thanathan Aug 31 '15 at 11:32
  • 10
    Since a MAC address is used to address a network card it will give problems if two systems use the same MAC at the same time. So you should restrict the use to times when the other system is not active. – Steffen Ullrich Aug 31 '15 at 12:46
  • 2
    I'm led to suspect that a Wireless access point has trouble even knowing it's two devices. Switches get mad but they're not in a position to find out here. – Joshua Aug 31 '15 at 16:05
4

As others pointed out, you first need to snoop existing MAC addresses (using Wireshark) and spoof them. Except that:

  • You probably will not get significant packets if you plug your device behind a switch (due to the way switches function).
  • You probably will not get any packets at all if the MAC filtering function is provided by a switch that filters by MAC and by port. Which means the MAC addresses are expected behind a specific switch port.

Some university admins are using this technique to prevent an uncontrolled jungle in the students' network. You first need to register your MAC and your room number, otherwise your RJ45 plug is pretty useless.

Your admin filter configuration might look like this, so yes... spoofing attempts might be detected and might lock you down.

[Image: HP Switch filter configuration screen]

A quote from the manual on the HP switch Port Security feature:

Prevent Eavesdropping -- Block outbound traffic with unknown destination addresses from exiting through the port. This prevents an unauthorized device on the port from eavesdropping on the flooded unicast traffic intended for other devices

Authorized Addresses -- Specify up to eight devices (MAC addresses) that are allowed to send inbound traffic through the port. This feature: Closes the port to inbound traffic from any unauthorized devices that are connected to the port. Automatically sends notice of an attempted security violation to the switch’s Intrusion Log and to the Alert Log.

JB.
  • Re the first item: ARP requests are broadcasts, so those will be visible also behind a switch – Hagen von Eitzen Sep 01 '15 at 06:29
  • @Hagen von Eitzen If outbound traffic is not blocked, you see any broadcast. My point is just that if your admin really blocked the ports, this is game over for you. – JB. Sep 01 '15 at 07:56
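
The per-port MAC binding and duplicate-address detection discussed in the answers and comments above, sketched from the defender's side as an added example (not part of the original answers, and not HP's implementation). The port names, MAC addresses, observation tuples and the `audit` function are constructed for illustration.

```python
# Added example: audit (time, port, MAC) sightings against a per-port allow-list.
# All data below is constructed; AUTHORIZED, OBSERVATIONS and audit() are hypothetical names.

# Switch port -> MAC addresses registered for that port.
AUTHORIZED = {
    "A1": {"00:11:22:33:44:55"},
    "A2": {"66:77:88:99:aa:bb"},
}

# (unix time, ingress port, source MAC) as a switch or collector might record them.
OBSERVATIONS = [
    (1000, "A1", "00:11:22:33:44:55"),
    (1005, "A2", "66-77-88-99-AA-BB"),   # same MAC, different notation
    (1010, "A3", "00:11:22:33:44:55"),   # registered MAC, but on the wrong port
    (1012, "A1", "00:11:22:33:44:55"),   # legitimate owner still active
    (1020, "A2", "de:ad:be:ef:00:01"),   # unregistered MAC on a locked port
]


def normalize(mac):
    """Lower-case and use ':' separators so notations compare equal."""
    return mac.lower().replace("-", ":")


def audit(observations, authorized, window=30):
    """Return (time, port, mac, reason) findings in time order.

    unauthorized-on-port: MAC is not registered for the port it arrived on
                          (ports without an entry accept nothing).
    duplicate-mac:        same MAC seen on two different ports within
                          `window` seconds, i.e. two devices share it.
    """
    findings = []
    last_seen = {}  # mac -> (time, port) of the previous sighting
    for ts, port, mac in sorted(observations):
        mac = normalize(mac)
        if mac not in authorized.get(port, set()):
            findings.append((ts, port, mac, "unauthorized-on-port"))
        prev = last_seen.get(mac)
        if prev and prev[1] != port and ts - prev[0] <= window:
            findings.append((ts, port, mac, "duplicate-mac"))
        last_seen[mac] = (ts, port)
    return findings


if __name__ == "__main__":
    for finding in audit(OBSERVATIONS, AUTHORIZED):
        print(finding)
```
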
1

You can use Wireshark to eavesdrop authorized MAC addresses of the devices allowed to connect to that network. The MAC addresses of your device can be easily changed (an option in Network Settings). Note that a lot of Linux distributions allow you to change the MAC address and sometimes manufacturers make mistakes by assigning the same MAC address to two or more devices. The presence of 2 MAC addresses in the same network won't cause any problem/warning that will prevent you from connecting.

0

It should also be noted that MAC addresses are not truly unique anyways. If you have a large enough network with the same NIC manufacturer there's a possibility you will get a natural collision.

That obviously gives 16 777 215 possible unique MAC addresses per manufacturer. That's quite a lot, so the manufacturer shouldn't re-use one. Some are lazy though, and don't check if they have already allocated a MAC address.

It is quite often possible to change the MAC address using software, so if you do get a duplicate you can map around it.

Machavity