MAC address spoofing

 

Identify your MAC address in linux

Identify the name used by your computer to refer to its network interface. It is most likely eth0, but could be eth1 or other number, or possibly em1. Use the command "ifconfig eth0" (or use your interface's name accordingly if it isn't eth0). Write the MAC or "ether" address down. Note also your IP or "inet" address (which is different from your MAC address). Normally, the MAC address shown is the one that was burned into a ROM (read-only) chip on your NIC (network interface card ) by its manufacturer.


Identify your neighbor's MAC address, and he yours

Ask your neighbor for his/her IP address, so you can use it to ping him. Now, if not already in the GUI, invoke it ("startx &"). Bring up 1) Wireshark,  2) a terminal window.

In Wireshark set a filter so it will only caputre certain packets, including ping packets (Menus: Capture/Options/Capture Filter field - enter "icmp" and press the Start button.

In the terminal window execute "ping -c 1 <neighbor's IP>". Then make Wireshark stop capturing (Capture/Stop). Wireshark displays what it captured. Within the display, locate your MAC and your neighbor's. Make sure they agree with the values you determined before, when you used ifconfig locally.


Re-educate your computer about the MAC address

Tell your computer its MAC address is a different one. Make it up. The format is 6 colon-separated fields, each containing a byte represented in the hexadecimal number system (i.e., 2 digits, each in the range 0-9 or A-F). For example 63:B2:99:EB:A8:12, or A1:B2:C3:55:66:77. First, take your interface out of service:

ifconfig <name of your interface> down

Now you can use either of 2 commands to misinform your machine about its address. Execute one or the other:

ifconfig <name of your interface> hw ether AA:BB:CC:DD:EE:FF
  or
ip link set <name of your interface> address AA:BB:CC:DD:EE:FF

Put your interface back in service:

ifconfig <name of your interface> up

Repeat the ping to your neighbor, sniffing it with Wireshark again, and note the value of the MAC address that has been placed in the source MAC field of your ping request by your ethernet software. It will also appear in the destination MAC field of your neighbor's reply to you (since he repeats back whatever source MAC he gets from you). Note also the value in the destination MAC field of your ping request and source field of his reply. These will be the address his ethernet software has in place.

 

This exercise demonstrates the manipulability of MAC addresses, sometimes called spoofing. Secondarily, it shows MAC addresses' separation and independence from IP addresses. Different animals. The only reason IP addresses figure in this exercise is that you want to ping, and ping only speaks IP not MAC. But notice that the IPs were invariant while the MACs shifted beneath them.