|
Mac GeekeryGet your geek on. |
|
blog advertising is good for you
recent popular content
User login
|
Joe Peterson asks: QuestionHow would one go about spoofing their MAC address? Can you tell when an address is being spoofed? AnswerThis is easier than you might think. In versions of Mac OS X prior to Tiger, you’d need to install this patch to the kernel to allow userspace programs to alter the MAC address of outbound ethernet packets. Mac OS X 10.4 lets you do this without such patches. As a user you can do it painlessly with First, you probably want to get your current MAC address so you don’t have to restart to get the old one back (though later I’ll show you how to get it from a nearby machine).
$ ifconfig en0
...
ether 00:0d:43:10:00:0c
On the sudo ifconfig en0 lladdr [new MAC] A simple check with arp -a | grep [new MAC] should return your computer’s name on both your computer and another on the same physical ethernet subnet. As for detecting such a change, if you’re on the local subnet then every machine will enter a kernel: arp: 10.10.10.10 moved from 00:00:00:00:00:01 to 00:00:00:00:00:02 on eth0 Using previous articles on converting logfiles to RSS, you should be able to make an RSS feed locally that tracks this and then put a link in your Safari bookmark bar for it to notify you when someone on the network has switched their MAC address. However, this only works if you see the change. If someone changes the MAC address of a secondary interface that has been dormant and then enables it, you will not see such a notification. Instead, you get to enter the wild world of MAC address spoof detection, and it’s not fun. There’s a really nice white paper [PDF] on it that helps, but it’s generally for network geeks more than hobbyists.
About Adam Knight
 Author Biography Adam Knight is one of the founders of Mac Geekery and is a geek at heart. Programmer by day, hacker by night, his daily life revolves around the Macintosh platform, which he has been a user and programmer for since the early days of System 7 when his LCII replaced his Apple //c. In-between tech jobs, he’s managed to learn the basics of any web hacker: PHP, MySQL, Perl, Apache, Linux, *BSD, and the intricacies of ./configure —prefix=~/bombshelter/. Today, codepoet is concentrating on blogging again, writing some software for the Mac by himself (including Notae) and for his company (such as Switchblade) and has a few other toys coming out soon. Bug him over AIM or email [link fixed]. |
IIRC, that trick only works for wired ethernet interfaces. There’s a patch somewhere to let you do it for wireless as well, but I can’t recall the URL off-hand.
Yep, that would be right.
You should not need a patch for wireless. There’s a command line utility that should let you set the MAC address for the airport card located at /System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Resources/airport. In fact, this utility will let you perform a number of tasks, including manually scan for wireless networks in a pinch.
While there is no manual page for the utility, you can obtain a listing of arguments with the —help argument and it will happily give you a listing of arguments.
As far as detecting when someone is using a spoofed MAC address, changing the built-in MAC address should set the device into promiscuous mode. Rather than duplicate a lot of effort, I will refer you to the Wikipedia page on the subject.
Note Bene: This utility is present on my iBook G4 with a built-in Airport Extreme card on Mac OS X 10.4. I do not have a machine with an older Airport card (i.e. only 802.11b instead of 802.11b/g). Additionally, this is part of a private framework, which means it may disappear, change location, or be radically changed in future versions of the operating system.
—
unxgeek@unxgeek.us
“Smile,” they said, “it could be worse.”
So I did, and it was.
You know, I actually already have a symlink to the airport utility in /usr/local/bin but I never noticed it could change the MAC address!
Somebody should write a man page so it shows up in “man -k MAC”…
The following command didn’t work for me:
sudo airport -m [NEW MAC]
The MAC address as inferred via my router and ifconfig did not change
I’ve tried using the ifconfig “method” as well:
sudo ifconfig en1 ether [NEW MAC]
(I guess this just doesn’t work for airport cards on en1… as previously described)
as well as some programs that purportedly edit the airport driver extension at:
/System/Library/Extensions/AppleAirPort2.kext
(http://aspoof.sourceforge.net/)
to no avail! Next attempt will be trying to directly edit the HEX in the driver as described at:
http://www.suspekt.org
But really don’t want to have to bust out a HEX editor for this. Any help would be much appreciated with regard to understanding why the former methods aren’t working!
Thanks,
-x
(btw-running a G4 PoweBook with 10.4.6)
yeah, got the exact same problem with the exact same setup!
got a 12” 867Mhz Powerbook G4 running 10.4.6….
nothing seems to work for me, also tried some tool that crashed my card so the system said “No Airport Card connected” until I restarted(“SpoofMAC”)…
that airport -m thingy doesn’t work too, I simply press enter and nothing happens…
anybody got a clue whats happening here?
I also am unable to change the mac address of en1 (airport card). I’ve tried using -m & —mac with the airport utility listed above, but it doesn’t seem to do anything. I’ve tried is as sudo, still nothing. I’ve also tried it with the airport enabled & disabled, no difference. I would really like to know how to do this if anyone can come up with a possibility other than a hex editor.
Hello,
Anyone knows how to spoof airport MAC address on new intel macs?
I would do it in a macbook with OSX Tiger (10.4.7)
I’ve spend some time searching this on inetrnet but haven’t found anything.
Any idea?
Thanks a lot!
I installed Jas Mac OS X 10.4.7 on ibm thinkpad t42.
after exec “sudo ifconfig en0 lladdr [new MAC]”
nothing changed on my box.
the mac address is just as it before.
it’s t42’s problem or Mac OS X 10.4.7 ‘s problem or something else’s?
any lights? much appreciated!
I tried this method today and found on a 2007 MacBook Pro it DID work.
At first it looked like my laptop was running on my stock and spoofed MAC at the same time, but after waiting a bit for my router to update it’s ARP cache, my stock MAC disappeared from the station list, leaving only the spoofed MAC.
Roll on anonymous laptop…
I have tried it on Mac Mini, Intel.
And it worked until very recently.
Something has happened in the kernel….
I have a 1st generation MacBook Pro… and up until recently, I could NOT spoof the MAC Address of my airport card.
But, about a week ago, I tried again… YES! It worked…. and it has ever since! I don’t know why!
I did it first in single-user mode, and thought that was why it worked, but it didn’t on any of my other Apples.
Then, I thought it might have been the 10.4.10 update, so I updated all of my computers and nothing…….
I used:
sudo ifconfig en1 ether aa:bb:cc:dd:ee:ff
I have also tried this on a PowerMac G5, an Intel iMac, and a PowerBook G4 all running the latest OS X 10.4.10
But, it ONLY works on my MacBook Pro. I have no clue, why this has happened, but I really want to know…. I’m afraid that updating to Leopard (whenever it comes out) will take this ability away….
this is strange .. it definatley works .. but how far im not sure
if you do an ‘ifconfig’ you get :
en1: flags=8963 mtu 1500
ether 00:11:22:aa:bb:cc
media: autoselect () status: inactive
supported media: autoselect mtu 1500
wlt1: flags=41
HOWEVER !
in the system/network preferences pane it remains the same
.. please gurus.. !!
which is correct ?
and what does it mean is happening to the appleairport2.kext ?
PS. i cant seem to cd /system/library/extensions and kextunload the appleairport2.kext anymore.. ??
whats up with that..
PPS.. for earlier versions of tiger and panther you can spoof the en1 (wifi) MAC ID, using the methods listed at :
www.suspekt.org (def works a charm, but not above 10.4.3 ish)
IT WORKS !!!!!!
OMG YAYAYAYAYAYAYAYYAYAYAYA
MAC SPOOFING ON MAC-INTEL 10.4.10 CONFIRMED !!!!!
Spoof Ethernet : sudo ifconfig en0 ether aa:bb:cc:dd:ee:ff
Spoof Wireless : sudo ifconfig en1 ether aa:bb:cc:dd:ee:ff
sudo ifconfig en1 ether aa:bb:cc:dd:ee:ff
CONFIRMED !!!!!!!!!
the lan reads it as the spoofed MAC.. even tho it comes up as the original in the network preferences pane
SO
Wireless : sudo ifconfig en1 ether aa:bb:cc:dd:ee:ff
Ethernet : sudo ifconfig en0 ether aa:bb:cc:dd:ee:ff
OMG FINALLY !!!!!
Yeah, it works …. but only until the next restart.
did you notice the same?
That is the same issue I’m having. Works great until restart. Any suggestions. Is there a table it pulls from on boot that can be edited?
can i spoof on win XP or vista if so how? which software to use????
For vista don’t know, but xp ->
Network connections -> choose the right connection ->
properties -> configure -> advanced -> network address
and add the desired mac address and you are set
cheers
Actually, you can do this on the intel machines. I’ve only tested doing it on my MacBook, but I can do it for both the wired and WIRELESS access.
Now if I could only do it to start up at boot… so i don’t have to do it myself each time
With Tiger 10.4.10 i could spoof the MAC. Today i installed leopard and it doesn’t work anymore
Any help ?
Yes, that’s really odd isn’t it? It’s even stranger that you can spoof the wireless interface (en1) using ifconfig, whereas in pre 10.4.10, it was the exact opposite.
sigh
Are there any open source drivers for Apple’s airport cards (they’re just broadcom NICs iirc)
yea, go back to 10.4.10 or wait for leopard to be hacked
if ur spoofing u shud always tryn do it on a dedicated partition anyway.. for many reasons
I am able to spoof Airport MAC on Intel MacBookPro running Leopard using:
sudo ifconfig en1 ether aa:bb:cc:dd:ee:ff
(confirmed by checking logs on router)
However, cannot spoof Wired connection on same machine using any of the following terminal commands:
sudo ifconfig en0 ether aa:bb:cc:dd:ee:ff
sudo ifconfig en0 lladdr aa:bb:cc:dd:ee:ff
Good thing I didn’t buy Leopard. This is probably they gheyest thing Apple has ever done. And it is UNIX certified. Heh. I may just have to go back to Tiger over this one. Absolutely ridiculous!
Another success on Leopard 10.5.1 for wireless:
sudo ifconfig en1 ether aa:bb:cc:dd:ee:ff
and my router sees me as something new.
I didn’t try ethernet spoofing, so can’t speak to that.
One thought: If you do Time Machine backups to a network volume it names the backup disk image based on your wired MAC address. If they let you change it that could cause problems. That could be why you can change the wireless but not wired address in Leopard.
sorry to ask a totally stupid question, but is the aa.bb.cc.dd.ee.ff supposed to be a number which i make up myself, ie i should do a command like
sudo ifconfig en0 ether 85:26:12:05:87:21
for example, rather than
sudo ifconfig en0 ether aa.bb.cc.dd.ee.ff
And i also guess that its worthwhile to change the MAC addres often, right?
is it possible to spoof the MAC address of an Airport Express. really important! thanks for any replies.
A
hi there, i got a mac book dual core 2 and i dont have any idea how to chnage the mac book Mac Address if any one know could they type me the steps and email me thanks (flip911@hotmail.co.uk)
I can confirm that the MAC address does not change when this is attempted under Mac OS X 10.5.2 for
en0.ifconfigreports no errors, but the MAC address is not altered. Observe:Interestingly, though changing
en1(which is the AirPort card by default) does seem to work, Apple utilities like Network Utility don’t report the change, instead reporting the original MAC address. Could this be because they are reading the MAC address straight from the firmware of the card and are bypassing Mac OS X’s BSD subsystem?I hope not! because that would mean that it will be impossible to spoof mac wired adress on leopard!!
I wait for 10.5.3 to see if something changes…
This lack of Ethernet spoofing is the current bane of my life.
At my Uni, U can only connect to broadband via ethernet…which is fine.
But they MAC filter…and i have a PS3.
I have been spoofing my PS3’s MAC on my macbook, but now Leopard’s buggrd tht.
‘gna hav to re-install Tiger, which I’m pissd about.
There was a MAC Changer program floating aroud somewhere, but it doesnt seem to work yet.
Confirmed to work on an Intel Mac running 10.5.2
Spoof Wireless : sudo ifconfig en1 ether aa:bb:cc:dd:ee:ff
Thanks guys!
I need to ask a slightly OT question:
I’ve been looking around to see if this kind of spoofing method will let me get my AppleTV to connect past the proxy server that my ISP has somewhat inconveniently put in the way. If I took a G4 Mac mini, spoofed the address to be the same as the AppleTV, authenticated out through the proxy on one port of the Apple Extreme Base Station, then switched cables and connected up the AppleTV on the same port, would the AppleTV/AEBS play along and think it had authenticated?
I have a slightly old Alcatel/Thompson Speedtouch modem – it seems I can’t go in and authenticate by port or anything, so I’m looking for alternatives to get this to work.
Thanks for any suggestions, input or redirection to info (although most of the links related to spoofing have been blocked by my ISP…).