Wednesday, September 14, 2011

Cracking MAC Address Filtering Protected WiFi

This is a continuation of the WiFi hacking guide; the first guide, which covered cracking WEP-protected WiFi, can be viewed here

MAC Address
MAC stands for Media Access Control, which Wikipedia defines as "a unique identifier assigned to network interfaces for communications on the physical network segment." Further reading on the topic shows that each networking device has a unique MAC address, hard-coded into the device's hardware, presumably during chip assembly.

MAC Address Filtering
Most modern WiFi routers support a MAC filtering function, which can be used alongside packet encryption (WEP or WPA ciphers) for added security (presumably). The underlying idea of MAC address filtering is that if the packet encryption has been breached and deciphered, the MAC address filter kicks in and blocks connections from a 'rogue' wireless adapter. It is something like Identification Friend or Foe (IFF) in radar. The WiFi router is registered with a list of MAC addresses of 'friendly' WiFi adapters, and only connections from these registered adapters are accepted, even if you have the password for the WiFi connection. Sounds unbreakable, doesn't it? Well, not really.

Cracking the MAC Address Filtering
The problem with MAC addresses is that they are broadcast freely over the air whenever a 'friendly' WiFi adapter is connected to the router: WEP and WPA encrypt only the frame body, while the 802.11 header that carries the addresses is always sent in cleartext. Anyone with compatible hardware and packet-capturing software (airodump) can obtain the MAC address of a connected device.
Supposedly, a MAC address should be unique to every networking device; however, software to change the MAC address is freely available and the change takes mere seconds. In other words, you can set your WiFi adapter's MAC address to that of a registered device.

The MAC address filtering attack works around the two flaws discussed above: (1) sniffing the MAC address of a connected 'friendly' adapter and (2) applying that MAC address to the 'rogue' adapter so that it is detected as a registered device.
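To make the two flaws concrete from the defender's side, here is an added Python example (not code from the original post): it parses the cleartext 802.11 header fields a sniffer sees even when the Protected flag is set, and applies a sequence-number heuristic that can reveal a second radio using a cloned MAC. The addresses, frames and the 64-frame gap threshold are constructed assumptions.

```python
import struct

# Constructed sample addresses (not from a real network).
BSSID = bytes.fromhex("00112233aabb")   # assumed access point
STA = bytes.fromhex("aabbccddee01")     # assumed allow-listed client

def build_frame(src, seq, protected=True):
    """Minimal 802.11 data-frame header, station -> AP (To DS).
    Layout: FrameControl(2) Duration(2) addr1 addr2 addr3 (6 each) SeqCtl(2).
    WEP/WPA encrypt only the body that follows; this header stays cleartext."""
    fc0 = 0x08                                  # type 2 = data, subtype 0
    fc1 = 0x01 | (0x40 if protected else 0)     # To DS flag, Protected Frame flag
    seq_ctl = (seq & 0x0FFF) << 4               # fragment number 0 in low nibble
    return bytes([fc0, fc1, 0, 0]) + BSSID + src + BSSID + struct.pack("<H", seq_ctl)

def parse_header(frame):
    """Read the fields a passive sniffer sees regardless of encryption."""
    fc0, fc1 = frame[0], frame[1]
    addr2 = frame[10:16]                        # transmitter in a To-DS data frame
    (seq_ctl,) = struct.unpack("<H", frame[22:24])
    return {
        "type": (fc0 >> 2) & 0x3,
        "protected": bool(fc1 & 0x40),
        "transmitter": addr2.hex(":"),
        "seq": seq_ctl >> 4,
    }

def find_seq_anomalies(frames, max_gap=64):
    """Defender-side heuristic: one radio advances its 12-bit sequence counter
    by one per new frame, so a jump larger than max_gap (assumed threshold) for
    the same MAC suggests two transmitters are sharing that address."""
    last, anomalies = {}, []
    for frame in frames:
        h = parse_header(frame)
        if h["type"] != 2:                      # only data frames carry a station's counter here
            continue
        mac = h["transmitter"]
        if mac in last:
            gap = (h["seq"] - last[mac]) % 4096 # modulo handles counter wrap-around
            if gap > max_gap:
                anomalies.append((mac, last[mac], h["seq"]))
        last[mac] = h["seq"]
    return anomalies

# Constructed traffic: the real client at seq 100..103, interleaved with a
# second radio that cloned its MAC but runs its own counter (7, 8).
SAMPLE_FRAMES = (
    [build_frame(STA, s) for s in (100, 101, 102)]
    + [build_frame(STA, 7), build_frame(STA, 103), build_frame(STA, 8)]
)
```

Each tuple returned by `find_seq_anomalies(SAMPLE_FRAMES)` names the shared MAC and the sequence jump that exposed the second transmitter; retries and ordinary packet loss stay under the threshold.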



Disclaimer: The author does not condone hacking or any similar act in any way whatsoever. This post is intended for educational purposes and to create awareness for better and stronger wireless security. The practice described by the author was carried out on the author's own network infrastructure.


Tools Needed:
1) BackTrack 5 OS (guide)
2) A WiFi adapter compatible with airodump (I use an Atheros AR5007EG)
3) MAC changer software; some adapters support changing the MAC address in Windows, which is discussed later
4) Patience, of course
(I strongly recommend reading the WEP cracking guide posted earlier for a detailed tutorial on how to put your WiFi adapter into monitor mode, etc.)


1) Put the WiFi adapter into monitor mode using airmon-ng
    - airmon-ng start wlan0


2) Start capturing packets from the available access points with airodump-ng
    - airodump-ng mon0


3) Capture packets of the target WiFi access point
    - airodump-ng -w wep (if any) -c (channel number) --bssid (bssid number) mon0



4) Copy the registered MAC address


5) Apply the registered MAC address


The Windows 7 driver for the Atheros AR5007EG fully supports changing the MAC address, under a setting called Network Address. If your adapter has the same function, just type the MAC address without the ":" separators. Look for the setting in Device Manager.


After that, just click OK and try to connect to the access point. Enter the WEP/WPA password if there is one.


Troubleshooting

  • If the access point is encrypted with WEP/WPA, you need to crack that first before changing the MAC address
  • If you cannot change the MAC address from the Device Manager setting, try third-party software. Google is your best friend
