Sunday, November 16, 2003

My Head Hurts

Man, this weather sucks. I woke up this morning with a weird feeling in my skull. I think it's my sinuses. Whatever the hell it is, I don't like it.

Our bud Jeremy comes over today. Which is cool because we ain't seen him in ages. I'm sure we'll get our drink on, as well as engage in some other fun activities like movie watching.

Yesterday I finally sat down and read the 30 messages that had piled up in my KisMac mailing list mail folder. A few of the questions involved "changing a MAC address". This is something that has always bothered me. Changing a MAC address in Unix is cakework. But when I tried it a few weeks ago I got some weird error message. After some reading I found out that it's never really worked in OpenDarwin (the basis for OS X), and the only way to force it to work is to edit the kernel. Not exactly my idea of fun. So I let that one go.

Now I come to find out that with the latest OS X release (Panther) it is now possible to change that MAC! Pretty good news. Now 'ifconfig' has complete standard Unix functionality. This morning I cracked open my iBook and gave it a shot.

Ray-Haques-Computer:~ rayhaque$ su
Password:
Ray-Haques-Computer:/Users/rayhaque root# ifconfig
lo0: flags=8049 mtu 16384
inet6 ::1 prefixlen 128
inet6 fe80::1 prefixlen 64 scopeid 0x1
inet 127.0.0.1 netmask 0xff000000
gif0: flags=8010 mtu 1280
stf0: flags=0<> mtu 1280
en0: flags=8863 mtu 1500
inet6 fe80::20a:27ff:fe89:a22c prefixlen 64 scopeid 0x4
inet 10.3.0.1 netmask 0xff000000 broadcast 10.255.255.255
ether 00:0a:27:89:a2:2d
media: autoselect (100baseTX ) status: active
supported media: none autoselect 10baseT/UTP 10baseT/UTP 10baseT/UTP 100baseTX 100baseTX 100baseTX
en1: flags=8863 mtu 1500
ether 00:30:65:05:57:a1
media: autoselect () status: inactive
supported media: autoselect
Ray-Haques-Computer:/Users/rayhaque root# ifconfig en0 lladdr 00:40:01:02:03:04
Ray-Haques-Computer:/Users/rayhaque root# ifconfig
lo0: flags=8049 mtu 16384
inet6 ::1 prefixlen 128
inet6 fe80::1 prefixlen 64 scopeid 0x1
inet 127.0.0.1 netmask 0xff000000
gif0: flags=8010 mtu 1280
stf0: flags=0<> mtu 1280
en0: flags=8863 mtu 1500
inet6 fe80::20a:27ff:fe89:a22c prefixlen 64 scopeid 0x4
inet 10.3.0.1 netmask 0xff000000 broadcast 10.255.255.255
ether 00:40:01:02:03:04
media: autoselect (100baseTX ) status: active
supported media: none autoselect 10baseT/UTP 10baseT/UTP 10baseT/UTP 100baseTX 100baseTX 100baseTX
en1: flags=8863 mtu 1500
ether 00:30:65:05:57:a1
media: autoselect () status: inactive
supported media: autoselect
Ray-Haques-Computer:/Users/rayhaque root#


As you can see, it worked. I changed my MAC address. Some other proof would be nice, eh? How about I connect to my router and have it tell me who it's connected to (by MAC address) using arp -a.

Ray-Haques-Computer:/Users/rayhaque root# ssh ray@router
The authenticity of host 'router (10.0.0.1)' can't be established.
DSA key fingerprint is (removed).
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'router' (DSA) to the list of known hosts.
Password:
Last login: Sun Nov 16 13:32:55 2003 from gloop

Welcome to Ray's router.

Watch your step. Don't forget to visit
our salad bar. And please, no spitting!

$ arp -a
? (10.0.0.1) at 00:20:78:05:4d:c1 on dc0 permanent [ethernet]
gloop (10.0.0.10) at 00:08:c7:6b:2c:37 on dc0 [ethernet]
tina (10.0.0.11) at 00:10:4b:71:cc:8c on dc0 [ethernet]
? (10.3.0.1) at 00:40:01:02:03:04 on dc0 [ethernet]
d60-65-(removed) (65.removed) at 00:50:57:00:a5:46 on fxp0 [ethernet]
$


You see me on that list? I am 10.3.0.1. And that is the MAC address I made up. Man, ethernet is so easily fooled.

What does this mean? Some Access Points rely on MAC filtering. That means that they have a dynamic/static list of the "hardware based" addresses they will talk to. Since hardware addresses cannot be 'changed', it's a pretty good system. As you have just witnessed though, Unix makes it easy to 'front' a new MAC address. I didn't change the physical address (that's near impossible). I am simply lying to the network. Using this same trick, I can effectively monitor a wireless network, steal away a client's MAC address, and begin using it.

The effects may not be good. I will be using their hardware address, and so will they. This will most likely confuse the hell out of a router if that PC and I are both connected. Traffic coming back from the AP will be collected by both of us. You have to wonder what that PC will be thinking when traffic comes back that it did not initiate.
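The collision described above (two stations answering for one hardware address) is exactly what shows up in the router's own ARP table, which is the cheapest place for a network owner to notice it. The following script is an added example, not code from this post or from KisMac: it parses BSD-style arp -a output in the format the router printed above, flags a MAC that is claimed by more than one IP on the same interface, and flags an IP whose MAC differs from an earlier baseline snapshot. The sample ARP tables are constructed for the example; they reuse the addresses shown on this page and add a fourth entry that mirrors the duplicate-MAC scenario the text predicts.

```python
import re
from collections import defaultdict

# Matches BSD-style "arp -a" lines like the ones the router printed above:
#   gloop (10.0.0.10) at 00:08:c7:6b:2c:37 on dc0 [ethernet]
#   ? (10.0.0.1) at 00:20:78:05:4d:c1 on dc0 permanent [ethernet]
# Each octet may be 1 or 2 hex digits because some BSD arp builds omit the zero padding.
ARP_LINE = re.compile(
    r"^(?P<host>\S+) \((?P<ip>[\d.]+)\) at "
    r"(?P<mac>(?:[0-9a-f]{1,2}:){5}[0-9a-f]{1,2}) on (?P<iface>\S+)"
    r"(?P<perm> permanent)?",
    re.IGNORECASE,
)


def normalize_mac(mac):
    """Lower-case and zero-pad each octet so 0:8:c7:... and 00:08:c7:... compare equal."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))


def parse_arp(text):
    """Return a list of (ip, mac, iface, permanent) tuples; lines that do not parse are skipped."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            entries.append((m.group("ip"), normalize_mac(m.group("mac")),
                            m.group("iface"), bool(m.group("perm"))))
    return entries


def duplicate_macs(entries):
    """MACs that more than one IP on the same interface claims, mapped to the sorted IPs."""
    seen = defaultdict(set)
    for ip, mac, iface, _ in entries:
        seen[(iface, mac)].add(ip)
    return {mac: sorted(ips) for (iface, mac), ips in seen.items() if len(ips) > 1}


def changed_macs(baseline, current):
    """IPs whose MAC differs from the one recorded in a baseline snapshot of the same interface."""
    base = {(ip, iface): mac for ip, mac, iface, _ in baseline}
    return {ip: (base[(ip, iface)], mac)
            for ip, mac, iface, _ in current
            if (ip, iface) in base and base[(ip, iface)] != mac}


def report(baseline_text, current_text):
    """Run both checks on two arp -a dumps and return the findings as a dict."""
    baseline = parse_arp(baseline_text)
    current = parse_arp(current_text)
    return {"duplicates": duplicate_macs(current),
            "changed": changed_macs(baseline, current)}


# Constructed sample data: a baseline snapshot using the page's addresses, and a later snapshot
# in which 10.3.0.1 now claims gloop's MAC and tina's MAC has changed (printed without padding).
BASELINE_ARP = """\
? (10.0.0.1) at 00:20:78:05:4d:c1 on dc0 permanent [ethernet]
gloop (10.0.0.10) at 00:08:c7:6b:2c:37 on dc0 [ethernet]
tina (10.0.0.11) at 00:10:4b:71:cc:8c on dc0 [ethernet]
"""

CURRENT_ARP = """\
? (10.0.0.1) at 00:20:78:05:4d:c1 on dc0 permanent [ethernet]
gloop (10.0.0.10) at 00:08:c7:6b:2c:37 on dc0 [ethernet]
tina (10.0.0.11) at 0:40:1:2:3:4 on dc0 [ethernet]
? (10.3.0.1) at 00:08:c7:6b:2c:37 on dc0 [ethernet]
"""

if __name__ == "__main__":
    findings = report(BASELINE_ARP, CURRENT_ARP)
    for mac, ips in findings["duplicates"].items():
        print(f"duplicate MAC {mac} claimed by {', '.join(ips)}")
    for ip, (old, new) in findings["changed"].items():
        print(f"MAC for {ip} changed from {old} to {new}")
```

On a real router you would feed it the live arp -a output (for example via cron, keeping yesterday's dump as the baseline) and alert on any non-empty result; the MAC-changed check produces false positives when a client's NIC is legitimately replaced, so it is a prompt to look, not proof of spoofing.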

Only experimentation will tell. Looks like I will have to plan a wardrive expedition.
