(This entire experiment was conducted in a controlled environment in our laboratories. No networks were attacked or entered that didn't belong to Cerberus Network.)
This article is not going to introduce what a MAC address is. There are lots of wonderful articles out there that explain what a MAC address is. However, along the way, there are some typical assumptions people make about the MAC address:
1. It is unique and cannot be forged / faked.
2. A MAC filter will prevent anyone else from entering the network without the physically authorized hardware.
3. A MAC address is linked to the manufacturer and can be traced.
In fact, based on point 2, we have even encountered enterprise Wi-Fi setups without WEP or WPA at all, but with ONLY the MAC filter on. And at yet another setup, there wasn't even a proper admin password configured, because somebody thought that without an approved card that is allowed to access the network, others can't even get into the network in the first place. Well, we are about to find out.
First, we have a simple setup on a router that allows a wired connection with a known MAC from an authorized piece of equipment.

The network we are about to get into is called "Hacked". We first verify with our Wi-Fi card, which has a different MAC address from the wired authorized equipment, and indeed we cannot enter the network.

OK, we are kicked out mercilessly. So we use software, which is easily available and not particularly expensive, to change the MAC address of our Wi-Fi card to the address of the known wired equipment.
We restart the network and attempt to connect to "Hacked" and ... we're in.

Just to be sure we did not allow our Wi-Fi card in by mistake because of a misconfiguration, we checked the router settings.

With the proper equipment, attackers can easily tell what MAC addresses are connecting to your access point, because MAC addresses are always transmitted in plaintext, regardless of whether or not WEP/WPA is employed. As such, this shows that it is not very difficult to hijack a network connection, or even install a rogue AP in a wireless network that is not properly protected.
We're not saying that using the MAC filter is totally useless and you should not enable it. What we are saying is that it should not be your ONLY line of defense. And remember, MAC filters only give you perhaps a few minutes' worth of protection. Although masquerading as another MAC could cause the legitimate network connection to drop, thereby triggering an alarm, a good attacker would probably gather the correct MAC addresses to use and only make the intrusion attempt when the legitimate computer or client is not connected. Nor can MAC address logs be of any use, because an attacker would very likely fake a MAC address to cover his tracks. Hence, wireless networks should never rely on MAC addresses to perform authentication, audit, or similar functions.
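The two detection signals this experiment exposes, a MAC that is authorized only for a wired port suddenly associating over Wi-Fi, and one MAC holding two sessions on different media or ports at the same time, can be checked from association logs. The following is an added example written for this article, not code from the experiment or from any vendor; the log format, the hostnames and the MAC addresses are constructed for illustration.

```python
"""Flag MAC-filter bypass indicators in (constructed) association records."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: <timestamp> <event> <medium> <mac> <port or ssid>
# Mirrors the article: a wired-authorized MAC reappears on the Wi-Fi side.
SAMPLE_LOG = """\
2024-05-01T09:00:00 ASSOC wired 00:11:22:33:44:55 port=Gi1/0/1
2024-05-01T09:05:00 ASSOC wifi  00:11:22:33:44:55 ssid=Hacked
2024-05-01T09:05:01 DISASSOC wired 00:11:22:33:44:55 port=Gi1/0/1
2024-05-01T09:10:00 ASSOC wifi  66:77:88:99:aa:bb ssid=Hacked
2024-05-01T09:20:00 DISASSOC wifi 66:77:88:99:aa:bb ssid=Hacked
"""

# MACs the filter admits only on wired ports (constructed allow-list).
AUTHORIZED_WIRED = {"00:11:22:33:44:55"}


def parse(log):
    """Turn the constructed log text into (time, event, medium, mac, where) tuples."""
    rows = []
    for line in log.splitlines():
        ts, event, medium, mac, where = line.split()
        rows.append((datetime.fromisoformat(ts), event, medium, mac.lower(), where))
    return rows


def find_anomalies(rows, authorized_wired):
    """Return alert strings for medium mismatches and overlapping sessions."""
    alerts = []
    active = defaultdict(set)  # mac -> {(medium, where)} currently associated
    for ts, event, medium, mac, where in rows:
        key = (medium, where)
        if event == "ASSOC":
            # Signal 1: a wired-only MAC shows up over the air.
            if medium == "wifi" and mac in authorized_wired:
                alerts.append(f"{ts.isoformat()} wired-only MAC {mac} associated over wifi ({where})")
            # Signal 2: the same MAC is already live somewhere else.
            if active[mac] and key not in active[mac]:
                others = ", ".join(f"{m}:{w}" for m, w in sorted(active[mac]))
                alerts.append(f"{ts.isoformat()} MAC {mac} active on {others} while associating on {medium}:{where}")
            active[mac].add(key)
        elif event == "DISASSOC":
            active[mac].discard(key)
    return alerts


if __name__ == "__main__":
    for alert in find_anomalies(parse(SAMPLE_LOG), AUTHORIZED_WIRED):
        print(alert)
```

Note that the overlap check is exactly the alarm the article says a patient attacker avoids by waiting for the legitimate client to disconnect; the medium-mismatch check still fires in that case, which is why the allow-list should record where a MAC is permitted, not just that it is.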
Stay tuned for more security articles here.