MAC Spoofing
Every Ethernet card has a special number, called a MAC address, that it uses whenever it talks on the network. This MAC address is how the interface identifies packets intended for itself. Each packet transmitted on the network has a source MAC address and a destination MAC address. MAC, for inquiring minds, stands for 'Media Access Control'.
Whenever the network interface receives a packet, it checks the destination MAC address specified in the packet against its own address to determine if the packet is intended for it. If the addresses do not match, the packet is discarded. Whenever the interface transmits a packet, it sets the source MAC address of the packet to its own address.
Where do these 6-digit MAC addresses come from? The memory chip on the interface card contains the number. When an operating system boots, loads a driver, or when the interface card is installed, it will read the address off the card and store it for later use.
What if you could change this number? You can. Most people involved in information security work are aware you can change it, but many people think it is complicated and difficult. Quite the opposite is true – changing your MAC address is downright trivial.
In the modern wireless world, MAC addresses are often used to control which wireless client machines can connect to a Wireless Access Point (WAP). This is a rudimentary form of security. However, it is trivial to monitor a WAP’s wireless traffic and determine which MAC addresses are using the system. Once a hacker knows a valid MAC address, it is rather easy to impersonate a MAC address the WAP will accept and gain access. By the way, WEP encryption does not encrypt the MAC address in the packets.
There are many issues related to MAC addresses and Ethernet packets that we could get sidetracked with, but let's skip all of that and just see how easy it is to change your MAC address on a Windows computer.
Windows MAC Spoofing
I’ve heard people suggest you desolder the ROM chip off the interface and use an EPROM burner to make a new one with the address you want. If you prefer to do things that way, you shouldn’t be reading this. I like things simple.
There are generally two ways to change the MAC address on Windows - the easy way and the slightly easier way. First, go to My Network Places, right click and pick Properties. Then right-click on the Local Area Network icon and pick Properties again. You should see something like this:
Next, click on the Configure button for a window similar to this:
When the window comes up, click the Advanced tab as shown here. If you are lucky, you will have a property listed called Network Address – as shown above. If so, by default it is set to Not Present. However, by simply specifying 6 double hex digits (12 numbers), you can specify your MAC address.
Many network card drivers don’t support setting the MAC address through this interface. For those cards, you simply need to make a quick registry edit. To find the right registry location, make a note of the interface name as Windows sees it – in the sample in figure 1, the name is AMD PCNET Family PCI Ethernet Adapter.
Next, fire up REGEDT32 or REGEDIT – I normally use Start / Run to do this. Then navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class hive.

Many registry paths make perfect sense; the names sometimes just give away the purpose. This path is an exception – it’s just about as intuitive as putting a man on the moon. The key is this – click down through the class IDs shown and watch the right-hand pane. The default value here describes the purpose – in the screen shot shown here, it’s Network adapters. That’s what you are looking for.
Once you’ve found the network adapters area, you will notice there are several numbered subkeys – in the screenshot shown here, they start at 0000 and go to 0012. Each of these has information about one of the network drivers installed (present or past) on the machine. The next thing to do is to click down through here and find the network card whose MAC address you’d like to change. Note that even if your machine has only one NIC, you will still have several entries here – entries for modems, dial-up connections, VPN software, etc.

In my case, the very first interface (0000) was the right one. Notice on the right side of the screen, the highlighted value. It is the description of the card as the operating system sees it. This should match the name observed in figure 1 (network properties screen).

To change the MAC address, click Edit and select Add Value.

For value name, put NetworkAddress – it’s all one word. Click OK.

In this box, you put the MAC address you want to change the card to – in this example, it is 01-02-03-04-05-06. Although it is common to see MAC addresses with a dash between each double hex digit, don’t put dashes in this box. Click OK and you simply need to reset the card and you are done.
Resetting the card
This is Windows, so you could always reboot, but there is an easier way on Windows 2000 and newer. Go to the Network Properties again (right click on My Network Places, select Properties.)

From this window, right click your LAN adapter, select Disable. It will take a few seconds. Then right click again and select Enable. You should be up and running with your new MAC address. Fire up Wireshark to verify.
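From the defender's side, the NetworkAddress value described above is something to audit for. The following is an added example, not part of the original article: it lists adapters whose registry subkey carries the override. The class GUID is the standard Windows "Network adapters" device class and is not quoted in the article; the function names and sample data are constructed for illustration.

```python
import re

# Standard Windows device-class key for "Network adapters" (an assumption added
# here; the article finds the key by browsing and does not quote the GUID).
NET_CLASS = (r"SYSTEM\CurrentControlSet\Control\Class"
             r"\{4D36E972-E325-11CE-BFC1-08002BE10318}")

def normalize_mac(value):
    """Return 12 upper-case hex digits, or None if value is not a MAC."""
    digits = re.sub(r"[-:.\s]", "", str(value)).upper()
    return digits if re.fullmatch(r"[0-9A-F]{12}", digits) else None

def find_overrides(adapters):
    """adapters: iterable of (subkey, {value_name: data}); report NetworkAddress use."""
    findings = []
    for subkey, values in adapters:
        raw = values.get("NetworkAddress")
        if not raw:
            continue  # value absent or empty: the burned-in address is in use
        mac = normalize_mac(raw)
        findings.append({"subkey": subkey,
                         "adapter": values.get("DriverDesc", "?"),
                         "override": mac or raw,
                         "well_formed": mac is not None})
    return findings

def read_adapters():
    """Windows only: collect the values of each numbered subkey (0000, 0001, ...)."""
    import winreg  # imported lazily so the logic above also runs off Windows
    adapters = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, NET_CLASS) as cls:
        for i in range(winreg.QueryInfoKey(cls)[0]):
            name = winreg.EnumKey(cls, i)
            if not re.fullmatch(r"\d{4}", name):
                continue  # e.g. the protected "Properties" subkey
            with winreg.OpenKey(cls, name) as sub:
                count = winreg.QueryInfoKey(sub)[1]
                values = dict(winreg.EnumValue(sub, j)[:2] for j in range(count))
            adapters.append((name, values))
    return adapters

# Constructed sample mirroring the article's example values.
SAMPLE = [("0000", {"DriverDesc": "AMD PCNET Family PCI Ethernet Adapter",
                    "NetworkAddress": "010203040506"}),
          ("0001", {"DriverDesc": "WAN Miniport (constructed)"})]

if __name__ == "__main__":
    import sys
    source = read_adapters() if sys.platform == "win32" else SAMPLE
    for f in find_overrides(source):
        print(f)
```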
Don't think this means you can't get caught
The first three bytes (such as 01-02-03 shown above) are a manufacturer's code – that’s how your packet analyzer knows the make of the network cards it sees and it is also the first thing an intrusion analyst will notice if it has been altered to a value that does not match a vendor ID code of some sort.
Many wireless security systems claim to be able to spot spoofed MAC addresses. I've tested a few of them and they are surprisingly good at it. If you use a random MAC without taking care to ensure the vendor code is valid, you will be spotted in a heartbeat. Even if you do use a good fake, you can still get caught. The better wireless monitoring systems monitor for things like TCP sequence numbers being out of order, and if two sensors a distance apart see the same MAC address, they know something is up.
The two outfits I had the pleasure of testing, that shall remain nameless, were quite difficult to get past, but both could be tricked.
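Two of the checks described in this section, the vendor-code test and the "same MAC at two distant sensors" test, can be sketched as follows. This is an added example, not code from the original article or from any product mentioned: the function names, sensor layout, range and sightings are constructed, and the vendor table is a three-entry excerpt standing in for the full IEEE registry.

```python
from math import dist

# Small excerpt of vendor prefixes; a real monitor loads the full IEEE OUI registry.
KNOWN_OUIS = {"00000C": "Cisco", "005056": "VMware", "080027": "PCS Systemtechnik"}

def address_flags(mac):
    """Static checks on a source MAC given as hex with optional - or : separators."""
    digits = mac.replace("-", "").replace(":", "").upper()
    first = int(digits[:2], 16)
    flags = []
    if first & 0x01:
        flags.append("group-bit")             # multicast bit: never valid as a source
    if first & 0x02:
        flags.append("locally-administered")  # also set by legitimate MAC randomization
    if digits[:6] not in KNOWN_OUIS:
        flags.append("unknown-oui")
    return flags

def split_location_macs(sightings, sensors, max_range_m, window_s):
    """Return MACs heard within window_s by sensors too far apart to share one sender.

    sightings: list of (time_s, sensor_id, mac); sensors: id -> (x_m, y_m).
    One transmitter can reach two sensors only if they are <= 2 * max_range_m apart.
    """
    hits = set()
    seen = {}  # mac -> list of (time_s, sensor_id) already processed
    for t, sensor, mac in sorted(sightings):
        for t0, s0 in seen.get(mac, []):
            too_far = dist(sensors[sensor], sensors[s0]) > 2 * max_range_m
            if t - t0 <= window_s and too_far:
                hits.add(mac)
        seen.setdefault(mac, []).append((t, sensor))
    return sorted(hits)

# Constructed sensor positions (metres) and sightings for illustration.
SENSORS = {"lobby": (0, 0), "hall": (30, 0), "dock": (400, 0)}
SIGHTINGS = [
    (0.0, "lobby", "00000C112233"),
    (0.5, "hall", "00000C112233"),   # nearby sensor: consistent with one sender
    (1.0, "dock", "00000C112233"),   # 400 m away one second later: two senders
    (2.0, "lobby", "080027AABBCC"),
]

if __name__ == "__main__":
    print(address_flags("01-02-03-04-05-06"))
    print(split_location_macs(SIGHTINGS, SENSORS, max_range_m=100, window_s=5))
```

The article's own example address, 01-02-03-04-05-06, trips the first check twice: its first octet has the group (multicast) bit set, and 01-02-03 is not in the vendor excerpt.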
Conclusion
So what does this mean for your home wireless network?
Setting up MAC filtering will take you longer than it will take anyone knowledgeable about hacking to bypass it.