MAC address spoofing on FreeBSD using netgraph
All network cards come with a hardware address stamped on them. This address is unique, or supposedly unique, and allows computers and other network hardware to identify a particular interface on a machine on their local network. This hardware address is referred to as a MAC (Media Access Control) address. It has nothing to do with Macintosh computers, nor does it have anything to do with Mandatory Access Control as used in security systems.
Much like DNS, which binds a human-readable name to an IP address, ARP (Address Resolution Protocol) binds an IP address to the MAC address of a network card. ARP is only used between hosts on the same IP subnet: a host broadcasts a request asking which station holds a given IP address, and the owner replies with its MAC address so that the frame can be delivered to it.
Because MAC addresses are assumed to be unique, they are often used to identify a machine, and there may be times when it is desirable to advertise a MAC address other than the one your network card was born with. However, physically changing the MAC address stored on your network card may be more difficult than it's worth.
The MAC address is usually burned into an EEPROM (Electrically Erasable Programmable Read-Only Memory) on the Ethernet card at the factory. Its first three octets are normally an OUI (Organizationally Unique Identifier) prefix assigned by the IEEE to the manufacturer, which helps limit the possibility of duplication.
Some Ethernet cards allow the address stored in the EEPROM to be rewritten. This should normally be avoided, as it often requires special hardware and can leave the card unusable.
On certain network cards the ifconfig utility can be used to change the MAC address; however, this does not work with every driver. Other vendors offer a software utility to do this, but it generally must be run under DOS. In summary, changing the MAC address stored on the card itself is usually inconvenient and sometimes impossible.
There is another solution. This article explains how to spoof a MAC address using FreeBSD.
This is commonly known as "MAC cloning", and is offered as a feature on some commercial routers and wireless access points.
The Netgraph system, an in-kernel networking subsystem built into FreeBSD, provides all the required tools to properly spoof MAC addresses.
The attached code works on a FreeBSD 5.2.1-RELEASE system "out of the box"; that is the only release it has been tested on.
The paranoid in the room will already have a long list of reasons to want to spoof MAC addresses, as will the hackers/crackers who read this article. However there are legitimate reasons to spoof your MAC address:
- A firewall could be set to accept traffic only from a certain MAC address, using a pre-shared list of addresses in the manner of a one-time pad. An administrator could generate a list of MAC addresses that changes every so many days, hours, or minutes; the user would then have to set their MAC address to the current entry within the time window in order to send packets through the firewall. This is a simple example of layer 2 authentication, though more advanced scenarios are possible. Note that the address in use is visible to anyone on the same segment, so on its own this only resists casual misuse.
- Some Internet Service Providers record the MAC address a subscriber is using, allow only registered addresses to connect to the Internet, and charge more for additional IP addresses. Users often put a firewall or appliance that performs NAT behind the connection, but it becomes inconvenient to be tied to one particular MAC address. Occasionally a user needs to change the gateway, or swap cards in the gateway, temporarily, and does not want the hassle of re-registering a new MAC address just to move some equipment around for a few days. As long as the gateway's MAC address matches the registered address, the user is free to rearrange their equipment as they please.
- This technique can be used to implement functionality similar to VRRP or HSRP, where a standby router takes over the shared gateway address when the primary fails.
- A more creative use sets the MAC address to a pre-assigned value that has a special meaning. This is a simple example of layer 2 messaging, or steganography: the MAC address itself carries the message, rather than the message riding inside a TCP, UDP, or ICMP packet.
MAC address spoofing directions
The following steps create the Netgraph bridge and the virtual Ethernet interface. The physical interface is dc0 throughout; substitute your own. The commands address the physical interface as the netgraph node dc0:, which only exists when the ng_ether module is loaded (check with ngctl list, and kldload ng_ether if it is missing).
- Remove any IP address from the physical interface
# ifconfig dc0 delete
- Create the virtual ethernet interface
# ngctl mkpeer . eiface hook ether
- Verify the interface exists; note that its MAC address is all zeros
# ifconfig ngeth0
ngeth0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
ether 00:00:00:00:00:00
- Bring up the virtual ethernet interface
# ifconfig ngeth0 up
ngeth0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet6 fe80::2d0:9ff:fe4c:9e5f%ngeth0 prefixlen 64 scopeid 0x4
ether 00:00:00:00:00:00
- Create the bridge node, attached to the virtual interface's lower hook as link0
# ngctl mkpeer ngeth0: bridge lower link0
- Name the bridge
# ngctl name ngeth0:lower mybridge
- Connect the physical interface's lower hook to the bridge as link1
# ngctl connect dc0: mybridge: lower link1
- Connect the physical interface's upper hook to the bridge as link2
# ngctl connect dc0: mybridge: upper link2
- Connect the virtual interface's upper hook to the bridge as link3
# ngctl connect ngeth0: mybridge: upper link3
- Tell the physical interface not to overwrite the source MAC address of frames it transmits from the bridge with its own hardware address; otherwise the spoofed address would be rewritten on the way out
# ngctl msg dc0: setautosrc 0
- Put the physical interface into promiscuous mode, so that it accepts frames addressed to the spoofed MAC rather than only to its own
# ngctl msg dc0: setpromisc 1
- Set the MAC address of the virtual interface
# ifconfig ngeth0 link 00:5c:16:10:dd:79
- Obtain an IP address for the virtual interface (here via DHCP)
# dhclient ngeth0
# ifconfig ngeth0
ngeth0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet6 fe80::2de:adff:fe12:1212%ngeth0 prefixlen 64 scopeid 0x4
inet 192.168.1.21 netmask 0xffffff00 broadcast 192.168.1.255
ether 00:5c:16:10:dd:79
The script accompanying this article, modified from one of the netgraph example scripts shipped in /usr/share/examples/netgraph, automates the steps provided above.
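The author's script is not reproduced on this page. The following POSIX sh script is an added example, not the article's own code: it performs the same steps in the same order, adds a dry-run flag that prints the commands instead of executing them, and checks that the requested address is a well-formed unicast MAC before touching anything. The virtual interface name ngeth0 and the bridge name mybridge are taken from the steps above and assumed here; running it for real needs root on a FreeBSD host where the ng_ether, ng_eiface and ng_bridge node types are available, and it has only been exercised in dry-run mode.

```shell
#!/bin/sh
# ngspoof.sh: automate the netgraph MAC-cloning steps above.
# Added example, not the article's own script. Assumed: the virtual
# interface comes up as ngeth0 and the bridge is named mybridge, as in
# the manual steps; applying it for real needs root on a FreeBSD host
# with the ng_ether, ng_eiface and ng_bridge node types available.
#
# Usage: ./ngspoof.sh [-n] <physical-if> <new-mac> [virtual-if]
#   -n   dry run: print each command instead of executing it
set -e

DRYRUN=0

# Execute a command, or just print it when DRYRUN=1.
run() {
    if [ "$DRYRUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Accept only six colon-separated hex octets whose I/G bit (the low bit
# of the first octet) is clear: a group address can never be a valid
# source address, so a "spoofed" multicast MAC would simply not work.
valid_mac() {
    printf '%s' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$' || return 1
    first=$(printf '%d' "0x${1%%:*}")
    [ $((first & 1)) -eq 0 ]
}

# The manual steps, in the same order: strip the physical interface,
# create the virtual one, build the bridge, stop ng_ether from rewriting
# the source MAC, go promiscuous, set the cloned MAC, then run DHCP.
spoof_mac() {
    phys=$1
    mac=$2
    virt=${3:-ngeth0}
    bridge=mybridge

    valid_mac "$mac" || { echo "not a valid unicast MAC: $mac" >&2; return 1; }

    # 'delete' fails if no address was configured, which is fine here.
    run ifconfig "$phys" delete 2>/dev/null || true
    run ngctl mkpeer . eiface hook ether
    run ifconfig "$virt" up
    run ngctl mkpeer "$virt": bridge lower link0
    run ngctl name "$virt":lower "$bridge"
    run ngctl connect "$phys": "$bridge": lower link1
    run ngctl connect "$phys": "$bridge": upper link2
    run ngctl connect "$virt": "$bridge": upper link3
    run ngctl msg "$phys": setautosrc 0
    run ngctl msg "$phys": setpromisc 1
    run ifconfig "$virt" link "$mac"
    run dhclient "$virt"
}

main() {
    if [ "${1:-}" = "-n" ]; then
        DRYRUN=1
        shift
    fi
    if [ $# -lt 2 ]; then
        echo "usage: $0 [-n] <physical-if> <new-mac> [virtual-if]" >&2
        return 2
    fi
    spoof_mac "$@"
}

# Act only when arguments are given, so the file can also be sourced
# for its functions.
[ $# -eq 0 ] || main "$@"
```

Run `./ngspoof.sh -n dc0 00:5c:16:10:dd:79` to review the twelve commands it would issue, then drop -n to apply them. Because the script runs with set -e, any step other than the initial address removal that fails stops it before the interface is left half-configured.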
To help determine what a spoofed MAC address should be set to, you could consult the relevant section of the IEEE standards web site.
Results
The physical interface now has no IP address and is promiscuous. Because it has no address of its own, it originates no traffic under its hardware MAC address, and with source-address rewriting disabled it does not stamp that address onto frames from the bridge. The virtual interface has the IP address, and all frames that pass through the physical interface carry the MAC address of the virtual interface.
The hardware MAC address of the physical Ethernet interface does not have to be used at all: any MAC address the user wants can be assigned to the virtual interface.
Acknowledgments
I would like to thank the authors of netgraph and the various people that gave me feedback.