8/7/2019 Changing Your MAC Address in Window XP

1/6

Changing Your MAC Address In Window XP/Vista, Linux And Mac OS X(Sometimes known as MAC spoofing)

First let me explain a few things about MAC addresses. MAC stands for Media AccessControl and in a sense the MAC address is a computer's true name on a LAN. An Ethernet MACaddress is a six byte number, usually expressed as a twelve digit hexadecimal number (Example:

1AB4C234AB1F).

IPs are translated to MAC address by a protocol called ARP (Address Resolution

Protocol). Let's say a computer with and IP of 192.168.1.1 wants to send information to anothercomputer on the LAN that has an IP of 192.168.1.2 . First 192.168.1.1 will send out a broadcast

to all stations on the LAN asking who has the IP 192.168.1.2. Then the box that has 192.168.1.2

will respond to 192.168.1.1 with it's MAC address which is cached in 192.168.1.1's ARP tablefor later use. To put this in Socratic Dialog form (with just a touch of Stallone):

Host 1 (192.168.1.1):Yo everyone on the LAN (FF:FF:FF:FF:FF:FF), who has the IP192.168.1.2? My MAC is DE:AD:BE:EF:CA:FE so you can respond back to me.

Host 2 (192.168.1.2): Hello DE:AD:BE:EF:CA:FE, I have IP 192.168.1.2 and my MACaddress is 12:34:56:78:90:12 so you can send your IP packets to me.

You can see the ARP table of a box by dropping out to a command prompt and typing

"arp a" in Windows or just "arp" in Linux. ARP can also work the other way by a host on theLAN sending its MAC address to another machine on the LAN for preemptive caching unless

the host is configured to not accept un-requested ARP replies.

A person might want to change the MAC address of a NIC for many reasons:

1. To get past MAC address filtering on a router. Valid MAC addresses can be found bysniffing them and then the deviant user could assume the MAC of a valid host. Having

two hosts on the same network can cause some network stability problems, but much ofthe time it's workable. This is one of the reasons why MIC Address filtering on a wireless

router is pointless. An attacker can just sniff the MAC address out of the air while inmonitor mode and set his WiFi NIC to use it. Interestingly, a lot of hotels use MAC

8/7/2019 Changing Your MAC Address in Window XP

2/6

filtering in their "pay to surf" schemes, so this method can be an instant in for cheap skateroad warriors.

2. Sniffing other connections on the network. By assuming another host's MAC as their ownthey may receive packets not meant for them. However, ARP poisoning is generally a

better method than MAC spoofing to accomplish this task.

3.

So as to keep their burned in MAC address out of IDS and security logs, thus keepingdeviant behavior from being connected to their hardware. For example, two of the mainthings a DHCP server logs when it leases an IP to a client is the MAC address and host

name. If you have a wireless router look around on it's web interface for where it logs thisinfo. Luckily there are tools to randomize this information (MadMACs).

4. To pull off a denial of service attack, for instance assuming the MAC of the gateway to asub net might cause traffic problems. Also, a lot of WiFi routers will lock up if a client

tries to connect with the same MAC as the router's BSSID.

Linux

To change your MAC address in Linux (and most *nix system) is easy as pie. All it takes istwo easy to script commands:

ifconfig eth0 down hw ether 00:00:00:00:00:01

ifconfig eth0 up

These two little commands would set your eth0 interface to use the MAC00:00:00:00:00:01. Just plug in the NIC you want to set and the MAC address you want to useinto the commands above and your done. Changing your MAC address is one of those things that

is much easier to do in Linux then under Windows.

Mac OS X

For versions of OS X before Tiger (OS X 10.4) you will need this patch:

http://slagheap.net/etherspoof/

8/7/2019 Changing Your MAC Address in Window XP

3/6

Then you use a command like:

sudoifconfig en0 lladdr 00:00:00:00:00:01

I'm not much of a Macintosh guy, so I pulled most of this info from:

http://www.macgeekery.com/gspot/2006-04/mac_address_spoofing

My understanding is that there are complications with some AirPort cards so you may also wantto read:

http://rgov.org/airport-spoof/

Apparently there are some problems changing your MAC address in versions of OS X 10.5.6 andlatter. Stefan Person sent me the following note that should help you get it to work:

Due to a bug in OS X 10.5.6+, the built in mac-address spoofing

function requires the following work around:

To determine your old mac-address:

ifconfig en1 | grep ether

Do not 'Turn Airport Off', instead deactivate your wireless card by:

Click 'Join Other Network...' and enter a fake SSID. Allow it toattempt a connection and then go ahead and cancel the request. Your

card is now deactivated allowing us to proceed with the followingcommand:

sudoifconfig en1 ether 00:11:22:33:44:55

Confirm using:

ifconfig en1 | grep ether

8/7/2019 Changing Your MAC Address in Window XP

4/6

Windows 2000/XP/Vista: The Hard Way

In XP you can use the regedit to edit the registry from a GUI or the reg command to edit

it from the console, I'll be using regedit. Information on all your NICs can be found the registrykey HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ Class\{4D36E972-

E325-11CE-BFC1-08002bE10318}\ . Under this key you will find a bunch of sub keys labeledas 0000, 00001, 0002 and so forth. We can assume any MAC address we want by finding the key

that controls the NIC we want to change, putting in a string value called "NetworkAddress" and

setting it to the MAC address we want to use formatted as a twelve digit hex number (example:000000000001). To find out which key is which we can search through them for the value"DriverDesc" until we find the one that matches the NIC we wish to alter. After you set

"NetworkAddress" to the address you want just restart the NIC by disabling it then enabling it(or in the case of PCMCIA cards, just eject and reinsert). You can confirm the MAC address

change by using the "getmac" or "ipconfig /all" commands.

Windows 2000/XP/Vista: The Easy Way

Use Mac Makeup ( http://www.gorlani.com/publicprj/macmakeup/macmakeup.asp ),MadMACs (http://www.irongeek.com/i.php?page=security/madmacs-mac-spoofer), Smac (

http://www.klcconsulting.net/smac/ ) or Etherchange (http://ntsecurity.nu/toolbox/etherchange/ ).Mac Makeup is a cool little GUI and Command line tool that's freeware, the creator also offers a

Plugin for Bart's PE builder. MadMACs is a tool to randomize your MAC address and host nameon every reboot. Smac has a nice GUI and was free but has since gone commercial, there's no

reason to bother with it as there are free tools that are just as good. I use MadMACs since I wroteit and it lets me keep my host information randomized.

Have fun with your MAC addresses switching, but be careful not to cause network

problems. My favorite MAC address is DEADBEEFCAFE, for other interesting MACs see:

http://www.binrev.com/forums/index.php?showtopic=15942

8/7/2019 Changing Your MAC Address in Window XP

5/6

Enjoy.

After Notes:

After I posted my article Benjamin E. Pratt emailed me some other notes on changing your MAC

address on different platforms and in different ways:

BSD

1) Bring down the interface: "ifconfig xl0 down"

2) Enter new MAC address: "ifconfig xl0 link 00:00:00:AA:AA:AA"

3) Bring up the interface: "ifconfig xl0 up"

Linux

1) Bring down the interface: "ifconfig eth0 down"

2) Enter new MAC address: "ifconfig eth0 hw ether 00:00:00:AA:AA:AA"

3) Bring up the interface: "ifconfig eth0 up"

Windows 2000/XPMethod 1:

This is depending on the type of Network Interface Card (NIC) you have. If you have a card thatdoesn't support Clone MAC address, then you have to go to second method.

a) Go to Start->Settings->Control Panel and double click on Network and Dial-up Connections.

b) Right click on the NIC you want to change the MAC address and click on properties.

c) Under "General" tab, click on the "Configure" button

d) Click on "Advanced" tab

e) Under "Property section", you should see an item called "Network Address" or "Locally

Administered Address", click on it.

8/7/2019 Changing Your MAC Address in Window XP

6/6

f) On the right side, under "Value", type in the New MAC address you want to assign to your

NIC. Usually this value is entered without the "-" between the MAC address numbers.

g) Goto command prompt and type in "ipconfig /all" or "net configrdr" to verify the changes. Ifthe changes are not materialized, then use the second method.

h) If successful, reboot your system.

Method 2:

This should work on all Windows 2000/XP systems

a) Go to Start -> Run, type "regedt32" to start registry editor. Do not use "Regedit".

b) Go to "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\

Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}". Double click on it to expand

the tree. The subkeys are 4-digit numbers, which represent particular network adapters. Youshould see it starts with 0000, then 0001, 0002, 0003 and so on.

c) Find the interface you want by searching for the proper "DriverDesc" key.

d) Edit, or add, the string key "NetworkAddress" (has the data type "REG_SZ") to contain thenew MAC address.

e) Disable then re-enable the network interface that you changed (or reboot the system).

Method 3:

Use the program Etherchange from http://ntsecurity.nu/toolbox/etherchange/

Windows 9x

Use the same method as Windows 2000/XP except for the registry key location is"HKEY_LOCAL_MACHINE\System\ CurrentControlSet\Services\Class\Net" and you must

reboot your system.