5 – Bypassing MAC Filters

MAC filtering is very much like hiding your SSID: it does not work and instead lulls you into a false sense of security, which is why it is often described as security through obscurity. It is an old access control that was used for authentication and authorization in the wired world, but it fails miserably in the wireless world, as you will soon see in the following lesson.

The access point keeps a table of permitted MAC addresses and consults it when a client tries to connect: if the client's MAC address is in the table, access is granted; if not, it is refused.

First configure MAC filtering on the access point in order to continue; we will keep the open configuration settings used in the previous lesson.

1 - router configure MAC address filtering

Now only the two MAC addresses that have been added can connect to the access point; if we try to connect as we did previously, it will show as not associated:

2 - iwconfig not associated

Let's put the card into monitor mode to see what is going on here and have a look with airodump-ng as we did previously, but this time being a little more exact about our filters in order to remove as much noise as possible from the airodump-ng output.

airodump-ng -c 6 -a --bssid AP_MAC mon0

"-c 6" sets the channel

"-a" ensures that only clients associated with the access point are displayed

"--bssid" sets the MAC address of the access point to filter on

3 - airodump-ng connected devices

The output then looks a lot cleaner, as you can see:

4 - airodump output

Looking at the above output we can see the MAC address of the access point and the MAC address of an associated client, which we can now spoof in order to connect to the access point.

Spoofing the MAC can be done in a few different ways, and there are tools out there that will do it for you very easily; let's look at one option using built-in system tools, then connect to the access point to verify it is working.

Let's check our current card MAC address first with ifconfig and grep:

ifconfig | grep wlan0

"ifconfig" runs ifconfig

"| grep wlan0" pipes the output into grep, which searches for "wlan0" and displays only that line, which also carries the "HWaddr" (hardware address) of the card.

5 - MAC address check

Using the client MAC address found with airodump-ng, we can now spoof the MAC address and connect:

Put the interface down:
ifconfig wlan0 down

Change the MAC address of the card:
ifconfig wlan0 hw ether F4:09:D8:XX:XX:XX

Put the interface back up:
ifconfig wlan0 up

Check the MAC has been changed:
ifconfig | grep wlan0

6 - MAC changed

Let's try and connect to the access point again:

7 - Connected with MAC

Excellent, we have now fully authenticated with the open access point that has MAC filtering enabled and bypassed the feature, which does not really add any security to stop an attacker.

Lesson Learned:

Don't rely on MAC filtering to protect your network from attackers. As you can see, it does not provide any security on a wireless network: an attacker can find a connected client over the air and spoof its MAC address in order to authenticate and connect.
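From the defender's side, the cloned MAC described in this lesson is not invisible on the air. Every 802.11 station keeps its own 12-bit frame sequence counter, so frames from one genuine transmitter arrive with steadily increasing sequence numbers (wrapping at 4096), whereas two radios sharing one source MAC interleave two independent counters and produce repeated backward jumps. The following script, an added example that is not part of the original lesson, runs that check over a constructed list of (source MAC, sequence number) pairs of the kind a monitor-mode capture would yield; the MAC addresses, sequence values and thresholds are all made-up assumptions for illustration.

```python
"""Flag a source MAC that appears to be transmitted by two radios at once.

Added example (not from the original lesson). Uses 802.11 sequence-number
analysis: a single station's sequence counter only moves forward (mod 4096)
apart from small gaps caused by lost frames or retransmissions.
"""
from collections import defaultdict

SEQ_MODULO = 4096  # the 802.11 sequence number field is 12 bits wide

# Constructed sample capture: (source MAC, sequence number).
# f4:09:d8:00:00:01 is a legitimate client counting 100, 101, 102, ...
# A second radio cloning that MAC injects frames from its own counter (2400+).
# 00:11:22:33:44:55 is a normal client whose counter wraps from 4095 to 0.
SAMPLE_FRAMES = [
    ("f4:09:d8:00:00:01", 100),
    ("f4:09:d8:00:00:01", 101),
    ("f4:09:d8:00:00:01", 102),
    ("f4:09:d8:00:00:01", 2400),  # cloned MAC, different counter
    ("f4:09:d8:00:00:01", 103),
    ("f4:09:d8:00:00:01", 2401),
    ("f4:09:d8:00:00:01", 104),
    ("f4:09:d8:00:00:01", 2402),
    ("00:11:22:33:44:55", 4094),
    ("00:11:22:33:44:55", 4095),
    ("00:11:22:33:44:55", 0),     # legitimate wrap-around, delta == 1
    ("00:11:22:33:44:55", 1),
]


def seq_delta(prev, cur):
    """Forward distance from prev to cur on the 12-bit counter (0..4095)."""
    return (cur - prev) % SEQ_MODULO


def find_spoofed_macs(frames, max_gap=64, max_backward=2):
    """Return {mac: backward_jump_count} for MACs that look like two transmitters.

    A delta larger than max_gap cannot be explained by a few lost frames, and
    because the delta is computed modulo 4096 a genuine wrap-around still
    yields a small value. Any MAC with more than max_backward such jumps is
    reported; the thresholds are assumptions to tune per environment.
    """
    last_seq = {}
    backward = defaultdict(int)
    for mac, seq in frames:
        if mac in last_seq:
            if seq_delta(last_seq[mac], seq) > max_gap:
                backward[mac] += 1
        last_seq[mac] = seq
    return {mac: n for mac, n in backward.items() if n > max_backward}


if __name__ == "__main__":
    for mac, jumps in find_spoofed_macs(SAMPLE_FRAMES).items():
        print(f"possible MAC spoofing: {mac} ({jumps} backward sequence jumps)")
```

On the constructed sample only the cloned client is reported, while the wrap-around on the second client is correctly ignored. In practice this is a detection aid rather than a fix: the actual mitigation is to stop treating the MAC address as a credential and protect the network with WPA2 or WPA3 authentication and encryption instead.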
