Difference between revisions of "MAC address spoofing"

From ArchWiki
Jump to: navigation, search
m (style/updated a bit)
m (French link)
 
(74 intermediate revisions by 20 users not shown)
Line 1: Line 1:
 
[[Category:Networking]]
 
[[Category:Networking]]
 
[[Category:Security]]
 
[[Category:Security]]
[[cs:MAC Address Spoofing]]
+
[[cs:MAC address spoofing]]
 
[[de:MAC-Adresse abfragen und setzen]]
 
[[de:MAC-Adresse abfragen und setzen]]
[[es:MAC Address Spoofing]]
+
[[es:MAC address spoofing]]
[[ru:MAC Address Spoofing]]
+
[[fr:Changement d'adresse MAC]]
[[zh-CN:MAC Address Spoofing]]
+
[[ja:MAC アドレス偽装]]
 +
[[ru:MAC address spoofing]]
 +
[[zh-cn:MAC address spoofing]]
 
This article gives several methods to spoof a Media Access Control (MAC) address.
 
This article gives several methods to spoof a Media Access Control (MAC) address.
{{Note|In the examples below is assumed the ethernet device is {{ic|enp1s0}}. Use {{ic|ip link}} to check your actual device name, and adjust the examples as necessary}}
 
  
 
== Manually ==
 
== Manually ==
  
There are two methods for spoofing a MAC address using either {{Pkg|iproute2}} (installed by default) or {{Pkg|macchanger}} (available on the [[Official Repositories]]).  
+
There are two methods for spoofing a MAC address using either {{Pkg|iproute2}} (installed by default) or {{Pkg|macchanger}} (available on the [[official repositories]]). Both of them are outlined below.
 
+
Both of them are outlined below.
+
  
 
=== Method 1: iproute2 ===
 
=== Method 1: iproute2 ===
 +
 
First, you can check your current MAC address with the command:
 
First, you can check your current MAC address with the command:
  
  # ip link show enp1s0
+
  # ip link show ''interface''
 +
 
 +
where {{ic|''interface''}} is the name of your [[network interface]].
  
 
The section that interests us at the moment is the one that has "link/ether" followed by a 6-byte number. It will probably look something like this:
 
The section that interests us at the moment is the one that has "link/ether" followed by a 6-byte number. It will probably look something like this:
Line 24: Line 26:
 
  link/ether 00:1d:98:5a:d1:3a
 
  link/ether 00:1d:98:5a:d1:3a
  
The first step to spoofing the MAC address is to bring the network interface down. You must be logged in as root to do this. It can be accomplished with the command:
+
The first step to spoofing the MAC address is to bring the network interface down. It can be accomplished with the command:
  
  # ip link set dev enp1s0 down
+
  # ip link set dev ''interface'' down
  
Next, we actually spoof our MAC. Any hexadecimal value will do, but some networks may be configured to refuse to assign IP addresses to a client whose MAC does not match up with a vendor. Therefore, unless you control the network(s) you are connecting to, it is a good idea to test this out with a known good MAC rather than randomizing it right away.
+
Next, we actually spoof our MAC. Any hexadecimal value will do, but some networks may be configured to refuse to assign IP addresses to a client whose MAC does not match up with any of known vendors. Therefore, unless you control the network(s) you are connecting to, use MAC prefix of any real vendor (basically, the first three bytes), and use random values for next three bytes. For more information please read [[Wikipedia:Organizationally unique identifier]].
  
 
To change the MAC, we need to run the command:
 
To change the MAC, we need to run the command:
  
  # ip link set dev enp1s0 address XX:XX:XX:XX:XX:XX
+
  # ip link set dev ''interface'' address ''XX:XX:XX:XX:XX:XX''
  
Where any 6-byte value will suffice for 'XX:XX:XX:XX:XX:XX'.
+
Where any 6-byte value will suffice for {{ic|''XX:XX:XX:XX:XX:XX''}}.
  
 
The final step is to bring the network interface back up. This can be accomplished by running the command:
 
The final step is to bring the network interface back up. This can be accomplished by running the command:
  
  # ip link set dev enp1s0 up
+
  # ip link set dev ''interface'' up
  
If you want to verify that your MAC has been spoofed, simply run {{ic|ip link show enp1s0}} again and check the value for 'link/ether'. If it worked, 'link/ether' should be whatever address you decided to change it to.
+
If you want to verify that your MAC has been spoofed, simply run {{ic|ip link show ''interface''}} again and check the value for 'link/ether'. If it worked, 'link/ether' should be whatever address you decided to change it to.
  
 
=== Method 2: macchanger ===
 
=== Method 2: macchanger ===
  
Another method uses {{Pkg|macchanger}} (a.k.a., the GNU MAC Changer). It provides a variety of features such as changing the address to match a certain vendor or completely randomizing it.  
+
Another method uses {{Pkg|macchanger}} (a.k.a., the GNU MAC Changer). It provides a variety of features such as changing the address to match a certain vendor or completely randomizing it.
  
[[Pacman|Install]] the package {{Pkg|macchanger}} from the [[official repositories]].
+
[[pacman#Installing specific packages|Install]] the package {{Pkg|macchanger}} from the [[official repositories]].
  
After this, the MAC can be spoofed with a random address. The syntax is {{ic|macchanger -r ''<device>''}}.  
+
The spoofing is done on per-interface basis, specify [[network interface]] name as {{ic|''interface''}} in each of the following commands.
  
Here is an example command for spoofing the MAC address of a device named enp1s0.
+
The MAC address can be spoofed with a fully random address:
  
  # macchanger -r enp1s0
+
  # macchanger -r ''interface''
  
To randomize all of the address except for the vendor bytes (that is, so that if the MAC address was checked it would still register as being from the same vendor), you would run the command:
+
To randomize only device-specific bytes of current MAC address (that is, so that if the MAC address was checked it would still register as being from the same vendor), you would run the command:
  
  # macchanger -e enp1s0
+
  # macchanger -e ''interface''
  
 
To change the MAC address to a specific value, you would run:
 
To change the MAC address to a specific value, you would run:
  
  # macchanger --mac=XX:XX:XX:XX:XX:XX enp1s0
+
  # macchanger --mac=''XX:XX:XX:XX:XX:XX'' ''interface''
  
Where {{ic|XX:XX:XX:XX:XX:XX}} is the MAC you wish to change to.
+
Where {{ic|''XX:XX:XX:XX:XX:XX''}} is the MAC you wish to change to.
  
 
Finally, to return the MAC address to its original, permanent hardware value:
 
Finally, to return the MAC address to its original, permanent hardware value:
  
  # macchanger -p enp1s0
+
  # macchanger -p ''interface''
  
 
{{Note|A device cannot be in use (connected in any way or with its interface up) while the MAC address is being changed.}}
 
{{Note|A device cannot be in use (connected in any way or with its interface up) while the MAC address is being changed.}}
Line 72: Line 74:
 
== Automatically ==
 
== Automatically ==
  
=== Netcfg ===
+
=== Method 1: systemd-networkd ===
[[Pacman|Install]] the package {{Pkg|macchanger}} from the [[official repositories]]. Read the [[#Method 2: macchanger]] method for more information.
+
  
Put the following line in your [[netcfg]] profile to have it spoof your MAC address when it's started:
+
[[systemd-networkd]] supports MAC address spoofing via [[systemd-networkd#link files|link files]] (see {{ic|man systemd.link}} for details).
  
PRE_UP='macchanger -e enp1s0'
+
To set a static spoofed MAC address:
  
You may have to replace {{ic|enp1s0}} with your interface name.
+
{{hc|/etc/systemd/network/00-default.link|2=
 +
[Match]
 +
MACAddress=''permanent MAC''
  
=== Systemd unit ===
+
[Link]
 +
MACAddress=''spoofed MAC''
 +
NamePolicy=kernel database onboard slot path
 +
}}
  
{{hc|/etc/systemd/system/macspoof@.service|
+
To randomize the MAC address on every boot, set {{ic|1=MACAddressPolicy=random}} instead of {{ic|1=MACAddress=''spoofed MAC''}}.
 +
 
 +
=== Method 2: systemd-udevd ===
 +
 
 +
[[Udev]] allows you to perform MAC address spoofing by creating the [[Udev#Writing udev rules|udev rule]]. Use {{ic|address}} attribute to match the correct device by its original MAC address and change it using the ''ip'' command:
 +
 
 +
{{hc|/etc/udev/rules.d/75-mac-spoof.rules|2=
 +
ACTION=="add", SUBSYSTEM=="net", ATTR{address}=="XX:XX:XX:XX:XX:XX", RUN+="/usr/bin/ip link set dev %k address YY:YY:YY:YY:YY:YY"
 +
}}
 +
 
 +
where {{ic|XX:XX:XX:XX:XX:XX}} is the original MAC address and {{ic|YY:YY:YY:YY:YY:YY}} is the new one.
 +
 
 +
=== Method 3: systemd unit ===
 +
 
 +
==== Creating unit ====
 +
 
 +
Below you find two examples of [[systemd]] units to change a MAC address at boot, one sets a static MAC using ''ip'' and one uses ''macchanger'' to assign a random MAC address. The systemd {{ic|network-pre.target}} is used to ensure the MAC is changed before a network manager like [[Netctl]] or [[NetworkManager]], [[systemd-networkd]] or [[dhcpcd]] service starts.
 +
 
 +
===== iproute2 =====
 +
 
 +
[[systemd]] unit setting a predefined MAC address:
 +
 
 +
{{hc|/etc/systemd/system/macspoof@.service|<nowiki>
 
[Unit]
 
[Unit]
Description&#61;MAC address change %I
+
Description=MAC Address Change %I
Before&#61;dhcpcd@%i.service
+
Wants=network-pre.target
 +
Before=network-pre.target
 +
BindsTo=sys-subsystem-net-devices-%i.device
 +
After=sys-subsystem-net-devices-%i.device
  
 
[Service]
 
[Service]
Type&#61;oneshot
+
Type=oneshot
ExecStart&#61;/usr/sbin/ip link set dev %i address 36:aa:88:c8:75:3a
+
ExecStart=/usr/bin/ip link set dev %i address 36:aa:88:c8:75:3a
ExecStart&#61;/usr/sbin/ip link set dev %i up
+
ExecStart=/usr/bin/ip link set dev %i up
  
 
[Install]
 
[Install]
WantedBy&#61;network.target}}
+
WantedBy=multi-user.target
You may have to edit this file if you do not use dhcpcd.
+
</nowiki>}}
  
{{Note|This works without netcfg. If you are using netcfg, see above.}}
+
===== macchanger =====
  
=== Systemd unit using random address ===
+
[[systemd]] unit setting a random address while preserving the original NIC vendor bytes. Ensure that {{Pkg|macchanger}} is [[Pacman#Installing specific packages|installed]]:
A unit featuring random address, which requires macchanger:
+
 
{{hc|/etc/systemd/system/macchanger@.service|
+
{{hc|/etc/systemd/system/macspoof@.service|<nowiki>
 
[Unit]
 
[Unit]
Description&#61;Macchanger service for %I
+
Description=macchanger on %I
Documentation&#61;man:macchanger(1)
+
Wants=network-pre.target
 +
Before=network-pre.target
 +
BindsTo=sys-subsystem-net-devices-%i.device
 +
After=sys-subsystem-net-devices-%i.device
  
 
[Service]
 
[Service]
ExecStart&#61;/usr/bin/macchanger -e %I
+
ExecStart=/usr/bin/macchanger -e %I
Type&#61;oneshot
+
Type=oneshot
  
 
[Install]
 
[Install]
WantedBy&#61;multi-user.target}}
+
WantedBy=multi-user.target
 +
</nowiki>}}
 +
 
 +
A full random address can be set using the {{ic|-r}} option, see [[#Method 2: macchanger]].
 +
 
 +
==== Enabling service ====
 +
 
 +
Append the desired network interface to the service name (e.g. {{ic|eth0}}) and [[enable]] the service (e.g. {{ic|macspoof@eth0.service}}).
 +
 
 +
Reboot, or stop and start the prerequisite and requisite services in the proper order. If you are in control of your network, verify that the spoofed MAC has been picked up by your router by examining the static, or DHCP address tables within the router.
 +
 
 +
=== Method 4: netctl interfaces ===
 +
 
 +
You can use a [[Netctl#Using_hooks|netctl hook]] to run a command each time a netctl profile is re-/started for a specific network interface. Replace {{ic|''interface''}} accordingly:
 +
 
 +
{{hc|/etc/netctl/interfaces/''interface''|2=
 +
#!/usr/bin/env sh
 +
/usr/bin/macchanger -r ''interface''}}
 +
 
 +
Make the script executable:
 +
chmod +x /etc/netctl/interfaces/''interface''
 +
 
 +
Source: [https://blog.akendo.eu/archlinux-random-mac-for-new-wireless-connections/  akendo.eu]
 +
 
 +
=== Method 5: NetworkManager ===
 +
 
 +
You can use a script which networkmanager invokes before to bring the interface up. The path to place the script may be {{ic|/usr/local/etc/NetworkManager/dispatcher.d/pre-up.d/macspoof.sh}} or {{ic|/etc/NetworkManager/dispatcher.d/pre-up.d/macpoof.sh}}. The first argument {{ic|$1}} is the interface name.
 +
 
 +
{{bc|#!/bin/bash
 +
ip link set dev $1 down
 +
macchanger -e $1
 +
ip link set dev $1 up}}
 +
 
 +
== Troubleshooting ==
 +
 
 +
=== Connection to DHCPv4 network fails ===
 +
 
 +
If you cannot connect to a DHCPv4 network and you are using dhcpcd, which is the default for NetworkManager, you might need to [[Dhcpcd#Client ID|modify the dhcpcd configuration]] to obtain a lease.
  
 
== See also ==
 
== See also ==
  
* [http://www.alobbs.com/macchanger Macchanger project page]   
+
* [https://github.com/alobbs/macchanger Macchanger GitHub page]   
* [http://www.debianadmin.com/change-your-network-card-mac-media-access-control-address.html Article on DebianAdmin] with more macchanger options
+
* [http://www.debianadmin.com/change-your-network-card-mac-media-access-control-address.html Article on DebianAdmin] with more ''macchanger'' options

Latest revision as of 13:26, 25 March 2016

This article gives several methods to spoof a Media Access Control (MAC) address.

Manually

There are two methods for spoofing a MAC address using either iproute2 (installed by default) or macchanger (available on the official repositories). Both of them are outlined below.

Method 1: iproute2

First, you can check your current MAC address with the command:

# ip link show interface

where interface is the name of your network interface.

The section that interests us at the moment is the one that has "link/ether" followed by a 6-byte number. It will probably look something like this:

link/ether 00:1d:98:5a:d1:3a

The first step to spoofing the MAC address is to bring the network interface down. It can be accomplished with the command:

# ip link set dev interface down

Next, we actually spoof our MAC. Any hexadecimal value will do, but some networks may be configured to refuse to assign IP addresses to a client whose MAC does not match up with any of known vendors. Therefore, unless you control the network(s) you are connecting to, use MAC prefix of any real vendor (basically, the first three bytes), and use random values for next three bytes. For more information please read Wikipedia:Organizationally unique identifier.

To change the MAC, we need to run the command:

# ip link set dev interface address XX:XX:XX:XX:XX:XX

Where any 6-byte value will suffice for XX:XX:XX:XX:XX:XX.

The final step is to bring the network interface back up. This can be accomplished by running the command:

# ip link set dev interface up

If you want to verify that your MAC has been spoofed, simply run ip link show interface again and check the value for 'link/ether'. If it worked, 'link/ether' should be whatever address you decided to change it to.

Method 2: macchanger

Another method uses macchanger (a.k.a., the GNU MAC Changer). It provides a variety of features such as changing the address to match a certain vendor or completely randomizing it.

Install the package macchanger from the official repositories.

The spoofing is done on per-interface basis, specify network interface name as interface in each of the following commands.

The MAC address can be spoofed with a fully random address:

# macchanger -r interface

To randomize only device-specific bytes of current MAC address (that is, so that if the MAC address was checked it would still register as being from the same vendor), you would run the command:

# macchanger -e interface

To change the MAC address to a specific value, you would run:

# macchanger --mac=XX:XX:XX:XX:XX:XX interface

Where XX:XX:XX:XX:XX:XX is the MAC you wish to change to.

Finally, to return the MAC address to its original, permanent hardware value:

# macchanger -p interface
Note: A device cannot be in use (connected in any way or with its interface up) while the MAC address is being changed.

Automatically

Method 1: systemd-networkd

systemd-networkd supports MAC address spoofing via link files (see man systemd.link for details).

To set a static spoofed MAC address:

/etc/systemd/network/00-default.link
[Match]
MACAddress=permanent MAC

[Link]
MACAddress=spoofed MAC
NamePolicy=kernel database onboard slot path

To randomize the MAC address on every boot, set MACAddressPolicy=random instead of MACAddress=spoofed MAC.

Method 2: systemd-udevd

Udev allows you to perform MAC address spoofing by creating the udev rule. Use address attribute to match the correct device by its original MAC address and change it using the ip command:

/etc/udev/rules.d/75-mac-spoof.rules
ACTION=="add", SUBSYSTEM=="net", ATTR{address}=="XX:XX:XX:XX:XX:XX", RUN+="/usr/bin/ip link set dev %k address YY:YY:YY:YY:YY:YY"

where XX:XX:XX:XX:XX:XX is the original MAC address and YY:YY:YY:YY:YY:YY is the new one.

Method 3: systemd unit

Creating unit

Below you find two examples of systemd units to change a MAC address at boot, one sets a static MAC using ip and one uses macchanger to assign a random MAC address. The systemd network-pre.target is used to ensure the MAC is changed before a network manager like Netctl or NetworkManager, systemd-networkd or dhcpcd service starts.

iproute2

systemd unit setting a predefined MAC address:

/etc/systemd/system/macspoof@.service
[Unit]
Description=MAC Address Change %I
Wants=network-pre.target
Before=network-pre.target
BindsTo=sys-subsystem-net-devices-%i.device
After=sys-subsystem-net-devices-%i.device

[Service]
Type=oneshot
ExecStart=/usr/bin/ip link set dev %i address 36:aa:88:c8:75:3a
ExecStart=/usr/bin/ip link set dev %i up

[Install]
WantedBy=multi-user.target
macchanger

systemd unit setting a random address while preserving the original NIC vendor bytes. Ensure that macchanger is installed:

/etc/systemd/system/macspoof@.service
[Unit]
Description=macchanger on %I
Wants=network-pre.target
Before=network-pre.target
BindsTo=sys-subsystem-net-devices-%i.device
After=sys-subsystem-net-devices-%i.device

[Service]
ExecStart=/usr/bin/macchanger -e %I
Type=oneshot

[Install]
WantedBy=multi-user.target

A full random address can be set using the -r option, see #Method 2: macchanger.

Enabling service

Append the desired network interface to the service name (e.g. eth0) and enable the service (e.g. macspoof@eth0.service).

Reboot, or stop and start the prerequisite and requisite services in the proper order. If you are in control of your network, verify that the spoofed MAC has been picked up by your router by examining the static, or DHCP address tables within the router.

Method 4: netctl interfaces

You can use a netctl hook to run a command each time a netctl profile is re-/started for a specific network interface. Replace interface accordingly:

/etc/netctl/interfaces/interface
#!/usr/bin/env sh
/usr/bin/macchanger -r interface

Make the script executable:

chmod +x /etc/netctl/interfaces/interface

Source: akendo.eu

Method 5: NetworkManager

You can use a script which networkmanager invokes before to bring the interface up. The path to place the script may be /usr/local/etc/NetworkManager/dispatcher.d/pre-up.d/macspoof.sh or /etc/NetworkManager/dispatcher.d/pre-up.d/macpoof.sh. The first argument $1 is the interface name.

#!/bin/bash
ip link set dev $1 down
macchanger -e $1
ip link set dev $1 up

Troubleshooting

Connection to DHCPv4 network fails

If you cannot connect to a DHCPv4 network and you are using dhcpcd, which is the default for NetworkManager, you might need to modify the dhcpcd configuration to obtain a lease.

See also