I was reading the "How Hackers Steal Your Internet & How to Defend Against It" article for the first time (it's located at "https://null-byte.wonderhowto.com/how-to/hackers-steal-your-internet-defend-against-0130205/").
The section that I was wondering about is about the 2nd one down the page, called "Step 1 Spoofing a MAC Address". Specifically, I'm wondering about various things related to MAC address spoofing, such as: Which MAC addresses to spoof to?, How often to change the spoofed MAC address?, and things like that...
Which MAC addresses to spoof to?
I'd imagine that any randomly chosen MAC address will do, as alluded to in the article. The main point is probably that the one that you spoof to is different than your real one (the one that's on your hardware). However, are certain types of MAC addresses better to use than others? And, along the same lines, are there any MAC addresses that you'll want to avoid spoofing to?
The latter question seems to be easier for me to answer than the first question. For instance, one would probably not want to spoof to the MAC address of the: White House, CIA, FBI, NSA, or any similar entity (whether it be a federal or local entity). A MAC address that you know belongs to a school that's only several miles down the road from where you live might be another one to avoid using.
How often to change the spoofed MAC address?
One of the things that I was wondering about was what would be the best frequency to change the MAC address that one spoofs to (ie- when is it time to make up and/or use another number)? This question is much more difficult for me to think of possible answers to than the previous question.
I'd imagine that it wouldn't be necessary to change it every hour or day (maybe a daily change frequency might be warranted if one does a lot of hacking). And, at the other extreme, I'd think that it probably isn't the best policy to only change it once a year.
I'm not sure, but maybe the best time to change the "spoofed to" MAC address is just after a hacking session (if that case holds any water, then a daily change frequency might not be too often as to be a time waster).
With my answers to the above two questions, I was just brainstorming and putting ideas out there. I don't have near enough hacking experience or knowledge to be any kind of authority on the topic. However, it does give me some ideas for things to search for (maybe on Google or youtube). Anyone else have any ideas on the topic, or experiences to share, please chime in.
2 Responses
These are all great questions.
Your MAC address identifies your hardware... until you spoof it. Then it makes it look like you're using different hardware. The first six octets are the manufacturer identifier in a mac address, like 0007EF. That's for Lockheed Martin Tactical Network computers.
Let's say we're going on a government network. A Lockheed hardware MAC address would be appropriate on a network like that, but a government contractor computer showing up on Wi-Fi administered by a school or small business might be pretty alarming.
So, it depends. You can pretend to be whatever you want. You can use that to hide, or to provoke a response. If you want to pose as a device, or a person, it's essential to spoof the mac to match.
You can look up vendors, or make a fake mac address based on a vendor by running a search here. My example is the run search.
To make a fake mac address, use the first six octets of the vendor you want to spoof and then random numbers for the last six.
How often? Depends on what you're doing. All the time if you want to show up as different computers all the time and avoid being tracked. Not all the time if you don't need to and you find it annoying.
Thanks for putting some insights out there, SADMIN. I especially liked the part about, "A Lockheed hardware MAC address would be appropriate on a network like that, but a government contractor computer showing up on Wi-Fi administered by a school or small business might be pretty alarming." I hadn't thought of using one that's appropriate to the situation (very clever).
"If you want to pose as a device, or a person, it's essential to spoof the mac to match." That's a good rule of thumb to never forget. That link you provided is handy to have. It correctly identified mine. I guess a person could have a file with a list of them handy (or maybe only the 1st six octets), maybe put a half dozen of them in there for if one is ever needed and you happen to be offline or something. Of course, it's probably better to commit the vendors' octets to memory, instead of publishing them in a file (even if it is camouflaged a bit).
I wonder, do you suppose that a spoofed MAC and using a proxy chain of about length=5 is anonymous enough? Or, what would be a good threshold where: to do any more would be overkill, but to do any less would be not enough?
Share Your Thoughts