michael_kent123 Posted November 8, 2012 (edited)

Hi, I have been playing around with MAC spoofing on my WPA2 network. I am confused! Here are the commands I use to change my MAC (using Ubuntu 10.04):

sudo ifconfig wlan0 down hw ether [new MAC address]
sudo ifconfig wlan0 up

I use valid OUI addresses from the oui.txt file from: http://standards.iee...oui/public.html

However, I cannot connect to my router with a spoofed MAC, and I have tried many different OUIs. Here is what dmesg shows:

[20604.754981] wlan0: direct probe to AP 00:14:6c:12:66:c0 (try 1)
[20604.759226] wlan0: direct probe responded
[20604.759240] wlan0: authenticate with AP 00:14:6c:12:66:c0 (try 1)
[20604.766951] wlan0: authenticated
[20604.767007] wlan0: associate with AP 00:14:6c:12:66:c0 (try 1)
[20604.770980] wlan0: RX AssocResp from 00:14:6c:12:66:c0 (capab=0x411 status=0 aid=1)
[20604.770997] wlan0: associated
[20612.392073] wlan0: deauthenticating from 00:14:6c:12:66:c0 by local choice (reason=3)

I looked up what this meant in the "IEEE Standard for Information technology — Telecommunications and information exchange between systems — Local and metropolitan area networks — Specific requirements Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications" manual, specifically Table 7-22 "Reason Codes" (pages 92-93). Reason 3 is "Deauthenticated because sending STA is leaving (or has left) IBSS or ESS".

What does "by local choice" for "reason=3" mean? The STA, I believe, is the client (me), but I am not mobile.

Or, less often:

[20496.710623] wlan0: deauthenticated from 00:14:6c:12:66:c0 (Reason: 15)

Reason 15 is a "4-Way Handshake timeout".

I connect in exactly the same way as I do when I connect normally (with a non-spoofed MAC). I have not set up any policies that restrict MAC addresses (there is no MAC filtering). When I re-spoof my MAC back to the 'real' MAC it immediately connects as normal.

I have successfully spoofed my MAC and connected to numerous open wireless networks. I have also connected to a few WPA networks, but have noticed that sometimes (not always) certain networks will either never allow a spoofed MAC to connect, or sometimes will and sometimes will not. My router is a ZyXEL AMG1202-T10A, but I don't think this matters because, as mentioned, I have successfully connected to many different networks (some with WPA) with different router types after MAC spoofing. I assume that the problem is something to do with WPA routers disliking, at times, spoofed MACs (but I do not know this).

Question: while I appreciate it is impossible to give a definitive answer, why would my own router prevent me from connecting with a spoofed MAC?

Thanks!

Edited November 8, 2012 by michael_kent123
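As an added diagnostic aid (this is not code from the original post), here is a small Python parser for the mac80211 dmesg lines quoted above. It pairs each deauthentication with the most recent successful association to the same AP, separates the two wordings the kernel uses (in mac80211, "deauthenticating from ... by local choice" is logged when the client's own stack tears the link down, typically because wpa_supplicant gave up, while "deauthenticated from ... (Reason: N)" is logged when a deauth frame arrives from the AP), and looks the reason code up in the Table 7-22 entries already quoted. The sample input is the nine lines from the post in the order they were pasted, which the code treats as constructed data; the field names are my own.

```python
import re

# Constructed sample: the dmesg lines quoted in the post, in the order they appear
# there. The last line comes from a separate, earlier attempt (smaller timestamp).
SAMPLE_DMESG = """\
[20604.754981] wlan0: direct probe to AP 00:14:6c:12:66:c0 (try 1)
[20604.759226] wlan0: direct probe responded
[20604.759240] wlan0: authenticate with AP 00:14:6c:12:66:c0 (try 1)
[20604.766951] wlan0: authenticated
[20604.767007] wlan0: associate with AP 00:14:6c:12:66:c0 (try 1)
[20604.770980] wlan0: RX AssocResp from 00:14:6c:12:66:c0 (capab=0x411 status=0 aid=1)
[20604.770997] wlan0: associated
[20612.392073] wlan0: deauthenticating from 00:14:6c:12:66:c0 by local choice (reason=3)
[20496.710623] wlan0: deauthenticated from 00:14:6c:12:66:c0 (Reason: 15)
"""

# IEEE 802.11 Table 7-22 reason codes, limited to the two that appear in the thread.
REASON_CODES = {
    3: "Deauthenticated because sending STA is leaving (or has left) IBSS or ESS",
    15: "4-Way Handshake timeout",
}

LINE_RE = re.compile(r"^\[\s*(?P<ts>\d+\.\d+)\]\s+(?P<iface>\w+):\s+(?P<msg>.*)$")
BSSID_RE = re.compile(r"((?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I)
REASON_RE = re.compile(r"reason[=:]\s*(\d+)", re.I)


def parse_line(line):
    """Turn one kernel log line into an event dict; None if it is not in dmesg form."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    msg = m.group("msg")
    bssid = BSSID_RE.search(msg)
    reason = REASON_RE.search(msg)
    if msg.startswith("deauthenticating from"):
        kind, direction = "deauth", "local"    # client side tore the link down
    elif msg.startswith("deauthenticated from"):
        kind, direction = "deauth", "remote"   # deauth frame received from the AP
    else:
        kind, direction = (msg if msg in ("associated", "authenticated") else "other"), None
    return {
        "ts": float(m.group("ts")),
        "iface": m.group("iface"),
        "kind": kind,
        "direction": direction,
        "bssid": bssid.group(1).lower() if bssid else None,
        "reason": int(reason.group(1)) if reason else None,
    }


def summarize(text):
    """One finding per deauth, in log order: who sent it, the reason code and its
    Table 7-22 text, and how long the association lasted before it (if known)."""
    current_ap = None
    last_assoc = {}   # bssid -> timestamp of the most recent "associated" line
    findings = []
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["bssid"]:
            current_ap = ev["bssid"]
        if ev["kind"] == "associated" and current_ap:
            last_assoc[current_ap] = ev["ts"]
        elif ev["kind"] == "deauth":
            assoc_ts = last_assoc.get(ev["bssid"])
            # A deauth stamped earlier than the association it would follow belongs to
            # a different attempt (as in the post), so no duration is reported for it.
            held = None
            if assoc_ts is not None and assoc_ts <= ev["ts"]:
                held = round(ev["ts"] - assoc_ts, 6)
            findings.append({
                "ts": ev["ts"],
                "bssid": ev["bssid"],
                "direction": ev["direction"],
                "reason": ev["reason"],
                "meaning": REASON_CODES.get(ev["reason"], "reason code not in this table"),
                "held_for": held,
            })
    return findings


if __name__ == "__main__":
    for f in summarize(SAMPLE_DMESG):
        held = "n/a" if f["held_for"] is None else "%.3fs" % f["held_for"]
        print("%s deauth from %s: reason %s (%s), associated for %s"
              % (f["direction"], f["bssid"], f["reason"], f["meaning"], held))
```

Run against a real log with `dmesg | python3 this_script.py`-style piping after swapping `SAMPLE_DMESG` for `sys.stdin.read()`. The useful signal for the question asked above is the first finding: the association succeeded and was held for about 7.6 seconds before the client itself sent reason 3, which is the window in which the WPA 4-way handshake would normally complete.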
vector Posted November 8, 2012

You tried using macchanger instead?
digip Posted November 8, 2012

If you use Linux, sometimes the DHCP settings keep your original IP and MAC in a file that has to be cleared, and it keeps requesting the same IP from the router but with a different MAC, so the router would say that lease belongs to some other IP. I forget the path Linux uses to store the settings, but you may have to clear it to get on with the spoofed MAC.

I had this problem with BackTrack, when I used to try logging on to my router normally, then with a spoofed MAC after using attacks like cracking my own WEP and trying to then associate and log on: it was trying to keep getting the same IP lease, and the router was like, that belongs to this other address, and DHCP would keep failing, until I found the file in BackTrack that needed to be cleared. Even when connecting to other networks with my legit MAC, it kept trying to get an address in the range of my home network, which is not the same as the subnet used on the foreign network, and I had to clear that DHCP file to get it to be able to log on to the new subnet. Just my 2 cents.

Also, do you have MAC address filtering set up on your own router? If so, your spoofed address won't be able to get on if it's not in the allowed list.

Other thoughts: you're attacking someone else's network, and if so, spoofing one of their MAC addresses for a client already logged onto their network won't allow you on, and the router might be smart enough to block you. If you are attacking someone else's router (not accusing you of that), that's fine, your responsibility, but if so, and trying to spoof someone's known MAC on their network, they may have used DHCP reservations for MAC addresses for their known devices, and you can't get a DHCP lease if they have DHCP turned off on their router and use DHCP reservations to pre-set IP to MAC addresses for their router's network. I do this on my own router but also don't use a normal 192.168.x.x subnet.

I use actual class A, internet-routable IP address ranges, which, since I am behind NAT, works just fine anyway, and I don't have anything set up on my router to exchange routing tables with foreign routers, so there's no chance of someone speaking to my subnet from the internet, even if they are on the same IP range externally.
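To make the lease-file behaviour digip describes concrete, here is an added example (not digip's or the thread's code) that reads an ISC dhclient lease file. It assumes the file he is recalling is dhclient.leases, which on Ubuntu 10.04 I believe lives under /var/lib/dhcp3/ and on later releases under /var/lib/dhcp/; that path is an assumption, and the lease contents below are constructed. dhclient appends a block to this file for every lease it obtains and, on the next start, re-requests the most recent one (INIT-REBOOT) before falling back to a fresh DHCPDISCOVER, which is why an old entry makes the client ask a foreign router for its home address.

```python
import ipaddress
import re

# Constructed dhclient.leases content in ISC dhclient's on-disk format. The
# addresses, times and the second (away-from-home) network are all made up.
SAMPLE_LEASES = """\
lease {
  interface "wlan0";
  fixed-address 192.168.1.23;
  option subnet-mask 255.255.255.0;
  option routers 192.168.1.1;
  option dhcp-lease-time 86400;
  option dhcp-server-identifier 192.168.1.1;
  renew 4 2012/11/08 12:00:00;
  rebind 4 2012/11/08 21:00:00;
  expire 5 2012/11/09 00:00:00;
}
lease {
  interface "wlan0";
  fixed-address 10.0.5.77;
  option subnet-mask 255.255.255.0;
  option routers 10.0.5.1;
  option dhcp-lease-time 3600;
  option dhcp-server-identifier 10.0.5.1;
  renew 4 2012/11/08 13:30:00;
  rebind 4 2012/11/08 13:52:30;
  expire 4 2012/11/08 14:00:00;
}
"""

LEASE_BLOCK_RE = re.compile(r"lease\s*\{(.*?)\}", re.S)


def parse_leases(text):
    """Parse every 'lease { ... }' block into a dict of statement -> value.
    'option X Y' statements are stored under X; surrounding quotes are removed."""
    leases = []
    for body in LEASE_BLOCK_RE.findall(text):
        lease = {}
        for raw in body.splitlines():
            stmt = raw.strip().rstrip(";").strip()
            if not stmt:
                continue
            if stmt.startswith("option "):
                _, key, value = stmt.split(None, 2)
            else:
                parts = stmt.split(None, 1)
                key, value = parts[0], (parts[1] if len(parts) > 1 else "")
            lease[key] = value.strip('"')
        leases.append(lease)
    return leases


def most_recent_lease(text, iface):
    """The last block written for an interface is the one dhclient tries to
    re-request first; None if the file holds no lease for that interface."""
    mine = [l for l in parse_leases(text) if l.get("interface") == iface]
    return mine[-1] if mine else None


def stale_leases(text, iface, current_subnet):
    """Leases for iface whose address lies outside the subnet we are on now.
    These are the entries a foreign DHCP server can only NAK, so they are the
    ones worth clearing before reconnecting elsewhere."""
    net = ipaddress.ip_network(current_subnet)
    stale = []
    for lease in parse_leases(text):
        if lease.get("interface") != iface:
            continue
        addr = ipaddress.ip_address(lease["fixed-address"])
        if addr not in net:
            stale.append({
                "address": str(addr),
                "router": lease.get("routers"),
                "server": lease.get("dhcp-server-identifier"),
                "expire": lease.get("expire"),
            })
    return stale


if __name__ == "__main__":
    newest = most_recent_lease(SAMPLE_LEASES, "wlan0")
    print("lease dhclient will re-request first:", newest["fixed-address"])
    # Pretend we have just joined the 10.0.5.0/24 network: the home lease is stale.
    for entry in stale_leases(SAMPLE_LEASES, "wlan0", "10.0.5.0/24"):
        print("stale entry:", entry)
```

Pointing `stale_leases` at the real file (with `open(path).read()` in place of `SAMPLE_LEASES`) shows exactly which blocks belong to another network; removing those blocks, or the whole file, while the interface is down is the "clearing" digip refers to, after which dhclient has nothing to re-request and starts with a fresh discover.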
michael_kent123 Posted November 14, 2012 (Author)

> If you use Linux, sometimes the DHCP settings keep your original IP and MAC in a file that has to be cleared, and it keeps requesting the same IP from the router but with a different MAC, so the router would say that lease belongs to some other IP. I forget the path Linux uses to store the settings, but you may have to clear it to get on with the spoofed MAC. I had this problem with BackTrack, when I used to try logging on to my router normally, then with a spoofed MAC after using attacks like cracking my own WEP and trying to then associate and log on: it was trying to keep getting the same IP lease, and the router was like, that belongs to this other address, and DHCP would keep failing,

I don't really understand this. I thought that if you changed the MAC then the router would assume you were a different client and award you a different IP? As for this file with IP and MAC, I've asked and the only one is /proc/net/arp. Is that what you mean?

Finally, the WPA networks I am connecting to are legitimate, e.g. in coffee shops and suchlike. So they are designed for people like me to connect. What I do not understand is that when I connect with my real MAC there is no problem, but once I spoof the MAC I can never get a connection. Whereas, with open networks, I can always connect whether spoofed or not, which suggests that, for whatever reasons, WPA networks do not like spoofed MAC addresses, but I have no idea why. I always make sure the MAC is a valid OUI.

Thanks again - any more ideas?
michael_kent123 Posted November 21, 2012 (Author)

bump...
digip Posted November 21, 2012

I don't remember the path, but there is something with the name dhcp in the path that stores your IP and gateway settings once you've already connected to a network. I had this problem in BackTrack before, but I'm not sure if it's BackTrack-only related, or a dhcpd thing in Linux, or why it didn't flush. I had to go in and manually delete the files to connect to a different access point, for example. It kept trying to connect with my home LAN's gateway IP, which for the life of me I couldn't figure out to this day why it does it. Might have been wicd that caused it, who knows, but that's just my experience. May be completely unrelated to your issue.