tzi Posted August 1, 2018

As the title says, I'm tinkering with MAC addresses. I'm writing a simple Python script that just takes in a MAC address as a string and tries to figure out as much information about the device given nothing but that address (not even network access). However, I'm not sure what all that MAC can tell me or how to determine it.

I know MAC addresses can be spoofed. I know that the first 3 octets usually represent the OUI (Organizational Unique Identifier), but beyond that what can a MAC address tell me? What other useful information can I extract? (Any details or resources about how would be nice too.)

Thanks in advance.

0phoi5 Posted August 1, 2018

2 hours ago, tzi said:
> I know Mac Addresses can be spoofed.

Generally they are only spoofed on most devices when they are not connected to an AP. As soon as they connect, they show their true MAC.

Wikipedia actually covers quite a lot on this page: https://en.wikipedia.org/wiki/MAC_address

0phoi5 Posted August 1, 2018

Also, here's a nice text-only list of which companies own which OUIs: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=blob_plain;f=manuf

Bigbiz Posted August 1, 2018

The MAC address will tell you the manufacturer of the device: https://macvendors.com/

Dave-ee Jones Posted August 3, 2018

On 8/1/2018 at 5:37 PM, haze1434 said:
> Generally they are only spoofed on most devices when they are not connected to an AP. As soon as they connect, they show their true MAC.

I hate to say it but I don't think this is correct.. The AP can only see what your phone is programmed to send with its connection broadcast. I've spoofed my own MAC many times, usually with a randomiser for each WiFi. There would be no point randomising your MAC for every WiFi network you connect to if it only broadcasts the true MAC.

Just_a_User Posted August 3, 2018

6 hours ago, Dave-ee Jones said:
> I hate to say it but I don't think this is correct..

IIRC it is - I think iOS 8 and Android 6 onwards started doing this to avoid tracking.

EDIT: However, there seem to be methods around it to see real MAC addresses: https://arxiv.org/pdf/1703.02874v1.pdf

@Sebkinne would/could that be a potential feature that the pineapples could use?

Edited August 3, 2018 by Just_a_User

0phoi5 Posted August 3, 2018

7 hours ago, Dave-ee Jones said:
> I hate to say it but I don't think this is correct.. The AP can only see what your phone is programmed to send with it's connection broadcast. I've spoofed my own MAC many times, usually with a randomiser for each WiFi. There would be no point randomising your MAC for every WiFi network you connect to if it only broadcasts the true MAC.

Agreed, however I said generally. Of course us techies know you can use things like macchanger to spoof your MAC, but I believe the OP was looking at 'normal' users, rather than unscrupulous individuals.

Apple phones, for example, do iterate through spoofed MACs when out in the wild, to stop access points in monitoring mode from tracing them; however, when they actually connect to an access point, their real MAC address shows. I can confirm this via personal testing.

Bigbiz Posted August 3, 2018

You're getting into a concept called ARP spoofing. MITM would ARP spoof MAC addresses between ARP requests. Disguising one MAC address from the other. When connected in a network your MAC address is only shown as say 00:00:00:00:02 and so on. ARP spoof would change to xx:xx:xx:xx:xx between a network of machines. ARP requests would look for the spoofed MAC.

Dave-ee Jones Posted August 6, 2018

On 8/3/2018 at 6:10 PM, haze1434 said:
> ..however when they actually connect to an access point, their real MAC address shows. I can confirm this via personal testing.

That's just Apple being Apple. And it depends on the MAC changer. I've had a few that don't affect much at all, and then I've had a really good one (the one that is used by Nethunter for Android) that does work properly, causing even the smartest routers to believe you're a completely different device.

Of course, I don't recommend doing this for small networks as one day the admin's going to log onto the router and go "hmm, 21 unknown devices.." and get really paranoid and lock the network down even more.

Bigbiz Posted August 6, 2018

10 hours ago, Dave-ee Jones said:
> That's just Apple being Apple. And it depends on the MAC changer. I've had a few that don't affect much at all, and then I've had a really good one (the one that is used by Nethunter for Android) that does work properly, causing even the smartest routers to believe you're a completely different device. Of course, I don't recommend doing this for small networks as one day the admin's going to log onto the router and go "hmm, 21 unknown devices.." and get really paranoid and lock the network down even more.

You bring up a good point, plus they won't even really worry about the MAC addresses really. Who would take the time to record this? Maybe in the future.

tzi Posted August 6, 2018

Thanks for all the replies, it has given me a lot to think about. I was just interested in taking any MAC (spoofed or not) and trying to extract as much information as possible from it. Including possibly checking to see if it is legit or not.

The reasoning behind my project is as follows: I lived in a college community and regularly have people trying to connect to my wifi network. I regularly check my network for new devices trying to see who/what is trying to connect. I know how to white/black list and do as necessary. But I like to know what is trying to connect. I know tools out there exist that can do this for me, but I wanted to work on my programming some and figure this would be a nice project.

Dave-ee Jones Posted August 7, 2018

13 hours ago, Bigbiz said:
> You bring up a good point, plus they wont even really worry about the MAC addresses really. Who would take the time to record this. Maybe in the future.

I know I do at home, haha. I go, "what in the world are these 5 unknown devices..." and then glance at my brand new Switch.. "Well, that's 1.."

vailixi Posted October 16, 2018

You can get MAC addresses from a file with a statement like this.

    grep -io '[0-9A-F]\{2\}:[0-9A-F]\{2\}:[0-9A-F]\{2\}:[0-9A-F]\{2\}:[0-9A-F]\{2\}:[0-9A-F]\{2\}' /root/air/NPC-01.csv | sort -u > /root/air/NPC.txt

And you can get the manufacturer information with a statement like this.

    grep "$(echo 00:20:8C:30:40:60 | cut -d ':' -f 1,2,3 | sed 's/:/-/g')" /etc/unicornscan/oui.txt | cut -d ':' -f 2

I was trying to figure out a way to loop through the text file containing the MACs and grepping each line from oui.txt. But I can't figure out a way to get grep to play nice with variables and loops.

Edited October 16, 2018 by vailixi

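The loop vailixi describes and the per-address lookup tzi asks about, as an added Python example that is not code from any poster in this thread. It assumes oui.txt uses the `XX-XX-XX:Vendor` layout implied by the sed/cut pipeline above; the sample table and vendor names are constructed. It goes beyond the posts by also reading the two IEEE flag bits in the first octet, since per-network randomized addresses typically have the locally administered bit set.

```python
import re

# Constructed sample in the "XX-XX-XX:Vendor" layout implied by the sed/cut
# pipeline in the post; vendor names are placeholders, not registry data.
SAMPLE_OUI_TXT = """\
00-20-8C:Example Vendor A
AC-DE-48:Example Vendor B
"""

def load_oui(text):
    """Parse 'XX-XX-XX:Vendor' lines into {'XXXXXX': 'Vendor'}."""
    table = {}
    for line in text.splitlines():
        prefix, sep, vendor = line.partition(":")
        prefix = prefix.strip().replace("-", "").upper()
        if sep and re.fullmatch(r"[0-9A-F]{6}", prefix):
            table[prefix] = vendor.strip()
    return table

def normalize(mac):
    # Accept colon, dash or dot separated forms; reject anything else.
    digits = re.sub(r"[:.-]", "", mac.strip()).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits

def describe(mac, oui_table):
    """Everything the address alone reveals: flag bits, OUI, vendor."""
    digits = normalize(mac)
    first_octet = int(digits[:2], 16)
    local = bool(first_octet & 0x02)  # U/L bit set: locally administered
    return {
        "mac": ":".join(digits[i:i + 2] for i in range(0, 12, 2)),
        "oui": digits[:6],
        "multicast": bool(first_octet & 0x01),  # I/G bit set: group address
        "locally_administered": local,
        # OUI match is a hint, not proof: a spoofed MAC can copy a real OUI.
        "vendor": None if local else oui_table.get(digits[:6]),
    }

def describe_all(lines, oui_table):
    """Loop over a MAC list (one per line), skipping junk and duplicates."""
    seen = {}
    for line in lines:
        try:
            info = describe(line, oui_table)
        except ValueError:
            continue
        seen.setdefault(info["mac"], info)
    return list(seen.values())
```

To run it against real files, pass the contents of the OUI file to `load_oui` and the lines of the MAC list to `describe_all`.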
icarus255 Posted October 31, 2018

On 8/3/2018 at 2:42 PM, Just_a_User said:
> IIRC it is - I think iOS 8 and Android 6 onwards started doing this to avoid tracking. EDIT: However, there seem to be methods around it to see real MAC addresses: https://arxiv.org/pdf/1703.02874v1.pdf @Sebkinne would/could that be a potential feature that the pineapples could use?

Thank you, my brother. I've been looking for somewhere to get me started on this. I'm not sure if these methods still work but I will definitely give them a go. I'll let you guys know how it goes.