Jump to content

Recommended Posts

Posted

As the title says I'm tinkering with Mac Addresses. I'm writing a simple python script that just takes in a Mac Address as a string and tries to figure out as much information about the device given nothing but that address (not even network access).  However, I'm not sure what all that Mac can tell me or how to determine it.  

I know Mac Addresses can be spoofed.

I know that the first 3 octets usually represent the OUI (Organizational Unique Identifier) but beyond that what can a Mac Address tell me? What other useful information can I extract? (any details or resources about how would be nice too)

Thanks in advance. 

Posted
On 8/1/2018 at 5:37 PM, haze1434 said:

Generally they are only spoofed on most devices when they are not connected to an AP. As soon as they connect, they show their true MAC.

I hate to say it but I don't think this is correct..

The AP can only see what your phone is programmed to send with it's connection broadcast.

I've spoofed my own MAC many times, usually with a randomiser for each WiFi. There would be no point randomising your MAC for every WiFi network you connect to if it only broadcasts the true MAC.

Posted (edited)
6 hours ago, Dave-ee Jones said:

I hate to say it but I don't think this is correct..

IIRC it is, - I think iOS 8 and Adroid 6 onward's started doing this to avoid tracking.

EDIT:   However there seems to be methods around it to see real MAC addresses https://arxiv.org/pdf/1703.02874v1.pdf   @Sebkinne  would/could that be a potential feature that the pineapples could use?

Edited by Just_a_User
Posted
7 hours ago, Dave-ee Jones said:

I hate to say it but I don't think this is correct..

The AP can only see what your phone is programmed to send with it's connection broadcast.

I've spoofed my own MAC many times, usually with a randomiser for each WiFi. There would be no point randomising your MAC for every WiFi network you connect to if it only broadcasts the true MAC.

Agreed, however I said generally. Of course us techies know you can use things like macchanger to spoof your MAC, but I believe the OP was looking at 'normal' users, rather than unscrupulous individuals :ph34r:

Apple phones, for example, do iterate through spoofed MACs when out in the wild, to stop access points in monitoring mode from tracing them, however when they actually connect to an access point, their real MAC address shows. I can confirm this via personal testing.

Posted

Your getting into a concept called arp spoofing. MITM would arp spoof mac addrrsses bettween arp requestes. Disgusing one  mac address from the other. When connected in a network your mac address is only shown as say 00:00:00:00:02 and so on. Arp spoof would change to xx:xx:xx:xx:xx between a network of machines.arp requests would look fir the spoofed mac.

Posted
On 8/3/2018 at 6:10 PM, haze1434 said:

..however when they actually connect to an access point, their real MAC address shows. I can confirm this via personal testing.

That's just Apple being Apple.

And it depends on the MAC changer. I've had a few that don't affect much at all, and then I've had a really good one (the one that is used by Nethunter for Android) that does work properly, causing even the smartest routers to believe you're a completely different device.

Of course, I don't recommend doing this for small networks as one day the admin's going to log onto the router and go "hmm, 21 unknown devices.." and get really paranoid and lock the network down even more.

Posted
10 hours ago, Dave-ee Jones said:

That's just Apple being Apple.

And it depends on the MAC changer. I've had a few that don't affect much at all, and then I've had a really good one (the one that is used by Nethunter for Android) that does work properly, causing even the smartest routers to believe you're a completely different device.

Of course, I don't recommend doing this for small networks as one day the admin's going to log onto the router and go "hmm, 21 unknown devices.." and get really paranoid and lock the network down even more.

You bring up a good point, plus they wont even really worry about the MAC addresses really. Who would take the time to record this. Maybe in the future.

Posted

Thanks for all the replies, it has given me a lot to think about.  I was just interested in taking any MAC (spoofed or not) and trying to extract as much information as possible from it.  Including possibly checking to see if it is legit or not. 

The reasoning behind my project is as follows: I lived in a college community and regularly have people trying to connect to my wifi network. I regularly check my network for new devices trying to see who/what is trying to connect.  I know how to white/black list and do as necessary.  But I like to know what is trying to connect. I know tools out there exist that can do this for me, but I wanted to work on my programming some and figure this would be a nice project.

 

Posted
13 hours ago, Bigbiz said:

You bring up a good point, plus they wont even really worry about the MAC addresses really. Who would take the time to record this. Maybe in the future.

I know I do at home, haha.

I go, "what in the world are these 5 unknown devices..." and then glance at my brand new Switch..

"Well, that's 1.."

  • 2 months later...
Posted (edited)

You can get MAC addresses from a file with a statement like this.

grep -io '[A-Z0-9]\{2\}:[A-Z0-9]\{2\}:[A-Z0-9]\{2\}:[A-Z0-9]\{2\}:[A-Z0-9]\{2\}:[A-Z0-9]\{2\}' /root/air/NPC-01.csv | sort -u > /root/air/NPC.txt

And you can get the manufacturer information with a statement like.

grep $(echo 00:20:8C:30:40:60 | cut -d ':' -f 1,2,3 | sed 's/:/-/g') /etc/unicornscan/oui.txt | cut -d ':' -f 2

I was trying to figure out a way to loop through the text file containing the MACs and grepping each line from oui.txt. But I can't figure out a way to get grep to play nice with variables and loops.

Edited by vailixi
  • 3 weeks later...
Posted
On 8/3/2018 at 2:42 PM, Just_a_User said:

IIRC it is, - I think iOS 8 and Adroid 6 onward's started doing this to avoid tracking.

EDIT:   However there seems to be methods around it to see real MAC addresses https://arxiv.org/pdf/1703.02874v1.pdf   @Sebkinne  would/could that be a potential feature that the pineapples could use?

Thank you, my brother. I've been looking for somewhere to get me started on this. I'm not sure if these methods still work but I will definitely give them a go. I'll let you guys know how it goes.

  • Like 1

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...