Spoofing MAC Addresses on Windows

by Wananapaoa Uncle

As always, this information is provided for your spiritual enhancement.  Having your soul enlightened, don't use this information to create wreak and havoc.

What

There are times when you care more about your privacy, and going online is often one of them.

I'll assume you know about MAC address theory, so I won't spend time repeating things you can find on Wikipedia.  I'll only focus on one aspect: you normally read that MAC addresses are unique 48-bit addresses burnt into the device firmware.  I think this is generally correct, we only need to better define "generally."

Your hardware needs some kind of software layer to perform useful work and this software is generally called a device driver.  No matter which OS you're using, some kind of driver must talk on one side to the OS and on the other side to the hardware.  The good things lay in between.

Normally, the driver reads the MAC address from the device and passes it to the OS for use when creating network packets with high-level functions.  Of course, you can forge packets one-by-one, but this is very time consuming and requires specialized software implementing its own minimal network stack.  Piping generic network applications into them can be a mess.  So we just want Windows to believe our MAC address is the one we choose instead of the one burnt into the firmware, and to stamp it in every packet flowing to the net.

Here comes good news: Windows provides a method to achieve this, so our hack is simply to understand the way to leverage this capability.  Several built-in tools in Windows make use of fake MAC addresses.  NLBis the most famous, Hyper-V also does it, and so does every "teaming" driver I know of.

Where

As always, Windows stores information about its configuration into the registry, so we must dig into it.

Just some words about correct definitions, so as not to create confusion.  The registry is a hierarchical database, with things named in this way:

Keys  Are the yellow "folders" in REGEDIT, and compose the structure of the database.  You can see them on the left pane in REGEDIT.  Keys can have sub-keys.

Values  Are the named items that contain data.  Values appear in the right pane, along with their type (REG_SZ for strings, REG_DWORD for 32-bit integers).  Values cannot have sub-values, they have data instead, see next line.

Data  As the name suggests, it is the data effectively stored.

In Windows, fire up REGEDIT and let's jump to this key:

HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}

(Don't mess with CurrentControlSetXXX keys; they are "last known good configuration" backup copies.)

Here we have several sub-keys, numbered starting from 0000.

Each one represents a network adapter.  You can see a lot of keys, meaning lots of adapters.  Not all of these adapter are physical ones, NIC in the most common way we intend.  There are several "virtual" adapters, such as VPN, virtual Wi-Fi, IP tunneling, and so on, contributing to the "NIC pollution" of this sub-key.

We are interested in changing only physical ones, and there are several methods to identify them, mostly involving ANDing bits with some value; since we are lazy, we'll take a shortcut and browse each numbered sub-key looking at the DriverDesc value.

Here you can read the name the driver exposes to the system for that adapter, so you can distinguish between "WAN Miniport (SSTP)" that is a virtual adapter for Microsoft SSL VPN and "Realtek PCle GBE Family Controller" which identifies itself as our piece of hardware.

Having identified the sub-key of interest, just scroll down the values and see some of the working tunables for that device.  It depends on the vendor, so the list may vary.  Physical adapters tend to have more settings than virtual ones.

We must point straight to the NetworkAddress value of type REG_SZ.

You can have three cases here:

1.)  The value does not appear.
2.)  The value appears, but contains no data.
3.)  The value is here and contains something, say: 112233445566

The data in NetworkAddress is the MAC address of our adapter or, better, the one we want the system to use.  If it is already present (case no. 3), change it to whatever you want and disable/re-enable the network adapter from the device manager of the connections menu.  If you have doubts, reboot your system: it's always a Windows box, isn't it?

If the value is not present, just right click the right pane, select "New -> String value", and name it NetworkAddress, then double-click it and type your brand new MAC address.

And how do I get my "real" MAC address back?  It is simple enough: just enter empty data or remove the NetworkAddress value.

A little hint: the MAC address must be typed in the form 112233ABCDEF - no colons, dashes, spaces, or other garbage.  Also, your MAC should be well-formed, basically being six bytes in hex form.  Failing to set a valid MAC generally results in the real one being used.

Another even-more-simple-but-not-always-applicable method is going into your device properties sheet and looking for Network Address settings: sometimes a radio button appears with "Not Present" or a box to type the MAC address into.

To modify HKLM key, you must be an administrator of your box and run REGEDIT with elevated privileges where needed.

Why

Because we can, first of all.

Because "real" MAC addresses are boring.  Because we like to set up a contest for the best sounding valid MAC address and we need to test it!

According to a friend of mine, other uses are possible.

Once he was in a hotel, and connecting to the Internet was mediated by a captive portal.  They tend to cage your connection until you provide valid user/password/credit card and so on.  Since they block all of your network connections, not only web, they usually check packets at Layer 2, looking for authorized MAC addresses.

So when a friend of my friend got authenticated and then shut down its computer (it is often a requirement, but we'll digress another time), my friend "leased" the other person's MAC address and continued to surf, getting the same address from DHCP and having its surfing logs credited to the other person.  He said this is a workable solution also in airports, where people connect, surf for a while and then run to the check-in.

Also, some captive portals have some "always authenticated" devices like proxy servers, anti-virus, management stations, network controllers, TV, set-top boxes (like the one standing in front of you in your hotel room), and so on.  A little sniffing on the net (broadcast is your friend) may help to identify them.

Another friend of mine once told me that changing the MAC address can help while pen-testing (your) wireless networks.  Some access points have MAC filtering and only devices with a certain MAC address can connect to them.  Well, the MAC address is a Layer 2 beast, so it is not encrypted and clearly visible even on WEP/WPA networks.

Another friend (yes, I have lots of friends) told me that some wireless provider let you surf for free for a fixed amount of time before requiring some kind of sign in.  A brand new MAC address will often convince DHCP to give you a brand new IP.   And so on.  Some services require your device to be produced by some specific vendor.  As you know, changing the first three digits may transform your el-cheapo laptop into a shiny new MacBook Air.  Yes, it's magic!

Some devices on the net (PLC, SCADA), for security or compatibility reasons, may respond only to requests coming from specific ranges of MAC addresses.  Well, spoofing yours may render you very compatible.

A person who was on the plane with a friend of mine told him that some firewalls perform Layer 2 filtering because Layer 2 (IP) addresses can be spoofed.  I owe him lots of thanks.

A designer my friend knew on the beach said the CAD he used had a license based on the MAC of the network adapter.  He then was able to test drive the CAD product with its friend license, become an expert, and then finally acquire the CAD product.  He also told me he designed a famous steel tower in Paris, but I suspect he was joking me.

Last but not least, since MAC address are "immutable" characteristics of a computer, they can be part of forensics analysis.  Layer 2 devices often log them.  Using some imagination can help to keep the bad guys looking for some iPhone instead of your Vista box, if you just remember to unbind some protocols from the NIC.

Whup

Spoofing your MAC address is not so difficult and generally does not require more than five minutes.

Do not give money for some "magic" software.  Free ones are available.  Use those (if you are lazy, just look at the end of the article).

Section 2 is valid also for UNIX users.  What changes is the way to spoof the address.  In many cases, it is a matter of typing:

# ifconfig ath0 ether 112233445566 or # macchanger -r eth0 or $ sudo macchanger -m BA:AD:F0:0D:CA:FE eth1

Consult your man page for ifconfig or macchanger.

Finally, remember that MAC addresses live in your LAN, and are discarded by the first router you'll find.  Generally speaking, Internet hosts cannot see your MAC address, or not directly.

As always, play fair. Some assembly may be required and results may vary.  A lot.

And remember, if you don't trust snake oil, be aware of ARP poisoning too.

With

For a click-and-go free tool that seems to work, jump to: www.gorlani.com/portal/projects/macmakeup-for-vista-seven-2008-windows-8 and look for MacMakeup.  Probably runs Vista and Windows 7 too, but if you read Section 2 you can simply write your own tool.

For a list of MAC address vendor codes, look at the manuf file in your Wireshark installation directory, or consult: standards.ieee.org/develop/regauth/oui/public.html