About MAC spoofing in BackBox...

Started by b4d_bl0ck, March 16, 2013, 01:45:44 PM

Previous topic - Next topic

b4d_bl0ck

Ok, I know there are various topics on the argument, i searched and didn't find what i need, maybe the situation is a bit specific, so I'd like to go deeper after having some troubles in these days, and maybe get some tips if someone found a workaround.

I'll explain my issue: I tried to change the MAC address of my wireless interface (the NIC is a rtl8192se, but I think that doesn't matter) and I succeeded to spoof it via:
sudo ifconfig wlan0 down
sudo ifconfig wlan0 hw ether 00:11:22:33:44:55
sudo ifconfig wlan0 up

and i could see it was successfully spoofed with a:
ifconfig wlan0
But after that, when I connected to my wireless network (via network-manager) and went to the configuration panel of my AP, i saw, in the DHCP clients table, that my local IP address was associated to the original MAC address, not the spoofed one.
So a rapid check with: ifconfig wlan0 showed me that the MAC address was resetted back to the original one, maybe during the association phase.
So I downloaded the macchanger tool, obtaining the same results in the DHCP table associating to the AP, after having typed:
sudo ifconfig wlan0 down
sudo macchanger -r wlan0
sudo ifconfig wlan0 up


After this steps, I have searched on the web, and found a thread somewhere saying it was a network-manager issue, and spoofing the MAC in presence of network-manager it's not as simple as putting interface down/up before/after changing the MAC, and even if macchanger tries to solve the problem there are situations in which it fails too. So they advised to stop the network-manager and re-enable it once the MAC was spoofed and the interface again up... but this solution failed like the others. Evidently the network-manager, during the association phase, sets back the MAC to its original value, maybe it keeps it stored since the startup, but I'm not sure of this...
Now this is the route i followed: I clicked on the network-manager -> edit connections in the tray icon, selected the wireless connections tab and selected my connection. Here you can see (among the other fields) a field for the MAC address of the interface associated with that connection, and a field for a spoofed MAC. The field for the interface MAC is automatically filled with the original MAC and this let me suspect... So i edited it, and filled the field with 00:11:22:33:44:55, thus having this field matching the interface address I spoofed via ifconfig. I let the second field of the network-manager (the one for the spoofed MAC) empty.
Here is the problem... When the network-manager handles the wireless connection, it finds in the first field the spoofed MAC (that it should consider to be the authentic one, it should not know i spoofed it, even lshw shows that MAC), that now matches the network interface MAC (that we had spoofed), but for some reasons the association simply fails.
So i checked the logs, and .xsession-errors said network-manager encountered an invalid MAC address that doesn't match any interface (if I remember well).

After this, I got a confirmation there was a kind of conflict with network-manager, so I restored the original MAC to my interface:
sudo ifconfig wlan0 down
sudo ifconfig wlan0 hw ether i1:0v:38:4c:k8:0x  :P
sudo ifconfig wlan0 up

then I resetted the first field I told you above in the network-manager -> edit connections to the original MAC, and filled the second field (the spoofed MAC one) with 00:11:22:33:44:55.
Now the connection is properly handled, and in fact in the DHCP table of the router i can see the spoofed MAC address, the same typing:
ifconfig wlan0
When I disconnect, the MAC is automatically set back to the authentic one.

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

This was the story, maybe a bit too long. Now the questions and an advise:
Have you never experienced the same behaviour? Can you confirm this issue? Is it a problem of mine? Suggestions?
Even if it's an operation that can be easily done via network-manager configuration GUI, is there a way to successfully spoof my MAC in command line and not having to deal with network-manager?

[!] Beware: (in the case this is a common problem): be sure your MAC has been properly spoofed (via ifconfig or macchanger (if you downloaded it)) and it persists: i guess you don't want your MAC to be setted back by the network-manager, while you continue to believe you have a spoofed address. As you have seen in my case, simply putting interface down/up and changing MAC via ifconfig worked, but the MAC was resetted by network-manager, and this process was totally transparent to me. So if you use the network-manager to handle your wireless connection, be sure it doesn't interfere. As you have seen, it's working strange for me (and I wish it's only in my case)... Anyway, you could think all is fine as long as you don't check, for example, the DHCP table, or you sniff some packets from the LAN showing your real MAC. Avoid bad surprises... be sure your MAC stays spoofed.
bool secure = check_paranoia() ? true : false;

ostendali

I think what happen to you it is quite normal, because you have DHCP enabled in your system.

The easy solution to this would be using the static IP address and disable DHCP client/server in your system. Thena you won't have this problem at all.

With dhcp will happen because, dhclient always tries to poll the network and the ip address to make sure the network functionality in case of small network congestions, that process take changes into the ip configs and restores back the original mac address which reads from the hw/firmware level on device.

Hope answered to your question!

b4d_bl0ck

#2
Hi ostendali, i will give a try to the method using static IP, but i can not understand the relationship between dhcp and the changing MAC address: dhcp operates at application layer, should not interfere with the MAC at data-link layer, does it? I re-read the protocol specification but i can not see any "point of contact" between the two mechanisms...
Thanks anyway  ;)
bool secure = check_paranoia() ? true : false;

ostendali

Quote from: b4d_bl0ck on March 19, 2013, 08:33:38 PM
Hi ostendali, i will give a try to the method using static IP, but i can not understand the relationship between dhcp and the changing MAC address: dhcp operates at application layer, should not interfere with the MAC at data-link layer, does it? I re-read the protocol specification but i can not see any "point of contact" between the two mechanisms...
Thanks anyway  ;)
why not?
whatever you do, re-initiate the network you perform the complete OSI model layer stack by stack.....so, from physical to data link at data link level the mac address being detected and without what you will do then....after then to the network layer and so on...
anytime when you start dhcp on your interface in refreshes the mac, seeking for mac address...
enjoy!

b4d_bl0ck

Hi again  :)
i read the rfc 1531, and it seems the hw address is only required as parameter of a dhcp discover/request, and that's reasonable because dhcp client and server are communicating on the same subnet at data link level, or however the client doesn't have an IP address yet... but there is no mention if this parameter is read directly in the NIC firmware or "in-software", maybe it depends on the dhclient implementation.
Anyways, then, what is the sense of spoofing a MAC address, if a service at an higher layer (and what's more, in this case, the top layer, application) doesn't see the spoofed MAC and continues reading the original value? What if i don't know a service is reading into the NIC rom, and lets me un-spoofed?
Thanks for any advice!  ;)
Have fun!
bool secure = check_paranoia() ? true : false;

SaThaRiel

If you have just one interface at a time (e.g either WLAN or Ethernet, but not 2 Ethernet) you can use wicd. It won't touch the MAC.
I like it more than NetworkManager but the current version sucks if you got more than one interface (which i usually have in VMs).

nixguy

i think it's a network manager issue because it does not happen when you use WICD

not sure why, but i think it's a bug in NM...

SaThaRiel

I think NM "remembers" your MAC address and sets it once you connect with it. WICD doesn't care.
Maybe NM wants to be able to handle bonding devices - where you need to switch your MAC address to another interface.

Maybe there is a config file for NM where the Mac address is saved - sadly i haven't found it.

b4d_bl0ck

Hi SaThaRiel & nixguy,
using Network Manager is not as bad for me, it works pretty well, and as i told in the first post of the thread i can get it working, spoofing the address directly in the NM configuration GUI avoiding to spoof via command line.
The issue is: why it doesn't work via commmand line... probably it is a NM conflict, but i don't know its nature.
Moreover i'd like to make it working with NM, because in case of a live BackBox session, you may have no time or no internet connection to download wicd.
Anyways, as soon as i have some free time, i will try to:

  • stop NM
  • bring the interface down
  • spoof MAC address via ifconfig or macchanger
  • dpkg-reconfigure network-manager, thus reconfiguring the package, maybe it will "read" the spoofed MAC
  • bring the interface up

If there are some good news, i'll post the results here...
Bye.
bool secure = check_paranoia() ? true : false;