New MAC Address Spoofing Tool for Linux (SirMACsAlot)

  • skroo
    Volatile Compound
    • Dec 2001
    • 2348

    #31
    Originally posted by racer-x
    I would like to see a MAC spoofer that uses the concept of brute force, to get into MAC Address Filtered Access Points.
    Which was followed by...

    Originally posted by aladin168
    There are just too many MAC addresses.
    A good idea, followed by a valid point. So, proposition for a middle ground:

    Whatever tool that would allow this could have an option to specify that brute forcing attempts should be restricted to known vendors of wlan cards - essentially, use the same first three octets in the MAC address, then try every possible card number after them. So if I know my target is using, say, MAC address controls with Netgear cards, a brute force attempt at the MAC address would always start with (for example) 00:09:5B, then be followed with the three-octet card number. Obviously this could be combined with random, sequential, patterned, and other techniques of deriving card numbers to further help speed the process along.

    Granted, it's not a 100% reliable method, but it could cut the time taken to find a good MAC address considerably - something to consider in situations where a tool like Ethereal may not be usable due to, say, inactivity on the wireless network.


    • TheCotMan
      *****Retired *****
      • May 2004
      • 8857

      #32
      Originally posted by skroo
      Whatever tool that would allow this could have an option to specify that brute forcing attempts should be restricted to known vendors of wlan cards - essentially, use the same first three octets in the MAC address, then try every possible card number after them. So if I know my target is using, say, MAC address controls with Netgear cards, a brute force attempt at the MAC address would always start with (for example) 00:09:5B, then be followed with the three-octet card number. Obviously this could be combined with random, sequential, patterned, and other techniques of deriving card numbers to further help speed the process along.
      Assuming you are just looking at MAC Filtering and not WEP etc...
      How about variations on broadcast MAC? Forge packets that appear to come from and go to the broadcast MAC address and see who responds. Coupled with IP Broadcast, you may be able to encourage the system to leak layer 3/4 data.

      If you are able to get responses from other NICs, then you may get a vendor list of at least one NIC. If this is a corp or a home, they are likely to have the same vendor for cards, and perhaps the same model cards from the same vendor.

      Even better? For a brute force system, you can easily script a DHCP request with each tested MAC address and sequence through them... all you are waiting for is a single DHCP reply with an OK for a lease. (Don't even need a DHCP client, only a packet generator/source code and a copy of tcpdump looking for the desired reply.)


      • Chris
        Great Satan of the East
        • Oct 2001
        • 2866

        #33
        Actually, skroo's idea would be pretty easy to implement. If there is actually interest in this I can add the functionality to SirMACsAlot.

        Let me know.
        perl -e 'print pack(c5, (41*2), sqrt(7056), (unpack(c,H)-2), oct(115), 10)'


        • gzzah
          A Globochem Company
          • Jan 2004
          • 101

          #34
          I think the latency required to send a packet and listen for a response would prohibit a real full scan of the MAC spectrum. I'm not full up on the 802.11 spec, but I didn't think you got any sort of "sync" back if you had a correct MAC address... or maybe you do?
          We own everything so you don't have to!


          • Chris
            Great Satan of the East
            • Oct 2001
            • 2866

            #35
            Originally posted by gzzah
            I think the latency required to send a packet and listen for a response would prohibit a real full scan of the MAC spectrum. I'm not full up on the 802.11 spec, but I didn't think you got any sort of "sync" back if you had a correct MAC address... or maybe you do?

            It isn't really a matter of latency, as much as verifying the association. I don't think the brute forcing of MACs would be fast, but effective brute forcing rarely is.

            Basically, it would work like this:

            1. Change MAC
            2. Test association
            2a. If association-->exit
            2b. else-->goto 1.

            So it would loop until it had brute forced a legit MAC. Again, it wouldn't be fast, and as was already pointed out, this would only work once the WEP/WPA key had been snagged or if they aren't using it. And, honestly, once you have done that much, you have probably grabbed enough traffic to just choose a legit MAC to spoof.

            Now, all that said, let's be realistic. MAC spoofing is very very easy. I wrote this program as more of a goof (Blackwave and I thought of the name and laughed so then I wrote a program to go with the name). I did actually use this program during my original implementation of the TAG mini game this year though. Originally, I had it set up so that the TAG contestants would need to sniff the traffic and find a legit MAC (I had 30 in the MAC table I think) and then spoof to one of them. I was calling SirMACsAlot to change the MAC that was associated and generate some traffic so they would be able to see the different MACs.

            I ended up getting rid of the MAC filters on that AP because of the short time limit (3 hours) of the game. I wanted it to be winnable in the 3 hour time limit (and we all saw how effective that was ;) ).

            Anyway, back to my point...let me know if you want me to add the brute forcing in. I am not going to do it if ONE person is interested, but if there are a few people I should be able to whip that up pretty quick.
            perl -e 'print pack(c5, (41*2), sqrt(7056), (unpack(c,H)-2), oct(115), 10)'

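An added detection example, not SirMACsAlot's code or anything posted in this thread: it takes the vendor-prefix enumeration skroo describes and TheCotMan's DHCP-probe variant and shows what they would look like from the DHCP server's side, flagging a burst of DHCPDISCOVERs from many distinct MACs under one OUI and noting when the card numbers step sequentially. The log lines, the `gw` host name, the `wlan0` interface and the window/threshold values are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in ISC dhcpd syslog style: five DHCPDISCOVERs from sequential
# MACs under 00:09:5B (the Netgear prefix quoted above) plus one ordinary client.
SAMPLE_LOG = """\
Jul 11 10:00:00 gw dhcpd: DHCPDISCOVER from 00:0c:41:12:34:56 via wlan0
Jul 11 10:00:01 gw dhcpd: DHCPDISCOVER from 00:09:5b:00:00:01 via wlan0
Jul 11 10:00:01 gw dhcpd: DHCPDISCOVER from 00:09:5b:00:00:02 via wlan0
Jul 11 10:00:02 gw dhcpd: DHCPDISCOVER from 00:09:5b:00:00:03 via wlan0
Jul 11 10:00:02 gw dhcpd: DHCPDISCOVER from 00:09:5b:00:00:04 via wlan0
Jul 11 10:00:03 gw dhcpd: DHCPDISCOVER from 00:09:5b:00:00:05 via wlan0
Jul 11 10:00:03 gw dhcpd: DHCPOFFER on 192.168.0.23 to 00:09:5b:00:00:05 via wlan0
Jul 11 10:05:00 gw dhcpd: DHCPDISCOVER from 00:0c:41:12:34:56 via wlan0
"""

LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dhcpd: DHCPDISCOVER from "
                     r"([0-9a-f]{2}(?::[0-9a-f]{2}){5})", re.I)
EPOCH = datetime(1900, 1, 1)  # syslog lines carry no year; only deltas matter

def parse_discovers(log):
    """Yield (seconds, OUI, NIC number) per DHCPDISCOVER; other lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        secs = (datetime.strptime(m.group(1), "%b %d %H:%M:%S") - EPOCH).total_seconds()
        octets = [int(x, 16) for x in m.group(2).split(":")]
        oui = ":".join(f"{o:02X}" for o in octets[:3])
        yield secs, oui, (octets[3] << 16) | (octets[4] << 8) | octets[5]

def find_oui_bursts(log, window=60, threshold=5):
    """Map OUI -> {"count", "sequential"} for every OUI seen from at least
    `threshold` distinct MACs within `window` seconds; "sequential" is True when
    the NIC numbers form a contiguous run (card numbers stepped behind one prefix)."""
    first_seen = defaultdict(dict)  # oui -> {nic: first time seen}
    for secs, oui, nic in parse_discovers(log):
        first_seen[oui].setdefault(nic, secs)
    alerts = {}
    for oui, nics in first_seen.items():
        events = sorted(nics.items(), key=lambda kv: kv[1])
        for i, (_, start) in enumerate(events):
            hits = sorted(n for n, t in events[i:] if t - start <= window)
            if len(hits) >= threshold:
                seq = all(b - a == 1 for a, b in zip(hits, hits[1:]))
                alerts[oui] = {"count": len(hits), "sequential": seq}
                break
    return alerts
```

Pointing it at a real dhcpd log, the same OUI showing up on the DHCPDISCOVER side far more often than on the DHCPOFFER side is the giveaway that the lease check from the thread is being run against the filter.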

            • racer-x
              Member
              • Jul 2004
              • 7

              #36
              Is this of any use?
              Pulled from kismet's /etc/ap_manuf file.

              Worms, worms make me crazy. I was crazy once - they put me in a home - i died there - then the worms came - worms, worms make me crazy.
