By Tony Lee
In our previous articles we used TP-Link’s TL-WN722N and a Kali Virtual Machine (VM) to perform wireless discovery and attack against a Wired Equivalent Privacy (WEP) network, WPA (Pre-Shared Key) PSK network, and a network hiding its SSID to showcase the abilities of this inexpensive and flexible setup.
Hidden SSID: http://securitysynapse.blogspot.com/2014/01/wireless-pentesting-on-cheap-kali-hiddenSSID.html
In this article we will continue to test our setup by attacking a home router that is implementing MAC address filtering--walking you through the attack from start to finish.
Figure 1: Our setup
Consult our previous article WEP for the following topics as they are omitted from this article due to similarity:
- Tips and tricks
- Version of Workstation
- Screen Resolution
- Simple Text Editor
- Connecting the USB Device
- Find a Client
- MAC spoof
NetworkManager (included in the default Kali Linux) can cause problems when trying to complete simple tasks such as connecting to wireless networks. To prevent any interference, we will disable it ahead of time.
root@kali:~# service network-manager stop
[ ok ] Stopping network connection manager: NetworkManager.
In the previous article, we mentioned that the simplest way to ensure that the wireless card is working is to do some light discovery. After all, the first step in a wireless engagement is to identify targets of interest.
Let’s check out the networks using the iwlist command as we can stay in “Managed” mode.
root@kali:~# iwlist wlan0 scanning | grep -A 30 30:46:9A:16:ED:CE
Cell 16 - Address: 30:46:9A:16:ED:CE
Frequency:2.437 GHz (Channel 6)
Quality=63/70 Signal level=-47 dBm
Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 6 Mb/s
9 Mb/s; 12 Mb/s; 18 Mb/s
Bit Rates:24 Mb/s; 36 Mb/s; 48 Mb/s; 54 Mb/s
For this scenario, we have discovered an access point of arbitrary protection and we either know or have actively discovered the required information to connect to the access point. However, even after entering the information correctly, we still cannot associate to the access point.
Figure 2: No matter how many times we try to associate, the AP will not allow it
At this point we believe that the access point is performing MAC address filtering (aka whitelisting). We will now look at how easy this is to set up and also examine ways that we can bypass this protection mechanism.
Access points can use MAC address filtering to prevent unknown hosts from connecting to the network. Even our inexpensive Netgear router can utilize MAC address filtering--it is enabled through the Wireless Card Access List option as shown below:
Figure 3: The screenshot above shows the checkbox to enable broadcasting the SSID. Uncheck the box to hide it.
After clicking on the “Setup Access List” button, we are taken to another screen which allows us to turn the access control on and also add, edit, and delete devices contained within the access list. In the screenshot below, we only have one client that is allowed to access this access point.
Figure 4: Only one wireless card is authorized to connect to our test access point.
This may seem like a secure configuration, however the key weakness in MAC address filtering is that MAC addresses can be changed (spoofed) to any value an attacker wishes. The administrator will know the list of approved clients, however the attacker will generally not know who is allowed to connect. Since it is possible to discover clients that are already connected to access points, it is possible to select one of those in which to masquerade. Thus, an attacker must first find an already associated client and then spoof their MAC address to connect to the access point.
Find a Client
This time we will use Kismet to find a wireless client. We will need far less information than what we had in the previous article:
- MAC address of a wireless client
root@kali:~# kismet -c wlan0
Figure 5: Kismet allows us to easily find our wireless client to spoof
Examining the Kismet screenshot, we determined that the client MAC address that we want to spoof is:
There are a couple of ways in which we can change our MAC address in Linux:
The ifconfig command can be used to change our MAC address using the syntax below:
ifconfig <INT> down
ifconfig <INT> hw ether <XX:XX:XX:XX:XX:XX>
ifconfig <INT> up
ifconfig wlan0 down
ifconfig wlan0 hw ether 24:77:03:8C:D3:44
ifconfig wlan0 up
Figure 6: Changing the wireless card’s MAC address using ifconfig
Macchanger is rightfully described in the man pages as “a Linux utility for viewing/manipulating the MAC address for network interfaces”. It is simplistic in usage by allowing a user to change their hardware address to a random value or one of their choosing.
root@kali:~# macchanger --help
GNU MAC Changer
Usage: macchanger [options] device
-h, --help Print this help
-V, --version Print version and exit
-s, --show Print the MAC address and exit
-e, --ending Don't change the vendor bytes
-a, --another Set random vendor MAC of the same kind
-A Set random vendor MAC of any kind
-p, --permanent Reset to original, permanent hardware MAC
-r, --random Set fully random MAC
-l, --list[=keyword] Print known vendors
--mac XX:XX:XX:XX:XX:XX Set the MAC XX:XX:XX:XX:XX:XX
Report bugs to email@example.com
macchanger -m XX:XX:XX:XX:XX:XX wlan0
macchanger -m 24:77:03:8C:D3:44 wlan0
Figure 7: Changing the wireless card’s MAC address using macchanger
Since we are using our WEP setup from the previous article (same WEP key) and we have spoofed our whitelisted client, we can finally connect to the access point using the command line steps outlined below:
Check the status of the card:
root@kali:~# iwconfig wlan0
Enter the network information:
root@kali:~# iwconfig wlan0 essid "QX3A7" key 55:70:9E:69:0D:A0:9B:E1:18:DB:3A:7E:D9
Bring the Interface up:
root@kali:~# ifconfig wlan0 up
Check the Association:
root@kali:~# iwconfig wlan0
Obtain an IP:
root@kali:~# dhclient wlan0
Reloading /etc/samba/smb.conf: smbd only.
Verify an IP is obtained:
root@kali:~# ifconfig wlan0
Figure 8: Putting it all together: Spoofing the MAC, connecting to the AP, pinging Google
One interesting thing to note is that our victim and attacker could not be associated at the same time. The Netgear router may have some additional capabilities that detects a wireless client that is attempting to connect when there is already one connected with the same MAC address. We also tried changing the IP address of the second wireless client, but no dice. If this were a thin client setup, we would attempt to connect to a different AP. Once the victim logged off, we were able to bypass MAC address filtering and access the Internet. Access Points handle this differently, so your mileage may vary.
Even though the intention of this article is not to warn about the dangers of relying on MAC address filtering as a sole means of security, we feel that doing so is worth noting. MAC filtering as a sole defensive mechanism is security through obscurity, however when used as part of a layered defense, it can deter entry level hackers. The problem with using this as part of a layered defense in a corporate environment is that it does not scale very well because it often requires manual configuration--thus we do not see it often. However, when it is used, it is on a select few networks which have legacy clients (usually required for hand scanners or some other one-off devices).
For networks that cannot utilize WPA-Enterprise, in addition to MAC filtering, we recommend the following additional defensive measures:
- Turn off the network if it is no longer needed
- Air gap the wireless network from the corporate network
- Use WPA-PSK with a REALLY long and complex password - change frequently if possible
- Segment the wireless network from the wired network via Firewall and IPS
In this article, we proved the capabilities of an inexpensive wireless adapter and a flexible virtualized wireless attack image by uncovering defeating MAC address filtering. For just $16 and no reboot required you can place a wireless adapter into monitor mode and start assessing wireless networks. More testing needs to be done with this setup to determine other capabilities; however as of right now, it appears that it can provide quick, portable, flexible, and inexpensive wireless testing. Feedback below is always appreciated.
If you try this with different cards and run into issues, check the following excellent resource: http://docs.kali.org/troubleshooting/troubleshooting-wireless-driver-issues