
Thread: Changing your MAC

  1. #1
    Junior Member
    Join Date
    Aug 2004
    Posts
    10

    Changing your MAC

    I've seen lots of stuff out there that says that you can change your MAC address, but someone told me that it only does this on the O/S level...

    Is there any way that someone can actually change their MAC address so that other devices would know that it was changed?

    Abs
    <--! Taken -->

  2. #2
    Junior Member
    Join Date
    Aug 2004
    Posts
    17
    From what I understand, under Windows, MAC change occurs @ the O/S level....

  3. #3
    Senior Member
    Join Date
    Oct 2001
    Posts
    786
    You can't really change the MAC at a hardware level...unless you can find a way to change values in your NIC's EEPROM.

    But if you use the different settings your OS allows for changing the MAC address of your NIC, that pretty much overrides the default programmed MAC for that NIC when you're in that OS. So every packet your computer sends out or responds to will use that new MAC that you set in the OS... I think that is the answer you're looking for.

  4. #4
    Junior Member
    Join Date
    Aug 2004
    Posts
    10
    The person that I was talking to told me that networking devices like switches would still be able to read the actual MAC address though. Is this true?
    <--! Taken -->

  5. #5
    Switches use Address Resolution Protocol (ARP) and R(reverse) ARP to identify workstations on a network. Each machine has a 32-bit IP address and a 48-bit MAC address unique to each machine. The information linking each MAC address to its corresponding IP address is stored on a cache in the switch itself.

    This means when a request is put through the switch to an IP address, information will be tied to that computer's MAC address and sent. Evidently this is useful if communicating to a server. It is imperative that information from a workstation to the server cannot be intercepted (as it could with a HUB).

    Anyway, back to the question. You can change your MAC address, or spoof it, and use ARP poisoning to fool the switch into believing that a different machine belongs on the packet route between Machine A and B. In other words, information is sent from computer A to the switch to be sent to computer B. The switch uses the ARP cache and sends the packets to the spoofed MAC/IP address for computer X. Computer X then forwards the packets to computer B - hence not highlighting the fact to user A and B their communicae was intercepted.

    So no, the switch will not be able to decipher a spoofed MAC address - believing it to be MAC address whatever-number-you-tell-it.

    It is, however, worth noting that "port security" can be used by a sysadmin to prevent MAC spoofing. It basically is used by the "big boys" of the routing world such as CISCO. The switch will only respond to a set number of secure source MAC addresses. Any addition to the address numbers will be treated as a security breach and sysadmin will be notified (and the corresponding ARP cache record suspended).

    Does that make any sense? lol
    # Now if I ever needed inspiration,
    Right about now where I lose my patience,

  6. #6
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    There are two ways you can change the MAC address of an ethernet device:

    One way is to tell your operating system to assume a different MAC address from the one built into the card. This is quick and relatively harmless. If it doesn't work properly, you can easily undo it (by telling your operating system to instead use the original MAC address)

    The other way, is to change the actual hardware address itself. To do this usually you will need a DOS program specific to the vendor - this affects a small flash memory on the NIC, changing its built in address. I do not recommend you do this.

    There is normally no reason to ever want to change a MAC address.

    ---

    The problem with the first method, is that some OSs don't support it.

    The problem with the second, is it's rather permanent (the data stay in the card, even if you transfer it to another machine). And if you don't write down or record the original MAC address, there's no way of getting it back.

    Switches have no idea what device is on the end of the wire - they just "Learn" what devices are on a particular port by looking at packets coming from this port.

    That is, unless MAC/port security is enabled, then the switches will only send packets to/from a device whose MAC is authorised for that port.

    In fact, switches don't use ARP to identify machines, because most switches don't care about IP or anything (except for an IP-based management interface if they have one), they just switch ethernet packets.

    The only switches that do anything with ARP are the really fancy ones which do ARP caching, and respond to ARP packets on a device's behalf.

    "The person that I was talking to told me that networking devices like switches would still be able to read the actual MAC address though. Is this true?"
    Nope. If you've changed the MAC address, the switch sees the changed address, the original address is not visible to any device.

    Slarty
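
Added example, not part of the original thread: a toy Python model of the behaviour discussed in posts #5 and #6, where a switch learns addresses only from the source field of frames arriving on a port, with an optional per-port address limit standing in for port security. The class, field names, event labels and sample frames are constructed for illustration and do not reproduce any vendor's implementation.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Switch:
    """Learning switch; addresses come only from the frames' source field."""
    max_macs_per_port: Optional[int] = None       # None = port security off
    table: dict = field(default_factory=dict)     # source MAC -> port
    secure: dict = field(default_factory=dict)    # port -> allowed MACs
    events: list = field(default_factory=list)    # what an admin would see

    def receive(self, port: int, src_mac: str) -> bool:
        """Learn from one frame's source MAC; False means the frame is dropped."""
        mac = src_mac.lower()
        if self.max_macs_per_port is not None:
            allowed = self.secure.setdefault(port, set())
            if mac not in allowed:
                if len(allowed) >= self.max_macs_per_port:
                    self.events.append(("violation", port, mac))
                    return False
                allowed.add(mac)              # first addresses seen become secure
        previous = self.table.get(mac)
        if previous is not None and previous != port:
            self.events.append(("mac-move", mac, previous, port))
        self.table[mac] = port                # newest sighting wins
        return True


# Constructed sample traffic: (ingress port, source MAC in the frame).
FRAMES = [
    (1, "00:11:22:33:44:55"),   # host A, address as shipped on the NIC
    (2, "00:11:22:33:44:66"),   # host B
    (1, "02:AA:BB:CC:DD:EE"),   # host A after an OS-level MAC change
    (1, "00:11:22:33:44:66"),   # host A now sending with host B's address
]


def run(switch: Switch) -> list:
    """Feed the sample frames through a switch and return accept/drop results."""
    return [switch.receive(port, mac) for port, mac in FRAMES]


if __name__ == "__main__":
    for name, sw in (("plain", Switch()), ("port security", Switch(1))):
        print(name, run(sw), sw.table, sw.events)
```

With no limit the model accepts every frame and only records a "mac-move" event; with a limit of one address per port, the two frames carrying new source addresses on port 1 are dropped and logged as violations.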
