How to spoof a MAC address on Mac OS X Leopard 10.5.6

Lots of people have been having problems spoofing their MAC addresses on their Macs with Leopard 10.5.6. The technique has changed just a bit in the last couple of OS updates, but it’s really, really easy. There are a couple of gotchas that can make it confusing, so I’m going to lay those out. Make sure you read everything first.

First, this can all be done from the terminal. This example is for changing the MAC address of your wireless (Airport) card. Don’t try this yet or it probably won’t work.

sudo ifconfig en1 lladdr 00:11:22:33:44:55

The address I show here is just made up. A MAC address uses hex notation and needs all 6 fields. If you’re not sure what hex notation is, Google.

Ok, so the gotchas:

1) Your wireless card has to be ON. Turned on, not turned off.
2) You CANNOT be connected to an existing network.

The biggest (and most confusing) problem that I ran into was simply how to disconnect from my current connection without turning off Airport. I first did a weird process of trying to connect to a neighbor’s secure network, typing in a crap password, and hitting connect. This disconnected me from my router, but it’s not really an elegant way of doing it. Since we’re already using the terminal, let’s keep everything in that vein.

It turns out there’s a command-line utility for working with the Airport, called “airport”. Only it’s buried pretty deep in the system. Visit this article to find out more. I’ll show you how to add this to your PATH to make sure it’s always available. We can use this utility to easily disconnect from your current wireless connection. That command looks like this:

airport -z

Finally, I will tell a short story about how my need to figure all of this out came about. Essentially, this is also partly a tutorial for how to knock someone on your local network offline.

Making “airport” available in Terminal

Open up a Terminal. By default, you will be in your user account’s home directory.

I use Pico. Other people use vi or emacs. Pico is much easier to use for the average person. In the terminal, type the following, then your password if asked:

sudo pico .bash_profile

Anywhere in the file, copy/paste/type the following:

export PATH="/System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources:$PATH"

Hit “control-o” to save the changes. Close the terminal window and open a new one. To verify that this worked, type the following and you should get some information about your Airport card.

airport -I

Assuming that worked (if it didn’t, do it again), you can do “airport -h” for more options. I’m not covering that in the scope of this article.

What’s My MAC?

To find out what your current MAC address is for the Airport, type the following into terminal:

ifconfig en1 | grep ether

You should see something like “ether 00:01:02:03:04:05”. This is your MAC address for your wireless connection. To view it for other connections, just change “en1” to “en0” or “en2”, depending on what network devices you have available. Type “ifconfig en1” if you want to see a lot of other info.

Changing Your MAC (and some other crap)

Ok, so by this point you should know:

  1. That you want to change your MAC address for one or more of your network connectors.
  2. You have another MAC address you want to use.
  3. How to make the “airport” terminal command accessible.
  4. Your Airport has to be on and NOT connected to a network.

On to the fun stuff.

Open up a new terminal window. Let’s disconnect from any networks that might be active:

airport -z

If you were connected to a network, you should be disconnected now. Next, spoof your MAC with that first command mentioned above. Change the MAC in the command to match the one you want, or use this one just to see.

sudo ifconfig en1 lladdr 00:11:22:33:44:55

That’s It!

Assuming everything was done correctly, you’ve just spoofed your MAC address. You should be able to reconnect to your wireless network and you’ll use the new MAC on the network.

Well, That’s Not Everything

Ok, so there are a couple of things to be aware of. When you use the command “ifconfig en1 | grep ether” to view your MAC address, it will show up properly. However, this is the only place on your Mac that you’ll see it. It appears that Mac OS X caches the physical MAC address during the startup process. So, if you use the Network Utility, Airport network, or System Profiler (among others) to view your MAC address, they will all show the physical one. However, rest assured that the rest of the world will see your spoofed address.

If you have access to the router you’re connected to, you should be able to login and view the spoofed MAC address that you just set. I’ll also explain a couple of other mechanisms I used to verify it was working, as well.

Bittorrent and Roommates

So I have a couple of roommates. Love these guys to death. Hmm… to death… Anyway, we have a kickass 50mb/s cable connection and it always rocks. Except today. One of the guys recently learned about bittorrent… but not about capping upload rates. See, even though we have a massive downstream rate our upload is still somewhat limited in comparison, around 5mb/s. So if you max out your upstream it increases the latency so much that your downstream is really fucked, no matter how big the pipe is.

So he had apparently started up about 15 pretty big downloads last night and didn’t wake up until pretty late in the afternoon. This guy was impossible to wake up and his door was locked. God bless the heavy sleeper.

His torrents were all finished but were still seeding. I was tracking our latency at being around 300ms, and multiple speed tests were showing our fat 50mb/s clocking in at around 1.5mb/s. Upload was so low it’s not even worth mentioning.

So I needed a way to solve the problem that was pretty easy to implement. I had no access to the router, so that option was out. MAC spoofing was the 3rd thing that came to mind after the 2nd being to turn the power in the house off for 6 hours to wait for his laptop battery to drain. Sure, it would have been a good excuse to clean the refrigerator but I didn’t think it would have been looked upon too kindly. And it wouldn’t have really solved the problem.

So, the problem was 2-fold.

  1. Get my delinquent buddy’s LAN IP
  2. Get DB’s MAC address

My choice of network scanners in this case is Zenmap. This is a GUI front-end for the rather well known nmap network security analyzer.

I grabbed a copy of Zenmap (slowly) and got the IP of our router, aka the default gateway, from my network settings. In this case, 192.168.1.1. This told me the range of IPs to search. In Zenmap, I set my target as 192.168.1.* and had it run an “Intensive scan”. This searched every machine connected to our network. It even found my iPhone!

After parsing through the logs, I found his machine at 192.168.1.104. I also found his MAC address, which at this point was like finding the last Blue M&M at the bottom of a bowl of brown ones.

So after a couple minutes of fiddling, I spoofed my MAC on my Mac using his MAC. Sorry, couldn’t resist.

It took a couple of minutes for our router to sort itself out. I had started a ping to his .104 address previously. While it was running, once I disconnected the pings started failing as expected. Once I spoofed and reconnected, I started getting “No route to host” errors. Then after another minute or so, my pings started failing again. This was exactly what I was expecting. It basically meant that my machine had been assigned a new IP (.108 in this instance) and that .104 was no longer on the network.

As further evidence, the obvious speed of different web sites immediately improved. My new speed tests came in at full force, close to 50mb/s. I re-ran Zenmap and confirmed that the MAC address for .108 matched the one I had just spoofed from my roomie. Lastly, he apparently woke up and walked out asking, “Hey, is everyone else’s internet connection down?”

Ahh, success.
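How the event above looks to someone watching the network: the same MAC turns up on .108 while .104 goes quiet. This is an added example, not part of the original post, that diffs two `arp -an`-style snapshots taken from a third machine on the LAN. The snapshot text and MAC values are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample snapshots (arp -an layout); all MAC values are made up.
BEFORE='? (192.168.1.1) at 0:1e:aa:bb:cc:1 on en1 ifscope [ethernet]
? (192.168.1.104) at 0:11:22:33:44:55 on en1 ifscope [ethernet]
? (192.168.1.105) at 0:1f:5b:0:0:9 on en1 ifscope [ethernet]'
AFTER='? (192.168.1.1) at 0:1e:aa:bb:cc:1 on en1 ifscope [ethernet]
? (192.168.1.104) at (incomplete) on en1 ifscope [ethernet]
? (192.168.1.105) at 0:1f:5b:0:0:9 on en1 ifscope [ethernet]
? (192.168.1.108) at 0:11:22:33:44:55 on en1 ifscope [ethernet]'

# Print "ip mac" pairs, lowercased and zero-padded (arp drops leading zeros).
# Entries without a resolved six-octet address, e.g. "(incomplete)", are skipped.
arp_pairs() {
  printf '%s\n' "$1" | awk '
    $3 == "at" && $4 ~ /^[0-9A-Fa-f:]+$/ {
      ip = $2; gsub(/[()]/, "", ip)
      n = split(tolower($4), o, ":")
      if (n != 6) next
      mac = ""
      for (i = 1; i <= 6; i++)
        mac = mac (i > 1 ? ":" : "") (length(o[i]) == 1 ? ("0" o[i]) : o[i])
      print ip, mac
    }'
}

# Report each MAC whose IP differs between the two snapshots.
# A DHCP lease change looks the same, so treat a hit as a lead, not proof.
mac_moves() {
  { arp_pairs "$1" | sed 's/^/B /'; arp_pairs "$2" | sed 's/^/A /'; } | awk '
    $1 == "B" { old[$3] = $2 }
    $1 == "A" && ($3 in old) && old[$3] != $2 { print $3, old[$3], "->", $2 }'
}

# Report each MAC that answers for more than one IP in a single snapshot.
mac_dupes() {
  arp_pairs "$1" | awk '
    { ips[$2] = ips[$2] " " $1; seen[$2]++ }
    END { for (m in seen) if (seen[m] > 1) print m ":" ips[m] }'
}

mac_moves "$BEFORE" "$AFTER"
mac_dupes "$AFTER"
```

On a live network the two arguments would be the saved output of `arp -an` from different times. A router's DHCP lease table or switch port logs give the same signal with less guesswork.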
