SecurityTube, Wireless Lan Security Megaprimer notes: part 7 (MAC Filtering)

The SecurityTube video is here.

MAC filtering comes from wired networking. MAC addresses can be spoofed easily: we can sniff packets and find the MAC address of a client that is already allowed. This way we can easily get a valid MAC, spoof it and get access to the network.

0. Turn on MAC filtering on your AP and allow a client (e.g. your iPhone)

1. Perform a capture with Wireshark as before.
1.1 Add a filter on the AP address; it should look like this: “wlan.addr == APMACADDRESS”
1.2 Add a filter to remove beacon frames (right-click type/subtype on a beacon frame and apply it as an “and not” filter).

2. Attempt to connect using aireplay-ng, where ESSIDNAME is your AP's network name (e.g. SecurityTube):

aireplay-ng --fakeauth 10 -e ESSIDNAME mon0

2.1 Run Wireshark while doing the above.
2.2 Check that you can see “Unspecified failure (0x0001)”.

3. Fire up airodump-ng again, monitoring the channel that your AP is on:

airodump-ng --channel XX mon0

You should see your AP listed in the first list; note its BSSID here. Then look down the second list, which shows stations, and you should see the same BSSID. Next to this BSSID will be a station MAC address. Make a note of this MAC address: it is the client connected to the AP.

4. Try to authenticate using that MAC address:

aireplay-ng --fakeauth 10 -e ESSIDNAME -h MACADDRESSFROM3 mon0

Fire up Wireshark while you're doing this and check that you can see “Successful (0x0000)”.
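As an added example (not from the video or these notes), the following Python parses the 802.11 Authentication frames that steps 2 and 4 have you inspect in Wireshark and tallies the AP's verdict per client MAC over a constructed capture; the MAC addresses and frames are made up for the demonstration. It shows what an administrator reviewing such a capture actually gets from MAC filtering: a rejection for an unknown address, and an ordinary success once an allowed address is presented.

```python
import struct
from collections import defaultdict
# Constructed sample MACs (locally administered), not the lab's real addresses.
AP = bytes.fromhex("020000000001")       # the AP's BSSID
KNOWN = bytes.fromhex("020000000002")    # client on the AP's allow list
UNKNOWN = bytes.fromhex("020000000003")  # client not on the allow list
# Status codes the notes tell you to look for (Wireshark: wlan.fixed.status_code).
STATUS = {0x0000: "Successful", 0x0001: "Unspecified failure"}

def build_auth(src, dst, bssid, seq, status):
    """Build a minimal 802.11 Open System Authentication frame (type 0, subtype 0xB)."""
    fc = struct.pack("<H", 0x00B0)               # frame control: subtype 0xB, type 0
    return (fc + b"\x00\x00" + dst + src + bssid  # duration, addr1, addr2, addr3
            + b"\x00\x00"                        # sequence control
            + struct.pack("<HHH", 0, seq, status))  # algorithm, auth seq, status code

def parse_auth(frame):
    """Return (src, dst, status) for an Authentication frame, None for anything else."""
    if len(frame) < 30:
        return None
    (fc,) = struct.unpack_from("<H", frame, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0 or subtype != 0xB:  # beacons (subtype 8), data frames etc. are skipped
        return None
    dst, src = frame[4:10], frame[10:16]
    _algo, _seq, status = struct.unpack_from("<HHH", frame, 24)
    return src, dst, status

def auth_outcomes(frames, bssid):
    """Tally the AP's authentication replies per client MAC, keyed by status name."""
    tally = defaultdict(lambda: dict.fromkeys(STATUS.values(), 0))
    for frame in frames:
        parsed = parse_auth(frame)
        if parsed is None or parsed[0] != bssid:  # only the AP's replies carry the verdict
            continue
        _src, dst, status = parsed
        name = STATUS.get(status, "status 0x%04x" % status)
        client = tally[dst.hex(":")]
        client[name] = client.get(name, 0) + 1
    return dict(tally)

# Constructed exchange mirroring steps 2 and 4 of the notes: the unknown MAC is
# refused, the allowed MAC is accepted, and a beacon is present to be filtered out.
SAMPLE_FRAMES = [
    build_auth(UNKNOWN, AP, AP, 1, 0x0000),  # request from the unknown client
    build_auth(AP, UNKNOWN, AP, 2, 0x0001),  # AP replies: Unspecified failure
    build_auth(KNOWN, AP, AP, 1, 0x0000),    # request presenting the allowed MAC
    build_auth(AP, KNOWN, AP, 2, 0x0000),    # AP replies: Successful
    bytes([0x80, 0x00]) + bytes(30),         # beacon frame (subtype 8), ignored
]
```

Calling auth_outcomes(SAMPLE_FRAMES, AP) gives one failure for the unknown MAC and one success for the allowed MAC, exactly the two Wireshark readings the notes ask you to confirm.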

MAC address filtering is useless!