What is a MAC Address?

According to Burke (2019), MAC (Media Access Control) addresses act as the “physical” or “hardware” addresses of different devices on the same local network. Unlike IP addresses, which usually do change and help identify a computer on a global network, MAC addresses do not change; both are required for a packet to get to its intended destination. MAC addresses are used at Layer 2 of the OSI model, and IP addresses are used at Layer 3. According to Wikipedia contributors (2021), MAC address filtering is a basic security control that uses a device’s MAC address to allow or deny access to a network.

How does a switch (or router) even find a MAC Address?

Regarding how a switch can determine a MAC address, Harmoush (2019) explains that a switch uses an internal table called a “MAC Address Table.” This table starts empty, and the switch records each connected device’s MAC address when it receives a frame from the device (e.g., when the device is trying to communicate with another device). Harmoush (2019) also notes that when a switch receives a frame whose destination address it does not know (one that is not in the MAC Address Table), it ends up sending out the frame to every device on every port. Networking and communication at Layer 2 of the OSI model are pretty limited, and since a standard switch is just a Layer 2 device, methods like these have to be used.
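
The learning and flooding behaviour described above, as a small Python model. This is an added example, not code from Harmoush (2019) or from any switch vendor. The class name, port numbers and MAC addresses are constructed for illustration, and the `moves` list, which records a known address reappearing on a different port, goes beyond what the text covers.

```python
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class LearningSwitch:
    """Toy model of a Layer 2 switch and its MAC Address Table (hypothetical class)."""
    ports: tuple
    table: dict = field(default_factory=dict)  # MAC address -> port it was last seen on
    moves: list = field(default_factory=list)  # (mac, old_port, new_port) events

    def receive(self, in_port, src, dst):
        """Process one frame and return the list of ports it is sent out of."""
        if in_port not in self.ports:
            raise ValueError(f"unknown port {in_port}")
        src, dst = src.lower(), dst.lower()
        # Learn: the source address is reachable through the ingress port.
        old = self.table.get(src)
        if old is not None and old != in_port:
            self.moves.append((src, old, in_port))  # same MAC, different port
        self.table[src] = in_port
        # Forward: a known unicast destination goes out of exactly one port.
        out = None if dst == BROADCAST else self.table.get(dst)
        if out is None:
            # Unknown destination (or broadcast): flood every port except the ingress.
            return sorted(p for p in self.ports if p != in_port)
        return [] if out == in_port else [out]


def demo():
    """Replay four constructed frames through a 4-port switch."""
    sw = LearningSwitch(ports=(1, 2, 3, 4))
    a, b = "02:00:00:00:00:0a", "02:00:00:00:00:0b"  # constructed sample addresses
    results = [
        sw.receive(1, a, b),  # table empty, b unknown: flooded
        sw.receive(2, b, a),  # a was learned on port 1: forwarded there only
        sw.receive(1, a, b),  # b was learned on port 2: forwarded there only
        sw.receive(4, a, b),  # a now arrives on port 4: entry updated, move recorded
    ]
    return sw, results


if __name__ == "__main__":
    sw, results = demo()
    for i, out_ports in enumerate(results, 1):
        print(f"frame {i}: sent out of ports {out_ports}")
    print("table:", sw.table)
    print("moves:", sw.moves)
```

The fourth frame shows why the table alone cannot tell two devices apart: the switch overwrites the entry for whichever port last sent that source address, so a move event is the only trace it leaves.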

My experience and background

I have a lot of career experience when it comes to identifying a computer’s MAC address, and there are a variety of methods you can use, but I typically utilize the command line. For instance, on my MacBook Pro at home, Mac OS X uses the same commands that most Linux and Unix systems do. To find the MAC address, you use the command “ifconfig,” which returns both MAC address and IP address information for all network interfaces you have available. Similarly, on Windows, when you open a command prompt, you can use the command “ipconfig /all” and you are returned a similar set of information. There is also another helpful command for discovering your own MAC address and the MAC addresses of other computers (on a network that you are already connected to). This command only applies to Mac OS X (and some variants of Linux), but if you use “arp -a,” you can utilize the ARP protocol to determine what the MAC addresses are of other computers on your same network.

Why MAC address filtering isn’t the only way to go

To determine how easy it was for an attacker to bypass MAC address filtering, I used a search engine to see how hard it would be to find a guide. The first search result (a guide from Hacking Tutorials cited below) was a detailed guide on discovering MAC addresses on a wireless network but did not cover the actual WiFi password cracking steps. I am familiar with Aircrack-NG by name, but not by use, so it was interesting to learn more about using it. In this tutorial from Hacking Tutorials (2015), the author breaks down the process of using the Aircrack-NG toolset to find wireless NIC MAC addresses on a WiFi network they could connect to with a password but not utilize due to MAC address filtering. They also showed how to use a tool called “macchanger” to make the MAC address switch to an allowed address authorized to connect. With some basic command line knowledge and a computer running Kali Linux, I would consider the process of bypassing MAC address filtering as “trivial” even for those who are just at the “script kiddie” level of knowledge. In my opinion, MAC address filtering is something you could add to a layered defensive approach. Still, it’s more of an incidental “nice to have” and shouldn’t be considered a primary layer of protection by any means. In some ways, it’s another protection that can “keep the honest people honest.”


References: