What are MAC addresses?

When you click on a link or open a website, information from that website finds its way to your device, even if you are thousands of miles away on the other side of the planet. The information is forwarded one hop at a time from router to router until eventually your Wi-Fi router sends your ‘3 hours of cats being dumb’ YouTube video to your phone.

Have you ever wondered how each router along the way knows where to forward the information to next?

Well, IP addresses tell each router what the next stop is along the journey, but to actually be ready to send the internet packet, another very important piece of information is needed… the MAC address.

MAC stands for Media Access Control, and a MAC address is used to uniquely identify the Network Interface Card (NIC) of every device in the world that can connect to a network! It’s burned into the NIC while still in the factory by the manufacturer, and every MAC address is unique. That’s why they are also sometimes called hardware addresses.

Here’s what one looks like:

84:B3:86:6:13:38

The MAC address is a 12-digit hexadecimal number that is most often displayed with a colon or hyphen separating every two digits (an octet), making it easier to read.

IP addresses on the other hand can change regularly. The IP address of your phone for example changes every time you switch to a new Wi-Fi.

So in order to figure out which way to send the information, every router has a table in its memory… It’s called the ARP cache. This table matches every known IP address on the network to a MAC address.

So when a network packet needs to be sent out, the router finds the destination IP address in the ARP cache, finds its corresponding MAC address and puts that MAC address in the Ethernet header as the destination of the network packet. Finally we know which device we need to send it to.

But of course we need to figure out which network interface we need to send it down. After all, we wouldn’t want to send the signal down Ethernet if we were connected only by Wi-Fi, would we?

To do that we need to check one more table in memory, called the MAC table. In a similar way to the ARP cache, this table matches MAC addresses to network interfaces.

Ok, now our packet has the correct destination MAC address and we know the correct interface, so we send the packet to the interface and away it goes 📨

But what if the IP address isn’t in the ARP cache? That’s where ARP comes in.

ARP – Address Resolution Protocol

Ok so picture the scene, a new computer walks into the network. His IP address is 192.168.13.37. Another computer in the network wants to start a conversation with 192.168.13.37 so naturally he checks his ARP cache in memory, but it’s not there, he doesn’t know him as he’s never met him before🤔.

So he proceeds to stand up and broadcast his voice to all in the network. He shouts: “HEY WHO IN HERE IS 192.168.13.37”. A voice replies from across the network: “Yes, that’s me mate, I’m 192.168.13.37, my name is: 8F:96:7A:33:37:CE”. Everyone in the network heard the conversation as they weren’t exactly discreet about it, so everyone now knows that 192.168.13.37 is 8F:96:7A:33:37:CE and they write that down in memory in their ARP cache.

That in a nutshell is ARP. Devices communicate ARP messages on the broadcast channel, which makes sense really.

Let’s use Wireshark to watch a real ARP conversation take place:

  • Download and install Wireshark on your computer
  • Start Wireshark listening on your Wi-Fi NIC
  • Now you will see a lot of network chatter but we can add a filter using the filter bar at the top of the screen. Type ‘arp’ into the filter bar
  • Now disconnect from the Wi-Fi and reconnect. Watch as your computer sends out ARP broadcasts trying to connect to the default gateway.

You can see here the computer asked ‘Who has 192.168.1.1?’ and it got a reply!

Using MAC in network reconnaissance

Every hacker knows the importance of reconnaissance (getting to know your target) before launching an attack. What information can we gain from a MAC address?

Remember we said earlier in this article that every MAC address is burned into the NIC by the manufacturer. Well the MAC addresses that they burn into their products aren’t totally random and we can use them in network recon to work out certain details about other devices on the network by listening to their ARP broadcasts.

Let me explain: NIC manufacturers are assigned huge blocks of MAC addresses that they can put into their products. They are assigned their blocks of MAC addresses by an authoritative organisation known as the Institute of Electrical and Electronics Engineers (IEEE). All the addresses in their block start with the same numbers, essentially giving every networked device a “made by so-and-so” label.

You can find online MAC address lookup tools to help you find out who made the devices on the network. Here’s a good example:

maclookup.app

Try it: on your computer, find your MAC address:

  • Windows: Open CMD and type ipconfig /all. Then look for your MAC following “Physical Address”
  • Linux/macOS: Open Terminal and type ifconfig. Then look for your MAC following “ether”

Once you know your computer’s MAC address, go to maclookup.app and put it in and see what information you can ascertain from a MAC address.

ARP poisoning

Remember when 192.168.13.37 walked into the network and broadcast his ARP, letting everyone know his MAC address? Well what do you think would happen if instead of giving his real MAC address, he gave everyone a fake one? Of course everyone listening in the network would hear it and record whatever he said into their ARP cache.

Thus he would have the power to manipulate where network traffic goes. This is called ARP poisoning. ARP poisoning can be used to eavesdrop on someone else’s internet connection, picking up traffic meant for someone else. He broadcasts an ARP telling everyone to send information meant for his victim to him. He can then read what it says and forward it on to the victim, so his victim will be none the wiser.

This is how Man In The Middle Attacks are possible.
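From the defender's side, a poisoned cache shows up as one IP address suddenly being claimed by a second MAC address. The sketch below is an added example, not code from the original article: it decodes raw ARP payloads and reports any IP whose claimed MAC differs from the first one seen. The sample payloads are constructed for illustration, reusing the addresses from the story above, and the names `parse_arp` and `ArpMonitor` are hypothetical.

```python
import socket
import struct

def parse_arp(payload):
    """Decode an Ethernet/IPv4 ARP payload into (opcode, sender_mac, sender_ip)."""
    if len(payload) < 28:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None  # not Ethernet hardware + IPv4 protocol addresses
    sha, spa = struct.unpack("!6s4s", payload[8:18])
    mac = ":".join(f"{b:02X}" for b in sha)
    return op, mac, socket.inet_ntoa(spa)

class ArpMonitor:
    """Remembers the first MAC seen for each IP and reports later conflicts."""
    def __init__(self):
        self.bindings = {}  # ip -> first MAC that claimed it

    def observe(self, payload):
        parsed = parse_arp(payload)
        if parsed is None:
            return None
        _, mac, ip = parsed
        known = self.bindings.setdefault(ip, mac)
        if known != mac:
            return (ip, known, mac)  # same IP, different MAC than before
        return None

# Constructed sample payloads (hex): header, sender MAC, sender IP, target MAC, target IP.
SAMPLES = [
    # "Who has 192.168.13.37?" asked by 192.168.13.10
    "0001080006040001" "aabbcc000001" "c0a80d0a" "000000000000" "c0a80d25",
    # Reply: 192.168.13.37 is at 8F:96:7A:33:37:CE
    "0001080006040002" "8f967a3337ce" "c0a80d25" "aabbcc000001" "c0a80d0a",
    # Later reply: 192.168.13.37 is at a different MAC (conflict)
    "0001080006040002" "020000aabbcc" "c0a80d25" "aabbcc000001" "c0a80d0a",
]

def run_demo():
    monitor = ArpMonitor()
    payloads = (bytes.fromhex(s) for s in SAMPLES)
    return [alert for alert in map(monitor.observe, payloads) if alert]

if __name__ == "__main__":
    for ip, old, new in run_demo():
        print(f"ALERT: {ip} was {old}, now claimed by {new}")
```

Keeping the first-seen binding instead of overwriting it means a conflicting claim keeps alerting until someone confirms which MAC is legitimate. A replaced NIC or a reassigned IP address triggers the same alert, so each hit needs a human check.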

Stay tuned for future articles explaining how to perform ARP poisoning attacks and Man In The Middle Attacks!

Avoiding detection

Hackers can use MAC spoofing (setting a fake MAC address) to avoid detection, passing under the radar. Remember that the first few numbers of a MAC address show us who the manufacturer is? A security analyst looking for unusual activity in his network might see an unusual MAC address on the network and this might raise his suspicions… So a hacker might try to blend into the network by spoofing his MAC address so that he looks like he belongs in the network.
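The analyst's side of that check can be automated. The following is an added example, not code from the original article: it normalises MAC addresses (including ones printed without leading zeros, like the 84:B3:86:6:13:38 shown earlier), extracts the manufacturer prefix, and flags addresses that are malformed, carry the IEEE "locally administered" bit (meaning the address was set in software, not at the factory), or have a prefix not expected on the network. The expected-prefix set and the observed list are constructed for illustration, and the function names are hypothetical.

```python
import re

def normalize_mac(text):
    """Return a MAC as six zero-padded, upper-case octets or raise ValueError."""
    parts = re.split(r"[:-]", text.strip())
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9A-Fa-f]{1,2}", p) for p in parts):
        raise ValueError(f"not a MAC address: {text!r}")
    return ":".join(p.upper().zfill(2) for p in parts)

def describe_mac(text):
    """Split a MAC into its manufacturer prefix (OUI) and first-octet flag bits."""
    mac = normalize_mac(text)
    first = int(mac[:2], 16)
    return {
        "mac": mac,
        "oui": mac[:8],                              # first three octets
        "multicast": bool(first & 0x01),             # group address bit
        "locally_administered": bool(first & 0x02),  # not a factory address
    }

def audit(observed, expected_ouis):
    """Return (mac, reason) for every observed address that looks out of place."""
    findings = []
    for raw in observed:
        try:
            info = describe_mac(raw)
        except ValueError:
            findings.append((raw, "malformed"))
            continue
        if info["locally_administered"]:
            findings.append((info["mac"], "locally administered"))
        elif info["oui"] not in expected_ouis:
            findings.append((info["mac"], "unexpected OUI " + info["oui"]))
    return findings

# Constructed inventory: prefixes this (imaginary) network expects to see.
EXPECTED_OUIS = {"84:B3:86"}
# Constructed observations, e.g. collected from ARP traffic.
OBSERVED = ["84:B3:86:6:13:38", "84-b3-86-aa-10-02",
            "02:00:00:AA:BB:CC", "00:11:22:33:44:55", "not-a-mac"]

if __name__ == "__main__":
    for mac, reason in audit(OBSERVED, EXPECTED_OUIS):
        print(f"{mac}: {reason}")
```

A spoofed address that copies an expected prefix passes this check, which is exactly the blending-in described above, so prefix auditing is best paired with watching for changes in IP-to-MAC bindings.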

So there it is! Now you know what MAC addresses are, how they work in networking and how hackers might try to use them! So next time you’re sitting there watching your ‘3 hours of cats being dumb’ video on YouTube, you can think of what takes place behind the scenes to bring it to you.

Thanks for Reading!

Josjuar Lister
https://tegosec.com
