
Cloud GCP Database

Cloud computing

Uploaded by

sneha

MAC Spoofing and Countermeasures
What is MAC address?
• A MAC address is a series of characters that identifies a
particular device on a network.
• MAC stands for Media Access Control.
• When a device is produced, the manufacturer assigns it a
MAC address.
• Unlike IP addresses, which can be dynamic, MAC addresses
never change. It’s easier to identify a device on a network
by looking at the MAC addresses.
• The MAC address is hardcoded onto a device so it cannot be
changed at the hardware level. It can be changed at the
software level, though.
What is a MAC address (media access
control address)?
• A MAC address (media access control address) is a 12-
digit hexadecimal number assigned to each device connected to the
network.
• Primarily specified as a unique identifier during device manufacturing,
the MAC address is often found on a device's network interface card (
NIC).
• A MAC address is required when trying to locate a device or when
performing diagnostics on a network device.
• Each device on a network has a unique media access control (MAC)
address, sometimes called a physical address.
• Networking two devices requires an IP and MAC address. Every device’s NIC
has a Media Access Control (MAC) address.
• As a cybersecurity professional, you should know that no two devices may have
the same MAC address, since this identifier is unique. Every device has one,
written in hexadecimal notation such as 00:0a:95:9d:67:16.
• The 12-digit alphanumeric identifier comprises 48 bits, with the initial 24 bits
allocated for the OUI (Organization Unique Identifier), while the remaining 24
bits are designated for NIC/vendor-specific data.
• It operates on the OSI model’s data link layer.
• It is supplied by the device’s manufacturer and included in its NIC, which is
ideally fixed and cannot be modified.
• A logical address is connected to a physical or MAC address using the ARP
protocol.
• You can fake a device’s MAC address so it cannot be seen by
public networks. This is known as MAC spoofing.
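The 24-bit OUI / 24-bit NIC split described above, as an added Python example (not part of the original slides). It also reads the two IEEE 802 flag bits in the first octet, which the slides do not mention; the sample addresses other than 00:0a:95:9d:67:16 are constructed.

```python
import re

# First entry is the address quoted in the slides; the other two are constructed.
SAMPLES = ["00:0a:95:9d:67:16", "02-1A-2B-3C-4D-5E", "da7a.b1e0.0c11"]

def parse_mac(text):
    """Split a MAC address into its OUI and NIC-specific halves.

    Accepts colon, hyphen and Cisco dotted notation.
    """
    digits = re.sub(r"[:\-.]", "", text.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    octets = [digits[i:i + 2] for i in range(0, 12, 2)]
    first = int(octets[0], 16)
    return {
        "mac": ":".join(octets),
        "oui": ":".join(octets[:3]),   # first 24 bits: manufacturer prefix
        "nic": ":".join(octets[3:]),   # last 24 bits: assigned by the manufacturer
        # IEEE 802 flag bits carried in the first octet:
        "locally_administered": bool(first & 0x02),  # set in software, not burned in
        "multicast": bool(first & 0x01),             # group address, not a valid source
    }

def software_assigned(addresses):
    """Return the normalised addresses whose flag bit marks them as set in software."""
    return [p["mac"] for p in map(parse_mac, addresses) if p["locally_administered"]]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse_mac(sample))
    print("software-assigned:", software_assigned(SAMPLES))
```

A set locally-administered bit only shows that the address was assigned in software; a cloned address copies a manufacturer-assigned value and will not carry it.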
What is spoofing?
• In the context of cybersecurity, spoofing is the act
of impersonating another entity to earn our trust,
obtain access to our systems, steal data, steal
money, or transmit malware.
What is MAC Spoofing?
• Each network-connected device possesses a distinct Media Access
Control (MAC) address, which serves as an exclusive identifier
assigned to its network interface card.
• Malicious actors can use the method commonly known as MAC spoofing
to modify the MAC address of a device in order to imitate another
device present on the network.
• This technique allows the attacker to bypass network security
controls that depend on MAC addresses, such as MAC filtering or
access control based on MAC addresses.
Is spoofing a MAC address bad?
• Spoofing a MAC address is legal and can be used for
legitimate purposes, such as avoiding being tracked.
• You can also do it safely without having to use any
external software.
• Often, however, MAC address spoofing is used for
malicious purposes. This is called a MAC spoofing attack.
MAC Filtering
• MAC filtering is a security method used in computer
networks to restrict access to network resources based
on the MAC address, a distinctive number that is
assigned to each network interface card (NIC).
• Organizations can improve their network security by
limiting unauthorized devices from connecting to the
network and accessing critical data or resources by
filtering network access at the MAC address level.
MAC spoofing is a tactic commonly employed by malicious actors to alter the Media Access
Control (MAC) address of their device so that it mimics another device present on the
network. This enables the attacker to bypass network security measures such as MAC
filtering and MAC-based access controls.
Techniques Used in MAC Spoofing Attacks
Cloning
• The act of cloning involves the replication of a legitimate device’s MAC
address for the purpose of masquerading as that device on the network.
In instances where a perpetrator has unfettered physical access to a
target device, such as a router or switch, this method is often employed.
Randomizing a MAC address
• Randomization involves generating a new MAC address and using it to
impersonate a network device. When an attacker lacks access to a
trusted device to copy its MAC address, they frequently apply this
method.
Tools and Software Used for MAC Spoofing Attacks
MAC spoofing attacks are carried out by hackers using a range of
tools and software, some of which are easily accessible online:
• MAC Address Changer: a freely available program that lets users alter
the MAC address of their network interface card (NIC). Threat actors can
use MAC address spoofing of this kind to compromise the network and
obtain unauthorized access.
• Ettercap: a tool for analyzing network traffic and conducting security
assessments. By manipulating MAC addresses and intercepting network
traffic with it, cybercriminals can also carry out MAC spoofing attacks.
• Other tools: Cain and Abel, Netcut, and SMAC are additional popular tools
for MAC spoofing attacks. MITM attacks can be conducted using these
tools, which can also be used to clone or randomize MAC addresses.

Video Link: https://www.youtube.com/watch?v=ogtWS6MfiWM


Warning Signs of MAC Spoofing Attacks
• Duplicate IP addresses: The same IP address appearing on several
network devices may suggest that a malicious actor is using MAC
spoofing techniques to impersonate a legitimate device.
• Unknown MAC addresses: It is imperative for network administrators to
maintain a record of the MAC addresses of all connected devices. The
presence of unfamiliar MAC addresses on the network may suggest the
possibility of MAC spoofing.
• Unusual network activity: MAC spoofing attacks frequently include
intercepting and altering network traffic. Network activity that is irregular
or unexpected could be a symptom of a MAC spoofing attack.
• Inconsistent device behavior: Devices that are being spoofed could act
strangely or react differently than planned. This might be because the
attacker was manipulating and intercepting network traffic.
• Unexpected network failures: MAC spoofing attacks can cause network
failures or disturbances. Unexpected network disruptions might be an
indication of a MAC spoofing attack.
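A check for the first two warning signs above, written as an added Python example (not part of the original slides). It also flags an approved MAC address seen on more than one switch port, which goes beyond the list; the inventory, port names and observations are constructed.

```python
from collections import defaultdict

# Constructed record of approved devices (MAC -> name), as an administrator would keep.
INVENTORY = {
    "00:0a:95:9d:67:16": "file-server",
    "00:0a:95:11:22:33": "printer",
    "00:0a:95:44:55:66": "gateway",
}

# Constructed ARP observations: (switch port, IP address, MAC address).
OBSERVATIONS = [
    ("Gi0/1", "10.0.0.10", "00:0a:95:9d:67:16"),
    ("Gi0/2", "10.0.0.20", "00:0a:95:11:22:33"),
    ("Gi0/24", "10.0.0.1", "00:0a:95:44:55:66"),
    ("Gi0/7", "10.0.0.1", "02:1A:2B:3C:4D:5E"),   # unknown MAC claims the gateway IP
    ("Gi0/9", "10.0.0.30", "00:0a:95:11:22:33"),  # printer MAC appears on a second port
]

def find_warning_signs(observations, inventory):
    """Return sorted (sign, subject, evidence) tuples for three warning signs."""
    macs_by_ip, ports_by_mac = defaultdict(set), defaultdict(set)
    for port, ip, mac in observations:
        macs_by_ip[ip].add(mac.lower())
        ports_by_mac[mac.lower()].add(port)
    findings = []
    for ip, macs in macs_by_ip.items():
        if len(macs) > 1:  # one IP address answered by several MAC addresses
            findings.append(("duplicate-ip", ip, tuple(sorted(macs))))
    for mac, ports in ports_by_mac.items():
        if mac not in inventory:  # MAC missing from the administrator's record
            findings.append(("unknown-mac", mac, tuple(sorted(ports))))
        elif len(ports) > 1:  # approved MAC on more than one port: possible clone
            findings.append(("mac-on-multiple-ports", mac, tuple(sorted(ports))))
    return sorted(findings)

if __name__ == "__main__":
    for sign, subject, evidence in find_warning_signs(OBSERVATIONS, INVENTORY):
        print(f"{sign:22} {subject:18} {', '.join(evidence)}")
```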
How to prevent MAC Spoofing
• Using encryption technologies to protect network data could make it
much harder for an attacker to perform a MAC spoofing attack.
• Access Control Lists (ACLs) let network managers limit access to
only media access control (MAC) addresses that have been approved.
• You must be mindful of port security as well.
• Dynamic ARP Inspection (DAI) is a security mechanism that enables
the validation of Address Resolution Protocol (ARP) requests and
responses within a network.
Types of Spoofing
• Email Spoofing
• IP Spoofing
• Website Spoofing
• Phone Spoofing
• Text Message Spoofing
• ARP Spoofing
• DNS Spoofing
• GPS Spoofing
• Facial Spoofing
Email spoofing
• Email spoofing is one of the most common types of cyberattacks. It happens when the
sender forges email headers so that client software shows the false sender address,
which most users accept at face value. Unless email recipients inspect the header closely,
they presume the forged sender sent the message. If recipients recognize the brand,
they are more inclined to trust it.
• Fake emails often seek a money transfer or access to a system. In addition, they may
include attachments that, when opened, install malware, such as Trojans or viruses. In
many instances, malware is meant to infect the whole network in addition to your
machine.
• Email spoofing mainly depends on social engineering — the capacity to persuade human
users that what they see is authentic, inciting them to take action by opening an
attachment, transferring money, etc.
IP Spoofing
• In contrast to email spoofing, IP spoofing is mainly directed toward a network.
• IP spoofing includes an attacker attempting to obtain unauthorized access to a system
by sending messages with a phony or spoofed IP address to make it seem as if the
message originated from a trustworthy source, such as a computer on the same internal
network.
• Cybercriminals do this by stealing the IP address of a trustworthy host and modifying the
packet headers transmitted from their system to make it look like they originated from
the trusted machine. IP spoofing assaults are often part of DDoS (Distributed Denial of
Service) attacks, which may take a whole network down. Therefore, it is crucial to detect
them as soon as possible.
Website Spoofing
• Website spoofing is impersonating a genuine website with a fraudulent one. The faked
website will have a recognizable login page, stolen logos and comparable branding, and a
URL that at first glance looks correct.
• Hackers create these websites to steal your login information and maybe infect your
machine with malware. Frequently, website spoofing occurs in tandem with email
spoofing; for instance, fraudsters may send you an email including a link to the bogus
website.
Caller ID or Phone Spoofing
• Caller ID spoofing, also known as phone spoofing,
occurs when con artists misrepresent the information
supplied to your caller ID to conceal their identity.
They do this because they are aware that you are more
likely to answer your phone if it seems to be a local
number rather than an unfamiliar one.
Text Message Spoofing
• Text message spoofing, also known as SMS spoofing, occurs when the text message’s
sender provides false information. Sometimes, legitimate firms replace a lengthy
number with a short, easy-to-remember alphanumeric identifier to make it simpler for
consumers. Scammers, on the other hand, conceal their true identity behind an
alphanumeric sender ID, often posing as a reputable business or institution. These
counterfeit messages often include links to SMS phishing (also known as “smishing“)
websites or malware downloads.
ARP Spoofing
• ARP is a mechanism that allows network messages to reach a particular network
device. ARP spoofing, also known as ARP poisoning, happens when an adversary
transmits forged ARP packets over a local area network. This situation connects the
MAC address of the attacker to the IP address of a genuine network device or service.
This connection allows the attacker to intercept, alter, or even block any data destined
for the IP address.
DNS Spoofing
• DNS spoofing, also known as DNS cache poisoning, is an
attack in which altered DNS records are used to
redirect internet traffic to a sham website that closely
mimics the actual destination. Spoofers do this by
replacing the IP addresses recorded on the DNS
server with the IP addresses desired by the hackers.
GPS Spoofing
• GPS spoofing happens when a GPS receiver is misled into transmitting false signals that
seem to be authentic. This means that the fraudsters appear to be in one location while
actually being in another. This may be used to hack a car’s GPS and send you to the incorrect
area or, on a much larger scale, to interfere with the GPS signals of ships or airplanes.
Numerous mobile applications depend on location data from smartphones, making
them susceptible to this kind of spoofing attack.
Facial Spoofing
• Facial recognition technology is utilized in law enforcement, airport security,
healthcare, education, marketing, and advertising, as well as to unlock mobile devices
and computers. Facial recognition spoofing is possible using unlawfully acquired
biometric data from an individual’s online profile or compromised system.
Countermeasures
1. Activate your spam filter. This will prevent the vast majority of faked emails from reaching your inbox.
2. Do not click on links or download files in unsolicited emails from unknown senders. If there is a possibility that the email is genuine, contact the sender through an alternative route and validate the email’s contents.
3. Sign in from a different window or tab. Do not click the offered link if you get a suspicious email or text message demanding that you log in to your account and perform some action, such as verifying your details. Instead, open a new tab or window and browse to the site. Alternatively, you may log in with the app on your smartphone or tablet.
4. Use the telephone. If you’ve received a strange email purportedly from a friend, don’t hesitate to phone or text the sender to verify that they sent the email. This is particularly true if the sender makes an unusual request, such as, “Please purchase 100 iTunes gift cards and provide me the card numbers by email. Thanks, Your Employer.”
5. Display file extensions in Windows. By default, Windows does not display file extensions, but you can alter this by choosing the “View” tab in File Explorer and selecting the checkbox to display file extensions. While this will not prevent fraudsters from spoofing file extensions, you will at least be able to identify faked extensions and avoid opening infected files.
6. Invest in reliable antivirus software. Don’t panic if you click on a malicious link or file; a competent antivirus application will warn you of the danger, block the download, and prevent malware from infiltrating your system or network. Malwarebytes, for instance, offers free trials of its
