Bypass weak MAC-based access control


#1

I’m currently riding a bus from a bus line that offers its customers onboard WiFi.
That’s great, except there is a quota on the amount of data we can use, despite the network connection supporting unlimited data.

With 100MB, you can’t really do much.

Good news though, the quota is enforced based only on the unique MAC addresses of the devices connected to the onboard WiFi.

Even more good news, the incredibly handy tool named macchanger that had stopped working around the days of the overly optimistic Unicorn has finally been fixed (at least in 18.04, up-to-date).

So here’s how it’s used. Pretty straightforward:

  • Bring the network interface down
  • Deploy the macchanger shroud
  • Bring the network interface back up.

Implemented in a shell script for a WiFi interface wlp2s0, this is the result:

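#!/bin/bash

# Bypass MAC-enforced quota.

# Bring the interface down so its address can be changed
sudo ifconfig wlp2s0 down
# Assign a fully random MAC address
sudo macchanger -r wlp2s0
# Bring the interface back up with the new address
sudo ifconfig wlp2s0 up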

Save the payload in a file named, for instance, quand_yen_a_plus_yen_a_encore.sh, then make it executable with the command:

chmod +x quand_yen_a_plus_yen_a_encore.sh

Execute, and you’re good to go.

[email protected]:~$ ./quand_yen_a_plus_yen_a_encore.sh 
Current MAC:   1e:55:e3:c7:39:5f (unknown)
Permanent MAC: XX:XX:XX:XX:XX:XX (unknown)
New MAC:       66:38:c3:bb:60:8c (unknown)
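
From the operator's side, the addresses in the output above show why a quota keyed on MAC alone is weak and how the reset pattern can be spotted. This is an added example, not part of the original post. Both the "Current" and "New" MACs have the locally administered bit set, and the sketch below flags DHCP hostnames that appear under several such addresses. The lease tuple format, the hostnames and the two extra MACs are constructed for illustration, and it is an assumption that the portal logs the DHCP hostname at all. Phones also randomize their MAC by default, so the bit alone is not evidence of quota evasion.

```python
from collections import defaultdict

def parse_mac(text):
    """Parse 'aa:bb:cc:dd:ee:ff' (or dash-separated) into 6 raw bytes."""
    parts = text.strip().lower().replace("-", ":").split(":")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes(int(p, 16) for p in parts)

def is_locally_administered(mac):
    """True when the U/L bit (0x02 of the first octet) is set, i.e. the
    address was assigned by software rather than burned in by a vendor."""
    return bool(parse_mac(mac)[0] & 0x02)

def quota_reset_suspects(leases, min_macs=2):
    """Group leases by DHCP hostname and report hostnames seen with
    `min_macs` or more distinct locally administered MACs."""
    seen = defaultdict(set)
    for _time, mac, hostname in leases:
        if hostname and is_locally_administered(mac):
            seen[hostname].add(mac.lower())
    return {h: sorted(m) for h, m in seen.items() if len(m) >= min_macs}

# Constructed sample: (time, MAC, DHCP hostname). The two "laptop-a" MACs are
# the ones printed in the post; everything else is made up for the example.
SAMPLE_LEASES = [
    ("10:02", "00:1a:2b:3c:4d:5e", "phone-b"),   # vendor-style address
    ("10:05", "1e:55:e3:c7:39:5f", "laptop-a"),  # locally administered
    ("10:40", "da:a1:19:00:00:01", "tablet-c"),  # randomized, but only once
    ("10:47", "66:38:c3:bb:60:8c", "laptop-a"),  # same host, fresh MAC
]

if __name__ == "__main__":
    for host, macs in quota_reset_suspects(SAMPLE_LEASES).items():
        print(f"{host}: {len(macs)} locally administered MACs -> {macs}")
```

A hostname match is only a heuristic, since the client controls that field too; quotas that have to hold need to be tied to something the client cannot change for free, such as a per-ticket voucher or an authenticated session.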