Change the MAC address of your Linux system

Apr 13, 2021 by Thibault Debatty | 434 views

Offensive Security Sysadmin

Still today, some network monitoring tools and security systems rely on the MAC address of the host. However, a MAC address is not an authentication mechanism! It can be easily changed. More precisely, by default most operating systems will use the MAC address burnt into the network interface as the source MAC address for all emitted Ethernet frames. But you can easily reconfigure your system to change this behavior. Here is how to do that on a Linux computer.

Command line

From the command line, let's list the network interfaces and current MAC addresses:

ip link

To change the MAC address, we must actually turn the network interface down, then set the MAC address, and finally turn it up again:

sudo ip link set dev <interface> down
sudo ip link set dev <interface> address <XX:XX:XX:XX:XX:XX>
sudo ip link set dev <interface> up

But pay attention, this modification will be discarded after reboot...


macchanger is a small tool that makes it even easier to change your MAC address from the command line.

Installation is as simple as:

sudo apt install macchanger

macchanger can change your MAC address each time you plug a network cable or connect to a wifi, but I would not use this feature, so better answer "No":

macchanger has 3 main commands:

  1. assign a random MAC address to an interface;
  2. assign a provided MAC address;
  3. restore to the default MAC address.

To assign a random MAC address:

sudo macchanger -r <interface>

To assign a provided MAC address:

sudo macchanger -m <XX:XX:XX:XX:XX:XX> <interface>

Finally, to reset the default MAC address:

sudo macchanger -p <interface>
Running and Imaging with FTK Imager from a flash device
In the process of analyzing a suspicious machine, the first thing we need to do is to actually image the machine we want to investigate. There are different tools available to do this, but the one I most often use is FTK Imager by AccessData. The FTK Imager tool is easy to use and more importantly, there is a free version.
Email (in)security
Sending emails relies mainly on SMTP, the Simple Mail Transfert Protocol. This protocol is actually quite old: the first traces date back from the 70's, and the first standardisation took place in 1982 (RFC 821). It is primarily a very simple and insecure protocol, although multiple additional protocols have developed to protect emails and avoid SPAM. In this blog post we review these different protection mechanisms.
Setting up a watering hole attack with metasploit
In recent years we have witnessed multiple organised attacks against countries and companies using malicious code that was distributed via a legitimate website. These types of attacks are called "watering hole attacks" as they target well known and used websites and compromising them. You could compare this to dumping poison or other dangerous chemicals in a pond or well, where your intentions are to target any and all that use that source. One of the more famous such attacks was the CCleaner Watering Hole attack, which used the well-known tool CCleaner to distribute its malicious code.