Spoofing MAC Addresses on Windows
by Wananapaoa Uncle
As always, this information is provided for your spiritual enhancement.
Having your soul enlightened, don't use this information to create wreak and
There are times when you care more about your privacy, and going online is often
one of them.
I'll assume you know about MAC address theory, so I won't spend time
repeating things you can find on Wikipedia. I'll only focus on one aspect: you
normally read that MAC addresses are unique 48-bit addresses burnt into the
device firmware. I think this is generally correct, we only need to better
Your hardware needs some kind of software layer to perform useful work, and
this software is generally called a device driver. No matter which OS you're
using, some kind of driver must talk on one side to the OS and on the other
side to the hardware. The good things lie in between.
Normally, the driver reads the MAC address from the device and passes it
to the OS for use when creating network packets with high-level functions. Of
course, you can forge packets one by one, but this is very time-consuming and
requires specialized software implementing its own minimal network stack.
Piping generic network applications into them can be a mess. So we just want
Windows to believe our MAC address is the one we choose instead of the one
burnt into the firmware, and to stamp it in every packet flowing to the net.
Here comes good news: Windows provides a method to achieve this, so our
hack is simply to understand the way to leverage this capability. Several
built-in tools in Windows make use of fake MAC addresses. NLB is the most
famous, Hyper-V also does it, and so does every "teaming" driver I know of.
As always, Windows stores information about its configuration in the
registry, so we must dig into it.
Just two words about correct definitions, so as not to create confusion:
the registry is a hierarchical database, with things named in this way:
* Keys are the yellow "folders" in REGEDIT, and compose the structure of the
database. You can see them on the left pane in REGEDIT. Keys can have
* Values are the named items that contain data. Values appear in the right
pane, along with their type (REG_SZ for strings, REG_DWORD for 32-bit
integers). Values cannot have sub-values, they have data instead, see next
* Data. As the name suggests, it is the data effectively stored.
In Windows, fire up REGEDIT and let's jump to this key:
(Don't mess with CurrentControlSetXXX keys; they are "last known good
configuration" backup copies.)
Here we have several sub-keys, numbered starting from "0000". Each one
represents a network adapter. You can see a lot of keys, meaning lots of
adapters. Not all of these adapters are physical ones, NICs in the most common
sense of the word. There are several "virtual" adapters, such as VPN, virtual
Wi-Fi, IP tunneling, and so on, contributing to the "NIC pollution" of this
sub-key. We are interested in changing only physical ones, and there are
several methods to identify them, mostly involving ANDing bits with some value;
since we are lazy, we'll take a shortcut and browse each numbered sub-key
looking at the 'DriverDesc' value. Here you can read the name the driver
exposes to the system for that adapter, so you can distinguish between "WAN
Miniport (SSTP)", which is a virtual adapter for Microsoft SSL VPN, and "Realtek
PCIe GBE Family Controller", which identifies itself as our piece of hardware.
Having identified the sub-key of interest, just scroll down the values and
see some of the working tunables for that device. It depends on the vendor, so
the list may vary. Physical adapters tend to have more settings than virtual
We must point straight to the 'NetworkAddress' value of type REG_SZ.
You can have three cases here:
1) The value does not appear.
2) The value appears, but contains no data.
3) The value is here and contains something, say 112233445566.
The data in 'NetworkAddress' is the MAC address of our adapter or, better,
the one we want the system to use. If it is already present (case 3), change it
to whatever you want and disable/re-enable the network adapter from Device
Manager or the Network Connections menu. If you have doubts, reboot your system:
it's always a Windows box, isn't it?
If the value is not present, just right click the right pane, select
'New->String value,' and name it 'NetworkAddress', then double-click it and
type your brand new MAC address.
And how do I get my "real" MAC address back? It is simple enough: just enter
empty data or remove the 'NetworkAddress' value.
A little hint: the MAC address must be typed in the form 112233ABCDEF - no
colons, dashes, spaces, or other garbage. Also, your MAC should be well-formed,
basically being six bytes in hex form. Failing to set a valid MAC generally
results in the real one being used.
Another even-more-simple-but-not-always-applicable method is going into
your device properties sheet and looking for Network Address settings:
sometimes a radio button appears with "Not Present" or a box to type the MAC
To modify an HKLM key, you must be an administrator of your box and run
REGEDIT with elevated privileges where needed.
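An added audit script (not part of the original article) that walks the same numbered adapter sub-keys, reports every 'NetworkAddress' override together with its 'DriverDesc', checks the data against the twelve-hex-digit form described above, and then cross-checks the live adapters for a mismatch between the MAC the stack uses and the permanent one the hardware reports. It assumes the standard adapter class key path (the article leaves the key path blank) and the Get-NetAdapter cmdlet; run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the original article. Audits a Windows host for
# NetworkAddress overrides and reports adapters whose effective MAC differs
# from the permanent (burnt-in) one. Run from an elevated PowerShell prompt.
# Assumption: this is the standard network adapter class key the article
# refers to; the page itself does not print the path.
$classKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}'

# The form the article requires: twelve hex digits, no separators. Also reject
# data whose first byte has the group (multicast) bit set, since that is not a
# valid unicast source address and the driver will fall back to the real MAC.
function Test-NetworkAddressData {
    param([string]$Data)
    if ($Data -notmatch '^[0-9A-Fa-f]{12}$') { return $false }
    $firstByte = [Convert]::ToInt32($Data.Substring(0, 2), 16)
    return (($firstByte -band 1) -eq 0)
}

# Collect every numbered sub-key ("0000", "0001", ...) carrying a NetworkAddress value.
$overrides = Get-ChildItem -Path $classKey -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^\d{4}$' } |
    ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($null -ne $props.NetworkAddress -and $props.NetworkAddress -ne '') {
            [PSCustomObject]@{
                SubKey     = $_.PSChildName
                DriverDesc = $props.DriverDesc
                Override   = $props.NetworkAddress
                WellFormed = Test-NetworkAddressData $props.NetworkAddress
            }
        }
    }

"Registry NetworkAddress overrides:"
$overrides | Format-Table -AutoSize

# Cross-check with the live adapter state: MacAddress is what the stack uses,
# PermanentAddress is what the hardware reports. Separators are stripped from
# both before comparing, because the two properties are formatted differently.
"Physical adapters whose effective MAC differs from the permanent one:"
Get-NetAdapter -Physical -ErrorAction SilentlyContinue |
    Where-Object {
        $_.PermanentAddress -and
        (($_.MacAddress -replace '[-:]', '') -ne ($_.PermanentAddress -replace '[-:]', ''))
    } |
    Select-Object Name, InterfaceDescription, MacAddress, PermanentAddress |
    Format-Table -AutoSize
```

An empty second table on a box where the first table lists an override usually means the override is malformed (see the WellFormed column) or the adapter has not been disabled and re-enabled since the value was written.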
Because we can, first of all. Because "real" MAC addresses are boring.
Because we like to set up a contest for the best sounding valid MAC address and
we need to test it!
According to a friend of mine, other uses are possible. Once he was in a
hotel, and connecting to the Internet was mediated by a captive portal. They
tend to cage your connection until you provide valid user/password/credit card
and so on. Since they block all of your network connections, not only web,
they usually check packets at layer 2, looking for authorized MAC addresses.
So when a friend of my friend got authenticated and then shut down his computer
(it is often a requirement, but we'll digress another time), my friend "leased"
the other person's MAC address and continued to surf, getting the same address
from DHCP and having his surfing logs credited to the other person. He said
this is a workable solution also in airports, where people connect, surf for a
while and then run to the check-in.
Also, some captive portals have some "always authenticated" devices like
proxy servers, anti-virus, management stations, network controllers, TV, set-top
boxes (like the one standing in front of you in your hotel room), and so on. A
little sniffing on the net (broadcast is your friend) may help to identify them
Another friend of mine once told me that changing the MAC address can help
while pen-testing (your) wireless networks. Some access points have MAC
filtering and only devices with a certain MAC address can connect to them.
Well, the MAC address is a layer 2 beast, so it is not encrypted and clearly
visible even on WEP/WPA networks.
Another friend (yes, I have lots of friends) told me that some wireless
providers let you surf for free for a fixed amount of time before requiring some
kind of sign-in. A brand new MAC address will often convince DHCP to give you a
brand new IP. And so on. Some services require your device to be produced by
some specific vendor. As you know, changing the first three digits may
transform your el-cheapo laptop into a shiny new MacBook Air. Yes, it's magic!
Some devices on the net (PLC, SCADAs), for security or compatibility
reasons, may respond only to requests coming from specific ranges of MAC
addresses. Well, spoofing yours may render you very compatible.
A person who was on the plane with a friend of mine told him that some
firewalls perform layer 2 filtering because layer 3 (IP) addresses can be
spoofed. I owe him lots of thanks.
A designer my friend knew on the beach said the CAD he used had a license
based on the MAC of the network adapter. He was then able to test drive the CAD
product with his friend's license, become an expert, and then finally acquire the
CAD product. He also told me he designed a famous steel tower in Paris, but I
suspect he was joking with me.
Last but not least, since MAC addresses are "immutable" characteristics of a
computer, they can be part of forensic analysis. Layer 2 devices often log
them. Using some imagination can help to keep the bad guys looking for some
iPhone instead of your Vista box, if you just remember to unbind some protocols
from the NIC.
Spoofing your MAC address is not so difficult and generally does not
require more than five minutes. Do not pay for some "magic" software.
Free ones are available. Use those (if you are lazy, just look at the end of
Section 2 is valid also for UNIX users. What changes is the way to spoof
the address. In many cases, it is a matter of typing:
ifconfig ath0 ether 112233445566
Consult your man page for ifconfig.
Finally, remember that MAC addresses live in your LAN, and are discarded
by the first router you'll find. Generally speaking, Internet hosts cannot see
your MAC address, or not directly.
As always, play fair. Some assembly may be required and results may vary.
And remember, if you don't trust snake oil, be aware of ARP poisoning too.
For a click-and-go free tool that seems to work, jump to:
and look for MacMakeup. It probably runs on Vista and Seven too, but if you read
section 2 you can simply write your own tool.
For a list of MAC address vendor codes, look at the manuf file in your
Wireshark installation directory, or consult: