What is a MAC address? A MAC address (or media access control address) is a number assigned to a network interface on a computer. This number is meant to be globally unique (but in some cases is not…). MAC addresses may also be called physical addresses or hardware addresses. MAC addresses aren’t to be confused with Macintosh computers, commonly called “Macs”.
Where does it fit in the OSI model?
Switches, which operate on the data-link layer (level 2) of the OSI model, use MAC addresses to deliver information to and from devices on the same network. A switch keeps a record of all MAC addresses on a network, and only delivers information to the intended recipient’s port on a network (compared to a hub, which broadcasts indiscriminately). If a computer wants to send information to a computer on a different network, it will have to use an IP address to have the information delivered via router.
You can see the MAC addresses that your computer by opening up a command line and typing
arp -a. ARP stands for Address Resolution Protocol, and is a way of mapping a device’s IP addresses to the corresponding MAC addresses
What do they look like?
MAC addresses are 6 pairs of hexadecimal digits, separated by colons. This format looks like:
This means there are 2^48 bits or 281,474,976,710,656 possible MAC addresses.
The first 3 pairs usually correspond to a manufacturer code, the same way that segments of UPC barcodes map to a specific manufacturer. The last 3 pairs are specific to the device.
Your computer has a MAC address for every network interface. If your computer has ethernet, bluetooth and wifi, you’ll have 3 MAC addresses. To view these, you can go to the command line and type
ifconfig and look for the MAC addresses listed in each section
Can I figure out other people’s MAC addresses?
Depends. If the other person is on your local network, then yes.
IPv4: If the other person is outside of your local network, then no. The MAC addresses of computers within a local network are not sent past the router, so while the router can locally identify computers by their MAC addresses, people outside your network cannot.
IPv6: part of the IP address can be generated from the sending computer’s MAC address, meaning that a MAC address can be traceable outside of a given network. Alternatively, a random number may be used instead.
Can you change your MAC address?
Yes! MAC addresses were designed to be permanent, but you can modify or spoof them, temporarily.
On a unix-based system, you can use
ifconfig to change your MAC address.
Why would you want to?
Some networks filter or authenticate users based on their MAC address. Similarly, some wifi networks (like the airport wifi networks that give you 30 minutes of free wifi) identify devices by their MAC address.
If you had malicious intent, you would want to spoof someone’s MAC address so that the switch on that network mistakes your computer for theirs (and delivers the information to the spoofing computer) . Likewise, spoofing a MAC address could trick a DHCP server into distributing an IP address to the spoofing computer.
How does this relate to infosec?
In infosec, MAC addresses are important because:
- They’re an important part of computer networking, which is foundational for a lot of infosec concepts
- Spoofing MAC addresses can be used to gain access to networks or information.
- Spoofing MAC addresses can be used to hide one’s identity. Similarly, devices report their MAC addresses to networks they are trying to join. This behavior allows someone’s device (and thus, their physical location) to be tracked (here’s an example).