Time for action – beating MAC filters

Let's follow the instructions to get started:

  1. Let's first configure our access point to use MAC filtering and then add the client MAC address of the victim laptop. The settings page on my router looks as follows:
  2. Once MAC filtering is enabled, only the allowed MAC address will be able to successfully authenticate with the access point. If we try to connect to the access point from a machine with a non-whitelisted MAC address, the connection will fail.
  3. Behind the scenes, the access point is sending authentication failure messages to the client. The packet trace resembles the following:
  4. In order to beat MAC filters, we can use airodump-ng to find the MAC addresses of clients connected to the access point. We can do this by issuing the airodump-ng -c 10 -a --bssid <mac> wlan0mon command. By specifying the --bssid option, we will only monitor the access point that is of interest to us. The -c 10 option sets the channel to 10, where the access point is. The -a option ensures that, in the client section of the airodump-ng output, only clients associated and connected to an access point are shown. This will show us all the client MAC addresses associated with the access point:
  5. Once we find a whitelisted client's MAC address, we can spoof the MAC address of the client using the macchanger utility, which ships with Kali. You can use the macchanger -m <mac> wlan0mon command to get this done. The MAC address you specify with the -m option is the new spoofed MAC address for the wlan0mon interface:
  6. As you can clearly see, we are now able to connect to the access point after spoofing the MAC address of a whitelisted client.

What just happened?

We monitored the air using airodump-ng and found the MAC addresses of legitimate clients connected to the wireless network. We then used the macchanger utility to change our wireless card's MAC address to match a client's. This fooled the access point into believing that we were the legitimate client, and it allowed us access to its wireless network.
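A MAC whitelist cannot tell the cloned card from the real client, but a wireless IDS listening in monitor mode often can: every 802.11 station keeps its own 12-bit sequence-number counter and increments it by one per frame, so two radios transmitting under the same MAC produce interleaved, non-monotonic sequence numbers. The following Python script is an added example, not code from the book, of that detection heuristic run over a constructed set of frame records (timestamp, source MAC, sequence number). The gap threshold and the anomaly count needed to raise an alert are assumptions to be tuned per site.

```python
"""Flag a client MAC that appears to be used by two radios at once.

Added example (not from the book). Assumes a monitor-mode capture has already
been reduced to (timestamp, src_mac, seq_num) tuples; the frames below are
constructed sample data, not a real capture.
"""
from collections import defaultdict

# Constructed sample frames. The 802.11 sequence number is a 12-bit counter
# (0..4095) that a single station increments by one per frame, so a genuine
# client yields a smooth run of values, wrapping from 4095 back to 0.
SAMPLE_FRAMES = [
    (0.00, "aa:bb:cc:11:22:33", 100),
    (0.01, "aa:bb:cc:11:22:33", 101),
    (0.02, "aa:bb:cc:11:22:33", 102),
    (0.03, "aa:bb:cc:11:22:33", 2050),   # a second radio using the same MAC
    (0.04, "aa:bb:cc:11:22:33", 103),
    (0.05, "aa:bb:cc:11:22:33", 2051),
    (0.06, "aa:bb:cc:11:22:33", 104),
    (0.07, "aa:bb:cc:11:22:33", 2052),
    (0.00, "de:ad:be:ef:00:01", 4094),
    (0.01, "de:ad:be:ef:00:01", 4095),
    (0.02, "de:ad:be:ef:00:01", 0),      # legitimate counter wraparound
    (0.03, "de:ad:be:ef:00:01", 1),
]

SEQ_MODULUS = 4096
# Retransmissions and frames the sensor missed cause small forward jumps, so
# only a large gap is treated as suspicious. Threshold is an assumption.
MAX_NORMAL_GAP = 32


def seq_gap(prev, cur):
    """Forward distance from prev to cur on the 12-bit counter (wrap-safe).

    A step backwards comes out as a large value, which is exactly what an
    interleaved second counter looks like.
    """
    return (cur - prev) % SEQ_MODULUS


def analyse(frames, max_gap=MAX_NORMAL_GAP):
    """Return {src_mac: anomalous_jump_count} for MACs with at least one jump."""
    last_seq = {}
    anomalies = defaultdict(int)
    # Stable sort by timestamp keeps each MAC's own frames in capture order.
    for _, mac, seq in sorted(frames, key=lambda f: f[0]):
        if mac in last_seq and seq_gap(last_seq[mac], seq) > max_gap:
            anomalies[mac] += 1
        last_seq[mac] = seq
    return dict(anomalies)


def suspected_spoofs(frames, min_anomalies=2):
    """MACs whose sequence numbers jump repeatedly, i.e. likely cloned."""
    return sorted(mac for mac, n in analyse(frames).items() if n >= min_anomalies)


if __name__ == "__main__":
    for mac, count in analyse(SAMPLE_FRAMES).items():
        print(f"{mac}: {count} sequence-number anomalies")
    print("suspected spoofed MACs:", suspected_spoofs(SAMPLE_FRAMES))
```

The heuristic only needs the frame header, so it works without decrypting traffic; a single large jump is tolerated because a client that reassociates or wakes from power save may legitimately restart its counter, which is why an alert requires several anomalies. It does not detect an attacker who waits for the real client to leave, so MAC filtering should still be treated as a convenience feature rather than an access control, with WPA2 or WPA3 providing the actual authentication.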

You are encouraged to explore the different options of the airodump-ng utility by going through the documentation on their website at http://www.aircrack-ng.org/doku.php?id=airodump-ng.