It depends on the AP firmware implementation; also, in WPA/WPA2, spoofing and replay attacks are fought with the binding of the keys to the MAC addresses.

> Does anyone know how to bypass a MAC filter without spoofing a client, like if there are no clients on the router?
Last edited by iliyapolak; 06-19-2011 at 07:09 AM.
Scientia ac Labore
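Added example (editor's, not code from any poster in this thread) of what "binding of the keys to the MAC addresses" means in WPA2: the pairwise transient key is derived from the PMK, both MAC addresses and both nonces, and the AP recomputes the handshake MIC with the transmitter address it actually saw. The PMK, addresses, nonces and EAPOL body below are constructed demo values, and the EAPOL-Key body is simplified to the fields that matter for the MIC.

```python
import hashlib
import hmac


def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """IEEE 802.11 PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i)
    for i = 0, 1, ... until nbits of output are available, then truncate."""
    out = b""
    i = 0
    while len(out) * 8 < nbits:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[: nbits // 8]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes, nbits: int = 384) -> bytes:
    """PTK = PRF-n(PMK, "Pairwise key expansion",
                   min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)).
    Both MAC addresses are key-derivation inputs: that is the binding the post refers to."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, nbits)


def kck_of(ptk: bytes) -> bytes:
    # Key Confirmation Key: the first 128 bits of the PTK, used for the handshake MIC
    return ptk[:16]


def eapol_mic(kck: bytes, eapol_frame_with_zero_mic: bytes) -> bytes:
    """EAPOL-Key MIC for key descriptor version 2 (WPA2/CCMP): HMAC-SHA1 truncated to 128 bits."""
    return hmac.new(kck, eapol_frame_with_zero_mic, hashlib.sha1).digest()[:16]


def ap_accepts_msg2(pmk, aa, observed_spa, anonce, snonce, eapol_zero_mic, received_mic) -> bool:
    """What the AP does with handshake message 2: derive the PTK using the transmitter address
    it observed on the air and its own fresh ANonce, recompute the MIC, compare in constant time."""
    kck = kck_of(derive_ptk(pmk, aa, observed_spa, anonce, snonce))
    return hmac.compare_digest(eapol_mic(kck, eapol_zero_mic), received_mic)


# --- constructed demo values (not taken from any real network) ---
PMK = hashlib.pbkdf2_hmac("sha1", b"correct horse battery staple", b"TestNet", 4096, 32)
AA = bytes.fromhex("001122334455")      # AP (authenticator) MAC
SPA = bytes.fromhex("66778899aabb")     # legitimate station MAC
OTHER = bytes.fromhex("66778899aabc")   # some other station MAC
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
# simplified EAPOL-Key message-2 body: descriptor fields, SNonce, then a zeroed 16-byte MIC slot
MSG2_ZERO_MIC = b"\x02\x01\x0a\x00\x10" + b"\x00" * 8 + SNONCE + b"\x00" * 16


def legit_mic() -> bytes:
    """MIC the genuine station puts on message 2 (it knows the PMK and uses its own MAC)."""
    return eapol_mic(kck_of(derive_ptk(PMK, AA, SPA, ANONCE, SNONCE)), MSG2_ZERO_MIC)


if __name__ == "__main__":
    mic = legit_mic()
    print("genuine station, this handshake:", ap_accepts_msg2(PMK, AA, SPA, ANONCE, SNONCE, MSG2_ZERO_MIC, mic))
    print("same bytes seen from another MAC:", ap_accepts_msg2(PMK, AA, OTHER, ANONCE, SNONCE, MSG2_ZERO_MIC, mic))
    print("same bytes, later handshake (new ANonce):", ap_accepts_msg2(PMK, AA, SPA, bytes(32), SNONCE, MSG2_ZERO_MIC, mic))
```

The two failing cases are the two attacks named in the post: a message whose MIC was computed under one station address does not verify when the AP sees it from another address, because the KCK itself changes, and the same message replayed later fails because the AP's ANonce is fresh per handshake. Note that none of this involves the MAC filter; the filter is enforced before the handshake and is independent of the key binding.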
Ok, I'm testing on my old Linksys router and just wanted to try and crack it, currently without any protection; new to the whole thing so any help would be great, thanks! I can spoof but wanted to learn how to do it without a client on, and I can't find a lot of info on how to do it.
I don't see how you could connect to an access point with MAC filtering if you can't find a MAC address to spoof...
Theoretically you could bruteforce it; however, I have not had any luck with that option in mdk3, and realistically, it's probably better to wait for one to connect ..
Still not underestimating the power...
There is no such thing as bad information - There is truth in the data, so you sift it all, even the crap stuff.
When WPA/WPA2 is used you cannot impersonate a client because of session token binding.

> Theoretically you could bruteforce it; however, I have not had any luck with that option in mdk3, and realistically, it's probably better to wait for one to connect ..

Moreover, spoofing can be prevented easily by a simple state machine algorithm, for example measuring the preamble power of the real client over a specified time interval and comparing it with the spoofed source.
Last edited by iliyapolak; 06-23-2011 at 06:29 AM.
Scientia ac Labore
The router is a Linksys WRT54G, and I don't have anyone in the filter, it's just an empty list, so would bruteforce work?
Well I must be missing something then, I can spoof an approved MAC addy on a WPA2 network just fine,

> When WPA/WPA2 is used you cannot impersonate a client because of session token binding.
> Moreover, spoofing can be prevented easily by a simple state machine algorithm, for example measuring the preamble power of the real client over a specified time interval and comparing it with the spoofed source.

just set up a test router (Linksys WRT54G) with hidden SSID, WPA2 AES and no problems spoofing.
(now connecting straight away with WICD.. that's a different story.. sjeesh.. gotta get back to cli)
and your 'easy' spoofing prevention... doesn't sound so easy!
perhaps you have a trial example you would care to share with us .. ?
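Added example (editor's, not posted by anyone in this thread) of the detection idea proposed above and asked about here: a per-source-address state machine that learns a signal-strength baseline for each client and alerts when a frame carrying that address arrives far outside it. It works on records of (timestamp, source MAC, RSSI in dBm) such as a capture tool would export; the frame list, the MACs and the thresholds below are constructed for the demo.

```python
import statistics
from collections import defaultdict

LEARN_FRAMES = 5    # frames used to build a per-MAC baseline before judging anything
WINDOW = 20         # sliding window of accepted samples kept per MAC
MIN_SIGMA = 2.0     # dB floor so a very steady client does not make the test hair-trigger
K = 3.0             # alert when |rssi - mean| > K * sigma


class MacProfile:
    """Per-source-address state machine: LEARNING -> STABLE -> ALERT."""

    def __init__(self):
        self.state = "LEARNING"
        self.samples = []

    def observe(self, rssi):
        """Feed one RSSI reading for this MAC; return an alert dict or None."""
        if self.state == "LEARNING":
            self.samples.append(rssi)
            if len(self.samples) >= LEARN_FRAMES:
                self.state = "STABLE"
            return None
        mean = statistics.fmean(self.samples)
        sigma = max(statistics.pstdev(self.samples), MIN_SIGMA)
        if abs(rssi - mean) > K * sigma:
            self.state = "ALERT"
            return {"baseline_mean": round(mean, 1), "sigma": round(sigma, 1), "rssi": rssi}
        if self.state == "STABLE":
            # only accepted samples refresh the baseline, so outliers cannot drag it;
            # once in ALERT the baseline is frozen until an operator resets the profile
            self.samples.append(rssi)
            self.samples = self.samples[-WINDOW:]
        return None


def detect_spoofing(frames):
    """frames: iterable of (timestamp, src_mac, rssi_dbm). Returns the list of alerts raised."""
    profiles = defaultdict(MacProfile)
    alerts = []
    for ts, mac, rssi in frames:
        hit = profiles[mac].observe(rssi)
        if hit:
            alerts.append({"t": ts, "mac": mac, **hit})
    return alerts


# Constructed sample: station ...:01 sits at a steady ~-52 dBm. The frames at t=6.0 and t=8.0 carry
# its address but arrive at ~-80 dBm, as a second radio using the same MAC from elsewhere would.
# Station ...:02 is a quiet control that should never alert.
SAMPLE_FRAMES = [
    (0.0, "aa:bb:cc:dd:ee:01", -52), (0.5, "aa:bb:cc:dd:ee:01", -51),
    (1.0, "aa:bb:cc:dd:ee:01", -53), (1.5, "aa:bb:cc:dd:ee:01", -52),
    (2.0, "aa:bb:cc:dd:ee:01", -50), (2.5, "aa:bb:cc:dd:ee:01", -52),
    (3.0, "aa:bb:cc:dd:ee:02", -61), (3.5, "aa:bb:cc:dd:ee:02", -60),
    (4.0, "aa:bb:cc:dd:ee:02", -62), (4.5, "aa:bb:cc:dd:ee:02", -61),
    (5.0, "aa:bb:cc:dd:ee:02", -60), (5.5, "aa:bb:cc:dd:ee:02", -61),
    (6.0, "aa:bb:cc:dd:ee:01", -79), (6.5, "aa:bb:cc:dd:ee:01", -51),
    (7.0, "aa:bb:cc:dd:ee:02", -62), (8.0, "aa:bb:cc:dd:ee:01", -80),
]

if __name__ == "__main__":
    for a in detect_spoofing(SAMPLE_FRAMES):
        print(f"t={a['t']:>4} {a['mac']} rssi={a['rssi']} dBm, baseline {a['baseline_mean']} +/- {a['sigma']}")
```

The sliding window is what keeps a client that walks across the room from alerting: a drift of about 1 dB per frame stays inside K*sigma, while a jump of 25 dB does not. The obvious limits are also why this is a heuristic rather than a control: a second radio at a similar distance and power will sit inside the baseline, and the thresholds need tuning per site. In practice it is one signal alongside others such as sequence-number discontinuities for the same address, and it complements rather than replaces the key binding in WPA2.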
If you have nothing in the filter.. then there is surely nothing to bruteforce? All MAC addies should be able to connect?

> The router is a Linksys WRT54G, and I don't have anyone in the filter, it's just an empty list, so would bruteforce work?

I had a go at it a while ago, forget which type of router I was using at the time, but you should read this thread for the response I got from the author of MDK3:
http://www.backtrack-linux.org/forum...c-filters.html
Might have another shot with Wireshark running to see what's going on exactly.