What happened is, I went to my cousin's house and asked to connect to his WiFi router. The thing is, he asked me for my phone's MAC address, and I said why?!! He told me he doesn't use WiFi password authentication, as the MAC address configuration is better to keep his WiFi connection TIGHT!!!
That's when I told him it's a very bad idea to do this type of authentication, as his WiFi is an open network; even if he does the MAC filtering manually, it doesn't mean his connection is safe. I explained to him how to connect to his network without needing to give him my phone's MAC address.
So, I'm doing this demonstration on how to connect to an open WiFi network that uses MAC filtering.
First, we need to configure the router to use only the MAC address filter and make the WiFi open, because using a MAC filter with encrypted WiFi makes no sense... right!!! Or at least this was the scenario. I'm using my Raspberry Pi as the attacker device with a WiFi card that supports monitor mode, and my laptop and phone connected to the router with their MAC addresses in the “Allow” section.
Make sure your phone, or whatever device you are using, is not set to use a random MAC address every time it connects to the router, as every time you disconnect and reconnect it will use a different MAC address. This is a good option in general, but not in this case.
Now let's jump onto the Raspberry Pi and put our WiFi card into monitor mode by running “airmon-ng start wlan1”.
Then start capturing to find the WiFi BSSID with “airodump-ng wlan1”.
We have the BSSID of the target WiFi router, now let's run “airodump-ng --bssid <BSSID> -c <channel> wlan1”.
As we can see, there is a device connected to the router with the same MAC address we saw on the router configuration page, so we are now going to make this device disconnect from the router with “aireplay-ng --deauth 0 -a <BSSID> -c <DMAC> wlan1”, where <DMAC> is the device's MAC address.
At the same time, we're going to change the MAC address of our WiFi card to the same MAC address as the device we're deauthenticating. Be aware that the MAC address we're changing on our device is for the built-in card (wlan0), not the external monitor-mode card (wlan1).
Let the “aireplay-ng” command run for a while to make sure the device is disconnected and can no longer reconnect. At the same time, click the WiFi icon on the Raspberry Pi to connect to the WiFi network, then stop the deauth process and quickly run the “macchanger” command like this: “macchanger -m <MAC_address_of_the_device_we_deauthed> wlan0”.
So, if the MAC address we're trying to kick off the router is 00:9a:cd:64:ad:4a, then the command should be:
macchanger -m 00:9a:cd:64:ad:4a wlan0
Take a look at the WiFi icon and you will find it has connected to the target WiFi.
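From the router owner's side, the sequence just described has a clear signature: a burst of deauthentication frames aimed at one allow-listed station, followed by that same address re-associating. The Python below is an added example, not from the original post, showing how a monitoring station could flag it. The frame records, MAC addresses and timestamps are constructed sample data, and decoding raw 802.11 frames into those records is assumed to have been done already.

```python
"""Added example (not from the original post): spot a deauthentication flood
from 802.11 management-frame records, the way a wireless IDS would.

Assumptions: frames have already been decoded into dicts with the fields
ts (seconds), subtype ('deauth', 'assoc', 'data'), src, dst and bssid.
All MAC addresses and timestamps below are constructed sample data.
"""
from collections import defaultdict, deque

# Constructed sample capture: a client is hit by a burst of deauth frames
# that claim to come from the AP, then a station using the same MAC
# associates again. A normal session sees only the occasional deauth.
AP = "aa:bb:cc:dd:ee:ff"
CLIENT = "00:9a:cd:64:ad:4a"

SAMPLE_FRAMES = (
    [{"ts": 1.0, "subtype": "data", "src": CLIENT, "dst": AP, "bssid": AP}]
    + [{"ts": 10.0 + i * 0.1, "subtype": "deauth", "src": AP, "dst": CLIENT, "bssid": AP}
       for i in range(40)]
    + [{"ts": 15.0, "subtype": "assoc", "src": CLIENT, "dst": AP, "bssid": AP}]
)


def detect_deauth_flood(frames, window_s=5.0, threshold=10):
    """Return one alert per (bssid, target) pair that receives more than
    `threshold` deauth frames inside a sliding window of `window_s` seconds.

    Legitimate deauths are rare; a flood sends dozens per second, so a low
    threshold over a short window separates the two cleanly.
    """
    recent = defaultdict(deque)  # (bssid, target) -> timestamps in window
    alerted = set()
    alerts = []
    for f in sorted(frames, key=lambda f: f["ts"]):
        if f["subtype"] != "deauth":
            continue
        key = (f["bssid"], f["dst"])
        q = recent[key]
        q.append(f["ts"])
        # drop timestamps that have fallen out of the window
        while q and f["ts"] - q[0] > window_s:
            q.popleft()
        if len(q) > threshold and key not in alerted:
            alerted.add(key)
            alerts.append({
                "bssid": f["bssid"],
                "target": f["dst"],
                "count": len(q),
                "first_ts": q[0],
                "last_ts": f["ts"],
            })
    return alerts


def reassociated_after_flood(frames, alerts, within_s=60.0):
    """Targets of a deauth flood whose address (re)associates shortly after.

    On a MAC-filtered open network this is exactly what a cloned client looks
    like: the allow-listed address is knocked off and comes back. The monitor
    cannot tell the real device from the clone, which is the whole point:
    a MAC address is an identifier, not an authenticator.
    """
    hits = []
    for a in alerts:
        for f in frames:
            if (f["subtype"] == "assoc" and f["src"] == a["target"]
                    and f["bssid"] == a["bssid"]
                    and a["last_ts"] < f["ts"] <= a["last_ts"] + within_s):
                hits.append((a["target"], f["ts"]))
                break
    return hits


if __name__ == "__main__":
    found = detect_deauth_flood(SAMPLE_FRAMES)
    for a in found:
        print(f"deauth flood: {a['count']} frames to {a['target']} on {a['bssid']} "
              f"between t={a['first_ts']} and t={a['last_ts']}")
    for mac, ts in reassociated_after_flood(SAMPLE_FRAMES, found):
        print(f"{mac} re-associated at t={ts} after being flooded")
```

The alert fires on the eleventh deauth frame in the window and is raised once per target, so a long-running flood does not spam the log; the re-association check then ties the flood to the address that came back. Neither check proves the returning station is a clone, which is precisely why the page's advice to add WPA2 stands.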
It's a very easy method to bypass the MAC filter of an open network that depends only on the MAC filter option, which is a stupid move. If you want to have control over your router, just use the normal login method with WPA2 encryption along with a strong password. If you have guests, you can try Guest mode if your router offers it; if not, you can save the router password as a QR code and give it only to people you trust. Some routers also offer the option to connect by scanning a QR code shown on the router's screen.
One more thing: if you must use the MAC filter option, then enable both the password login and the MAC filter at the same time. This way, even if some unauthorized person gets the password somehow, they will still be unable to log in with it, as their device is not registered in the MAC filter.
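To make the two recommendations above concrete, here is an added example (not from the original post) that audits a hostapd-style access-point configuration: the weak setup from the demonstration (open network, MAC allow-list only) beside the hardened one (WPA2-PSK with AES/CCMP, a long passphrase, and the allow-list kept as a second layer). The key names are hostapd's real ones; both configuration texts and the 16-character passphrase floor are this example's own constructed choices.

```python
"""Added example (not from the original post): audit a hostapd-style AP
configuration for the mistakes discussed above.

Assumptions: hostapd's key=value format and its keys wpa, wpa_key_mgmt,
rsn_pairwise, wpa_passphrase, wpa_psk, macaddr_acl and accept_mac_file.
The two configurations below are constructed samples, and the 16-character
passphrase floor is this example's own policy choice (WPA2 allows 8..63).
"""

# Constructed "before": open network that relies on the MAC allow-list only.
WEAK_CONF = """\
interface=wlan0
ssid=CousinNet
channel=6
macaddr_acl=1
accept_mac_file=/etc/hostapd/hostapd.accept
"""

# Constructed "after": WPA2-PSK with CCMP, a long passphrase, and the MAC
# allow-list kept as an extra layer rather than the only one.
HARDENED_CONF = """\
interface=wlan0
ssid=CousinNet
channel=6
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=correct horse battery staple 2024
macaddr_acl=1
accept_mac_file=/etc/hostapd/hostapd.accept
"""

MIN_PASSPHRASE_LEN = 16  # assumed local policy; the protocol minimum is 8


def parse_hostapd(text):
    """Parse key=value lines, ignoring blank lines and '#' comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def audit_hostapd(text):
    """Return a list of finding strings; an empty list means nothing flagged."""
    conf = parse_hostapd(text)
    findings = []
    wpa = conf.get("wpa", "0")          # hostapd default: no WPA at all
    acl_on = conf.get("macaddr_acl", "0") == "1"  # 1 = accept listed MACs only

    if wpa == "0":
        findings.append("open network: no WPA/WPA2 encryption configured")
        if acl_on:
            findings.append("MAC allow-list is the only access control; "
                            "station addresses are sent in the clear and can be copied")
    else:
        if wpa in ("1", "3") or "TKIP" in conf.get("rsn_pairwise", ""):
            findings.append("legacy WPA/TKIP enabled; use wpa=2 with rsn_pairwise=CCMP")
        passphrase = conf.get("wpa_passphrase", "")
        if not passphrase and "wpa_psk" not in conf:
            findings.append("WPA enabled but no wpa_passphrase or wpa_psk set")
        elif passphrase and not 8 <= len(passphrase) <= 63:
            findings.append("wpa_passphrase must be 8..63 characters")
        elif passphrase and len(passphrase) < MIN_PASSPHRASE_LEN:
            findings.append(f"wpa_passphrase shorter than policy minimum of "
                            f"{MIN_PASSPHRASE_LEN} characters")
    if acl_on and not conf.get("accept_mac_file"):
        findings.append("macaddr_acl=1 but accept_mac_file is not set")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit_hostapd(conf) or ['no findings']}")
```

Running it reports two findings for the weak configuration and none for the hardened one. Keeping macaddr_acl=1 in the hardened file mirrors the page's last point: the allow-list is harmless as a second layer once WPA2 is on, it just must never be the only one.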