Handling Randomised MAC Addresses in MANA

mana development has been chugging along nicely. However, the OffSec crew politely asked us to move mana to proper releases a while back, which we’ve just done. This is about one of the many changes pushed in our first new set of releases since October 2014: 1.3.1-Fixy McFixface. There’s a longer summary of what’s new available at the previous release page, 1.3-WPE & ACLs, with the WPE functionality extensions, taken from and inspired by Brad Antoniewicz’s work, being the coolest from a pwnage perspective.

When we first released mana, iOS devices had started probing less, were going to start with randomised MAC address probing (but hadn’t yet), and we knew that Android had patched the bug that led to leaky probes in low power mode. That’s why we built loud mode.

Since then, iOS, OSX, some Windows and Android devices have started using randomised MAC addresses to probe for networks on their preferred network list (PNL). Loud mode already caters for this, as it will record ESSIDs probed for by these random MACs, respond to them, and rebroadcast them to the non-random MACs. But this leads to a bit of a problem: proportionality.

mana is most effective in loud mode, because it will look at the probes from all devices and respond with those to all devices. That means networks that devices have remembered, but aren’t probing for, have a higher chance of showing up. However, this also means you have a chance of pwn-ing all devices around you, which isn’t desirable when you aren’t looking to break the law.

The obvious fix is to use MAC ACLs. However, these only come into effect at association level and don’t stop the device seeing or trying to connect to the rogue networks. So, we created an option to extend the MAC ACLs to management frames (i.e. probes & responses). This means you can effectively make the rogue AP invisible to devices you don’t want to see it (I’m not sure why normal APs don’t do this).

That’s great, but it means mana sees far fewer probes, especially since so many of them are from randomised MACs. Additionally, you may want to allow all MAC addresses from a specific manufacturer (e.g. the target org uses Dell laptops exclusively), and explicit ACLs are a hassle as you only know the OUIs. To handle this, we created a capability to add binary masks to the MAC ACLs (à la airodump-ng’s netmask functionality). There are some examples in the source. This means you can provide ACL rules in the hostapd.accept/deny files in the form <MAC> <MASK>:
02:00:00:00:00:00 02:00:00:00:00:00
11:22:33:00:00:00 ff:ff:ff:00:00:00
aa:bb:cc:dd:ee:ff

The above example will match all randomised MAC addresses (these have the second bit of the first octet set, which marks a locally administered MAC address), then match anything with an OUI of 11:22:33, and match the aa:… MAC exactly.

If the above ACLs are provided in whitelist mode, then you’ll get the benefit of seeing probes from devices using randomised MACs and, if in loud mode, mana will rebroadcast them to your target devices, but not to others. Yay, proportionality without limiting the effectiveness of mana!
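To make the mask semantics concrete, here is an added Python example (not mana’s or hostapd’s own code) that parses rules in the <MAC> <MASK> form shown above and checks MAC addresses against them; the sample rule text, the treatment of a missing mask as an exact match, and the # comment handling are constructed for this illustration.

```python
from typing import List, Tuple

# Constructed sample rules in the "<MAC> [<MASK>]" form described in the post.
SAMPLE_RULES = """\
# any locally administered (i.e. randomised) MAC
02:00:00:00:00:00 02:00:00:00:00:00
# any MAC with OUI 11:22:33
11:22:33:00:00:00 ff:ff:ff:00:00:00
# exact match: no mask means all 48 bits are significant (assumption)
aa:bb:cc:dd:ee:ff
"""

ALL_BITS = 0xFFFFFFFFFFFF  # 48-bit mask for an exact match


def mac_to_int(mac: str) -> int:
    """Convert 'aa:bb:cc:dd:ee:ff' (any case) to a 48-bit integer."""
    parts = mac.strip().lower().split(":")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError(f"bad MAC address: {mac!r}")
    return int("".join(parts), 16)


def parse_rules(text: str) -> List[Tuple[int, int]]:
    """Return (value, mask) pairs; value is pre-masked so matching is one AND."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        mac = mac_to_int(fields[0])
        mask = mac_to_int(fields[1]) if len(fields) > 1 else ALL_BITS
        rules.append((mac & mask, mask))
    return rules


def matches(mac: str, rules: List[Tuple[int, int]]) -> bool:
    """True if the MAC matches any rule: (mac & mask) == (rule & mask)."""
    m = mac_to_int(mac)
    return any((m & mask) == value for value, mask in rules)


def is_locally_administered(mac: str) -> bool:
    """Bit 0x02 of the first octet is the locally administered flag that
    MAC randomisation sets; a quick test for 'is this a randomised MAC'."""
    return bool((mac_to_int(mac) >> 40) & 0x02)
```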

Like I said above, the release is at GitHub. It also contains several binary packages.