I've just built my first mach_kernel
Metzen
Mac Enthusiast
Join Date: Sep 2001
Location: Edmonton, Alberta
Nov 12, 2002, 07:58 AM
 
And it was a pain in the ass!

I wanted to try out MAC Spoofing in OS X so I did a little research on it, and let me tell you, it's not that easy.

You have to rebuild a mach_kernel but, unfortunately, the documentation is outdated to 10.1.1. This caused me about 2 hours worth of grief as I looked over failed compiles and tried to find the line of code that screwed everything up (thank you Apple Find by Content!)

But the Apple documentation wasn't very helpful, and the MAC spoofing wasn't helpful at all. Here came building your first kernel tutorial which helped a lot in doing a lot of step by step command line by command line sort of thing.

But I still couldn't compile past the line here:

make RC_OS=macos
sudo cp misc/seg_hack.NEW /usr/local/bin/seg_hack
cd ld
make RC_OS=macos kld_build
sudo cp static_kld/libkld.a /usr/local/lib

It was pissing me off. It was spewing an error that said it couldn't find file "sys/unistd.h"

Doing a quick Content search and I found the offending line(s) in the Makedep (I think) file of the ld directory. Looked ok to me. So I did another content search, but this time of the whole drive. Lo and behold I found file.h which was being referenced by the Makedep file and a quick search of that file revealed the exact same line:

"sys/unistd.h"

So I did a quick search on my hdd for unistd.h with visibility set to all and found 3 copies. I renamed the line of the file.h one to "/usr/include/sys/unistd.h" and retried the same command.

Voilà! Worked as a charm.

Then I tried adding the patches for the spoofing but going into the xnu directory (described how to do that here, which could be a thread in itself) and typing the following command as said in the Spoof patch file:
patch -p0 -b [--verbose --suffix=.orig] < ETHERSPOOF+RAW4ALL.patch

It wouldn't work. Didn't recognize --verbose or --suffix so I removed those lines and the patch worked. I don't know why, but it did.

And then I compiled a kernel following the instructions here.

And now I'm about to reboot...

Wish me luck!
Any intelligent fool can make things bigger, more complex, and more violent. It takes a touch of genius -- and a lot of courage -- to move in the opposite direction.
E. F. Schumacher
     
Mithras
Professional Poster
Join Date: Oct 1999
Location: :ИOITAↃO⅃
Nov 12, 2002, 09:38 AM
 
...and we have yet to hear back from him. Doesn't sound too good.

I do agree that if Apple actually wants any kernel hackers to help out with xnu, they should make it easy to compile a kernel and drop it in to OS X...
     
eno
Banned
Join Date: Sep 2000
Location: Fightclub
Nov 12, 2002, 09:49 AM
 
Well, compiling a new kernel SHOULD be easy. It is easy on FreeBSD, at least.

Would be nice though if Apple would just enable the ability to change MAC addresses using the ifconfig util, like you can on a lot of other Unix operating systems.

Failing that, rather than rebuilding the entire kernel, might be nice if it could be done with a dynamically loadable kernel extension module. No rebooting. Minimal risk. :-) Don't know if it's possible though.
     
dfiler
Grizzled Veteran
Join Date: Feb 2001
Location: Pittsburgh
Nov 12, 2002, 10:03 AM
 
Originally posted by eno:
Well, compiling a new kernel SHOULD be easy. It is easy on FreeBSD, at least.
Heheh. And re-milling your block head SHOULD be easy.
I guess context is everything aye?

How about: The process of compiling a new kernel SHOULD be well documented.
     
normyzo
Dedicated MacNNer
Join Date: Oct 1999
Nov 12, 2002, 11:39 AM
 
Originally posted by dfiler:
Heheh. And re-milling your block head SHOULD be easy.
I guess context is everything aye?

How about: The process of compiling a new kernel SHOULD be well documented.
True enough. And shame on Apple for not doing so. Aren't there how-tos at OpenDarwin.org or something? However, when you're compiling a kernel you're not the average user, so you should expect to have to know _something_ about what you're doing. FreeBSD is a breeze though, until your device drivers don't work for some reason. Example: isp scsi driver somehow changed from 4.6.2 to 4.7 and now my AlphaServer chokes on boot...

Still, couldn't Metzen have checked whether -I/usr/include was in the compile line and then added it? Wouldn't that have been a better solution?

Dan
     
normyzo
Dedicated MacNNer
Join Date: Oct 1999
Nov 12, 2002, 11:40 AM
 
Or you know what, if the line really was:

#include "sys/unistd.h"

then shouldn't it have been

#include <sys/unistd.h>

so the system includes paths would be picked up...
     
Millennium
Clinically Insane
Join Date: Nov 1999
Nov 12, 2002, 12:21 PM
 
I know Apple doesn't recommend using homebrew kernels on OSX. They say that they add some non-Open-Source stuff to it for the OSX version.

I'm not sure what impact that would have, though. It's entirely possible that the kernel might boot, minus some features (or perhaps not even minus features; I wouldn't put it past Apple to say that just to keep us from building kernels).

I've never heard of anyone actually trying to boot OSX off a Darwin kernel, though. Following Metzen's adventures here is going to be interesting.
You are in Soviet Russia. It is dark. Grue is likely to be eaten by YOU!
     
stew
Senior User
Join Date: Oct 2001
Nov 12, 2002, 12:39 PM
 
Originally posted by Millennium:
I know Apple doesn't recommend using homebrew kernels on OSX. They say that they add some non-Open-Source stuff to it for the OSX version.

I'm not sure what impact that would have, though. It's entirely possible that the kernel might boot, minus some features (or perhaps not even minus features; I wouldn't put it past Apple to say that just to keep us from building kernels).

I've never heard of anyone actually trying to boot OSX off a Darwin kernel, though. Following Metzen's adventures here is going to be interesting.
Really? I've been booting a homebrew kernel for weeks now (suppose it got wiped with the 10.2.2 update) and had no problems whatsoever.


Stink different.
     
Metzen  (op)
Mac Enthusiast
Join Date: Sep 2001
Location: Edmonton, Alberta
Nov 12, 2002, 01:29 PM
 
Ho ho, I'm back. My computer booted just fine with the new kernel, and though I haven't had the opportunity to test it extensively, I can note that, just like the known issues of that article articulates, my DHCP client was hosed. I could obtain an IP number but not access the internet. I couldn't ping anyone, including the IP given by my DHCP host! This makes this hack pretty useless for me, as I need to access DHCP.

As of yet I haven't tried changing the MAC address though, I'll have to read up on how to do that, but I've read good things about this utility for doing that, or other neato stuff.
Any intelligent fool can make things bigger, more complex, and more violent. It takes a touch of genius -- and a lot of courage -- to move in the opposite direction.
E. F. Schumacher
     
Detrius
Professional Poster
Join Date: Apr 2001
Location: Asheville, NC
Nov 12, 2002, 11:57 PM
 
Originally posted by Metzen:
Ho ho, I'm back. My computer booted just fine with the new kernel, and though I haven't had the opportunity to test it extensively, I can note that, just like the known issues of that article articulates, my DHCP client was hosed. I could obtain an IP number but not access the internet. I couldn't ping anyone, including the IP given by my DHCP host! This makes this hack pretty useless for me, as I need to access DHCP.

As of yet I haven't tried changing the MAC address though, I'll have to read up on how to do that, but I've read good things about this utility for doing that, or other neato stuff.
Seriously though... except for fun hacking purposes, what need would anyone have for changing their MAC address?
ACSA 10.4/10.3, ACTC 10.3, ACHDS 10.3
     
Metzen  (op)
Mac Enthusiast
Join Date: Sep 2001
Location: Edmonton, Alberta
Nov 13, 2002, 12:47 PM
 
Originally posted by Detrius:
Seriously though... except for fun hacking purposes, what need would anyone have for changing their MAC address?
It's a long story about my ISP being retards and limiting our internet access by registering our MAC addresses of our computer.

This may seem a typical thing for an ISP to do (and it is) but the whole other story goes like this...

Back sometime late last year Shaw cable purchased our cable-internet provider Videon. Now we never had a problem with Videon, their service was always exceptional and their policy with multiple computers connecting to the internet was this:

You can have as many computers as you want, but only two are allowed on the internet at any one time.

That sounded fine to me.

So now we have to go back three years when we first got our cable modem. My family, at the time, had 4 computers. If my mom wanted to access the internet when me and my brother were on the net (or just finished), one of us would release the IP and change to a static IP. My mom would then get on.

This was a very cumbersome process, obviously, so we had to find a workaround. The workaround was to set up a router with one of the Mac computers using IPNetRouter, since it allowed us to set up a router even though the computer has one NIC card, and all computers were connected together through a hub.

Worked as a charm, except that Videon still had our MAC addresses because even the cable modem was connected through the hub. I'm not saying it was bad that Videon had a list of our MAC addresses, but it got bad after Shaw took over Videon. Excluding the service problems we had, during the takeover (which occurred this year around March or April) I moved out on my own.

So, all was well and good for me, but problems started occurring at home shortly thereafter.

Shaw wouldn't release the IP's that they leased out, and every time our computers would reboot they'd receive another IP address, even though they were running through a pseudo-router. Shaw was reading our MAC addresses and assigning a new IP to that MAC address every reboot.

Eventually we had amassed a couple hundred IP addresses and they shut down our internet connection without notifying us first.

So we called them up and they stated to us that we had several hundred IP's leased to us and that, obviously, wasn't allowed.

So we informed them to either a) set the IP's to time out after X day(s) or b) limit the IP's as Videon had done.

So what did they do for us? They reset our service completely, logged the first 2 MAC addresses and locked the rest of us out. Now that may not seem like a bad thing, since we can get on the internet if we use our pseudo-router, but because it is a NAT I can't send files through MSN Messenger or use Timbuktu or VNC (hence the reason I'm experimenting with this).

And I wasn't one of the 2 computers because I had come home much too late... I had moved back after the reset, thus it is impossible to get my MAC address registered so I could use the internet for these special purposes.

And this is why I'm doing this.
Any intelligent fool can make things bigger, more complex, and more violent. It takes a touch of genius -- and a lot of courage -- to move in the opposite direction.
E. F. Schumacher
     
pavement
Junior Member
Join Date: Nov 2002
Location: underfoot
Nov 13, 2002, 01:04 PM
 
Originally posted by Metzen:
This was a very cumbersome process, obviously, so we had to find a workaround. The workaround was to set up a router with one of the Mac computers using IPNetRouter, since it allowed us to set up a router even though the computer has one NIC card, and all computers were connected together through a hub.
Maybe I'm missing something, but couldn't you just pick up a cheap router instead? My Linksys lets me assign it whatever MAC address I choose and assigns IPs to the computers on my network with DHCP. The WAN just sees one MAC address and assigns one IP.

WAN -> Router/DHCP server -> A room full of computers

Of course, that's not as exciting as compiling your own kernel, I guess.
     
Oneota
Professional Poster
Join Date: May 2000
Location: Urbandale, IA
Nov 13, 2002, 01:07 PM
 
Originally posted by Metzen:


It's a long story about my ISP being retards and limiting our internet access by registering our MAC addresses of our computer.
Yuck! Sounds like it's time to switch broadband providers.

Seriously; I've never understood where internet access providers get off telling people what they can and cannot do with the bandwidth their customers are buying from them.

As long as I don't take more than the bandwidth you're selling me (which requires you to have some means of enforcing that), I should be able to do whatever I want with my x kilobits/second.
"Yields a falsehood when preceded by its quotation" yields a falsehood when preceded by its quotation.
     
Metzen  (op)
Mac Enthusiast
Join Date: Sep 2001
Location: Edmonton, Alberta
Nov 13, 2002, 01:19 PM
 
Originally posted by pavement:


Maybe I'm missing something, but couldn't you just pick up a cheap router instead? My Linksys lets me assign it whatever MAC address I choose and assigns IPs to the computers on my network with DHCP. The WAN just sees one MAC address and assigns one IP.

WAN -> Router/DHCP server -> A room full of computers

Of course, that's not as exciting as compiling your own kernel, I guess.
Not quite. I'm a piss poor student right now. I go to school fulltime blah blah blah blah blah.

Needless to say, I have no $$. My parents don't see this as an issue as they don't do Timbuktu, VNC, MSN, etc.

SO, this is where I stand.
Any intelligent fool can make things bigger, more complex, and more violent. It takes a touch of genius -- and a lot of courage -- to move in the opposite direction.
E. F. Schumacher
     
Eug
Clinically Insane
Join Date: Dec 2000
Location: Caught in a web of deceit.
Nov 13, 2002, 01:41 PM
 
Originally posted by Detrius:


Seriously though... except for fun hacking purposes, what need would anyone have for changing their MAC address?
My coffee shop said I could use their wireless internet access for free if I had my own wireless card and I was a paying customer for their coffee. Unfortunately, they've limited the access to a few specific MAC addresses so that not every shmoe sitting outside the store and in the condo building next door can access the network. So this is sort of like a hacking purpose, known and supported by the store owner.

Also, it seems that the ISP issue is all too common.
     
[APi]TheMan
Mac Elite
Join Date: Sep 2001
Location: Chico, CA and Carlsbad, CA.
Nov 13, 2002, 02:21 PM
 
Originally posted by Eug:

My coffee shop said I could use their wireless internet access for free if I had my own wireless card and I was a paying customer for their coffee. Unfortunately, they've limited the access to a few specific MAC addresses so that not every shmoe sitting outside the store and in the condo building next door can access the network. So this is sort of like a hacking purpose, known and supported by the store owner.

Also, it seems that the ISP issue is all too common.
Interesting, couldn't they just password the network... And even change it every so often?
"In Nomine Patris, Et Fili, Et Spiritus Sancti"

     
Millennium
Clinically Insane
Join Date: Nov 1999
Nov 13, 2002, 02:28 PM
 
Originally posted by stew:

Really? I've been booting a homebrew kernel for weeks now (suppose it got wiped with the 10.2.2 update) and had no problems whatsoever.
Whoa. Didn't know that. So either Apple's improved Darwin since they made that announcement, or their little "don't use a Darwin kernel on OSX" bit was crap the whole time. Frankly, I don't know which is more likely.

Okie; so you can run Darwin kernels on OSX now. Good to know.
You are in Soviet Russia. It is dark. Grue is likely to be eaten by YOU!
     
Metzen  (op)
Mac Enthusiast
Join Date: Sep 2001
Location: Edmonton, Alberta
Nov 13, 2002, 04:23 PM
 
Originally posted by Millennium:
Whoa. Didn't know that. So either Apple's improved Darwin since they made that announcement, or their little "don't use a Darwin kernel on OSX" bit was crap the whole time. Frankly, I don't know which is more likely.

Okie; so you can run Darwin kernels on OSX now. Good to know.
Kick ass easy to install too. Just drag and drop
Any intelligent fool can make things bigger, more complex, and more violent. It takes a touch of genius -- and a lot of courage -- to move in the opposite direction.
E. F. Schumacher
     
Metzen  (op)
Mac Enthusiast
Join Date: Sep 2001
Location: Edmonton, Alberta
Nov 14, 2002, 02:32 AM
 
Ok, a little update on my adventures...

After playing with ettercap for a while, it seems like a neat program, but I have no idea what to do with it. I've gotten to the point where it looks like it's spoofing another computer's MAC address by ARP poisoning, but going on another computer and arp -a brings up the correct MAC address on my Mac.

Bloody... Bloody hell.

So I looked at other options and found the MAC address stored in these two .xml files:

preferences.xml
NetworkInterfaces.xml

Thinking that maybe.. Just maybe Apple made this as easy as changing the settings in those files I changed them, and then rebooted.

No Go

Bloody... Bloody hell.

Alrighty, back to square one. The Unix command ifconfig allows you to change your IP address on the fly using the command:

ether OR
lladdr

As it says straight from the man pages:

Code:
ether   Another name for the lladdr parameter.

lladdr addr
        Set the link-level address on an interface. This can be used to
        e.g. set a new MAC address on an ethernet interface, though the
        mechanism used is not ethernet-specific. The address addr is
        specified as a series of colon-separated hex digits. If the
        interface is already up when this option is used, it will be
        briefly brought down and then brought back up again in order to
        ensure that the receive filter in the underlying ethernet
        hardware is properly reprogrammed.

Ok then, we're getting somewhere! So let's try this little puppy out!

ifconfig en0 ether 00:00:XX:XX:XX:XX
ifconfig: ioctl (SIOCAIFADDR): Operation not supported

Bloody... Bloody hell.

SO, now it appears if I can get SIOCAIFADDR to work by finding where it is in the darwin source code, I should be able to get this to work.

Oi boy.
Any intelligent fool can make things bigger, more complex, and more violent. It takes a touch of genius -- and a lot of courage -- to move in the opposite direction.
E. F. Schumacher
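
The `arp -a` comparison described in the post above, as an added example that is not part of the original post: a Python sketch that parses two BSD/macOS-style `arp -a` snapshots and reports IP addresses whose MAC binding changed and MACs that answer for more than one IP. The sample output, all addresses and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# BSD/macOS `arp -a` line: "<host> (<ip>) at <mac> on <ifname> ..."
ARP_LINE = re.compile(r"^\S+ \((\d{1,3}(?:\.\d{1,3}){3})\) at (\S+) on (\S+)")
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed snapshots taken from a second machine on the same segment.
BASELINE = """
? (192.168.1.1) at 2:0:0:0:0:1 on en0 [ethernet]
? (192.168.1.10) at 2:0:0:0:0:a on en0 [ethernet]
? (192.168.1.20) at 2:0:0:0:0:14 on en0 [ethernet]
? (192.168.1.30) at (incomplete) on en0 [ethernet]
"""
CURRENT = """
? (192.168.1.1) at 2:0:0:0:0:14 on en0 [ethernet]
? (192.168.1.10) at 2:0:0:0:0:a on en0 [ethernet]
? (192.168.1.20) at 2:0:0:0:0:14 on en0 [ethernet]
"""


def normalize_mac(mac):
    """Return 'aa:bb:cc:dd:ee:ff' (BSD arp drops leading zeros), or None."""
    parts = mac.lower().split(":")
    if len(parts) != 6:
        return None
    if not all(re.fullmatch(r"[0-9a-f]{1,2}", p) for p in parts):
        return None
    return ":".join(p.zfill(2) for p in parts)


def parse_arp_table(text):
    """Map IP -> normalized MAC, skipping incomplete and broadcast entries."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if not m:
            continue
        mac = normalize_mac(m.group(2))
        if mac is None or mac == BROADCAST:
            continue
        table[m.group(1)] = mac
    return table


def ip_key(ip):
    """Sort key that orders dotted quads numerically."""
    return tuple(int(octet) for octet in ip.split("."))


def compare_tables(baseline, current):
    """Return findings: changed IP->MAC bindings and MACs shared by several IPs."""
    findings = []
    for ip in sorted(current, key=ip_key):
        old = baseline.get(ip)
        if old is not None and old != current[ip]:
            findings.append(("changed", ip, old, current[ip]))
    by_mac = defaultdict(list)
    for ip, mac in current.items():
        by_mac[mac].append(ip)
    for mac in sorted(by_mac):
        if len(by_mac[mac]) > 1:
            # A router doing proxy ARP can cause this legitimately; treat as a lead.
            findings.append(("shared", mac, sorted(by_mac[mac], key=ip_key)))
    return findings


if __name__ == "__main__":
    for finding in compare_tables(parse_arp_table(BASELINE), parse_arp_table(CURRENT)):
        print(finding)
```

A gateway address that suddenly resolves to the same MAC as an ordinary host is the pattern that shows up in both finding types at once.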
     
Metzen  (op)
Mac Enthusiast
Join Date: Sep 2001
Location: Edmonton, Alberta
Nov 18, 2002, 04:34 PM
 
Originally posted by Metzen:
SO, now it appears if I can get SIOCAIFADDR to work by finding where it is in the darwin source code, I should be able to get this to work.

Oi boy.
Ok, so another update on my Kernel building adventures...

I've decided I'm going to build a tutorial on how to build a kernel current with 10.2, but I've been unable to get the latest 10.2.2 kernel because I don't know the xnu build number (10.2 is 344). I guess I could try multiple numbers in ascending order till it tells me there is none, but:

a) I haven't had a chance to do so
b) I've been too lazy to do so yet
c) I don't know what the hell I'm doing

All in all this is pretty fun, pretty cool stuff.

I did some searches on the xnu source codes and I've found one instance of SIOCAIFADDR in one of the source files.

Perhaps a programmer can tell me why it won't work, whether it's being disabled or not. I haven't had a chance to compare it with the FreeBSD or OpenBSD kernels, but I would suspect that they're sufficiently different to be incompatible.

Has anyone else had any luck MAC spoofing?

Oh, and I've had to remove my newly built kernel (10.2 fame) recently because it doesn't support the JFS addition of HFS+, and thus all my volumes that I enabled journalling on didn't load on startup except for the boot drive, which disabled the JFS addition on bootup. JFS was reenabled after I replaced my new kernel with the 10.2.2 kernel.

Yah!
Any intelligent fool can make things bigger, more complex, and more violent. It takes a touch of genius -- and a lot of courage -- to move in the opposite direction.
E. F. Schumacher
     
Eug
Clinically Insane
Join Date: Dec 2000
Location: Caught in a web of deceit.
Nov 18, 2002, 04:44 PM
 
Originally posted by [APi]TheMan:

Interesting, couldn't they just password the network... And even change it every so often?
Well, the problem here was that it was set up for complete non-computer people. ie. Set it up once and forget about it. Remember, we're talking about coffee shop employees here.

It's a moot point now though, since they've removed the access point and internet access. Guess it didn't make them much money (thru 802.11b card rentals) or significantly increase the number of customers. Most people just read the paper.
     
Big Mac
Clinically Insane
Join Date: Oct 2000
Location: Los Angeles
Nov 18, 2002, 04:47 PM
 
With all of the time you've expended on this project, it would have been infinitely more productive to get a router, IMO. You can spend the extra hours programming for real money, right? Wired routers are cheap and reliable.

"The natural progress of things is for liberty to yield and government to gain ground." TJ
     
Metzen  (op)
Mac Enthusiast
Join Date: Sep 2001
Location: Edmonton, Alberta
Nov 18, 2002, 08:29 PM
 
Originally posted by Big Mac:
With all of the time you've expended on this project, it would have been infinitely more productive to get a router, IMO. You can spend the extra hours programming for real money, right? Wired routers are cheap and reliable.
Some people look for the easy way out, others...

But seriously, I'm not a real programmer, I just dabble in it. I'm playing with C and Objective-C and at present I'm finding C easier to work with.

Meh.

Anyways, as a student, my time value is depreciated greatly
Any intelligent fool can make things bigger, more complex, and more violent. It takes a touch of genius -- and a lot of courage -- to move in the opposite direction.
E. F. Schumacher
     
Avon
Senior User
Join Date: Mar 1999
Location: Livingston NJ USA
Nov 18, 2002, 09:27 PM
 
Originally posted by Metzen:


Not quite. I'm a piss poor student right now. I go to school fulltime blah blah blah blah blah.
If you put a value on all the time you spent trying to get something to work I bet it's something like 2 bucks/hour as opposed to buying a router that just works out of the box.

I know you can scrape together 50 bucks. It really is the best solution and ultra reliable.

Also if you really wanted to get cheap, you can find a PC in the trash and load a barebones linux os from a floppy. There is plenty of documentation online and boot images.
http://perso.club-internet.fr/ffaure...routersfw.html

I have found so many Pentiums, 486's and 386's with NICs in the garbage.

I recommend the router though, it's so cheap.
( Last edited by Avon; Nov 18, 2002 at 09:32 PM. )
     
yukon
Mac Elite
Join Date: Oct 2000
Location: Amboy Navada, Canadia.
Nov 18, 2002, 10:41 PM
 
tried it a ways back to add dummynet. it was hell, after the fourth error, finally one in one of the programs (like a programming error) that I couldn't fix stalled my efforts. oh well, I made a solution in VPC, and dummynet is in 10.2 if i ever need it.

hmm, i thought i saw a mac spoofing program a while back...All i can find is the xnu recompile now
This insanity brought to you by:
The French CBC, driving antenna users mad since 1937.
     
Metzen  (op)
Mac Enthusiast
Join Date: Sep 2001
Location: Edmonton, Alberta
Nov 19, 2002, 02:13 AM
 
Originally posted by Avon:
Also if you really wanted to get cheap, you can find a PC in the trash and load a barebones linux os from a floppy. There is plenty of documentation online and boot images.
http://perso.club-internet.fr/ffaure...routersfw.html

I have found so many Pentiums, 486's and 386's with NICs in the garbage.

I recommend the router though, it's so cheap.
Ok, we're already looking into the cheap PC router as an option as well. We're just waiting on the cable.

It seems to me people are more interested in why I just don't take the lazy way out, well, I guess I enjoy fiddling.

As for the PC router thing, will I be able to Timbuktu, VNC, or such into my machine that is behind the router? I don't think so... Timbuktu and VNC the client software needs to connect to the server/viewer software, and for that you either need an IP address accessible from the internet.

Unless I'm waaay off base here and someone can do this behind a NAT, I'd be interested in that solution.
Any intelligent fool can make things bigger, more complex, and more violent. It takes a touch of genius -- and a lot of courage -- to move in the opposite direction.
E. F. Schumacher
     
smeger
Mac Elite
Join Date: Sep 2000
Location: Tempe, AZ
Nov 19, 2002, 02:34 AM
 
You can do that behind NAT by using port forwarding.

As far as building your own kernel goes, I for one am very interested in hearing about it. I dig on tinkering like this, too.
Geekspiff - generating spiffdiddlee software since before you began paying attention.
     
Metzen  (op)
Mac Enthusiast
Join Date: Sep 2001
Location: Edmonton, Alberta
Nov 19, 2002, 02:44 PM
 
Originally posted by smeger:
You can do that behind NAT by using port forwarding.

As far as building your own kernel goes, I for one am very interested in hearing about it. I dig on tinkering like this, too.
But then what IP do I specify for the machine that is behind the NAT?
Any intelligent fool can make things bigger, more complex, and more violent. It takes a touch of genius -- and a lot of courage -- to move in the opposite direction.
E. F. Schumacher
     
BKuchta
Junior Member
Join Date: Feb 2001
Nov 19, 2002, 06:18 PM
 
You can configure the router to forward all requests to a certain port range to any given internal address. So from the outside, you just type in the address of your router, and it forwards the connection to the internal network address of the computer you're trying to reach. Works like magic.
     
muchfresh
Mac Enthusiast
Join Date: Jan 2001
Location: ny ny usa
Nov 19, 2002, 08:54 PM
 
Screw the EZ way. I would be very interested in reading a writeup on how to recompile the OSX to include ethernet spoofing. Very cool stuff and good luck.
'Satisfy the urge and discover the need' Q-Tip
     
Metzen  (op)
Mac Enthusiast
Join Date: Sep 2001
Location: Edmonton, Alberta
Nov 21, 2002, 01:24 AM
 
The latest xnu version you can grab from CVS is 344-2 I believe.

Doing a uname -a gives me the following:

6.2 Darwin Kernel Version 6.2: Tue Nov 5 22:00:03 PST 2002; root:xnu/xnu-344.12.2.obj~1/RELEASE_PPC Power Macintosh powerpc

I'll be right back!
Any intelligent fool can make things bigger, more complex, and more violent. It takes a touch of genius -- and a lot of courage -- to move in the opposite direction.
E. F. Schumacher
     
Some Guy []
Forum Regular
Join Date: Aug 2001
Nov 21, 2002, 01:41 AM
 
Good luck, i'd love to get this working in osx :)

I'll probably start playing with the kernel sources tonight, thanks for all the resources you've posted so far!


-justin
     
yuriwho
Dedicated MacNNer
Join Date: Oct 2000
Location: WI, USA
Nov 21, 2002, 01:44 AM
 
Metzen, do not let the 'buy a router' types thwart your mission of becoming one with the kernel.

You are blazing a trail....light a fire! And many will follow.

Y
     
Metzen  (op)
Mac Enthusiast
Join Date: Sep 2001
Location: Edmonton, Alberta
Nov 21, 2002, 03:29 AM
 
Ok, first, an issue I've had before but didn't post:

When attempting to apply the Ethernet Spoof patch
(the instructions in the patch file say to do this):

Code:
patch -p0 -b (--verbose --suffix=.orig) < ETHERSPOOF+RAW4ALL.patch
I get the following:

Code:
patch -p0 -b [--verbose --suffix=.orig] < ETHERSPOOF+RAW4ALL.patch
patch: **** Can't find file '[--verbose' : No such file or directory

Checking the man for patch tells me the following:

(for the -p0 option)

Code:
-pnum or --strip=num
   Strip the smallest prefix containing num leading slashes from each
   file name found in the patch file. A sequence of one or more adjacent
   slashes is counted as a single slash. This controls how file names
   found in the patch file are treated, in case you keep your files in a
   different directory than the person who sent out the patch. For
   example, supposing the file name in the patch file was

      /u/howard/src/blurfl/blurfl.c

   setting -p0 gives the entire file name unmodified, -p1 gives

      u/howard/src/blurfl/blurfl.c

   without the leading slash, -p4 gives

      blurfl/blurfl.c

   and not specifying -p at all just gives you blurfl.c. Whatever you
   end up with is looked for either in the current directory, or the
   directory specified by the -d option.

Ok, so that's got nothing to do with --verbose... moving along we find in the man:

Code:
-b or --backup
   Make backup files. That is, when patching a file, rename or copy the
   original instead of removing it. When backing up a file that does not
   exist, an empty, unreadable backup file is created as a placeholder
   to represent the nonexistent file. See the -V or --version-control
   option for details about how backup file names are determined.

Peachy, so we're making a backup file of the originals we patch, nice to know, but nothing special here...

Code:
--verbose Output extra information about the work being done.
Ok, so why is --verbose in brackets? The synopsis says:

Code:
SYNOPSIS
   patch [options] [originalfile [patchfile]]

   but usually just

   patch -pnum <patchfile

So I can see the first line coming into play, but then why the error? Can you not combine -p# and -b with [options]? or do they all have to be in the brackets...

I don't know. I've tried various combinations to no avail. Maybe someone else can spot the flaw, but I'm up the creek without a paddle as far as figuring that out.

I managed to get it to work by going:

trententtye% patch -p0 --backup --suffix=.orig] < ETHERSPOOF+RAW4ALL.patch

But I do not know why. The output it gave me was:
Code:
patching file bsd/conf/MASTER
patching file bsd/net/ether_if_module.c
patching file bsd/netinet/if_ether.c
patching file bsd/kern/uipc_socket.c

So it appears to have worked.

I'm putting on the FORCE_VERBOSE.patch just to make sure that these patches are working. (The FORCE_VERBOSE.patch makes your computer start in Verbose mode, which you can accomplish by pressing Option-V on startup).

And for that patch I have to do the same thing, remove "[--verbose" and it patches successfully or so it seems.

Now I'm going to build the kernel and try installing it and rebooting.

Be back in a bit.
Any intelligent fool can make things bigger, more complex, and more violent. It takes a touch of genius -- and a lot of courage -- to move in the opposite direction.
E. F. Schumacher
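
The -pnum rule quoted from the patch man page in the post above, worked through in shell as an added example that is not part of the original thread. The function names strip_prefix and target_path are made up for this sketch, and failing on a name with too few slashes is an assumption of the sketch.

```shell
#!/bin/sh
# Added illustration of the -pnum rule from the patch(1) text quoted above.
# strip_prefix and target_path are names invented for this sketch.

# strip_prefix NUM NAME -> prints the file name patch would look for.
# An empty NUM models "no -p given", which keeps only the base name.
strip_prefix() {
    sp_num=$1
    # A sequence of adjacent slashes counts as a single slash.
    sp_name=$(printf '%s' "$2" | tr -s '/')
    if [ -z "$sp_num" ]; then
        printf '%s\n' "${sp_name##*/}"
        return 0
    fi
    sp_i=0
    while [ "$sp_i" -lt "$sp_num" ]; do
        case $sp_name in
            */*) sp_name=${sp_name#*/} ;;  # drop everything up to and including one slash
            *)   return 1 ;;               # assumption: too few slashes means no usable name
        esac
        sp_i=$((sp_i + 1))
    done
    printf '%s\n' "$sp_name"
}

# target_path DIR NUM NAME -> where the stripped name is looked up
# (DIR is the current directory or the one given with -d).
target_path() {
    tp_rel=$(strip_prefix "$2" "$3") || return 1
    printf '%s/%s\n' "${1%/}" "$tp_rel"
}

# File names taken from the "patching file" output in the post.
for f in bsd/conf/MASTER bsd/net/ether_if_module.c \
         bsd/netinet/if_ether.c bsd/kern/uipc_socket.c; do
    printf '%-28s -p0: %-28s -p1: %s\n' \
        "$f" "$(strip_prefix 0 "$f")" "$(strip_prefix 1 "$f")"
done
```

With -p0 the names stay bsd/..., so they resolve from the directory that contains bsd/; with -p1 they become conf/MASTER and so on, which would only resolve from inside bsd/.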
     
Mithras
Professional Poster
Join Date: Oct 1999
Location: :ИOITAↃO⅃
Nov 21, 2002, 08:41 AM
 
Brackets just mean a command-line option is optional. You don't actually type the brackets.

Example:

NAME
ls - list directory contents

SYNOPSIS
ls [-ACFLRSTWacdfgiklnoqrstux1] [file ...]


means that you can just type
ls
or you can type
ls -A /Volumes

So try your patch command again, like this:
patch -p0 -b --verbose --suffix=.orig < ETHERSPOOF+RAW4ALL.patch

and good luck!
     
Metzen  (op)
Mac Enthusiast
Join Date: Sep 2001
Location: Edmonton, Alberta
Nov 22, 2002, 12:55 AM
 
Originally posted by Metzen:
The latest xnu version you can grab from CVS is 344-2 I believe.

Doing a uname -a gives me the following:

6.2 Darwin Kernel Version 6.2: Tue Nov 5 22:00:03 PST 2002; root:xnu/xnu-344.12.2.obj~1/RELEASE_PPC Power Macintosh powerpc

I'll be right back!
uname -a
Darwin Trentent-Tyes-Computer.local. 6.1 Darwin Kernel Version 6.1: Thu Nov 21 01:13:06 MST 2002; root:BUILD/obj/RELEASE_PPC Power Macintosh powerpc

That's the current built kernel that I downloaded from CVS. Seems it's a version behind Apple's. I think it's the latest one you can download, so this is kind of a bummer as disk journalled volumes no longer mount.
     
Some Guy []
Forum Regular
Join Date: Aug 2001
Nov 23, 2002, 06:28 AM
 
Any luck getting MAC spoofing to work with DHCP now that you've properly patched the kernel?

Also, did DHCP work at all even when you weren't trying to spoof your MAC?


-justin
     
Metzen  (op)
Mac Enthusiast
Join Date: Sep 2001
Location: Edmonton, Alberta
Nov 23, 2002, 07:11 PM
 
Originally posted by Some Guy []:
Any luck getting MAC spoofing to work with DHCP now that you've properly patched the kernel?

Also, did DHCP work at all even when you weren't trying to spoof your MAC?


-justin
Nope, no luck with the patched kernel. I found this utility that was supposed to take advantage of the hack. But it required libpcap and libnet.

I managed to compile libpcap fine, but libnet would not compile. So I got to this page where there were more detailed instructions on compiling the source.

No dice...

So I downloaded the OSX_dsniff which comes with utilities such as arpspoof which sounds perfect for what I want.

So I ran the included install script, read the examples on arpspoof and tried it out. It changed my MAC address to ff:ff:ff:ff:ff:ff. Yeah! Half way there, or so I thought. When arpspoof changed my MAC address, it munged with other stuff as well that rendered my NIC inoperable. I couldn't ping, arp, anything!

Removing the setting didn't do anything, so yesterday I spent reinstalling MacOS X. Fortunately, MacOS X has the "archive and install" feature so I didn't lose any files, and kept 90% of my settings.

And now I'm tired. I'll try again some other time, hopefully someone else will find this information useful to them, or at least I will when I start up again.
     
   
 
All times are GMT -4.
All contents of these forums © 1995-2017 MacNN. All rights reserved.