Assuring Mac Address plausible deniability

I run my computer in a Live Linux CD/USB environment, and occasionally when using Tor modify (spoof) my computer's NIC Mac address - not my hardware router's Mac address.

Upon login to the administrator account to my router, I notice that quite a number of network records of my previously changed Mac addresses (for my computer) remain as a side effect and are not expunged after the session where both my hardware router and computer are powered off.

The router login is to a GUI interface, and there does not appear any way to expunge these records.

Perhaps one way would be to reset the hardware router to its factory defaults after saving the configuration modifications I made to improve its security and close the ISP's backdoor port. Presumably, the router's configuration could be restored (from the computer) since when the configuration is saved it is saved on the computer.

Has anyone noticed this example of spoofed Mac address router records (for the computer's NIC) on the router, and how would I go about removing these previous (spoofed) Mac address records from my hardware router in order to remove any association with them wrt any discovery process for associations with them that presumably would break plausible deniability.

 

If your LAN is privately owned by you why go through the trouble of spoofing the mac address as it is only used within your LAN? Now if I understand correctly you want to completely disable logging? Do you currently have logging enabled in your router?

You mentioned WRT, are you using DD-wrt firmware? Via GUI you can easily disable logging from router GUI (Administration -> Management -> Remote Access). Or you can kill the daemon named "syslogd".

Hope this helps.

 

Clear the ARP cache

 

Im with EncryptedBytes on this one. Im not really sure what your concern is. I could understand if you were using a public wifi location wanting to change your MAC. I dont see what advantage you get by changing your MAC when using your own private router that you own. Your ISP does not see your computer MAC they only see the one of your Cable/DSL modem. The only thing I could see you accomplishing is if someone raided you they could look at your router and see that your laptops MAC was not recorded and instead a different MAC is recorded. Dont know how much that would matter though because if you are at the point of being raided I am sure they would surely run forensics on your computer even though the MAC did not appear on your router logs. Maybe Im missing something but I just dont see why what you are doing is necessary.

 

Your ISP sees everything eeeeeverything. Its their network. Even my VPN provider sees my PC's MAC

 

What is "eeeeeverything"? How can an ISP see the MAC of a computer on your local network if you are behind a router? Your ISP only sees the MAC of your cable/dsl modem it does not see the MAC address of particular computers on your local network if you use a router. This has been discussed before here: https://www.wilderssecurity.com/showthread.php?t=313340

Do you have any information that shows that an ISP can see computer MAC addresses of computers connected to a router on a local network?

 

I don't see why your MAC would need to travel past the router since its purpose is to map a device onto one network.

But idk.

 

My VPN provider only sees the MAC of the Virtual Network Adapter, which differs from the PC's physical MAC. Conversely, my ISP only sees the physical MAC, but not the virtual one.

 

Cloning a MAC address into the WAN port of a router. If you want to insert a NAT router between your PC and the cable modem, you might want to avoid changing the client MAC address that the cable modem connects to. With the cloned MAC address in the router's WAN port, then as far as the cable modem is concerned, it is talking to the original PC.

Normally you do it to avoid having to register a new client MAC address with your ISP (if your ISP is one which requires registration of the MAC address of the connected device) and to avoid problems with the ISP's DHCP system not immediately issuing a new IP lease when the client MAC address changes

 

Mine see my MAC. If I use it in a virtual machine and change the MAC it detects my pc only as a different pc but I on the other hand use a mobile broadband aka 3G connection with a USB modem

 

Im not sure where you live or what your ISP does. Where I am my ISP ONLY requires to know the MAC address of the Cable/DSL modem. They do not ask for every computers network adapters MAC nor the MAC of a router. I guess I agree with you then. Yes I guess your ISP would have the MAC of your computer but only if you give it to them because it is required. Never heard of this before at least where I am. As far as an ISP detecting MAC addresses of computers on a local network behind a router then that is not possible. Do we agree on that?

 

Again

Cloning a MAC address into the WAN port of a router. If you want to insert a NAT router between your PC and the cable modem, you might want to avoid changing the client MAC address that the cable modem connects to. With the cloned MAC address in the router's WAN port, then as far as the cable modem is concerned, it is talking to the original PC.

Ever seen that option DMZ?

Most ISPs assign their IPs based on the MAC address in your equipment. If the MAC address of your router is 00-11-22-33-44-55 and you connect to your ISP, the DHCP server records your MAC and assigns an IP. If you disconnect from the ISP, you lose your IP address. The next time you connect, the DHCP server sees your MAC, looks to see if it has assigned an IP address to you before. If it has and the lease time has not expired, it will most likely give you the same IP address you had before disconnecting. Why clone a MAC address? New MAC address most likely equals new IP.

If you are running a server then you don't want that to happen so you clone your mac.

 

Back in the old days, BigISP would authenticate your account against the NIC. Then when routers got affordable, the MAC Clone feature was added to trick the ISP into thinking the router was the NIC. Nowadays, I've swapped routers in and out and never had a connection problem, or even lost the same dynamic IP. I think it's all based off the Cable Modem MAC, but defer to the smarter members for correction.

To the original question, you might be seeing DHCP leases. They persist (or can be made permanent) for a while. DD-WRT has a trash icon next to them so you can delete them.

PD

 

And again I say... LOL

Yes I guess your ISP would have the MAC of your computer but only if you give it to them because it is required.

Ok Let me be more specific what I mean when I say "give the ISP your computers MAC". If you clone your computers MAC to your router than YES your ISP knows your computers MAC address. If you do not do this than your ISP will not know your MAC address. I know some ISPs require to know your MAC Address. This is done by either requiring you to connect directly to the cable/dsl modem or if you are behind a router then clone your MAC to the router. If your ISP does not require this and you are behind a router and you HAVE NOT cloned your MAC to it then you are good to go. You ISP will not know your computers MAC in this case as long as your computer is not in the DMZ and is behind the NAT of the router. Once again Im not really sure you disagree with me. I just dont think we are understanding what each other is saying. This whole conversation started with you stating that your ISP sees "eeeeeverything". My whole point is that is not necessarily true depending on the setup.

 

There's a few MAC Spoofing threads on here, this is the most recent.

Here is the best MAC changer I have found, for Windows, and it's free. I may send the dev a few bucks, it's so good:

http://www.technitium.com/tmac/index.html

Remember, your Host Name (Computer Name) get's logged as well, so make it non-identifying and maybe rotate it with each visit to an open AP.

PD

Edit: Host Name Randomizer:

http://www.irongeek.com/i.php?page=security/random-host-name

Tested on Win 7 x64, added as trusted file in Comodo - works.

Edit 2: Ok, didn't realize IronGeek had a combined app for this. MadMACs. Installed and it works fine. Does both MAC and Host Name. I set the first octet to 02, instead of 00, per research on MACs for wireless adapters and Windows 7.

http://www.irongeek.com/i.php?page=security/madmacs-mac-spoofer

Remove 'sample' from sample dic.txt

 

I'd take anything "Spooony" says with a grain of salt really. It wouldn't be the first time he's brought forth nonsense to argue with without any form of backing it up. For example, what does cloning your MAC address to your router have to do with this thread, has it been mentioned by the author? No, he's simply spoofing his PC's MAC address, not cloning it. This action would ONLY affect the local network he is on.

Suggesting that the ISP has access to a PC's MAC address past the router is completely absurd without purposely doing that yourself, which clearly hasn't been suggested by the OP. Stating "Your ISP sees everything" is also laughable at best.

 

Your MAC address is used for mapping you onto the network. Your network has a router so the information never makes it past that point - it has no reason to and passing it would only make things more confusing. This is somewhat related to NAT and just... networking in general.

But yeah if you tell your ISP "Hey my MAC is XX:XX:XX:XX blah blah blah" they'll know. Or if you use something that specifically sends the MAC.