· Delowar Hossain · Security  · 2 min read

How I hacked my Manager!

My employer bound internet access to device MAC addresses. So I cloned my phone's MAC onto an unrecognized laptop to prove the control could be bypassed.

My employer bound internet access to device MAC addresses. So I cloned my phone's MAC onto an unrecognized laptop to prove the control could be bypassed.

I am always the guy in the room who likes to poke things even if those are not my field. I work in a Software Firm located in Bangladesh. We provide ERP solutions to different firms. But that’s not today’s part.

One thing got my attention when I joined. My employer took my mobile’s MAC address to approve my internet access. The motive was to prevent someone who knows the password but cannot access the internet due to device MAC binding. It’s a good feature but you need some more configuration applied along with this to get the perfect result.

One afternoon, I was talking to my colleague about MAC Cloning. My manager was passing and my colleague brought his attention. So, it’s a challenge now. I must show my manager that the current security feature must be improved and can be bypassed. It’s a challenge for me now, as I was arguing with my manager.

The following is my process list of how I bypassed MAC to get me internet access on an unrecognized device.

I booted up Ubuntu Mint and installed macchanger.

At first, I need to scan the network to find out the connected device. But as my mobile was already connected I know at least my MAC address. So, gladfully I skipped the initial stage.

Secondly, I had to shut down my network card.

ifconfig DEVICE down

Then I changed my laptop’s mac address.

macchanger -m XX:XX:XX:XX:XX:XX DEVICE

Then I had to power up my network card.

ifconfig DEVICE up

And that’s it. I could browse the internet from the unauthenticated laptop and the router was treating the laptop as my mobile as I cloned my mobile’s MAC to the laptop.

Note: “My manager took this action very positively and didn’t cause any trouble as I mentioned the threat earlier. Your manager may NOT.”

Back to Blog

Related Posts

View All Posts »
Troubleshooting Android APP Repinning

Troubleshooting Android APP Repinning

The messy real-world debugging story behind getting a target app to install and run for certificate pinning bypass — where the Play Store, ARM translation, and mismatched APKs all got in the way.

Starting With Android App Testing

Starting With Android App Testing

A step-by-step walkthrough of setting up an Android app testing environment with adb, Genymotion, and Frida — and bypassing SSL certificate pinning.