Authentication / Mac Spoofing of Device with Known Psk



MAC Spoofing of Device with known PSK is a type of authentication vulnerability (CWE-287) that occurs in infrastructure. It is a type of attack in which the attacker changes the MAC address of the device with a known pre-shared key (PSK) in order to gain access to the network. This attack is commonly used to bypass authentication protocols and gain access to the network. According to the OWASP Testing Guide, the attacker can use this attack by first obtaining the MAC address of the device, then spoofing the MAC address of the device with the known PSK and finally attempting to authenticate with the network.


This vulnerability has a high risk of compromising the security of the network. The attacker can gain access to the network by bypassing authentication protocols. This could lead to the attacker having access to sensitive data and resources on the network. This can cause severe damage to the network and can have serious implications for the security of the organization.


The best way to protect against this vulnerability is to implement strong authentication protocols. This can be done by using two-factor authentication, or by using a combination of public key authentication and password authentication. Additionally, organizations should also employ network segmentation and network access control to limit the access of the attacker.


The following code example is based on a CVE-2020-5384 vulnerability and shows a basic example of MAC spoofing of a device with a known PSK.

// Set the source MAC address to the known PSK 
int set_mac_address(char *mac_addr) 
    if (strlen(mac_addr) != 17) 
        return -1; 
    // Set up the netlink socket 
    int sockfd; 
    sockfd = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE); 
    // Create the payload 
    struct nlmsghdr *nlhdr; 
    struct ifaddrmsg *ifaddr; 
    struct rtattr *rta_mac; 
    char *payload; 
    nlhdr = (struct nlmsghdr *) malloc(NLMSG_SPACE(sizeof(struct ifaddrmsg) + RTA_LENGTH(6))); 
    ifaddr = NLMSG_DATA(nlhdr); 
    rta_mac = (struct rtattr *) IFA_RTA(ifaddr); 
    payload = (char *) RTA_DATA(rta_mac); 
    // Fill the payload with the new MAC address 
    memcpy(payload, mac_addr, 6); 
    // Set up the netlink header 
    nlhdr->nlmsg_len = NLMSG_SPACE(sizeof(struct ifaddrmsg) + RTA_LENGTH(6)); 
    nlhdr->nlmsg_flags = NLM_F_REQUEST; 
    nlhdr->nlmsg_type = RTM_NEWADDR; 
    // Set up the ifaddr structure 
    ifaddr->ifa_family = AF_PACKET; 
    ifaddr->ifa_index = 0; 
    ifaddr->ifa_prefixlen = 6; 
    // Set up the rtattr structure 
    rta_mac->rta_len = RTA_LENGTH(6); 
    rta_mac->rta_type = IFA_ADDRESS; 
    // Send the request 
    sendto(sockfd, nlhdr, nlhdr->nlmsg_len, 0, (struct sockaddr *)&saddr, sizeof(saddr)); 
    // Free the allocated memory 
    return 0; 

Curious? Convinced? Interested?

Arrange a no-obligation consultation with one of our product experts today.