Bypassing Router’s Access Control List (ACL)

Introduction

Today I will be discussing a very simple concept to get around Access Control Lists using Ubuntu, although it is also possible though Windows. ACLs can be used to enforce network security by limiting portions of your network devices can access or even limit access to the internet. They are put in place to seclude hosts from certain parts of your enterprise or from accessing private infrastructures.

Modern home routers (or modem/router combos) include a basic Access Control feature to prevent users accessing the web. Depending on the router, time and dates can be configured to prevent devices from using the internet.

The following sections will cover:

  • Understanding The Router’s ACL Logic
  • Enabling ACL On The Router
  • Changing Interface MAC Address
  • Conclusion

Understanding The Router’s ACL Logic

Before we continue in discussing how to bypass ACLs on your home network, it is important to understand how the technologies in play function. This will provide us with more insight to why what we are doing works.

An Access Control List blocks devices based on their IP address. Router’s are considered layer 3 devices, meaning that they handle IP packets and pass it down to other layers for processing through encapsulation. Your home router keeps an ARP table that associates every IP address with its corresponding MAC address. When a request is being made from a device that has been blocked, the router inspects the packets and analyses the source IP address. If the source IP address match what is on its ACL, then the traffic is blocked.

When new devices join a network, and the MAC address is not associated with any IP address, the new machine is given an unused IP address. It is to say, that changing your MAC address will allow DHCP to provide your interface with a new IP address, therefore circumventing the applied restrictions.

Enabling ACL On The Router

Many routers have unique builds. Enabling Access Controls may differ from router to router but the concept behind them are similar. The device that will be blocked for demonstration purposes owns the IP address 192.168.0.16.

Enabling Access Control

Once this restriction is put in place, browsing the web will not be possible:

ACL in effect

ACL in effect

Changing Interface MAC Address

Changing your interface’s MAC address is very simple. I will be using a utility called MacChanger to spoof my MAC address. Please keep in mind that you can use built-in tools such as ‘ip’ and ‘ifconfig’ to change your MAC address. In Windows, you will need to change your adapter’s configuration. The changes that you make to your burned-in address will not persist across reboots.

It is always good practice to take note of your current MAC address just in case it is needed for another time. The following steps will guide you in installing MacChanger, obtaining your interface’s MAC address, brining your interface down, changing your MAC address, then brining your interface up to obtain a new IP address.

You can install MacChanger with the given command below:

sudo apt-get install macchanger

The following image displays our interface’s status (UP), IP address, and MAC address:

ifconfig wlan0
macchanger --show wlan0
ip a | grep wlan0

interface details

You will need to bring your interface down before you can proceed in acquiring a new MAC address.

ifconfig wlan0 down

After that is done, we can continue. I will be changing my MAC from “74:e5:43:30:78:a7” to “74:e5:43:30:78:a1”:

macchanger -m 74:e5:43:30:78:a1
ifconfig wlan0
ifconfig wlan0 up

Changing MAC address

It is important to keep in mind that brining your interface UP while it has a the old IP address with the new MAC address will cause conflict in your home network. In turn, you will be disconnected from the access point. Make sure that you are disabling and enabling your wireless after bringing your interface UP. This will allow the router to provide you an unused IP address for the new MAC address when you are re-authenticated to your wireless access point.

At this time, the new IP address is 192.168.0.14. We can confirm that the ACL in place for our device has been evaded:

ACL bypassed

Conclusion

Overall, understanding the conventions that rule your devices can be a powerful instrument. To recapitulate, bypassing your home router’s ACL can be accomplished by changing your MAC address in order to obtain a new IP address.

Hopefully everyone was able to take something with them after reading. If you would like any type of topic to be covered, do not hesitate to ask.

Happy hacking!

Advertisements