I've been reading a few articles recently about the need for people to keep their network access anonymous. A seemingly popular method is to change out the MAC address of your interface every X amount of time. It appears to be a reasonable approach; many institutions rely solely on the MAC address for various types of provisioning and tracking. If you change this reported value, all of these mechanisms tracking your access seem to get confused. By no means do I claim this is the "be-all and end-all" of keeping your access anonymous, but it's nonetheless a good trick to keep in your belt.

In response to a few scripts and utilities I've seen floating around offering to adjust your MAC address for you, I figured I'd just write one that was better than the ones I've seen so far.

The tool

cmac.sh is a simple script that can help hide your system's true MAC address. It runs on OSX and Linux, and probably many other POSIX-compliant OSes. When run, the script loops through your available network interfaces and randomly assigns a new valid MAC address to any "inactive" interface. You can also specify anonymous mode, where it loops through the interfaces again every 30 seconds by default (configurable).

If you want to get courageous, you can even enable bump mode, which will down an active interface during each cycle so its MAC address can be adjusted. When using this mode, you may want to set the time parameter to something long, like 5 min or so, unless you don't mind having your active connections bumped every 30 seconds.

Additionally, you can use the -c flag to change the MAC of specific interfaces rather than all of them. For example: cmac.sh -c "en0 en1"

Remember to check out the help information (--help) before running this script.

This hasn't been heavily tested, so if you run into any bugs (or just have general questions) feel free to contact me about them.

About the randomization

This utility is designed to generate MAC-48 addresses. EUI-64 is not supported at this time. When generating the MAC addresses, I chose to embed the current list of assigned OUIs into the script (using base64) so I can keep this all self-contained. The script randomly selects one of the 19k+ OUIs and then (pseudo)randomly generates the remaining 3 octets for the address.

Why not randomly generate the OUI entirely? Well, there is a very small set of filtering systems out there that will actually verify your OUI against a list of those formally registered through IEEE. If they don't match, the connection will be dropped. I figured it wasn't very much work to add these in there and cover all use-case scenarios if I could. It does mean that the base64 string may need to be updated in the future to keep this list current, but fortunately they don't change often (and even if they did, 19k random OUIs is probably "good enough" for most people).
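The generation scheme described above, as an added sketch that is not taken from cmac.sh: the three-entry OUI_LIST is a constructed sample standing in for the embedded list, and all function names are hypothetical. It goes one step beyond the text by classifying an address from the two low bits of its first octet, a check that flags locally administered or multicast prefixes without any registry lookup.

```shell
#!/bin/sh
# Constructed sample list standing in for the ~19k OUIs cmac.sh embeds.
OUI_LIST="000C29 005056 080027"

# rand_hex N: N bytes from the kernel RNG as lowercase hex, no separators.
rand_hex() {
    od -An -N "$1" -tx1 /dev/urandom | tr -d ' \n'
}

# pick_oui: select one list entry using a 16-bit random index.
pick_oui() {
    set -- $OUI_LIST
    r=$(od -An -N2 -tu2 /dev/urandom | tr -d ' \n')
    shift $(( r % $# ))
    printf '%s' "$1"
}

# gen_mac: OUI from the list + 3 random octets, as aa:bb:cc:dd:ee:ff.
gen_mac() {
    printf '%s%s\n' "$(pick_oui)" "$(rand_hex 3)" |
        tr 'A-F' 'a-f' | sed 's/../&:/g; s/:$//'
}

# mac_kind MAC: classify by the two low bits of the first octet
# (bit 0 = multicast, bit 1 = locally administered).
mac_kind() {
    first=$(( 0x${1%%:*} ))
    if [ $(( first & 1 )) -ne 0 ]; then echo multicast
    elif [ $(( first & 2 )) -ne 0 ]; then echo local
    else echo universal
    fi
}

# has_known_oui MAC: succeed if the first three octets are in OUI_LIST.
has_known_oui() {
    prefix=$(printf '%s' "$1" | tr -d ':' | cut -c1-6 | tr 'a-f' 'A-F')
    case " $OUI_LIST " in
        *" $prefix "*) return 0 ;;
        *) return 1 ;;
    esac
}

m=$(gen_mac)
echo "$m kind=$(mac_kind "$m")"
```

A first octet drawn fully at random has one of those two bits set three times out of four, so it fails the bit check even before an OUI list is consulted.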


cmac.sh utility

Remember to chmod a+x this file before trying to run it!