Rolling Thunder Security · Codex · Network Security 03

MAC Addresses & the OUI

Every network interface has a 48-bit MAC address burned in by the manufacturer. The first three bytes name the vendor; the last three identify the specific device. That used to be a reliable fingerprint. Today, every modern phone, laptop, and operating system can change it on demand, and most of them do.

Format · 48 bits / 6 octets
OUI · first 3 octets
Authority · IEEE

01
The Concept

A name burned into the silicon

A Media Access Control (MAC) address is the layer-2 identifier for a network interface. When the manufacturer builds the network card, they write a 48-bit number into the card's read-only memory. That number is what the card uses to identify itself on the local network. Every Ethernet frame that crosses the wire carries a source MAC and a destination MAC.

In theory, every MAC address in the world is unique. To make that work, the Institute of Electrical and Electronics Engineers (IEEE) hands out the first three bytes (the Organizationally Unique Identifier, or OUI) to manufacturers who register and pay a fee. Each manufacturer can then assign the remaining three bytes however they like, giving every vendor 16,777,216 unique device IDs per OUI.

The neighborhood, not the highway

MAC addresses only matter on the local link. The moment a packet crosses a router, the layer-2 frame around it is thrown away and a new one is built with the next hop's MAC addresses. Your MAC address never leaves your subnet. This is why MACs are a useful local fingerprint but never appear at remote endpoints.

02
Anatomy

48 bits, six octets, two halves

A MAC address is written as six hexadecimal pairs separated by colons (Unix style) or hyphens (Windows style). Each pair is one byte. The first three pairs are the OUI; the last three are the device-specific identifier assigned by the vendor.

00:1B:21:AB:CD:EF
Example hardware MAC · Intel network adapter

| Octet | Hex | Binary |
|---|---|---|
| 1 | 00 | 00000000 |
| 2 | 1B | 00011011 |
| 3 | 21 | 00100001 |
| 4 | AB | 10101011 |
| 5 | CD | 11001101 |
| 6 | EF | 11101111 |

Octets 1-3: OUI · Organizationally Unique Identifier · 24 bits · assigned by IEEE · identifies vendor
Octets 4-6: Device ID / NIC · 24 bits · assigned by vendor · identifies card

The two special bits in octet 1

Bits inside the first byte tell you what kind of MAC this is

Inside the very first byte of every MAC, two bits carry meaning beyond the OUI itself. They are the two least significant bits of octet 1. Here they are highlighted in the binary expansion of 0x00:

| Bit | 7 | 6 | 5 | 4 | 3 | 2 | 1 (U/L) | 0 (I/G) |
|---|---|---|---|---|---|---|---|---|
| Value | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |

I/G · Individual or Group

The least significant bit of octet 1 says whether this address represents one device or many.

0 · Unicast (one device)
1 · Multicast / broadcast

U/L · Universally or Locally Administered

The second-least significant bit says whether this MAC came from the IEEE OUI registry or was assigned locally.

0 · Universal (real hardware)
1 · Local (randomized or set by software)

Tell hardware from random at a glance

The U/L bit is the easiest way to tell a real hardware MAC from a randomized one. Look at the second-least significant bit of the first octet. If it is 0, the MAC came from a manufacturer's IEEE-registered OUI. If it is 1, the MAC was assigned locally, which today almost always means it was randomized by the operating system.

A quick mental shortcut: convert the first hex digit to binary. If the second bit from the right of the first hex digit is 1, it is locally administered. Hex digits with U/L set are 2, 3, 6, 7, A, B, E, F. Hex digits with U/L clear are 0, 1, 4, 5, 8, 9, C, D.

Hardware MAC · from manufacturer
00:1B:21:AB:CD:EF
First octet 0x00 = 0000 0000
I/G bit = 0 (unicast). U/L bit = 0 (universal). This MAC was burned in at the factory using an IEEE-registered OUI. The first three octets 00:1B:21 belong to Intel.

Locally Administered · randomized
AA:BB:CC:DD:EE:FF
First octet 0xAA = 1010 1010
I/G bit = 0 (unicast). U/L bit = 1 (locally administered). This MAC did not come from any manufacturer. It was set by software, either by the OS at boot or by a tool like macchanger.

03
The OUI

Reading the manufacturer off the wire

The IEEE publishes the OUI registry. Every assigned OUI is searchable on the IEEE website, and tools like Wireshark, macchanger, and various online lookups embed a local copy. A short list of OUIs you will run into constantly:

| OUI | Vendor | Notes |
|---|---|---|
| 00:50:56 | VMware, Inc. | Any VM running on ESXi or Workstation. A subnet full of these is almost certainly a virtualized environment. |
| 00:0C:29 | VMware, Inc. | Older VMware OUI. Still common on long-lived VMs and templates. |
| 00:1B:21 | Intel Corporate | Wired Intel NICs in laptops and desktops. The chip you saw on the OSI page was an I219-V. |
| DC:A6:32 | Raspberry Pi Trading | Pi 4 and later. A subnet of these is a maker lab, a kiosk farm, or an IoT deployment. |
| 28:CF:E9 | Apple, Inc. | One of dozens of Apple OUIs. Apple holds enough OUI space that a list of theirs alone fills pages. |
| F0:18:98 | Apple, Inc. | Recent MacBooks and iPhones often present a hardware MAC starting with this prefix when not randomizing. |
| 00:1A:11 | Google, Inc. | Chromecast, Nest, Pixel devices. Often appears with other Google OUIs on the same LAN. |
| B8:27:EB | Raspberry Pi Foundation | Older Pi models (1-3). A relic of pre-2019 builds, still seen in long-running deployments. |

During a pen test, scan and identify

Running arp -a after landing on a network lists every MAC the host has spoken to recently. Run those MACs against the OUI database (Wireshark does this automatically) and you get a rough inventory of the subnet: how many VMs, how many Apple devices, how much custom hardware. It is reconnaissance with zero noise on the wire.
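The I/G and U/L bit tests and the OUI lookup described above, combined into one inventory pass. This is an added Python example, not code from the original page; the OUI table holds only the prefixes this page lists (not the IEEE registry), and the sample addresses are constructed.

```python
import re

# OUI prefixes quoted on this page: a small sample, not the IEEE registry.
PAGE_OUIS = {
    "00:50:56": "VMware, Inc.", "00:0C:29": "VMware, Inc.",
    "00:1B:21": "Intel Corporate", "DC:A6:32": "Raspberry Pi Trading",
    "28:CF:E9": "Apple, Inc.", "F0:18:98": "Apple, Inc.",
    "00:1A:11": "Google, Inc.", "B8:27:EB": "Raspberry Pi Foundation",
}
# Six hex pairs joined by one consistent separator (: or -), or 12 bare digits.
MAC_RE = re.compile(
    r"[0-9A-Fa-f]{2}([:-])(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}|[0-9A-Fa-f]{12}")

def parse_mac(text):
    """Return the six octets of a MAC, or raise ValueError."""
    text = text.strip()
    if not MAC_RE.fullmatch(text):
        raise ValueError(f"not a 48-bit MAC: {text!r}")
    return bytes.fromhex(text.replace(":", "").replace("-", ""))

def classify(text):
    mac = parse_mac(text)
    group = bool(mac[0] & 0x01)  # I/G: bit 0 of octet 1
    local = bool(mac[0] & 0x02)  # U/L: bit 1 of octet 1 (low hex digit of pair 1)
    oui = ":".join(f"{b:02X}" for b in mac[:3])
    # A vendor lookup only means something for a universal, unicast address.
    vendor = None if (group or local) else PAGE_OUIS.get(oui, "unknown OUI")
    return {"oui": oui, "group": group, "local": local, "vendor": vendor}

def inventory(macs):
    """Tally an ARP-table-style list of MACs by vendor or address class."""
    counts = {}
    for m in macs:
        info = classify(m)
        key = ("multicast/broadcast" if info["group"]
               else "locally administered" if info["local"]
               else info["vendor"])
        counts[key] = counts.get(key, 0) + 1
    return counts

# Constructed sample in the notations the page mentions (colons and hyphens).
SAMPLE = ["00:50:56:aa:bb:01", "00-0c-29-12-34-56", "dc:a6:32:00:00:01",
          "00:1b:21:ab:cd:ef", "02:42:ac:11:22:33", "ff:ff:ff:ff:ff:ff"]

if __name__ == "__main__":
    for key, n in sorted(inventory(SAMPLE).items()):
        print(f"{n:2d}  {key}")
```

Addresses with the U/L or I/G bit set are counted by class and never matched against the vendor table, because their first three octets are not an IEEE assignment.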

04
The Modern Reality

MAC randomization is the default

For decades a MAC address was as good as a serial number. Every device you owned could be tracked across networks, across stores, across cities, because its MAC was unique and unchanging. Around 2014 the major operating system vendors decided this was a privacy disaster and started randomizing MAC addresses by default. Today, the MAC you see in a packet capture is more likely randomized than not, especially on phones.

Each OS uses a slightly different strategy. The general pattern is the same: pick a random MAC with the U/L bit set, use it consistently for one network or one boot, and pick a new one when that context ends.

| Operating System | Default behavior | Strategy |
|---|---|---|
| iOS / iPadOS | On by default · since iOS 14 (2020) | One random MAC per Wi-Fi SSID, kept stable while you reconnect to that network. New SSID = new MAC. |
| Android | On by default · since Android 10 (2019) | One random MAC per Wi-Fi SSID. Some vendors rotate per-association instead of per-SSID. |
| macOS | Partial · since 2014 | Randomized during Wi-Fi scanning (probe requests). Switches to the hardware MAC once associated, unless explicitly configured otherwise. |
| Windows 10/11 | Opt-in · setting | "Random hardware addresses" toggle in Wi-Fi settings. Off by default but easily enabled. Can rotate daily or per-SSID. |
| Linux | Varies · by distro | NetworkManager has had per-SSID randomization since 1.4 (2016). Default differs across distros; usually opt-in. |
| ChromeOS | On by default · since ~2017 | Random MAC per SSID, similar to Android. Can be disabled per-network. |

The fingerprint is leaky anyway

Randomization does not make a device anonymous. The order of Wi-Fi networks the device probes, the timing of its requests, the information elements (IEs) it advertises, even the supported channel widths form a fingerprint that survives MAC rotation. Privacy-conscious users still leak enough metadata to be tracked by motivated observers.

05
Spoofing the MAC

Anyone can change it in one line

Even when an OS would not randomize on its own, the MAC is fundamentally a number stored in memory that the driver reads on startup. With root or administrator privileges, that number can be overwritten before the interface comes up. A new MAC is one command away on every operating system.

Linux · macchanger / ip link
sudo ip link set dev eth0 down
sudo ip link set dev eth0 address 02:42:ac:11:22:33
sudo ip link set dev eth0 up
# or, easier:
sudo macchanger -r eth0 # fully random

macOS · ifconfig
sudo ifconfig en0 down
sudo ifconfig en0 ether 02:42:ac:11:22:33
sudo ifconfig en0 up

Windows · Device Manager or registry
# "Ethernet" is an example adapter name; without -Name the pipeline would change every adapter
Get-NetAdapter -Name "Ethernet" | Set-NetAdapterAdvancedProperty -RegistryKeyword "NetworkAddress" -RegistryValue "024242AC1122"
# or via Device Manager > Adapter > Advanced > Network Address

Why an attacker does this

To bypass MAC filtering on a Wi-Fi access point or wired switch. To impersonate a trusted device that already has access. To evade detection systems that maintain a list of "known bad" MACs. To rejoin a network that banned the attacker's previous MAC. To poison ARP tables more convincingly. None of these are hard once you have local privilege on a machine with a network card.

06
Security Implications

Do not trust the MAC for identity

Because MAC addresses can be changed in a single command and are randomized by default on most consumer devices, they are not a reliable identifier for anything that matters. Below is a quick taxonomy of controls and approaches that use MAC addresses, sorted by how much they actually protect you.

MAC filtering on Wi-Fi

Security theater

Allow-listing specific MAC addresses on a wireless access point sounds clever, but a passive sniffer can read every authorized MAC off the air in seconds and an attacker just sets theirs to match.

DHCP reservations as access control

Convenience, not security

Reserving an IP for a specific MAC is useful for inventory and stable addresses. It does not stop an attacker from spoofing that MAC and grabbing the same address.

802.1X port authentication

Real authentication

The standard for verifying who gets to use a switch port or wireless network. Uses certificates or credentials, not MACs. Every enterprise should be running this on edge switches.

Port security with sticky MAC

Defense in depth

A switch port that learns the first MAC it sees and refuses any other. Useful in static environments like data closets or kiosks. Combine with 802.1X for actual identity.

MAC in audit logs

Useful but spoofable

Recording MACs in DHCP logs, switch logs, and Wi-Fi controller logs is worth doing, but treat the values as hints, not as identity. Correlate with 802.1X usernames or certificates for the actual story.

MAC-based device tracking

Increasingly broken

Marketing analytics platforms used to track shoppers by Wi-Fi probe MACs. Since iOS 14 and Android 10 randomize MACs, those analytics have rotted significantly. They are not coming back.
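The "MAC in audit logs" entry above says to treat logged MACs as hints and correlate them with 802.1X identities. The following added Python example (not from the original page) does that correlation over a few constructed records; the comma-separated field layout, port names and identities are assumptions made for the example, not any vendor's log format.

```python
from collections import defaultdict

# Constructed records: time (s), switch port, source MAC, 802.1X identity.
# The field layout is an assumption for this example, not a vendor log format.
LOG = """\
100,Gi1/0/1,00:1b:21:ab:cd:ef,alice
160,Gi1/0/7,00:1b:21:ab:cd:ef,carol
200,Gi1/0/2,dc:a6:32:00:00:01,kiosk-7
230,Gi1/0/3,02:42:ac:11:22:33,bob
900,Gi1/0/2,dc:a6:32:00:00:01,kiosk-7
"""

def parse(log):
    for line in log.splitlines():
        if line.strip():
            t, port, mac, ident = line.strip().split(",")
            yield int(t), port, mac.lower(), ident

def review(log, window=300):
    """Return (mac, finding) pairs that need a human look."""
    seen = defaultdict(list)  # mac -> [(time, port, identity)]
    for t, port, mac, ident in parse(log):
        seen[mac].append((t, port, ident))
    findings = []
    for mac, events in sorted(seen.items()):
        # U/L bit set: software-assigned, so no vendor or hardware claim holds.
        if int(mac[:2], 16) & 0x02:
            findings.append((mac, "locally-administered"))
        # One MAC authenticated as different principals: the MAC is not identity.
        if len({ident for _, _, ident in events}) > 1:
            findings.append((mac, "multiple-identities"))
        # Same MAC on two ports within `window` seconds: possible clone.
        events.sort()
        if any(p1 != p2 and t2 - t1 <= window
               for (t1, p1, _), (t2, p2, _) in zip(events, events[1:])):
            findings.append((mac, "port-change"))
    return findings

if __name__ == "__main__":
    for mac, finding in review(LOG):
        print(mac, finding)
```

Each finding is a triage lead, not a verdict: a laptop carried between desks also produces a port change, which is why the 802.1X identity is what settles the question.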

07
Key Takeaways

What to remember

i. 48 bits split 24 / 24

OUI in the first three bytes, device ID in the last three. IEEE manages the OUI; vendors manage the rest.

ii. Two bits to know

I/G in bit 0 of octet 1 says unicast or multicast. U/L in bit 1 says hardware or locally administered.

iii. OUI tells you the vendor

Wireshark and IEEE both publish the lookup tables. A subnet full of 00:50:56 is VMware; a subnet of DC:A6:32 is Raspberry Pis.

iv. Randomization is the default

iOS, Android, ChromeOS all randomize per SSID by default. Windows and Linux can be configured to. macOS randomizes during scanning.

v. One command to change it

ip link, ifconfig, or Set-NetAdapterAdvancedProperty. Local admin gets you a new MAC in seconds. Plan defenses accordingly.

vi. Identity needs more than a MAC

802.1X and certificates authenticate users and devices for real. MAC filtering and DHCP reservations are convenience features, not security controls.