Identify a randomised (locally administered) MAC Address
Anonymisation measures introduced by WiFi vendors makes to harder to use MAC Addresses to consistently identify a device. Here’s how you can tell if a device is using a locally administered (aka random) MAC Address.
A MAC address is six-pairs of hex characters, and a normal MAC address looks something like this:
13:fe:34:dc:56:22
Each pair of hex characters is represented by eight bits (one byte) of data.
Locally Administered Addresses
Locally administered MAC addresses can be identified by looking at the second hex character in the MAC Address. If the character is a 2, 6, a or e, the address is considered as locally administered.
The rationale behind this is buried in the two least significant bits of the second character of the MAC address.
Consider the below:
MAC Address
13:fe:34:dc:56:22
First byte of MAC Address (in Hex)
13:
First byte of MAC Address (in Binary)
0001 0011
^^ These two values are what we're interested in
The last two binary digits of the first byte control how the MAC address is perceived. The first (left-most) of these two digits is used to show if this is a Locally Administered MAC Address or not. The second (right-most) of these two digits is used to show if this MAC address belongs to an individual device, or a group.
| Last two bits of the first byte | Meaning |
|---|---|
| 00 | Not a locally administered address, assigned to a specific device |
| 01 | Not a locally administered address, assigned to a group of devices |
| 10 | A locally administered address belonging to a specific device |
| 11 | A locally administered address belonging to a group of devices |
This means that any MAC Address where the penultimate bit of the first byte is ‘1’, is using a randomised or locally administered, MAC Address. This means we can easily produce a table showing all possible values of a locally administered MAC Address.
All Locally Administered MAC Addresses
This table shows all possible values of the second MAC Address character where a locally administered MAC Address is being used.
| Binary | Second Hex character of MAC Address |
|---|---|
| 0010 | 2 |
| 0011 | 3 |
| 0110 | 6 |
| 0111 | 7 |
| 1010 | a |
| 1011 | b |
| 1110 | d |
| 1111 | e |
Locally Administered MAC Addresses for WiFi Clients
Where we are only concerned about identifying WiFi Clients using Locally Administered addresses, then we know our two bits of interest must be “10”. This narrows down the number of possible values for the MAC Address’s second hex character to just four.
| Binary | Hex |
|---|---|
| 0010 | 2 |
| 0110 | 6 |
| 1010 | a |
| 1110 | e |
This means that all Locally Administered Addresses will fit in to one of the following address formats:
x2:xx:xx:xx:xx:xx
x6:xx:xx:xx:xx:xx
xA:xx:xx:xx:xx:xx
xE:xx:xx:xx:xx:xx
Regular Expression
Now we know what we’re looking for, we can use a Regular Expression to search for Clients using Locally Administered MAC Addresses.
Regex: ^[0-9a-fA-F][26aeAE]
This regex can be read as;
^ Starting at the start of the string
[0-9a-fA-F] The first character can be anything between 0-f (f is a hex number,
which is equivalent to 15 in decimal or 1111 in binary)
[26aeAE] The second character can be 2, 6, a, e, A or E
NOTE: You can see that letters a & e are entered as both
uppercase and lowercase in the regular expression.
a, e, A & E are entered as lowercase and UPPERCASE to
help prevent issues relating to the industry's lack of
standardisation around whether upper or lower case
letters should be used to represent a MAC Address. This
approach ensures that regardless of whether you have upper
or lowercase letters, the regex will match correctly.
Also note, the regex does not evaluate characters in the
rest of the MAC address.