Note that this patch is not a tool in and of itself; it merely extends other tools and APIs, and actually requires some knowledge to use. (Read: spare me your accusations of feeding the skript kiddies until you know what you're talking about.)
Like other BSD-derived codebases, Mac OS X and Darwin kernels like to meticulously stick the hardware address into the source field of each ethernet header. The following Darwin / Mac OS X kernel patch removes that tendency for AF_UNSPEC packets, allowing injected packets to forge that field in the header.
Also supplied below are a RAW4ALL patch, so you don't always have to be root to use raw sockets, and a FORCE_VERBOSE patch to force verbose output at boot time without having to press Option-V. Note that the FORCE_VERBOSE patch is not necessary with some Apple-supplied tarballs and CVS checkouts.
In recent days, Jeff Nathan has put together a less kludgey patch that fixes all the known issues; this is linked to below. These patches have been tested and verified with up to OS X 10.3 (Darwin 7.x) and verified to allow MAC spoofing with ethernet cards as well as wireless cards.
OS X 10.4.x (Darwin 8.x) kernel sources appear to require no modification in
order to spoof MAC addresses.
The directions above, by the way, are intentionally not very thorough. I've
tried to write these directions for those who will be able to make use
of this patch. In other words, if you can't navigate through the directions
above, you probably shouldn't be messing with this patch. Either way, please
use it responsibly.
I have decided that these source patches are trivial enough that they do not require integrity hashes. However, please review what you download before applying them to your source tree.
Also, I'm pretty sure all these source patches are all subject to the
Apple Public Source License.
Patches called "ETHERSPOOF" above break the DHCP
client thanks to the funky DLILization of the kernel, and though I have yet to
see them cause problems getting an address personally, I have received reports
and seen the cause of the problem, empty source ethernet address fields in the