alobbs / macchanger

GNU MAC Changer
http://www.gnu.org/software/macchanger
GNU General Public License v3.0

Addresses generated by macchanger --random can be detected (without any knowledge about vendors) #92

Open camel-cdr opened 1 year ago

camel-cdr commented 1 year ago

macchanger --random uses the following to randomize the MAC address:

https://github.com/alobbs/macchanger/blob/f4f66e1eba1f5154a365d3323088050d0f75a168/src/mac.c#L76-L82

The PRNG is initialized with srandom and a random seed, but srandom only takes a 32-bit seed, which can be brute forced.

Proof of concept: https://gist.github.com/camel-cdr/6b299f538c896f723d9dfdf76c7e8ec8
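The following added example (not part of the issue, not macchanger's code, and not the linked proof of concept) contrasts a generator whose output depends only on a `srandom` seed with one that reads the address bytes directly from the kernel CSPRNG. The function names, the use of `/dev/urandom`, and the choice to set the locally-administered bit are assumptions made for illustration.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE   /* expose srandom()/random() on glibc */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Clear the multicast bit and set the locally-administered bit. */
static void fix_flag_bits(unsigned char mac[6])
{
    mac[0] = (unsigned char)((mac[0] & 0xFE) | 0x02);
}

/* Weak form (constructed stand-in, not macchanger's code): every byte
 * comes from random() after srandom(seed), so the address is a pure
 * function of a 32-bit seed and at most 2^32 addresses can ever appear. */
void weak_mac(unsigned int seed, unsigned char mac[6])
{
    srandom(seed);
    for (int i = 0; i < 6; i++)
        mac[i] = (unsigned char)(random() & 0xFF);
    fix_flag_bits(mac);
}

/* Hardened form: bytes come straight from the kernel CSPRNG, with no
 * small seed in between. Returns 0 on success, -1 on read failure. */
int csprng_mac(unsigned char mac[6])
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL)
        return -1;
    size_t got = fread(mac, 1, 6, f);
    fclose(f);
    if (got != 6)
        return -1;
    fix_flag_bits(mac);
    return 0;
}

int main(void)
{
    unsigned char a[6], b[6];
    weak_mac(12345u, a);   /* 12345 is a constructed sample seed */
    weak_mac(12345u, b);   /* same seed, same address */
    printf("weak, same seed twice: %s\n", memcmp(a, b, 6) ? "differ" : "identical");
    if (csprng_mac(a) != 0)
        return 1;
    printf("csprng: %02x:%02x:%02x:%02x:%02x:%02x\n", a[0], a[1], a[2], a[3], a[4], a[5]);
    return 0;
}
```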