How to prevent real MAC address leakage

Normally you cannot change the MAC address through network manager until after you've connected to a network and exposed your wifi card/devices real MAC address. How can I ensure that every card or usb adapter immediately gets issued a randomized or specific address the second I plug it in and never leaks the real address? I noticed that ubuntu doesn't randomize wireless network scans either.

L3 environment

The MAC addresses visibility is limited to the broadcast domain only. It means the MAC cannot go through router to other network segments. Any network router is the OSI layer 3 (L3) device and removes any layer 2 information including the MAC in normal circumstances.

L2 environment

If you wish to hide your MAC in a local network (LAN, inside the broadcast domain), it is harder. I recommend to verify your MAC visibility by real test.

You will need a second device (PC or server, let its name is "analyzer") with installed Wireshark application and a small network switch too. I suppose the first device name is "PC1".

1. Connect analyzer to switch and ensure its Ethernet interface is up. No problem if analyzer has no IP address for first test. It is not necessary, only the L2 is important now.
2. Start Wireshark application on analyzer, select the Ethernet interface for capturing and start capturing process.
3. Connect the PC1 to the switch and watch Ethernet frames displayed in Wireshark. Any PC excluding very special cases will start sending some network requests like a DHCP discovery, ARP broadcasts etc. All these frames/packets have visible source MAC addresses of sending device. It can be found at the L2 (Ethernet) part of output.
4. Probably at least two MAC's will be visible. The second MAC is from analyzer interface. You can filter out the analyzer MAC address (and any other eventually) in Wireshark window very easy. (Go to Ethernet II --> Source. Right click to displayed MAC, in context menu select select "Apply as filter" --> "Not Selected".) Any frames having this source MAC address will be hidden. The remaining visible frames in Wireshark contain either PC1 original MAC or PC1 fake address. No other devices are connected excluding switch which has no MAC (if it is unmanaged switch).

The test done by this way will show you MAC addresses of PC1 early after cable connecting to PC. If you want to speed up the sending of the first packets, manually set the IP addresses of both devices and start ping from the analyzer towards PC1 before connecting PC1.

Wireless packet capture

It is little bit harder. The test procedure is similar like in Ethernet case, but instead of switch a wireless environment is used. You will need a Linux PC as an analyzer and a Wi-Fi card/adapter. (The Windows OS has very limited wireless capture capability excluding special Wi-Fi cards. It is not recommended for wireless analysis.)

Search for a Wireless traffic sniffing to get detail information. The Wi-Fi adapters for sniffing must support special "monitor" mode. Not all adapters have this capability. But for your purpose can be used common adapter type I think. You will capture traffic between two devices in the same wireless network. It means no special mode is required.

The same principle applies as in the Ethernet case. The analyzer must be started before the tested computer PC1 is connected to the network.

You need the macchanger package to do MAC randomization. See here for the official guide.