Security Basics mailing list archives
RE: Detecting Spoofed MAC
From: "David Gillett" <gillettdavid () fhda edu>
Date: Wed, 29 Nov 2006 09:15:10 -0800
I doubt it. I'm not sure how it's implemented on various *nix flavours, but the usual method on Windows is via options provided by the NIC driver from the manufacturer. You could *theoretically* build something to walk the list of installed adapters, invoke the Properties|Advanced dialog for each one, and more or less "screenscrape" the relevant options, but you'd have to customize the last bit for every card you wanted to support -- and perhaps for each different driver version, too. Various switch manufacturers provide tools for detecting and responding to changes in the client MAC address(es) on a port. But these can't generally spot whether the change is due to spoofing, or swapping out the client device (or its NIC). The things I've used which label some MAC addresses as "spoofed" incorporate some knowledge of valid, invalid, and reserved OUI prefixes, and are actually detecting whether the MAC address is *credible* as a native hardware address or not. David Gillett
-----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of divinepresence () gmail com Sent: Wednesday, November 29, 2006 1:45 AM To: security-basics () securityfocus com Subject: Detecting Spoofed MAC Hi all Is there a tool to determine whether the MAC has been spoofed on a system (Win/*nix) for a given interface? Also, is it possible to know the real MAC in such a case? I was wondering if you could hook up to some system info API which would provide you with this information assuming that this detail is stored at some location which is not affected by spoofing. Thanks Ankur Jindal
Current thread:
- Detecting Spoofed MAC divinepresence (Nov 29)
- RE: Detecting Spoofed MAC David Gillett (Nov 30)
- RE: Detecting Spoofed MAC MARTIN Benoni (Nov 30)