IDS mailing list archives
RE: Wired detection of rogue access points
From: "Adam Graham" <agraham () datastreamcowboys net>
Date: Mon, 2 Apr 2007 10:28:48 -0500
Got to thinking and did a little test.... I queried my MAC address. It returned 00:06:25:2E:56:A0 (Linksys WPC11 v3). Then I spoofed my MAC using sirMACsalot... Then when I queried the MAC in my AP it gave me the spoofed MAC.... BUT!!!!! When I queried the hardware for the MAC it gave me the real one...

Knowing this.. in theory... couldn't one write an application to grab the MAC from the hardware, not the network... Like I have seen programs that you can run from a domain controller that can tell you all the hardware installed on a workstation in the domain. If one can do this.. then one should be able to ask the wireless NIC what its MAC is, right?

I was just thinking that if this could be done.. it would be able to spot a spoofed MAC. And if the utility can't be run on the remote machine then it's likely a spoofed MAC.

Note this idea only works on Windows boxes on a Windows domain.... not on Linux, OSX, or appliances...
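The comparison described in the message above, as an added example that is not part of the original post: it assumes a hardware inventory has already been collected from domain workstations (each record holding the NIC's burned-in address and the address the OS is currently using) and checks the MACs an access point reports against it. The function names, host names, record layout and all sample addresses other than 00:06:25:2E:56:A0 are constructed for illustration.

```python
import re

def norm(mac):
    """Reduce any common MAC notation (colons, dashes, dots) to 12 hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def classify(ap_macs, inventory):
    """Label each MAC seen at the AP using the domain hardware inventory.

    inventory: list of dicts with 'host', 'permanent' (address read from the
    NIC hardware) and 'active' (address the workstation is using on the wire).
    """
    by_active = {norm(r["active"]): r for r in inventory}
    results = {}
    for mac in ap_macs:
        rec = by_active.get(norm(mac))
        if rec is None:
            # No domain workstation could be queried for this address:
            # a non-domain device, or a host the utility cannot reach.
            results[mac] = ("unverified", None)
        elif norm(rec["permanent"]) == norm(rec["active"]):
            results[mac] = ("matches-hardware", rec["host"])
        else:
            # The hardware reports a different address than the one in use.
            results[mac] = ("spoofed", rec["host"])
    return results

# Constructed sample data (hypothetical hosts; mixed notations on purpose).
SAMPLE_INVENTORY = [
    {"host": "WKSTN-01", "permanent": "00:06:25:2E:56:A0",
     "active": "02-11-22-33-44-55"},
    {"host": "WKSTN-02", "permanent": "00-0C-41-AA-BB-01",
     "active": "000c.41aa.bb01"},
]
SAMPLE_AP_MACS = ["02:11:22:33:44:55", "00:0c:41:aa:bb:01", "00:13:10:de:ad:01"]

if __name__ == "__main__":
    report = classify(SAMPLE_AP_MACS, SAMPLE_INVENTORY)
    for mac, (status, host) in report.items():
        print(f"{mac}  {status:17} {host or '-'}")
```
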