Security Basics mailing list archives

Re: Detecting Spoofed MAC


From: israel () israeltorres org
Date: 30 Nov 2006 20:27:48 -0000

On a local Windows box you can easily check if the local machine is spoofing the MAC by searching for the 
NetworkAddress value in the registry for the enumerated network devices (wired/wireless).

I've written a tool in the past that allows you to quickly check for this and report back which device is "spoofing" - 
it is called macitup (as in make it up), a Windows binary executable:
http://tools.israeltorres.org/#macitup to check if adapter is using NetworkAddress to spoof MAC
input: macitup.exe --checknetworkaddress xx:xx:xx:xx:xx:xx
output: NetworkAddress is not being used  by the system for adapter: [XX:XX:XX:XX:XX:XX]

*note you can actually use the literal string xx:xx:xx:xx:xx:xx to scan for spoofed addresses with this tool*

More information on NetworkAddress:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netxp_r/hh/NetXP_r/NdisXN_R_459fbfae-4235-4f60-9b10-02c60defc236.xml.asp

This NetworkAddress value overrides the manufacturer's MAC and if not set correctly could cause your NIC to be 
unresponsive until it is reset or set better.

Israel Torres
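
The registry check described in the message above, as an added PowerShell example; it is not macitup's code and not part of the original post. It assumes adapters are enumerated under the standard network adapter class key, and the function name Get-MacOverrideStatus and the status labels are hypothetical.

```powershell
# Added example: report which enumerated network adapters carry a
# NetworkAddress override in their driver key.
# Assumption: adapters live under the standard network adapter class key.
$classKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}'

# Hypothetical helper: classify a NetworkAddress value.
function Get-MacOverrideStatus {
    param([string]$Value)

    if ([string]::IsNullOrWhiteSpace($Value)) { return 'NotSet' }

    # Accept the value with or without separators, then require 12 hex digits.
    $hex = ($Value -replace '[-:.\s]', '').ToUpper()
    if ($hex -notmatch '^[0-9A-F]{12}$') { return 'Malformed' }

    # The low bit of the first octet marks a group (multicast) address,
    # which is not usable as a station address.
    $first = [Convert]::ToByte($hex.Substring(0, 2), 16)
    if ($first -band 0x01) { return 'OverrideMulticast' }

    return 'Override'
}

Get-ChildItem -Path $classKey -ErrorAction SilentlyContinue |
    # Adapter instances are the four-digit subkeys (0000, 0001, ...).
    Where-Object { $_.PSChildName -match '^\d{4}$' } |
    ForEach-Object {
        $raw = $_.GetValue('NetworkAddress')   # $null when no override is set
        [pscustomobject]@{
            Instance       = $_.PSChildName
            Adapter        = $_.GetValue('DriverDesc')
            NetworkAddress = $raw
            Status         = Get-MacOverrideStatus -Value ([string]$raw)
        }
    } |
    Format-Table -AutoSize
```

Any row with a Status other than NotSet has an override configured; Malformed and OverrideMulticast rows are the values most likely to leave the NIC unresponsive.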

