Security Basics mailing list archives
Re: Detecting Spoofed MAC
From: "Jason Muskat, GCFA, GCUX, de VE3TSJ" <Jason () TechDude Ca>
Date: Mon, 04 Dec 2006 17:41:19 -0500
Hello,

The answer is yes, no, and kinda.

Depending on the Data Link Layer of the underlying transport, a bit-flag should be set. This can alert one to the fact that the MAC Address is Manually set. Then again, some NIC manufacturers skip this and simply use the manually set MAC Address without setting this bit.

This function used to be hardcoded into the NIC's firmware. More and more manufacturers have moved this into the driver. Therefore very easy to bypass, and leaves it up to the end manufacturers and driver programmers to do the right things (which very few do). When is the last time anybody reviewed the 802.3 standards documents? Many embedded devices load the MAC Address from EPROM2-ish memory and don't set any such flags (unless one JTAG/reconfigure it oneself -- Hack the device).

Considering that the flag is set, for most transports (including Ethernet), one would have to be on the same segment (hub, bridge, repeater, tap, perhaps switch, not router) to detect this. In other words, one needs to be able to examine the Data Link Layer of the Transport, which is not normally routable.

Even with manual investigation the real MAC Address can never be recovered unless one can examine the host's internals. Real being as intended by the end manufacturer. This fact remains true even when using ARPWatch.

Regards,

--
Jason Muskat | GCFA, GCUX - de VE3TSJ
____________________________
TechDude
e. Jason () TechDude Ca
m. 416 .414 .9934
http://TechDude.Ca/
From: <divinepresence () gmail com>
Date: 29 Nov 2006 09:44:36 -0000
To: <security-basics () securityfocus com>
Subject: Detecting Spoofed MAC
Resent-From: <security-basics-return-42079 () securityfocus com>
Resent-Date: Wed, 29 Nov 2006 05:24:17 -0700 (MST)

Hi all

Is there a tool to determine whether the MAC has been spoofed on a system (Win/*nix) for a given interface? Also, is it possible to know the real MAC in such a case? I was wondering if you could hook up to some system info API which would provide you with this information assuming that this detail is stored at some location which is not affected by spoofing.

Thanks
Ankur Jindal
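An added example, not part of the original messages: a checker for the flag the reply describes, assuming it is the locally administered (U/L) bit in the first octet of an IEEE 802 address. It also compares an observed address with a permanent address recorded from the host itself, which covers the case where the NIC or driver never sets the bit. Function names and sample addresses are constructed for illustration.

```python
import re

# Bits in the first octet of an IEEE 802 MAC address.
IG_BIT = 0x01  # individual/group: 1 = multicast or broadcast
UL_BIT = 0x02  # universal/local: 1 = locally administered


def parse_mac(text):
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or 0011.2233.4455."""
    digits = re.sub(r"[:.\-]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes.fromhex(digits)


def classify(observed, permanent=None):
    """Return a list of findings for an observed source address.

    permanent is the burned-in address recorded from the host itself
    (for example in an asset inventory). It is optional because, as
    the reply notes, it cannot be recovered from the wire.
    """
    mac = parse_mac(observed)
    findings = []
    if mac[0] & IG_BIT:
        # A group address is never a valid station (source) address.
        findings.append("group-address-as-source")
    if mac[0] & UL_BIT:
        findings.append("locally-administered")
    if permanent is not None and parse_mac(permanent) != mac:
        # Catches manual addresses that leave the U/L bit clear.
        findings.append("differs-from-permanent")
    return findings


if __name__ == "__main__":
    # Constructed observations: (address seen on the segment, recorded permanent address)
    samples = [
        ("00:1A:2B:3C:4D:5E", "00:1a:2b:3c:4d:5e"),
        ("02-1a-2b-3c-4d-5e", None),
        ("0011.2233.4455", "00:11:22:33:44:66"),
        ("01:00:5e:00:00:01", None),
    ]
    for observed, permanent in samples:
        print(observed, classify(observed, permanent) or ["no-findings"])
```

A clear U/L bit proves nothing on its own; only the comparison against an address recorded from the host can flag a manually set address that leaves the bit clear.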