Security Basics mailing list archives

Re: Detecting Spoofed MAC


From: "Jason Muskat, GCFA, GCUX, de VE3TSJ" <Jason () TechDude Ca>
Date: Mon, 04 Dec 2006 17:41:19 -0500

Hello,

The answer is yes, no, and kinda. Depending on the Data Link
Layer of the underlying transport, a bit-flag should be set. This can alert
one to the fact that the MAC Address is manually set.

Then again, some NIC manufacturers skip this and simply use the manually set
MAC Address without setting this bit. This function used to be hardcoded
into the NIC's firmware. More and more manufacturers have moved this into the
driver. Therefore it is very easy to bypass, and it leaves it up to the end
manufacturers and driver programmers to do the right thing (which very few
do). When is the last time anybody reviewed the 802.3 standards documents?

Many embedded devices load the MAC Address from EPROM2-ish memory and don't
set any such flags (unless one JTAGs/reconfigures the device oneself -- hack
the device).

Considering that the flag is set:

For most transports (including Ethernet), one would have to be on the same
segment (hub, bridge, repeater, tap, perhaps switch, not router) to detect
this. In other words, one needs to be able to examine the Data Link Layer of
the Transport which is not normally routable.

Even with manual investigation the real MAC Address can never be recovered
unless one can examine the host's internals. "Real" being as intended by the
end manufacturer.

This fact remains true even when using ARPWatch.

Regards,

-- 
Jason Muskat  | GCFA, GCUX - de VE3TSJ
____________________________
TechDude
e. Jason () TechDude Ca
m. 416 .414 .9934

http://TechDude.Ca/
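The two observations in the reply above (a flag bit that a manually set address should carry, and watching the local segment for an IP whose MAC changes, which is what ARPWatch-style tools report) can be turned into small checks a defender can run on captured addresses. The block below is an added example, not code from either poster or from arpwatch; it assumes the "bit-flag" in the reply is the IEEE 802 universally/locally administered (U/L) bit of the first octet, it also checks the individual/group (I/G) bit and accepts the common MAC spellings, which the reply does not discuss, and the ARP observations it scans are constructed sample data, not a real capture.

```python
import re
from dataclasses import dataclass


def parse_mac(text: str) -> bytes:
    """Normalise any common MAC spelling (aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff,
    aabb.ccdd.eeff, bare hex) to its six raw octets."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", text)
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes.fromhex(hexdigits)


def canonical(text: str) -> str:
    """Lower-case, colon-separated form so two spellings compare equal."""
    return ":".join(f"{octet:02x}" for octet in parse_mac(text))


def is_locally_administered(text: str) -> bool:
    """IEEE 802 U/L bit: value 0x02 of the first octet. Set means the address
    was not assigned from a vendor OUI, i.e. it was configured locally.
    Assumed here to be the "bit-flag" the reply above refers to."""
    return bool(parse_mac(text)[0] & 0x02)


def is_group_address(text: str) -> bool:
    """IEEE 802 I/G bit: value 0x01 of the first octet. Set means a
    multicast/broadcast address; a unicast source should never carry it."""
    return bool(parse_mac(text)[0] & 0x01)


def classify(text: str) -> str:
    """Human-readable verdict for one address."""
    if is_group_address(text):
        return "group (multicast/broadcast) address: never valid as a source"
    if is_locally_administered(text):
        # Only a hint: the reply notes that drivers may leave the bit clear on
        # a manually set address, and many virtual interfaces legitimately use
        # locally administered addresses.
        return "locally administered: not assigned from a vendor OUI"
    return "universally administered: vendor-assigned OUI"


@dataclass(frozen=True)
class ArpObservation:
    """One sender IP / sender MAC pair seen in an ARP frame on the segment."""
    timestamp: int  # seconds; only the ordering matters here
    ip: str
    mac: str


def find_mac_changes(observations):
    """Replay observations in time order and report every time an IP shows up
    with a MAC different from the one last seen for it. This is the kind of
    station change an ARP watcher reports; as the reply says, it cannot tell
    which of the two addresses was the 'real' one."""
    last_seen = {}
    changes = []
    for ob in sorted(observations, key=lambda o: o.timestamp):
        mac = canonical(ob.mac)
        previous = last_seen.get(ob.ip)
        if previous is not None and previous != mac:
            changes.append((ob.ip, previous, mac, ob.timestamp))
        last_seen[ob.ip] = mac
    return changes


# Constructed sample data (documentation-range IPs, made-up MACs), not a capture.
SAMPLE_OBSERVATIONS = [
    ArpObservation(100, "192.0.2.10", "00:11:22:AA:BB:CC"),
    ArpObservation(160, "192.0.2.11", "00-11-22-11-22-33"),
    ArpObservation(220, "192.0.2.10", "0011.22aa.bbcc"),     # same host, Cisco spelling
    ArpObservation(280, "192.0.2.10", "02:00:00:de:ad:01"),  # U/L bit set
]


if __name__ == "__main__":
    for ob in SAMPLE_OBSERVATIONS:
        print(f"{ob.ip:<12} {canonical(ob.mac)}  {classify(ob.mac)}")
    for ip, old, new, ts in find_mac_changes(SAMPLE_OBSERVATIONS):
        print(f"t={ts}: {ip} changed from {old} to {new}")
```

Run it as a script to see the per-address verdicts and the single station change in the sample; feed `find_mac_changes` the sender pairs from your own ARP capture to get the same report for a real segment. Both checks only see what the segment exposes: a clear U/L bit proves nothing, and a change report says that two addresses were used, not which one the vendor burned in.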


From: <divinepresence () gmail com>
Date: 29 Nov 2006 09:44:36 -0000
To: <security-basics () securityfocus com>
Subject: Detecting Spoofed MAC
Resent-From: <security-basics-return-42079 () securityfocus com>
Resent-Date: Wed, 29 Nov 2006 05:24:17 -0700 (MST)

Hi all
Is there a tool to determine whether the MAC has been spoofed on a system
(Win/*nix) for a given interface? Also, is it possible to know the real MAC in
such a case? I was wondering if you could hook up to some system info API
which would provide you with this information assuming that this detail is
stored at some location which is not affected by spoofing.

Thanks
Ankur Jindal




