RE: Detecting Spoofed MAC

["David Gillett" <gillettdavid () fhda edu>]

  I doubt it.  I'm not sure how it's implemented on various 
*nix flavours, but the usual method on Windows is via options
provided by the NIC driver from the manufacturer.
  You could *theoretically* build something to walk the list
of installed adapters, invoke the Properties|Advanced dialog
for each one, and more or less "screenscrape" the relevant 
options, but you'd have to customize the last bit for every
card you wanted to support -- and perhaps for each different
driver version, too.

  Various switch manufacturers provide tools for detecting
and responding to changes in the client MAC address(es) on a
port.  But these can't generally spot whether the change is 
due to spoofing, or swapping out the client device (or its
NIC).

  The things I've used which label some MAC addresses as
"spoofed" incorporate some knowledge of valid, invalid, 
and reserved OUI prefixes, and are actually detecting whether
the MAC address is *credible* as a native hardware address or
not.

David Gillett
 

> -----Original Message-----
> From: listbounce () securityfocus com 
> [mailto:listbounce () securityfocus com] On Behalf Of 
> divinepresence () gmail com
> Sent: Wednesday, November 29, 2006 1:45 AM
> To: security-basics () securityfocus com
> Subject: Detecting Spoofed MAC
>
> Hi all
> Is there a tool to determine whether the MAC has been spoofed 
> on a system (Win/*nix) for a given interface? Also, is it 
> possible to know the real MAC in such a case? I was wondering 
> if you could hook up to some system info API which would 
> provide you with this information assuming that this detail 
> is stored at some location which is not affected by spoofing.
>
> Thanks
> Ankur Jindal