IDS mailing list archives

RE: Wired detection of rogue access points


From: "Adam Graham" <agraham () datastreamcowboys net>
Date: Mon, 2 Apr 2007 10:28:48 -0500

Got to thinking and did a little test....

I queried my MAC address. It returned 00:06:25:2E:56:A0 (Linksys WPC11 v3)


Then I spoofed my MAC using sirMACsalot... 

Then when I queried the MAC in my AP it gave me the spoofed MAC.... 
BUT!!!!! When I queried the hardware for the MAC it gave me the real one... 


Knowing this.. in theory... couldn't one write an application to grab the
MAC from the hardware not the network... 
Like I have seen programs that you can run from a domain controller that can
tell you all the hardware installed on a workstation in the domain. If one
can do this.. then one should be able to ask the wireless NIC what its MAC
is right?

I was just thinking that if this could be done.. it would be able to spot a
spoofed MAC. And if the utility can't be run on the remote machine then it's
likely a spoofed MAC.

Note this idea only works on Windows boxes on a Windows domain.... not on
Linux, OSX, or appliances...
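
The comparison described in the message above, as an added PowerShell example that is not part of the original post: each MAC the AP reports is checked against the in-use and burned-in addresses that domain hosts return. It assumes Windows hosts that provide `Get-NetAdapter` (whose `PermanentAddress` property is the hardware address) and are reachable over CIM remoting; the host names and the 02:00:00:... addresses are constructed.

```powershell
# Added example. $adapters and $apSeen below are constructed sample data;
# WS01, WS02 and the 02:00:00:... addresses are hypothetical.
function ConvertTo-MacKey([string]$Mac) {
    # Reduce 00:06:25:2E:56:A0, 00-06-25-2E-56-A0 and 0006252E56A0 to one form.
    ($Mac -replace '[^0-9A-Fa-f]', '').ToUpper()
}

function Get-AdapterMac([string[]]$ComputerName) {
    # Live collection: ask each domain host for its in-use and burned-in MACs.
    foreach ($c in $ComputerName) {
        try {
            $s = New-CimSession -ComputerName $c -ErrorAction Stop
            Get-NetAdapter -CimSession $s -Physical |
                Select-Object @{n='ComputerName';e={$c}}, MacAddress, PermanentAddress
            Remove-CimSession $s
        } catch {
            Write-Warning "No answer from ${c}: $($_.Exception.Message)"
        }
    }
}

function Compare-ApMacToHardware([string[]]$ApSeen, [object[]]$Adapters) {
    foreach ($seen in $ApSeen) {
        $key = ConvertTo-MacKey $seen
        $hit = $Adapters | Where-Object { (ConvertTo-MacKey $_.MacAddress) -eq $key } |
            Select-Object -First 1
        # Unverified: no answering host reports this MAC in use.
        # Spoofed: a host uses this MAC but its NIC's burned-in address differs.
        $verdict = if (-not $hit) { 'Unverified' }
            elseif (-not $hit.PermanentAddress) { 'NoHardwareAddress' }
            elseif ((ConvertTo-MacKey $hit.PermanentAddress) -ne $key) { 'Spoofed' }
            else { 'Match' }
        [pscustomobject]@{
            ApMac = $seen; ComputerName = $hit.ComputerName
            HardwareMac = $hit.PermanentAddress; Verdict = $verdict
        }
    }
}

# Constructed data: WS01 is using 02:00:00:00:00:01 while its NIC's burned-in address
# is the one quoted in the post; 02:00:00:00:00:02 belongs to no host that answered.
$adapters = [pscustomobject]@{
    ComputerName = 'WS01'; MacAddress = '02-00-00-00-00-01'; PermanentAddress = '0006252E56A0'
}
$apSeen = '02:00:00:00:00:01', '02:00:00:00:00:02'
Compare-ApMacToHardware -ApSeen $apSeen -Adapters $adapters | Format-Table
# Live use: Compare-ApMacToHardware -ApSeen $apSeen -Adapters (Get-AdapterMac 'WS01','WS02')
```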

