Honeypots mailing list archives

Re: airdefence's claims...


From: Jimi Thompson <jimit () myrealbox com>
Date: Sat, 13 Dec 2003 18:17:49 -0600

Well,

At a guess, they probably have access to who owns the various sequences (since most makers buy them in blocks) that MAC addresses are issued in. If you can fingerprint the card via some means, but the MAC is the wrong sequence for the maker, then you'd know it's either being spoofed or it's an SMC card ;)

I'd like to get a hold of this and test it to see if you can detect spoofing from the same maker's stuff. For business/corporate users, having someone spoofing from your same brand of gear is far more likely. For example, we use Enterasys cards, so if someone started spoofing internally, they'd be using the same kind of card everyone else has. The MAC sequence wouldn't necessarily be off for the maker, which renders their anti-spoofing useless.

2 cents,

Jimi



Dev wrote:


hi ppl,

I get to the point first. Airdefence claims that it has got some "vendor-provided" signatures that it uses to identify MAC spoofing - it can know that a certain card is spoofing the MAC address of a different manufacturer's card. Is this possible?? How can they possibly fingerprint the card. Is it using some undisclosed non 802.11 frames or what??

I ask this because I'm developing a wireless honeypot as part of my mtech project.
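
The check guessed at in the reply above, sketched as an added example that is not part of either message and not AirDefense's code: compare the maker implied by a MAC's assigned block with the maker found by an independent fingerprint. The registry entries, vendor names, sample observations and the fingerprint input are all constructed assumptions; the last sample shows the same-maker case the reply says would go unnoticed.

```python
import re

# Constructed OUI registry (not real IEEE assignments): first 3 octets -> maker.
OUI_REGISTRY = {"00AA01": "VendorA", "00BB02": "VendorB"}

def normalize_mac(mac):
    """Accept colon, dash or dotted notation; return 12 upper-case hex digits."""
    digits = re.sub(r"[:\-.]", "", mac).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def check_station(mac, fingerprinted_vendor):
    """Compare the maker implied by the MAC's OUI with the maker identified
    by an independent fingerprint (how that is obtained is assumed here)."""
    digits = normalize_mac(mac)
    # Bit 0x02 of the first octet marks a locally administered address,
    # which a maker-assigned (burned-in) address does not carry.
    if int(digits[:2], 16) & 0x02:
        return "locally-administered"
    oui_vendor = OUI_REGISTRY.get(digits[:6])
    if oui_vendor is None:
        return "unknown-oui"
    if oui_vendor != fingerprinted_vendor:
        return "vendor-mismatch"
    return "consistent"

# Constructed observations: (source MAC seen on air, fingerprinted maker).
OBSERVATIONS = [
    ("00:aa:01:12:34:56", "VendorA"),  # genuine VendorA card
    ("00-BB-02-65-43-21", "VendorA"),  # VendorA card claiming a VendorB MAC
    ("02:00:5e:10:00:01", "VendorB"),  # locally administered address
    ("00aa.0177.8899", "VendorA"),     # VendorA card cloning another VendorA MAC
]

def classify_all(observations):
    """Return (mac, verdict) for every observation."""
    return [(mac, check_station(mac, vendor)) for mac, vendor in observations]

if __name__ == "__main__":
    for mac, verdict in classify_all(OBSERVATIONS):
        print(f"{mac:20} {verdict}")
```

The fourth observation comes back as `consistent`, so catching it needs a signal other than the maker comparison.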



