I doubt it. I'm not sure how it's implemented on various
*nix flavours, but the usual method on Windows is via options
provided by the NIC driver from the manufacturer.
You could *theoretically* build something to walk the list
of installed adapters, invoke the Properties|Advanced dialog
for each one, and more or less "screenscrape" the relevant
options, but you'd have to customize the last bit for every
card you wanted to support -- and perhaps for each different
driver version, too.
Various switch manufacturers provide tools for detecting
and responding to changes in the client MAC address(es) on a
port. But these can't generally spot whether the change is
due to spoofing, or swapping out the client device (or its
NIC).
The things I've used which label some MAC addresses as
"spoofed" incorporate some knowledge of valid, invalid,
and reserved OUI prefixes, and are actually detecting whether
the MAC address is *credible* as a native hardware address or
not.
David Gillett
-----Original Message-----
From: listbounce@securityfocus.com
[mailto:listbounce@securityfocus.com] On Behalf Of
divinepresence@gmail.com
Sent: Wednesday, November 29, 2006 1:45 AM
To: security-basics@securityfocus.com
Subject: Detecting Spoofed MAC
Hi all
Is there a tool to determine whether the MAC has been spoofed
on a system (Win/*nix) for a given interface? Also, is it
possible to know the real MAC in such a case? I was wondering
if you could hook up to some system info API which would
provide you with this information assuming that this detail
is stored at some location which is not affected by spoofing.
Thanks
Ankur Jindal
