How to Detect the Original MAC Address After It Has Been Spoofed

Detect another host with the same MAC address

This question is too interesting to put down! After several false starts I started thinking about the essential components of the problem and scoured the RFCs for advice. I haven't found a definitive answer, but here's my thought process, in the hope that it helps:

  • The original question asks how to detect another device with your MAC address. Assuming you're on an IP network, what's required to accomplish this?

  • The passive method would be simply to listen to traffic and look for any packets that you didn't transmit but have your MAC address. This may or may not occur, so although it can tell you definitively if a duplicate exists, it cannot tell you definitively that it doesn't.

  • Any active method requires you to transmit a packet that forces an impostor to respond. This immediately eliminates any methods that depend on optional protocols.

  • If another device is spoofing you, it must (by definition) respond to packets with your MAC address as the destination. Otherwise it's snooping but not spoofing.

  • The solution should be independent of IP address and involve only the MAC address.

  • So the answer, it seems, would be to transmit either a broadcast (Ethernet) packet or a packet with your MAC address as its destination that requires a response. The monkey wrench is that an IP address is usually involved, and you don't know it.

What sort of protocol fits this description?

Easy Answer:

  • If your network supports BOOTP or DHCP, you're done, because this authoritatively binds a MAC address to an IP address. Send a BOOTP request, get an IP address, and try to talk to it. You may need to be creative to force the packet onto the wire and prevent yourself from responding (I'm thinking judicious use of iptables and NAT).

Not-so-easy Answers:

  • A protocol that's independent of IP: either one that doesn't use the IP layer, or one that allows broadcasts. None comes to mind.

  • Send any packet that would normally generate a response from you, prevent yourself from responding, and look for a response from another device. It would seem sensible to use your IP address as the destination, but I'm not convinced of that. Unfortunately, the details (and, therefore, the answer) are left as an exercise for the OP ... but I hope the discussion was helpful.

I suspect the final solution will involve a combination of techniques, as no single approach seems to guarantee a dependable determination.

Some information is available at http://en.wikipedia.org/wiki/ARP_spoofing#Defenses

If all else fails, you may enjoy this: http://www.rfc-editor.org/rfc/rfc2321.txt

Please post a follow-up with your solution, as I'm sure it will be helpful to others. Good luck!
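The passive method from the answer above, as an added example that is not part of the original post: it scans captured frames for your own MAC as the Ethernet source on anything you did not transmit, and, going one step beyond the answer, also checks the sender hardware address inside ARP payloads. It assumes capture records shaped like Linux AF_PACKET output (a packet type plus raw frame bytes); the MAC addresses and frames are constructed samples.

```python
import struct

# Linux AF_PACKET packet-type values from <linux/if_packet.h>; a raw socket
# reports one per captured frame, and PACKET_OUTGOING marks our own transmissions.
PACKET_HOST, PACKET_BROADCAST, PACKET_OUTGOING = 0, 1, 4
ETH_P_ARP, ETH_P_8021Q = 0x0806, 0x8100

def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_frame(frame):
    """Return (dst, src, ethertype, payload), skipping one 802.1Q tag if present."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    offset = 14
    if ethertype == ETH_P_8021Q and len(frame) >= 18:
        ethertype, offset = struct.unpack("!H", frame[16:18])[0], 18
    return dst, src, ethertype, frame[offset:]

def find_duplicates(own_mac, captures):
    """captures: iterable of (pkttype, frame_bytes). Returns a list of findings."""
    findings = []
    for index, (pkttype, frame) in enumerate(captures):
        if pkttype == PACKET_OUTGOING:
            continue  # we transmitted this frame ourselves
        try:
            dst, src, ethertype, payload = parse_frame(frame)
        except ValueError:
            continue  # runt frame, nothing to compare
        if src == own_mac:
            findings.append((index, "eth-src", fmt_mac(dst)))
        # ARP for Ethernet/IPv4: the sender hardware address is bytes 8..14
        elif ethertype == ETH_P_ARP and len(payload) >= 28 and payload[8:14] == own_mac:
            findings.append((index, "arp-sha", fmt_mac(src)))
    return findings

# Constructed sample capture (locally administered MACs, not real traffic).
OWN, PEER, BCAST = bytes.fromhex("020000000001"), bytes.fromhex("020000000002"), b"\xff" * 6
def eth(dst, src, etype, payload=b"\x00" * 46):
    return dst + src + struct.pack("!H", etype) + payload
ARP_REPLY = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 2,
                        OWN, bytes([192, 0, 2, 9]), PEER, bytes([192, 0, 2, 1]))
SAMPLE = [
    (PACKET_OUTGOING, eth(PEER, OWN, 0x0800)),       # our own transmission: ignored
    (PACKET_HOST, eth(OWN, PEER, 0x0800)),           # normal inbound frame
    (PACKET_BROADCAST, eth(BCAST, OWN, 0x0800)),     # our MAC as source, not sent by us
    (PACKET_HOST, eth(OWN, PEER, ETH_P_ARP, ARP_REPLY)),  # ARP payload claims our MAC
]
```

An empty result only means no duplicate was observed on this segment during the capture, which matches the answer's point that the passive method cannot prove absence.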

Over the www, does the server see my MAC address?

Was wondering if in end to end communication say between Facebook and
my computer, do the 2 ends know each other's MAC addresses?

No, they don't know.

Or does only my router know my MAC address, and the directly next link
from it know its, and so on so that Facebook only knows (out of the
devices in this particular communication) the MAC address of the final
router to pass my request to it?

Yes, check below for more details.

Over the www, can the server see my MAC address?

Not directly, but there can be a trail of search to get up to your MAC address. Actually, the MAC address changes at every hop of the packet's journey. So, your MAC address can be stored in packets received by the first router/system to which your system/router passes packets.

Only those devices can see a MAC address which are on the same LAN network.

I must be misunderstanding this, otherwise a VPN wouldn't be able to
fool the other end unless I simultaneously spoofed my MAC address,
right?

This is a very big story, but, in short, you could say that VPNs can fool in the cases when the MAC address has been spoofed or the proxy agent/server has been used for retrieving the same information. So, in that case, one can't get directly to the MAC address. But, remember, nothing is impossible, just hard.

MAC address of NIC card is changing

I used the technique from "Reliable method to get machine's MAC address in C#" to come up with a list of the devices on my machine.

       Status  NetworkInterfaceType  Speed      GetPhysicalAddress()  Description
    0  Down    Wireless80211         0          XXXXXXXXXXXX          Realtek RTL8188CUS Wireless LAN 802.11n USB Slim Solo
    1  Down    Wireless80211         0          XXXXXXXXXXXX          Microsoft Wi-Fi Direct Virtual Adapter
    2  Up      Ethernet              100000000  XXXXXXXXXXXX          Realtek PCIe GBE Family Controller
    3  Down    Ethernet              3000000    XXXXXXXXXXXX          Bluetooth Device (Personal Area Network)
    4  Up      Loopback                         XXXXXXXXXXXX          Software Loopback Interface 1
    5  Up      Tunnel                100000     00000000000000E0      Microsoft Teredo Tunneling Adapter
    6  Down    Tunnel                100000     00000000000000E0      Microsoft ISATAP Adapter

The problem is that I was always taking the first item in the list. Networks with Blackberry VPNs (and probably other things, including VMs) insert new devices wherever they see fit. Including the beginning of the list. For them, the order of the list changes a great deal.

So my resolution is to have my client send every Physical Address on the list in a pipe-separated field. The server will store one address, but will look against each item sent to it. If any match, then the client may start up.

This leaves one problem: how do I know at the time I register that I'm picking an address that will stay on the list (rather than one associated with a mobile unit that will likely walk away)? I thought about storing the whole list on the server, but that gets complicated quickly. Instead, I'll store the first active one on the server (the first time it logs in). Then I'll monitor who is getting denied and update their address, try to catch patterns, then maybe see if I can code a self-healing solution. The trick is doing so without negating all of the checks I've put in.

Is the iPhone's MAC address static? Looking for a way to identify which user is online

We use the MAC address as a unique identifier now that the UDID has been deprecated.

MAC addresses are hardware-based and therefore cannot be changed.

How to get TRUE hardware MAC address

The only means that Windows has to access the MAC address is asking the driver.

That's what the driver is for - to talk to the hardware so that Windows doesn't have to include code for every single device anyone might come up with ever.

If the driver is telling Windows that the MAC address is something, then that's what the MAC address is.
