Quote:
[Originally Posted by KSA;68107] This is what I want. Is there a way to read the REAL MAC address (hardware MAC address) even when the current MAC address (fake one) is spoofed by any spoofing tool like SMAC?
I was about to say you hadn't read the replies in this thread, then I looked at that SMAC tool in more detail.
Quote:
Does SMAC change the hardware MAC addresses?
No. SMAC changes software based MAC address that is interpreted by the network adapter device driver, which eventually pass to Windows operating system.
This FAQ answer is technical rubbish, but clearly it doesn't update the MAC in the EEPROM on the card, which is what I thought it did. What it appears to do is to register a virtual network card with the o/s, just like how VMware or NLB works. Unfortunately the site doesn't fully explain what SMAC does, but clearly it must mess around with the routing to ensure all network traffic goes out the virtual card rather than the physical one (as far as Windows is concerned).
So actually you have a separate problem here - as far as everything except the SMAC driver is concerned, the SMAC network card is a real card. On that basis I bet the SMAC card requires its own IP address and doesn't share the IP of the physical card, as that would really screw things up.
So here's another suggestion. Why not send a packet out on the subnet broadcast address then check the ARP table for all the known MAC addresses. Compare each of those MAC addresses to the MAC addresses of all the network adapters in your machine. If you find 2 MAC addresses in the ARP table that match 2 network adapters in your machine, you've got something funny going on.
Here's the reason why. In a dual-homed PC (one with 2 network cards), each card will normally be addressed in different subnets. It's useless to address 2 cards in the same subnet as the routing will be screwed up. Sending a packet out to the broadcast address will cause every machine on the subnet to respond, which will populate your ARP table with the MACs of all the machines on the subnet.
Here's an example:
My machine, physical NIC, MAC: FF:FF:FF:FF:FF:01
My machine, fake SMAC adapter MAC: FF:FF:FF:FF:FF:02
Bob's machine, same bit of wire/subnet, MAC: FF:FF:FF:FF:FF:03
Dave's machine, same bit of wire/subnet, MAC: FF:FF:FF:FF:FF:04
Assume we're all addressed in 192.168.0.1 to 0.4, class C subnet.
I clear my ARP cache, then ping 192.168.0.255. I don't care which adapter this goes out of, but for argument's sake let's say it goes out my physical NIC, IP 192.168.0.1.
I'll get a response from 192.168.0.2, 0.3 and 0.4. That means in my ARP cache right now I have my two MAC addresses and the MAC addresses of Bob and Dave's machines. Because I got responses from Bob and Dave I know I'm connected to a bit of wire and I'm on a valid subnet.
So, in code, I'll scan through the ARP cache and check if the MAC addresses match any MAC addresses on my local machine. If more than one matches (in this case, 192.168.0.1 and 0.2), I have more than one adapter connected to the same subnet which pretty much guarantees something is funny.
This all falls down on 2 assumptions. First, that SMAC works how I think it does, and second that VMware exhibits the exact same behaviour and so would fail this test.... I think there's another flaw in my logic somewhere but I can't quite spot it.
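The ARP-cache comparison described in the post above, as an added example that is not part of the original post: it parses a table in the Windows `arp -a` layout and applies the post's rule as stated (more than one local adapter MAC found in the table). The sample table, the adapter inventory and the adapter names are constructed from the post's illustrative addresses; on a real machine the caller would supply the captured `arp -a` text and the adapter list.

```python
import re

# Constructed sample in the Windows `arp -a` layout, using the post's
# illustrative addresses (not captured from a real machine).
SAMPLE_ARP = """\
Interface: 192.168.0.1 --- 0x2
  Internet Address      Physical Address      Type
  192.168.0.1           ff-ff-ff-ff-ff-01     dynamic
  192.168.0.2           ff-ff-ff-ff-ff-02     dynamic
  192.168.0.3           ff-ff-ff-ff-ff-03     dynamic
  192.168.0.4           ff-ff-ff-ff-ff-04     dynamic
"""
# Constructed adapter inventory; the adapter names are hypothetical.
SAMPLE_LOCAL = {"Physical NIC": "FF:FF:FF:FF:FF:01",
                "SMAC adapter": "FF:FF:FF:FF:FF:02"}

MAC_RE = re.compile(r"(?:[0-9a-f]{2}[-:]){5}[0-9a-f]{2}", re.I)

def norm_mac(mac):
    """Canonical form so 'FF-FF-..' and 'ff:ff:..' compare equal."""
    return mac.strip().lower().replace("-", ":")

def parse_arp_table(text):
    """Return [(ip, mac)] for each address row; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and MAC_RE.fullmatch(parts[1]):
            rows.append((parts[0], norm_mac(parts[1])))
    return rows

def local_macs_in_arp(arp_text, local_adapters):
    """Return sorted [(adapter, ip, mac)] for local MACs found in the ARP table."""
    wanted = {norm_mac(mac): name for name, mac in local_adapters.items()}
    return sorted((wanted[mac], ip, mac)
                  for ip, mac in parse_arp_table(arp_text) if mac in wanted)

def looks_suspicious(arp_text, local_adapters):
    """The post's rule: more than one local adapter matched in the ARP table."""
    hits = local_macs_in_arp(arp_text, local_adapters)
    return len({name for name, _, _ in hits}) > 1

if __name__ == "__main__":
    for name, ip, mac in local_macs_in_arp(SAMPLE_ARP, SAMPLE_LOCAL):
        print(f"{name}: {ip} {mac}")
    print("suspicious:", looks_suspicious(SAMPLE_ARP, SAMPLE_LOCAL))
```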