Media Access Control (MAC) addresses used to be thought of as the fingerprint for network devices, until a number of ways to spoof a MAC address became freely available. Because MAC addresses are used as access controls on a number of wireless routers, attackers have begun using spoofed MAC addresses to gain access by impersonating the original machine. While there is no technique for confirming a spoofed MAC address, having a list of allowed clients’ host names, IP addresses and MAC addresses lets you make accurate guesses.
Compile a list of all of the machines on your network. If you use a static IP scheme, write those down along with host names and MAC addresses. Using a standardized naming scheme for host names can help you quickly identify impersonators.
Launch a network monitoring program such as ettercap, tcpdump or Wireshark. All of these applications use the same libraries and run in nearly identical ways. Click “Capture,” choose a network interface card and click the “Start” menu. These applications allow you to monitor connections and packets in real time. If a connected user is suddenly drowned out by a spoofed MAC address or by an attacker poisoning the ARP tables, alerts will appear in real time, enabling you to stop the attacker quickly.
Examine a MAC address in your network monitoring program and compare it with the machine’s host name. Attackers will often change their MAC address but forget to change their computer’s host name to match the network device they are impersonating. This is a dead giveaway of a spoofed MAC address.
Compare the IP addresses on your list with those of a suspected attacker. While a MAC address will stay tied to a static IP address, attackers may choose to allow DHCP to configure an IP address for them. The difference will be the other sure giveaway of a spoofed MAC address.
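The host name and IP comparisons described above can be run automatically once the inventory exists. The following Python code is an added example, not part of the original article; the inventory, the observed records and every name in it are constructed for illustration, and it also flags MAC addresses that are missing from the list or that appear with more than one IP address.

```python
# Added example: constructed data, hypothetical names throughout.
# Inventory compiled in advance: MAC -> (expected host name, expected static IP).
INVENTORY = {
    "00:00:5E:00:53:10": ("acct-ws-01", "192.168.1.10"),
    "00:00:5E:00:53:11": ("acct-ws-02", "192.168.1.11"),
}

# Constructed observations (mac, ip, host name), as might be copied out of a
# capture's ARP and DHCP traffic.
OBSERVED = [
    ("00:00:5e:00:53:10", "192.168.1.10", "acct-ws-01"),
    ("00-00-5E-00-53-11", "192.168.1.11", "ACCT-WS-02"),
    ("00:00:5e:00:53:10", "192.168.1.147", "laptop-7f3a"),
    ("00:00:5e:00:53:99", "192.168.1.150", "guest-pc"),
]

def normalize_mac(mac):
    """Lower-case and use ':' separators so different notations compare equal."""
    return mac.strip().lower().replace("-", ":")

def check_observations(inventory, observed):
    """Return (mac, kind, detail) findings for records that contradict the inventory."""
    known = {normalize_mac(m): v for m, v in inventory.items()}
    findings, ips_by_mac = [], {}
    for mac, ip, host in observed:
        mac = normalize_mac(mac)
        if mac not in known:
            findings.append((mac, "not-in-inventory", f"{host} at {ip}"))
            continue
        exp_host, exp_ip = known[mac]
        ips_by_mac.setdefault(mac, set()).add(ip)
        if host.lower() != exp_host.lower():
            findings.append((mac, "hostname-mismatch", f"saw {host}, expected {exp_host}"))
        if ip != exp_ip:
            findings.append((mac, "ip-mismatch", f"saw {ip}, expected {exp_ip}"))
    # One listed MAC seen with several IPs suggests two machines are sharing it.
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:
            findings.append((mac, "multiple-ips", ", ".join(sorted(ips))))
    return findings

if __name__ == "__main__":
    for mac, kind, detail in check_observations(INVENTORY, OBSERVED):
        print(f"{mac}  {kind:18}  {detail}")
```

A finding is a lead for manual follow-up in the capture, not proof of spoofing: a legitimate machine that was renamed or re-addressed will trip the same checks until the inventory is updated.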