Penetration Testing mailing list archives
Re: [PEN-TEST] Changing MAC address on Win2k
From: Ryan Permeh <ryan () EEYE COM>
Date: Wed, 14 Feb 2001 14:19:24 -0800
actually, with a tiny device driver, you don't even need to think about the actual card. MAC address is kept in kernel memory with the hardware description of the card. rewrite that bit of memory in a kernel driver and that's all it takes. Signed, Ryan eEye Digital Security Team http://www.eEye.com ----- Original Message ----- From: "Peter Van Epp" <vanepp () SFU CA> To: <PEN-TEST () SECURITYFOCUS COM> Sent: Wednesday, February 14, 2001 7:49 AM Subject: Re: Changing MAC address on Win2k
Whether Prom, Eprom or EEprom the MAC address gets read by the CPU from the (e, ee)prom and written in to the Ethernet chip on board (which
by
default has no MAC address) during machine initialization during boot by
the
BIOS (reading the option prom on the Ethernet card). You have always been
able
to write any MAC address you please into an Ethernet card without regard
to
what media the MAC address is stored in on the card so the media that is storing the built in MAC address is inmaterial. You don't need to change
the
prom to change a MAC address (this appears to be what fools so many manufacturers) you only need the data sheet for the Ethernet chip and to
know
where in I/O space the chips registers are. If you don't have the data
sheet,
using debug to trace the card initialization code that gets executed
during
the BIOS post (which vectors from a well known address) will usually tell
you
(assuming you can read assembler and are familiar with device driver programming) all that you need to know in order to change the MAC address. Peter Van Epp / Operations and Technical Support Simon Fraser University, Burnaby, B.C. CanadaUntil recently, MAC addresses were stored in EPROM's (i.e. only
resettable
with UV light), or before that, PROM's - write once. Do they use EEPROMs now? alex On Tue, 13 Feb 2001, Peter Van Epp wrote:Changing the arp cache entry will not change the MAC address the card is using, it will only change the MAC address associated with the IP
in the
arp cache. As someone mentioned you need to convince the card driver
to change
the MAC address. Failing that you need to find the I/O address of the
Ethernet
chip where the MAC address is written. This is generally trivial using
debug
and the initialization ROM on the card. I always have a good laugh
when a
vendor tells me that "you can't change MAC addresses so our product
(which
depends on MAC addresses) is secure". Its never taken me more than 1/2
an hour
to find the necessary ports on the Ethernet chip (and your CPU writes
the
MAC address from prom/flash to the Enet chip during BIOS boot up in
all cases
execpt where there is a CPU on the Enet card which is quite rare). Not
all
salesbeings seem to understand this however ... One note: when doing
this
make sure you use a valid MAC address (such as one stolen from a card
which
is disconnected and in your hand) because duplicate MAC addresses on a
network
will cause excitement. Peter Van Epp / Operations and Technical Support Simon Fraser University, Burnaby, B.C. CanadaHi all! :) Is Working only in Win2k ?? Because i try it here in my Nt 4.0 +SP6a ...but i didn't had error
in arp
command...but didn't work...look: Configura?Æo de IP do Windows NT Nome do host . . . . . . . . . . : nt_hadrion.hadrion.com Servidores DNS . . . . . . . . . : Tipo de n¢ . . . . . . . . . . . : H¡brida Identificador de escopo NetBIOS. : Roteamento de IP ativado . . . . : Sim Proxy WINS ativado . . . . . . . : NÆo Resolu?Æo NetBIOS usa DNS. . . . : NÆo Ethernet adaptador E100B1: Descri?Æo. . . . . . . . . . . . : Intel EtherExpress PRO PCI
Adapter
Endere?o f¡sico. . . . . . . . . : 00-10-DC-0D-40-27 DHCP ativado . . . . . . . . . . : NÆo Endere?o IP. . . . . . . . . . . : 192.168.151.100 M scara de sub-rede. . . . . . . : 255.255.255.0 Gateway padrÆo . . . . . . . . . : 192.168.151.1 Servidor WINS prim rio . . . . . : 120.120.120.2 Ethernet adaptador NdisWan4: Descri?Æo. . . . . . . . . . . . : NdisWan Adapter Endere?o f¡sico. . . . . . . . . : 00-00-00-00-00-00 DHCP ativado . . . . . . . . . . : NÆo Endere?o IP. . . . . . . . . . . : 0.0.0.0 M scara de sub-rede. . . . . . . : 0.0.0.0 Gateway padrÆo . . . . . . . . . : Then i do to test: arp -s 192.168.151.100 00-10-DC-0D-40-40 changing only the ultimate 2 numbers of mac...and it didn't show-me error...but when i verify my mac appear igual before! look (same
mac):
Ethernet adaptador E100B1: Descri?Æo. . . . . . . . . . . . : Intel EtherExpress PRO PCI
Adapter
Endere?o f¡sico. . . . . . . . . : 00-10-DC-0D-40-27 DHCP ativado . . . . . . . . . . : NÆo Endere?o IP. . . . . . . . . . . : 192.168.151.100 M scara de sub-rede. . . . . . . : 255.255.255.0 Gateway padrÆo . . . . . . . . . : 192.168.151.1 Servidor WINS prim rio . . . . . : 120.120.120.2 Thkz... until more! =) -----Mensagem original----- De: N0sferatu <satan () TM NET MY> Para: PEN-TEST () SECURITYFOCUS COM <PEN-TEST () SECURITYFOCUS COM> Data: Domingo, 11 de Fevereiro de 2001 23:47 Assunto: Re: [PEN-TEST] Changing MAC address on Win2k ; I don't really know whether this is correct but I have tried and
found
that the MAC address can be changed in Win2k by issuing this command
:
arp -s ip-of-the-computer mac-address though it might be wrong.. \ -----Original Message----- From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM]On
Behalf
Of Parth Galen Sent: Monday, February 12, 2001 4:46 AM To: PEN-TEST () SECURITYFOCUS COM Subject: [PEN-TEST] Changing MAC address on Win2k I recently read in Pen-Test that the MAC could be changed in Win2k.
I have
looked on the web for info, and in the archives at Security Focus
but can
not find any "How To" information. Nothing on my system offers any
obvious
opportunity either. So, can anyone tell my how to change the MAC on Win2k. This has to do with better anonymity while doing Pen-Tests. It is
nice to
hop through proxies, but my MAC is always there to ID me.
Specifically, I
working in a multi-site company, and their ID (they tell me) is
blocking my
work based on MAC. Changing IP does not help. Thanks Much, Parth Get your small business started at Lycos Small Business at http://www.lycos.com/business/mail.html
Current thread:
- Re: [PEN-TEST] Changing MAC address on Win2k, (continued)
- Re: [PEN-TEST] Changing MAC address on Win2k Abe Getchell (Feb 11)
- Re: [PEN-TEST] Changing MAC address on Win2k Fulton L. Preston Jr. (Feb 12)
- Re: [PEN-TEST] Changing MAC address on Win2k Adrien de Beaupre (Feb 12)
- Re: [PEN-TEST] Changing MAC address on Win2k -=Quequero=- (Feb 13)
- Re: [PEN-TEST] Changing MAC address on Win2k sekure (Feb 13)
- Re: [PEN-TEST] Changing MAC address on Win2k Peter Van Epp (Feb 13)
- Re: [PEN-TEST] Changing MAC address on Win2k bacano (Feb 13)
- Re: [PEN-TEST] Changing MAC address on Win2k Alex Tibbles (Feb 13)
- Re: [PEN-TEST] Changing MAC address on Win2k Lars Gaarden (Feb 14)
- Re: [PEN-TEST] Changing MAC address on Win2k Peter Van Epp (Feb 14)
- Re: [PEN-TEST] Changing MAC address on Win2k Ryan Permeh (Feb 14)
- Re: [PEN-TEST] Changing MAC address on Win2k Peter Van Epp (Feb 13)
- Re: [PEN-TEST] Changing MAC address on Win2k Hugo Fortier (Feb 13)
- Re: [PEN-TEST] Changing MAC address on Win2k Olli Artemjev (Feb 14)
- Re: [PEN-TEST] bs (Feb 14)