Penetration Testing mailing list archives

Change MAC Address on Win2K & XP


From: Kyle Lai <aladin168 () hotmail com>
Date: 22 Nov 2002 22:37:08 -0000



I know many of you want to answer "NO" or "ONLY if you can find the 
option in the NIC advanced properties", because that's the answer I heard 
all the time throughout my research.

However, the answer is: YES!!!!!!!!!!

ALMOST ALL NIC CAN BE SPOOFED, EVEN IF MANUFACTURERS DON'T INCLUDE 
OPTIONS IN THE ADVANCED PROPERTIES.

I wrote a detailed instruction on how to change MAC address on Windows 
2000 & XP, and you can find it at:

http://www.kylelai.com/Change_MAC_w2k.htm

I know there was one discussion before, but that thread offered no 
solutions...  I researched for a long time, and I finally discovered the 
solution through Microsoft MSDN Driver Development Kit (DDK) and Win2K 
resource kit.  I have had many people test my instructions, and I haven't 
found a NIC that can't be spoofed.  Not to say there isn't one out there.

The method is to call a DDK function - NdisReadNetworkAddress.

NdisReadNetworkAddress(...) is called by the network adapter driver to 
obtain a user-specified MAC address in the registry. After the driver 
confirms that there's a valid MAC address specified in the registry key, 
the driver then programs the MAC address to its hardware registers to 
override the burn-in MAC address.

Not all manufacturers support this function, I heard, but like I said, I 
haven't seen one NIC that can't be spoofed.  I am interested in learning 
which brand and model can't be spoofed.  If you know of any, please send 
me an email.

I think this discovery might not be new to the device driver developers, 
but it certainly is still a well-kept secret to lots of security 
professionals out there.  Therefore, I decided to reveal this secret 
because there are too many wrong answers out there.

I am also writing a free tool, SMAC, to change MAC address on Windows 
2000 & XP.  I basically plan to incorporate the technique I discovered 
with some other functionalities.  SMAC 1.0 is due to release in a few 
weeks.  Please check www.kylelai.com for updates.

Cheers,
/Kyle
Kyle Lai, CISSP, CISA
InfoSec Consultant
kyle () kylelai com
www.kylelai.com
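
The registry lookup described in the post can be audited from the defender's side. The following is an added example, not part of the original post or of SMAC: it parses `reg query ... /s` output for the network adapter class key and lists adapters that carry a user-specified MAC. It assumes the override is stored in the `NetworkAddress` value (the keyword NDIS documents for NdisReadNetworkAddress); the adapter names and addresses in the sample are constructed.

```python
import re

# Network adapter class key; each numbered subkey is one adapter instance.
CLASS_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class"
             r"\{4D36E972-E325-11CE-BFC1-08002BE10318}")
# Constructed sample of `reg query <CLASS_KEY> /s` output (not from a real host).
SAMPLE = "\n".join([
    CLASS_KEY + r"\0000",
    "    DriverDesc    REG_SZ    Example Ethernet Adapter A",
    CLASS_KEY + r"\0001",
    "    DriverDesc    REG_SZ    Example Ethernet Adapter B",
    "    NetworkAddress    REG_SZ    02AABBCCDDEE",
    CLASS_KEY + r"\0002",
    "    DriverDesc    REG_SZ    Example Wireless Adapter C",
    "    NetworkAddress    REG_SZ    00-11-22-33-44-55",
])
VALUE_RE = re.compile(r"^\s+(.+?)\s{4}(REG_\w+)(?:\s{4}(.*))?$")

def parse_reg_query(text):
    """Return {key_path: {value_name: data}} parsed from `reg query /s` text."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = keys.setdefault(line.strip(), {})
        elif current is not None and (m := VALUE_RE.match(line)):
            current[m.group(1)] = (m.group(3) or "").strip()
    return keys

def find_mac_overrides(text):
    """List adapters whose registry carries a user-specified MAC address."""
    findings = []
    for path, values in parse_reg_query(text).items():
        digits = re.sub(r"[-:]", "", values.get("NetworkAddress", "")).upper()
        if not digits:
            continue  # no override: the driver keeps the burned-in address
        ok = re.fullmatch(r"[0-9A-F]{12}", digits) is not None
        first = int(digits[:2], 16) if ok else 0
        findings.append({
            "instance": path.rsplit("\\", 1)[-1],
            "adapter": values.get("DriverDesc", "?"),
            "mac": digits,
            "well_formed": ok,
            "multicast": bool(first & 0x01),             # not a valid station address
            "locally_administered": bool(first & 0x02),  # U/L bit set
        })
    return findings

if __name__ == "__main__":
    print(*find_mac_overrides(SAMPLE), sep="\n")
```

An override without the locally-administered bit (instance 0002 in the sample) is the case worth comparing against switch or DHCP records, since it can match another device's vendor-assigned address.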
