RE: NIC Hardware Address


Hi all,

Brian's code is certainly useful.  You should check to make sure that the 
system isn't set up to report a custom (or 'spoofed') MAC address.

Try this (Windows XP).

Run Brian's program.  It should correctly ID the MAC address (it worked 
perfectly on my machine).

Then do this:
Open a cmd prompt and type:
net config rdr

You will see a line something like this in the output:
NetBT_Tcpip_{9C2C2745-99DF-46E9-8345-4BF5198A1629} (00D059D97B88)

The second number is the MAC address (or not, you'll see).  But the number 
in the squiggly brackets is what you're interested in.  Copy it to the 
clipboard.

Open the registry using regedt32, and browse to this exact key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}

Here, you will see a bunch of subkeys, 0000, 0001, and so on.  These 
represent the different possible network devices in your system.  Look 
through the keys until you find the one with a value 'NetCfgInstanceId' 
whose data is set to the big number in squiggly brackets you copied from 
the DOS prompt.

Suppose yours matched in the 0001 key (that's where mine did, but it could 
be in the 0000 key or wherever).  Add the following STRING value there:
Name: NetworkAddress
Value: For now, just set it the same as your real MAC address, but change 
only the last digit.  For instance, my registry entry for the 
NetworkAddress value in the 0001 subkey looks like:

NetworkAddress      REG_SZ     00D059D97B22

Now to see the change, either disable/enable the network interface, or 
reboot Windows.

Lastly, run Brian's program again.  It now reports your fake MAC address. 
Run 'net config rdr' again from the cmd prompt.  It too reports the fake 
address.

So if you're doing something that checks for a MAC address, it should also 
check for the 'NetworkAddress' value in one of the 0000, 0001, etc. subkeys, 
to see if someone has altered Windows to report an alternate address.

You also should consider that some cards can have their nvram reprogrammed 
with an alternate MAC address.  What this shows is that even on a card that 
doesn't have that feature, or where that feature has been disabled, MAC 
spoofing is still entirely possible.

This may have no bearing on what you're ('you' being whoever asked about 
this) doing, and I don't mean to detract from Brian's program.  It does 
exactly what he says it does.  I just wanted to point out that it is almost 
impossible to be absolutely certain of a system's MAC address.

And also, this is just kind of interesting.

More info: <http://www.klcconsulting.net/>

Ted

--On Wednesday, October 01, 2003 1:07 AM +0000 Brian Broker <bkb at cnw.com> 
wrote:

>
>
> Hi C.K.
>
> I tried the 'GetAdaptersInfo' function and got a working demo.
>
> Get it from http://cnw.com/~bkb/Eu/MAC.zip (case sensitive)
>
> Let me know if that works for you...
> -- Brian
>
> Brian Broker wrote:
>>
>>
>> Well, if you want support for all OSes you could use the Netbios
>> function but that assumes your card is bound to NetBIOS (MSDN provides
>> an example in C). Or you could use the GetAdaptersInfo function, but
>> that is only supported in Windows XP, Windows 2000 Professional, Windows
>> Me, and Windows 98.
>>
>> Which method would you prefer to use?  I could try translating C code
>> that I've found... (Also, I don't know whether there are any libs in the
>> archive that might help.)
>>
>> -- Brian
>>
>> C. K. Lester wrote:
>> >
>> >
>> > Good stuff... 'cept I need it for Windows! getlost
>> >
>> > ----- Original Message -----
>> >
>> >
>> > > its real easy in dos
>> >
>> > <snippage occurred>
>> >
>> >
>
>
>
>
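
The check Ted recommends (look for a 'NetworkAddress' value under the 0000, 0001, ... subkeys), sketched as an added example that is not part of the original post or of Brian's program. The function names, the SAMPLE data and the first GUID in it are constructed for illustration; the registry path and value names are the ones given in the message.

```python
import re

# Network adapter class key named in the message (under HKEY_LOCAL_MACHINE).
CLASS_KEY = (r"SYSTEM\CurrentControlSet\Control\Class"
             r"\{4D36E972-E325-11CE-BFC1-08002bE10318}")

def normalize_mac(text):
    """Return 12 uppercase hex digits, or None if text is not a MAC."""
    digits = re.sub(r"[-:.\s]", "", text or "").upper()
    return digits if re.fullmatch(r"[0-9A-F]{12}", digits) else None

def find_overrides(adapters):
    """Map NetCfgInstanceId -> overriding MAC for adapters with NetworkAddress set."""
    found = {}
    for values in adapters.values():
        mac = normalize_mac(values.get("NetworkAddress"))
        guid = values.get("NetCfgInstanceId")
        if mac and guid:          # empty or malformed values are not overrides
            found[guid.upper()] = mac
    return found

def read_adapters():
    """Read the 0000, 0001, ... subkeys on Windows (winreg is Windows-only)."""
    import winreg
    adapters = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, CLASS_KEY) as cls:
        for i in range(winreg.QueryInfoKey(cls)[0]):
            name = winreg.EnumKey(cls, i)
            if not re.fullmatch(r"\d{4}", name):
                continue          # skip non-adapter subkeys
            try:
                with winreg.OpenKey(cls, name) as sub:
                    values = {}
                    for field in ("NetCfgInstanceId", "NetworkAddress"):
                        try:
                            values[field] = str(winreg.QueryValueEx(sub, field)[0])
                        except FileNotFoundError:
                            pass  # value absent: no override on this adapter
                    adapters[name] = values
            except OSError:
                continue          # subkey not readable with current rights
    return adapters

# Constructed sample mirroring the message: 0001 carries the altered address.
SAMPLE = {
    "0000": {"NetCfgInstanceId": "{11111111-2222-3333-4444-555555555555}"},
    "0001": {"NetCfgInstanceId": "{9C2C2745-99DF-46E9-8345-4BF5198A1629}",
             "NetworkAddress": "00D059D97B22"},
}
```

On a Windows machine, find_overrides(read_adapters()) lists every adapter whose reported address comes from the registry. An empty result does not rule out the reprogrammed-NVRAM case mentioned in the message.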
