OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Re: MAC addresses
From: Marc Maiffret (marcEEYE.COM)
Date: Sun Aug 06 2000 - 10:49:13 CDT


null session? You don't need to use a null session to get a MAC via NetBIOS.

Simply send:
char
getnbcrap[]="\x90\xA0\x00\x10\x00\x01\x00\x00\x00\x00\x00\x00\x20\x43\x4B\x4
1\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x4
1\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x00\x00\x21\x00\x01"
srcport=137
dstport=137
grab the return packet to yourip port 137, the mac is right after
"\x20\x20\x03\x04\x00\x00" or something close to that

---
you could always just type C:\>nbtstat -A 192.168.1.67 | find "MAC Address
=" but then that's not as fun.

me and Ryan will probably release a dumb daemon soon that spoofs return nbtstat's. So that way you can play with overflowing a remote attackers nbtstat.exe (possibly) when they are trying to probe you, or at least return fun things like workgroup=mymotherhasbetterhackingskillsthenyou.

Signed, Marc Maiffret Chief Hacking Officer eCompany / eEye T.949.349.9062 F.949.349.9538 http://eEye.com

"Your a slave to the system, working jobs that you hate, for that crap you don't need."

| -----Original Message----- | From: Focus on Microsoft Mailing List | [mailto:FOCUS-MSSECURITYFOCUS.COM]On Behalf Of H Carvey | Sent: Sunday, August 06, 2000 12:23 AM | To: FOCUS-MSSECURITYFOCUS.COM | Subject: Re: MAC addresses | | | MAC addresses can be retrieved from NT systems via | null sessions...and the manufacturer can be determined | by looking the codes up at the IEEE site, if that's | necessary. Both can be easily accomplished in Perl. | | --- Ruud van Buren <ruudQUILTWEB.NL> wrote: | > Hi, | > | > I've got a question about MAC addresses. On my | > Windows machine I use the | > BlackICE Defender firewall among others, wich most | > of the time can find the | > MAC address of a intruder. Does anybody know in wich | > way a MAC address of a | > remote computer can be retrieved and if there is a | > way to block it? | > References to books, web pages, etc. | > that would provide more insight we be useful too. | > | > Thanks a lot, | > | > Ruud van Buren | > rvanburenquiltweb.nl | | | __________________________________________________ | Do You Yahoo!? | Kick off your party with Yahoo! Invites. | http://invites.yahoo.com/ |