OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: bacano (bacanoESOTERICA.PT)
Date: Tue Feb 13 2001 - 16:16:41 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    A nice paper about the subject:
    http://www.atstake.com/research/reports/mac_address_cloning.pdf

    [ ]'s bacano

    ----- Original Message -----
    From: "Peter Van Epp" <vaneppSFU.CA>
    To: <PEN-TESTSECURITYFOCUS.COM>
    Sent: Tuesday, February 13, 2001 8:16 PM
    Subject: Re: [PEN-TEST] Changing MAC address on Win2k

    > Changing the arp cache entry will not change the MAC address the card
    > is using, it will only change the MAC address associated with the IP in
    the
    > arp cache. As someone mentioned you need to convince the card driver to
    change
    > the MAC address. Failing that you need to find the I/O address of the
    Ethernet
    > chip where the MAC address is written. This is generally trivial using
    debug
    > and the initialization ROM on the card. I always have a good laugh when a
    > vendor tells me that "you can't change MAC addresses so our product (which
    > depends on MAC addresses) is secure". Its never taken me more than 1/2 an
    hour
    > to find the necessary ports on the Ethernet chip (and your CPU writes the
    > MAC address from prom/flash to the Enet chip during BIOS boot up in all
    cases
    > execpt where there is a CPU on the Enet card which is quite rare). Not all
    > salesbeings seem to understand this however ... One note: when doing this
    > make sure you use a valid MAC address (such as one stolen from a card
    which
    > is disconnected and in your hand) because duplicate MAC addresses on a
    network
    > will cause excitement.
    >
    > Peter Van Epp / Operations and Technical Support
    > Simon Fraser University, Burnaby, B.C. Canada
    >
    >
    > >
    > > Hi all! :)
    > > Is Working only in Win2k ??
    > > Because i try it here in my Nt 4.0 +SP6a ...but i didn't had error in
    arp
    > > command...but didn't work...look:
    > >
    > > Configura?Æo de IP do Windows NT
    > >
    > > Nome do host . . . . . . . . . . : nt_hadrion.hadrion.com
    > > Servidores DNS . . . . . . . . . :
    > > Tipo de n¢ . . . . . . . . . . . : H¡brida
    > >
    > > Identificador de escopo NetBIOS. :
    > > Roteamento de IP ativado . . . . : Sim
    > > Proxy WINS ativado . . . . . . . : NÆo
    > > Resolu?Æo NetBIOS usa DNS. . . . : NÆo
    > >
    > > Ethernet adaptador E100B1:
    > >
    > > Descri?Æo. . . . . . . . . . . . : Intel EtherExpress PRO PCI Adapter
    > > Endere?o f¡sico. . . . . . . . . : 00-10-DC-0D-40-27
    > > DHCP ativado . . . . . . . . . . : NÆo
    > > Endere?o IP. . . . . . . . . . . : 192.168.151.100
    > > M scara de sub-rede. . . . . . . : 255.255.255.0
    > > Gateway padrÆo . . . . . . . . . : 192.168.151.1
    > > Servidor WINS prim rio . . . . . : 120.120.120.2
    > >
    > > Ethernet adaptador NdisWan4:
    > >
    > > Descri?Æo. . . . . . . . . . . . : NdisWan Adapter
    > > Endere?o f¡sico. . . . . . . . . : 00-00-00-00-00-00
    > > DHCP ativado . . . . . . . . . . : NÆo
    > > Endere?o IP. . . . . . . . . . . : 0.0.0.0
    > > M scara de sub-rede. . . . . . . : 0.0.0.0
    > > Gateway padrÆo . . . . . . . . . :
    > >
    > > Then i do to test: arp -s 192.168.151.100 00-10-DC-0D-40-40
    > > changing only the ultimate 2 numbers of mac...and it didn't show-me
    > > error...but when i verify my mac appear igual before! look (same mac):
    > >
    > > Ethernet adaptador E100B1:
    > >
    > > Descri?Æo. . . . . . . . . . . . : Intel EtherExpress PRO PCI Adapter
    > > Endere?o f¡sico. . . . . . . . . : 00-10-DC-0D-40-27
    > > DHCP ativado . . . . . . . . . . : NÆo
    > > Endere?o IP. . . . . . . . . . . : 192.168.151.100
    > > M scara de sub-rede. . . . . . . : 255.255.255.0
    > > Gateway padrÆo . . . . . . . . . : 192.168.151.1
    > > Servidor WINS prim rio . . . . . : 120.120.120.2
    > >
    > > Thkz...
    > > until more! =)
    > >
    > > -----Mensagem original-----
    > > De: N0sferatu <satanTM.NET.MY>
    > > Para: PEN-TESTSECURITYFOCUS.COM <PEN-TESTSECURITYFOCUS.COM>
    > > Data: Domingo, 11 de Fevereiro de 2001 23:47
    > > Assunto: Re: [PEN-TEST] Changing MAC address on Win2k
    > >
    > >
    > > ; I don't really know whether this is correct but I have tried and found
    > > that the MAC address can be changed in Win2k by issuing this command :
    > > arp -s ip-of-the-computer mac-address
    > >
    > > though it might be wrong..
    > >
    > > \
    > >
    > > -----Original Message-----
    > > From: Penetration Testers [mailto:PEN-TESTSECURITYFOCUS.COM]On Behalf
    > > Of Parth Galen
    > > Sent: Monday, February 12, 2001 4:46 AM
    > > To: PEN-TESTSECURITYFOCUS.COM
    > > Subject: [PEN-TEST] Changing MAC address on Win2k
    > >
    > >
    > > I recently read in Pen-Test that the MAC could be changed in Win2k. I
    have
    > > looked on the web for info, and in the archives at Security Focus but
    can
    > > not find any "How To" information. Nothing on my system offers any
    obvious
    > > opportunity either.
    > >
    > > So, can anyone tell my how to change the MAC on Win2k.
    > >
    > > This has to do with better anonymity while doing Pen-Tests. It is nice
    to
    > > hop through proxies, but my MAC is always there to ID me. Specifically,
    I
    > > working in a multi-site company, and their ID (they tell me) is blocking
    my
    > > work based on MAC. Changing IP does not help.
    > >
    > > Thanks Much,
    > > Parth
    > >
    > >
    > > Get your small business started at Lycos Small Business at
    > > http://www.lycos.com/business/mail.html
    > >
    >