From: Ryan Permeh (ryanEEYE.COM)
Date: Wed Feb 14 2001 - 16:19:24 CST

    Actually, with a tiny device driver, you don't even need to think about the
    actual card. The MAC address is kept in kernel memory with the hardware
    description of the card. Rewrite that bit of memory in a kernel driver and
    that's all it takes.
    Signed,
    Ryan
    eEye Digital Security Team
    http://www.eEye.com

    ----- Original Message -----
    From: "Peter Van Epp" <vaneppSFU.CA>
    To: <PEN-TESTSECURITYFOCUS.COM>
    Sent: Wednesday, February 14, 2001 7:49 AM
    Subject: Re: Changing MAC address on Win2k

    > Whether Prom, Eprom or EEprom the MAC address gets read by the CPU
    > from the (e, ee)prom and written into the Ethernet chip on board (which
    > by default has no MAC address) during machine initialization during boot
    > by the BIOS (reading the option prom on the Ethernet card). You have
    > always been able to write any MAC address you please into an Ethernet
    > card without regard to what media the MAC address is stored in on the
    > card so the media that is storing the built in MAC address is
    > immaterial. You don't need to change the prom to change a MAC address
    > (this appears to be what fools so many manufacturers) you only need the
    > data sheet for the Ethernet chip and to know where in I/O space the
    > chip's registers are. If you don't have the data sheet, using debug to
    > trace the card initialization code that gets executed during the BIOS
    > post (which vectors from a well known address) will usually tell you
    > (assuming you can read assembler and are familiar with device driver
    > programming) all that you need to know in order to change the MAC
    > address.
    >
    > Peter Van Epp / Operations and Technical Support
    > Simon Fraser University, Burnaby, B.C. Canada
    >
    >
    > >
    > > Until recently, MAC addresses were stored in EPROMs (i.e. only
    > > resettable with UV light), or before that, PROMs - write once. Do
    > > they use EEPROMs now?
    > >
    > > alex
    > >
    > > On Tue, 13 Feb 2001, Peter Van Epp wrote:
    > >
    > > > Changing the arp cache entry will not change the MAC address the
    > > > card is using, it will only change the MAC address associated with
    > > > the IP in the arp cache. As someone mentioned you need to convince
    > > > the card driver to change the MAC address. Failing that you need to
    > > > find the I/O address of the Ethernet chip where the MAC address is
    > > > written. This is generally trivial using debug and the
    > > > initialization ROM on the card. I always have a good laugh when a
    > > > vendor tells me that "you can't change MAC addresses so our product
    > > > (which depends on MAC addresses) is secure". It's never taken me
    > > > more than 1/2 an hour to find the necessary ports on the Ethernet
    > > > chip (and your CPU writes the MAC address from prom/flash to the
    > > > Enet chip during BIOS boot up in all cases except where there is a
    > > > CPU on the Enet card which is quite rare). Not all salesbeings seem
    > > > to understand this however ... One note: when doing this make sure
    > > > you use a valid MAC address (such as one stolen from a card which
    > > > is disconnected and in your hand) because duplicate MAC addresses
    > > > on a network will cause excitement.
    > > >
    > > > Peter Van Epp / Operations and Technical Support
    > > > Simon Fraser University, Burnaby, B.C. Canada
    > > >
    > > >
    > > > >
    > > > > Hi all! :)
    > > > > Is it working only in Win2k??
    > > > > Because I tried it here on my NT 4.0 + SP6a... I didn't get an
    > > > > error from the arp command... but it didn't work... look:
    > > > >
    > > > > Configuração de IP do Windows NT
    > > > >
    > > > > Nome do host . . . . . . . . . . : nt_hadrion.hadrion.com
    > > > > Servidores DNS . . . . . . . . . :
    > > > > Tipo de nó . . . . . . . . . . . : Híbrida
    > > > >
    > > > > Identificador de escopo NetBIOS. :
    > > > > Roteamento de IP ativado . . . . : Sim
    > > > > Proxy WINS ativado . . . . . . . : Não
    > > > > Resolução NetBIOS usa DNS. . . . : Não
    > > > >
    > > > > Ethernet adaptador E100B1:
    > > > >
    > > > > Descrição. . . . . . . . . . . . : Intel EtherExpress PRO PCI Adapter
    > > > > Endereço físico. . . . . . . . . : 00-10-DC-0D-40-27
    > > > > DHCP ativado . . . . . . . . . . : Não
    > > > > Endereço IP. . . . . . . . . . . : 192.168.151.100
    > > > > Máscara de sub-rede. . . . . . . : 255.255.255.0
    > > > > Gateway padrão . . . . . . . . . : 192.168.151.1
    > > > > Servidor WINS primário . . . . . : 120.120.120.2
    > > > >
    > > > > Ethernet adaptador NdisWan4:
    > > > >
    > > > > Descrição. . . . . . . . . . . . : NdisWan Adapter
    > > > > Endereço físico. . . . . . . . . : 00-00-00-00-00-00
    > > > > DHCP ativado . . . . . . . . . . : Não
    > > > > Endereço IP. . . . . . . . . . . : 0.0.0.0
    > > > > Máscara de sub-rede. . . . . . . : 0.0.0.0
    > > > > Gateway padrão . . . . . . . . . :
    > > > >
    > > > > Then I did this to test: arp -s 192.168.151.100 00-10-DC-0D-40-40
    > > > > changing only the last 2 numbers of the MAC... and it didn't show
    > > > > me an error... but when I verify, my MAC appears the same as
    > > > > before! Look (same MAC):
    > > > >
    > > > > Ethernet adaptador E100B1:
    > > > >
    > > > > Descrição. . . . . . . . . . . . : Intel EtherExpress PRO PCI Adapter
    > > > > Endereço físico. . . . . . . . . : 00-10-DC-0D-40-27
    > > > > DHCP ativado . . . . . . . . . . : Não
    > > > > Endereço IP. . . . . . . . . . . : 192.168.151.100
    > > > > Máscara de sub-rede. . . . . . . : 255.255.255.0
    > > > > Gateway padrão . . . . . . . . . : 192.168.151.1
    > > > > Servidor WINS primário . . . . . : 120.120.120.2
    > > > >
    > > > > Thkz...
    > > > > until more! =)
    > > > >
    > > > > -----Original Message-----
    > > > > From: N0sferatu <satanTM.NET.MY>
    > > > > To: PEN-TESTSECURITYFOCUS.COM <PEN-TESTSECURITYFOCUS.COM>
    > > > > Date: Sunday, February 11, 2001 23:47
    > > > > Subject: Re: [PEN-TEST] Changing MAC address on Win2k
    > > > >
    > > > >
    > > > > I don't really know whether this is correct but I have tried and
    > > > > found that the MAC address can be changed in Win2k by issuing this
    > > > > command:
    > > > > arp -s ip-of-the-computer mac-address
    > > > >
    > > > > though it might be wrong..
    > > > >
    > > > >
    > > > > -----Original Message-----
    > > > > From: Penetration Testers [mailto:PEN-TESTSECURITYFOCUS.COM] On
    > > > > Behalf Of Parth Galen
    > > > > Sent: Monday, February 12, 2001 4:46 AM
    > > > > To: PEN-TESTSECURITYFOCUS.COM
    > > > > Subject: [PEN-TEST] Changing MAC address on Win2k
    > > > >
    > > > >
    > > > > I recently read in Pen-Test that the MAC could be changed in Win2k.
    > > > > I have looked on the web for info, and in the archives at Security
    > > > > Focus but can not find any "How To" information. Nothing on my
    > > > > system offers any obvious opportunity either.
    > > > >
    > > > > So, can anyone tell me how to change the MAC on Win2k.
    > > > >
    > > > > This has to do with better anonymity while doing Pen-Tests. It is
    > > > > nice to hop through proxies, but my MAC is always there to ID me.
    > > > > Specifically, I am working in a multi-site company, and their ID
    > > > > (they tell me) is blocking my work based on MAC. Changing IP does
    > > > > not help.
    > > > >
    > > > > Thanks Much,
    > > > > Parth
    > > > >
    > > > >
    > > > >
    > > >
    > >
    >
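
Added example, not part of the original thread: because the posts above establish that a card's MAC address is whatever software writes into the Ethernet chip, a network that keys decisions on MACs needs to watch for the side effects. This Python example flags an IP that moves to a new MAC, one MAC appearing on two switch ports within a short window (the duplicate-address case Peter Van Epp mentions), and addresses with the locally administered bit set; the observation format, port names, `find_anomalies` and the 120-second window are assumptions, and the sample events are constructed.

```python
# Constructed sample observations: (time in seconds, switch port, IP, MAC).
# The first address is the one shown in the thread's ipconfig output; the
# ports, the other MACs and the events themselves are invented.
SAMPLE = [
    (100, "sw1/3", "192.168.151.100", "00-10-DC-0D-40-27"),
    (160, "sw1/7", "192.168.151.55",  "00-10-DC-0D-40-27"),  # same MAC, other port
    (200, "sw1/3", "192.168.151.100", "00-10-DC-0D-40-27"),  # and back again
    (220, "sw1/9", "192.168.151.1",   "00-A0-C9-11-22-33"),
    (300, "sw1/5", "192.168.151.1",   "02-00-5E-10-20-30"),  # gateway IP, new MAC
]

def normalize(mac):
    """Return the MAC as 12 lowercase hex digits, or raise ValueError."""
    digits = "".join(c for c in mac.lower() if c not in "-:.")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError("not a MAC address: %r" % mac)
    return digits

def locally_administered(mac):
    """True when the U/L bit (0x02 in the first octet) is set."""
    return bool(int(normalize(mac)[:2], 16) & 0x02)

def find_anomalies(observations, window=120):
    """Return a list of (kind, time, subject) alerts in time order."""
    alerts = []
    ip_owner = {}    # IP -> MAC last seen answering for it
    last_seen = {}   # MAC -> (time, port) of its latest sighting
    for t, port, ip, mac in sorted(observations):
        m = normalize(mac)
        # A MAC that was set in software often carries the U/L bit.
        if m not in last_seen and locally_administered(m):
            alerts.append(("local-admin-mac", t, m))
        # The same MAC on two ports in quick succession suggests a duplicate.
        prev = last_seen.get(m)
        if prev and prev[1] != port and t - prev[0] <= window:
            alerts.append(("mac-on-two-ports", t, m))
        # An IP that changes MAC is what an ARP monitor reports as a change.
        if ip in ip_owner and ip_owner[ip] != m:
            alerts.append(("ip-rebound", t, ip))
        ip_owner[ip] = m
        last_seen[m] = (t, port)
    return alerts

if __name__ == "__main__":
    for alert in find_anomalies(SAMPLE):
        print(alert)
```

A copied vendor-assigned address will not trip the locally administered check, which is why the port and IP checks carry most of the weight.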