Security Basics mailing list archives
Re: Changing the mac address on Windows 2000 and XP
From: ChayoteMu <chayotemu () gmail com>
Date: Tue, 5 Jul 2005 20:49:38 -0700
There are a number of software programs that will change the MAC address, other than that you'd need to actually crack into the chip and change it there (I THINK they are EEPROM but not sure), but the software version is easier.

To detect it depends on the setup. When the MAC changes, the machine would have to start responding to ARP broadcasts or sending its own, so if you could find a way to determine if that's suspect you could tell. Timing would be one thing: if the ARP requests aren't expected and are just sent out, there's a chance it's a new PC, otherwise it could be a changed MAC. I'd expect you can set up sniffers to look at and store basic ARP tables and see if the new MAC starts talking and the old one stops doing so. To get that to work you'd probably need the sniffer to check the old MAC and see if it's still running; if not, and the new MAC is brand new, it's a good assumption the old PC changed the MAC.

To determine for certain you'd need to be able to cut down where the new MAC is from and see if the responses are coming from the same basic wire, otherwise you might just happen to catch a new PC getting on the network. The only downside is that to do that you'd need to send out more traffic each time a new MAC is advertised. Other than that I'd expect you'd need a HIPS of some sort that either prevents such changes or sends an alert when it detects it.

Just a side-note, I'm pretty confident I know what I'm talking about here but think I may be wrong. If so let me know where I'm wrong.

On 7/5/05, Pranav Lal <pranav.lal () gmail com> wrote:
> Hi all,
>
> Is there any way to change the mac address of a LAN card in Windows 2000 and Windows XP? As a corollary to the question, how would one detect if a computer was changing its mac address? This is assuming that the network on which this machine is connected has DHCP enabled.
>
> Pranav
>
> --
> No virus found in this outgoing message.
> Checked by AVG Anti-Virus.
> Version: 7.0.323 / Virus Database: 267.8.8/37 - Release Date: 7/1/2005
--
ChayoteMu
"To catch a thief, think like a thief. To catch a master thief, be a master thief."
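
The heuristic described in the message above (a brand-new MAC starts talking on the same wire just as a known MAC goes silent), sketched as an added example that is not part of the original post. The record layout, the switch-port field standing in for "the same wire", the time thresholds and the sample frames are all assumptions constructed for illustration.

```python
from collections import namedtuple

# One observed ARP frame: time in seconds, sender MAC, sender IP, and the
# switch port it arrived on (assumed to be available from the switch or from
# a per-segment sniffer; this stands in for "the same basic wire").
Arp = namedtuple("Arp", "ts mac ip port")

def find_mac_swaps(frames, baseline_end, gap=300):
    """Return (old_mac, new_mac, port) for each suspected MAC change.

    A MAC first seen after baseline_end counts as new. It is flagged when a
    MAC known from the baseline on the same port was last heard at most
    `gap` seconds before the new MAC appeared and has not been heard since.
    """
    first, last, port_of = {}, {}, {}
    for f in sorted(frames, key=lambda f: f.ts):
        first.setdefault(f.mac, f.ts)
        last[f.mac] = f.ts
        port_of[f.mac] = f.port          # most recent port for this MAC
    swaps = []
    for new, t_new in first.items():
        if t_new <= baseline_end:
            continue                     # already known, not a new MAC
        for old, t_last in last.items():
            if old == new or first[old] > baseline_end:
                continue                 # compare only against known MACs
            same_wire = port_of[old] == port_of[new]
            went_quiet = t_new - gap <= t_last < t_new
            if same_wire and went_quiet:
                swaps.append((old, new, port_of[new]))
    return swaps

# Constructed sample capture (documentation MAC and IP ranges).
A, B, C, D = ("00:00:5e:00:53:0%d" % n for n in (1, 2, 3, 4))
SAMPLE = [
    Arp(0, A, "192.0.2.10", 3), Arp(300, A, "192.0.2.10", 3),
    Arp(540, A, "192.0.2.10", 3),        # last frame ever seen from A
    Arp(0, B, "192.0.2.11", 4), Arp(900, B, "192.0.2.11", 4),
    Arp(600, C, "192.0.2.10", 3),        # new MAC, same port as silent A
    Arp(700, D, "192.0.2.12", 5),        # new MAC on an unused port: new PC
]

if __name__ == "__main__":
    for old, new, port in find_mac_swaps(SAMPLE, baseline_end=550):
        print("port %s: %s went silent, %s appeared" % (port, old, new))
```

A passive check like this only sees silence; confirming that the old MAC is really gone still needs the active probe the message mentions.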