Change MAC Address on Win2K & XP

From: Kyle Lai (aladin168@hotmail.com)
Date: Fri Nov 22 2002 - 17:37:08 EST


I know many of you want to answer "NO" or "ONLY if you can find the
option in the NIC advanced properties", because that's the answer I heard
all the time throughout my research.

However, the answer is: YES!!!!!!!!!!

ALMOST ALL NICs CAN BE SPOOFED, EVEN IF MANUFACTURERS DON'T INCLUDE
OPTIONS IN THE ADVANCED PROPERTIES.

I wrote a detailed instruction on how to change MAC address on Windows
2000 & XP, and you can find it at:

http://www.kylelai.com/Change_MAC_w2k.htm

I know there was one discussion before, but that thread offered no
solutions... I researched for a long time, and I finally discovered the
solution through Microsoft MSDN Driver Development Kit (DDK) and Win2K
resource kit. I have had many people test my instructions, and I haven't
found a NIC that can't be spoofed. Not to say there isn't one out there.

The method is to call a DDK function - NdisReadNetworkAddress.

NdisReadNetworkAddress(...) is called by the network adapter driver to
obtain a user-specified MAC address in the registry. After the driver
confirms that there's a valid MAC address specified in the registry key,
the driver then programs the MAC address to its hardware registers to
override the burn-in MAC address.

Not all manufacturers support this function I heard, but like I said, I
haven't seen one NIC that can't be spoofed. I am interested in learning
which brand and model can't be spoofed. If you know of any, please send
me an email.

I think this discovery might not be new to the device driver developers,
but it certainly is still a well kept secret to lots of security
professionals out there. Therefore, I decided to reveal this secret
because there are too many wrong answers out there.

I am also writing a free tool, SMAC, to change MAC address on Windows
2000 & XP. I basically plan to incorporate the technique I discovered
with some other functionalities. SMAC 1.0 is due to release in a few
weeks. Please check www.kylelai.com for updates.

Cheers,
/Kyle
Kyle Lai, CISSP, CISA
InfoSec Consultant
kyle@kylelai.com
www.kylelai.com
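
An audit-side view of the registry override the post describes, as an added example that is not part of the original message or of SMAC: it scans a `reg export` text dump for adapter keys carrying a `NetworkAddress` string and classifies each configured address. The `NetworkAddress` value name and the network-adapter class key are taken from Microsoft's driver documentation, not from the post; the export excerpt, adapter names and function names are constructed for illustration.

```python
import re

# Constructed excerpt in `reg export` text form; keys and values are sample data.
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0000]
"DriverDesc"="Example Ethernet Adapter A"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0001]
"DriverDesc"="Example Ethernet Adapter B"
"NetworkAddress"="00-11-22-33-44-55"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0002]
"DriverDesc"="Example Wireless Adapter C"
"NetworkAddress"="021122334455"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0003]
"DriverDesc"="Example Ethernet Adapter D"
"NetworkAddress"="0111223344"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')

def parse_export(text):
    """Return {key_path: {lowercased_value_name: string_value}} for string values."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := KEY_RE.match(line):
            current = keys.setdefault(m.group(1), {})
        elif (m := VALUE_RE.match(line)) and current is not None:
            current[m.group(1).lower()] = m.group(2)  # value names are case-insensitive
    return keys

def classify(raw):
    digits = re.sub(r'[-:]', '', raw)
    if not re.fullmatch(r'[0-9A-Fa-f]{12}', digits):
        return 'malformed'
    first = int(digits[:2], 16)
    if first & 0x01:
        return 'multicast'  # group bit set: not usable as a station address
    return 'locally-administered' if first & 0x02 else 'vendor-format'

def find_overrides(text):
    """List (subkey, adapter description, configured value, class) per override."""
    hits = []
    for path, values in parse_export(text).items():
        raw = values.get('networkaddress')
        if raw:  # adapters without the value keep their burned-in address
            hits.append((path.rsplit('\\', 1)[-1], values.get('driverdesc', '?'), raw, classify(raw)))
    return hits

if __name__ == '__main__':
    print(*find_overrides(SAMPLE_EXPORT), sep='\n')
```

A `vendor-format` result means the configured address has the locally-administered bit clear, so it looks like a manufacturer-assigned address on the wire; inventory or NAC records keyed on MAC address should be cross-checked for those adapters.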
