WordType Designs
Driven To Distractions©
The Sound of One Hand Clapping©


Archive Date
[ 08-12-2000 ]
Category
[ Information Technologies ]
Sub-Category
[ Microsoft ]

      Beware of your MAC address - part 1
      Sep 13, 2000
      Mike Sullivan

      A colleague and I recently faced a perplexing problem, which led us to a startling discovery. It is possible to set the MAC address of almost any computer on your network! To think that all this time, we blindly believed that the hardware vendor controlled MAC addresses. This is not the case, and I believe that this presents a serious security problem.

      Discovering the hole
      It all started one morning when one of our servers was on the blink. My connectivity to it was flittering in and out for no apparent reason. My colleague was experiencing the same problem, and we both began pinging the server. The results were puzzling. Reply, Reply, Time Out, Reply. We tried several additional times and had the same result. We would get both Replies and Time Outs.

      Our next step was to log on to the server directly in order to check the logs and so on. I logged on to the problem server and my partner to the server sitting next to it. Pinging anywhere resulted in some of the packets making it, and some of them meeting their demise in the Ethernet abyss. My partner moved to a third server and tried the tests again. The results were the same. Pinging the problem server or the server he had been working on resulted in dropped packets. However, when he pinged a different server, there were no problems.


      We then looked at the ARP caches of the problem servers and compared them to each other. We suddenly discovered that the MAC addresses for both servers were identical! Go ahead and read that again:
      Both servers had the same MAC address! We didn't know how or why this had happened, but we knew that somewhere, somehow, somebody had actually set the MAC address of these servers.
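
The ARP-cache comparison described above can be automated. The following is an added example, not part of the original article: it parses Windows `arp -a` style output and reports any unicast MAC address that appears for more than one IP address, plus any address with the IEEE locally-administered bit set. The sample cache contents and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of `arp -a` output; addresses are made up for the example.
SAMPLE_ARP = """\
Interface: 10.0.0.21 --- 0x2
  Internet Address      Physical Address      Type
  10.0.0.1              00-10-5a-11-22-33     dynamic
  10.0.0.5              02-11-22-33-44-55     dynamic
  10.0.0.6              02-11-22-33-44-55     dynamic
  10.0.0.9              00-60-97-aa-bb-cc     dynamic
  10.0.0.255            ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# One cache entry: an IPv4 address followed by a 6-octet hardware address.
ENTRY = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9a-f]{2}[-:]){5}[0-9a-f]{2})\b",
    re.IGNORECASE | re.MULTILINE,
)

def parse_arp(text):
    """Return (ip, mac) pairs with the MAC normalised to lower-case aa-bb-..."""
    return [(ip, mac.lower().replace(":", "-")) for ip, mac in ENTRY.findall(text)]

def is_group_address(mac):
    """Broadcast and multicast addresses have the low bit of octet 0 set."""
    return bool(int(mac[:2], 16) & 0x01)

def is_locally_administered(mac):
    """Bit 0x02 of octet 0 marks an address that was not assigned by a vendor."""
    return bool(int(mac[:2], 16) & 0x02)

def find_duplicates(text):
    """Map each unicast MAC seen for more than one IP to its sorted IP list."""
    ips_by_mac = defaultdict(set)
    for ip, mac in parse_arp(text):
        if not is_group_address(mac):
            ips_by_mac[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in ips_by_mac.items() if len(ips) > 1}

def locally_administered(text):
    """List unicast MACs with the locally-administered bit set."""
    return sorted({mac for _, mac in parse_arp(text)
                   if not is_group_address(mac) and is_locally_administered(mac)})

if __name__ == "__main__":
    for mac, ips in find_duplicates(SAMPLE_ARP).items():
        print(f"duplicate MAC {mac} claimed by {', '.join(ips)}")
    for mac in locally_administered(SAMPLE_ARP):
        print(f"locally administered MAC: {mac}")
```

A hit is a lead to investigate rather than proof: a multihomed host or a router answering for several addresses also shows one MAC for many IPs, and an overridden address does not have to set the locally-administered bit.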

      Setting the MAC address
      Thinking quickly, I opened Regedit and searched for the offending address. I soon found a registry key used to set the MAC address of a computer. My partner checked several other computers to see if the key existed, and it didn't. I deleted the key on one of the identity-impaired servers, and the problem was solved. But we still didn't know how this had happened.

      The offending computers were both DEC Alpha servers, so our first test was to see if we could duplicate the symptoms on another computer. We were able to set the MAC address of NT computers as well as Windows 9x computers. Realizing that you can set the MAC address of virtually any computer on your network is scary enough. But what if this was used as an attack against your network?
      What if a hacker set his MAC address to the MAC address of your Default Gateway? At the end of our investigation, we concluded that the problem was caused by a failed installation of DEC Pathworks. No nefarious intentions were involved, just a poorly written installation program.

      Microsoft's response
      We called Microsoft to report what we thought was a security problem with their OS. The answer we received was surprising. The ability to set your MAC address is part of the NDIS specification originally developed by 3Com and Microsoft. It is not considered a security problem, but a standard. In fact, under Windows 2000, the ability to modify your MAC address has been incorporated into the GUI.

      My final thoughts
      Because I still believe that this is a security issue, I will not give out the specific registry keys used to set your own MAC address. Permissions on the registry key (at least in Windows 2000) are limited to only allow Administrators and System write access. I believe that it is still a security issue because the address can be changed on Windows 95 and 98 computers, and those computers don't have the ability to set permissions on registry keys.

