Spoofing a MAC address.


Every Ethernet card or NIC (Network Interface Card) is known by a 48-bit number. This number is called the Ethernet address (or MAC address) of the card. An IP address is a logical number and is a 32-bit address. As IP addresses are logical they can be changed at will. Thus we cannot use an IP address to pinpoint a machine, but we can use the Ethernet address to uniquely identify the NIC placed in a machine.


Ethernet is the lowest, or bottommost, protocol in our networking stack. An Ethernet address identifies a physical end point, and it is the address finally used to deliver a packet. What we will now show you is how to change an Ethernet address.


We first run a program available on all operating systems called ipconfig.


Ipconfig /all


Windows 2000 IP Configuration

            Host Name . . . . . . . . . . . . : vmci
            Primary DNS Suffix  . . . . . . . :
            Node Type . . . . . . . . . . . . : Broadcast
            IP Routing Enabled. . . . . . . . : No
            WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Bluetooth Network:

            Media State . . . . . . . . . . . : Cable Disconnected
            Description . . . . . . . . . . . : Bluetooth LAN Access Server Driver
            Physical Address. . . . . . . . . : 00-10-60-A8-A4-44

Ethernet adapter Local Area Connection 2:

            Connection-specific DNS Suffix  . :
            Description . . . . . . . . . . . : Realtek RTL8029(AS)-based PCI Ethernet Adapter #2
            Physical Address. . . . . . . . . : 00-00-E8-DF-A4-66
            DHCP Enabled. . . . . . . . . . . : No
            IP Address. . . . . . . . . . . . : 70.0.0.10
            Subnet Mask . . . . . . . . . . . : 255.255.255.0
            Default Gateway . . . . . . . . . : 70.0.0.4
            DNS Servers . . . . . . . . . . . :


The above output shows that we have a Bluetooth network installed as well as an Ethernet card, listed as Local Area Connection 2. Our IP address is 70.0.0.10 and our Ethernet address is 00-00-E8-DF-A4-66. The hyphens are separators for readability only. We also see that a company called Realtek manufactured our card.


We then run the regedit program and try to find the string 0000E8DFA466, our Ethernet address without the hyphens, in our registry. We click on the menu Edit and then search. The program searches our entire registry and comes up blank: no match found. Thus our Ethernet address is not stored in the registry, at least not in this form. We do not give up and try a different track: we search for the string Realtek in our registry. The search stops at the key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}. This key is the same on all machines. Under it are the descriptions of the network cards and drivers our system has. For example, the 8th item is our Bluetooth driver and the 10th is the Ethernet card; its DriverDesc value reads Realtek RTL8029(AS)-based PCI Ethernet Adapter.

We then right-click on subkey 10 and choose New, String Value. In your case you would choose the subkey number corresponding to your Ethernet card. We name the value NetworkAddress, press Enter, and double-click the name; we are given a dialog box in which we enter our new Ethernet address, 1234567890ab. Running ipconfig /all now shows no change at all. We then reboot our machine. Now when we run ipconfig /all this is what we get:


            Description . . . . . . . . . . . : Realtek RTL8029(AS)-based PCI Ethernet Adapter #2
            Physical Address. . . . . . . . . : 12-34-56-78-90-AB

When we run Ethereal on our machine we see that our Ethernet address has changed. Thus we have changed the Ethernet address of our card; the question is how we created the above magic. We cheated. Let's tell you how we cheated.


While surfing the net for MAC cloning we came across a site that has a program to change a MAC address. The URL is http://www.klcconsulting.net/smac/smac12_download/SMAC12_Eval.exe/ This is a free trial version that changes the MAC address to 0c0c0c0c0c01. When we run the program it shows us all the interfaces we have; we choose the interface, in our case Realtek, and then click on Update MAC. We reboot the system and voilà, the MAC address changes. We wanted to know how this program works its magic.


We next downloaded the program http://www.sysinternals.com/Files/RegmonNt.zip from the Sysinternals site. We extracted the archive and ran the executable, regmon. This program is a registry spy: it tells us which program is making which changes to our registry. We then ran SMAC and carried out the same procedure. In the registry spy we saw that SMAC simply creates the value NetworkAddress under the adapter's subkey and gives it a value:


SMAC.exe:520            CreateKey            HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0010            SUCCESS     Access: 0xF003F         

SMAC.exe:520            SetValue            HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0010\NetworkAddress            SUCCESS            "0C0C0C0C0C01"    


This is how we figure out what a piece of software does. To sum up: the network address is not stored in the registry in a form that can be read. If we create a value NetworkAddress and give it a value, that is the Ethernet address used. If we delete it, the system goes back to using the original Ethernet address.
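The NetworkAddress override described above is just as easy to look for from the defender's side. The following Python example is added here and is not part of the original page, of SMAC or of Regmon; it assumes a Regmon line layout modelled on the lines quoted above, parses a constructed sample log for writes to NetworkAddress under the network-adapter class key, and checks whether the address ipconfig reports is the registry override rather than the burned-in one.

```python
import re

# Class GUID of the Windows network-adapter class, quoted on the page.
NET_CLASS_GUID = "{4D36E972-E325-11CE-BFC1-08002BE10318}"
# Assumed Regmon layout: [<seq>: ]<process>:<pid> <op> <registry path> <result> [<detail>]
LINE_RE = re.compile(
    r"^(?:\d+:\s*)?(?P<proc>\S+?):(?P<pid>\d+)\s+(?P<op>\w+)\s+(?P<path>\S+)\s+"
    r"(?P<result>\S+)(?:\s+(?P<detail>.*))?$"
)
# ...\Control\Class\{4D36E972-...}\00NN\NetworkAddress (NN = adapter instance number)
KEY_RE = re.compile(
    r"\\Control\\Class\\" + re.escape(NET_CLASS_GUID) + r"\\(?P<idx>\d{4})\\NetworkAddress$",
    re.IGNORECASE)
MAC_RE = re.compile(r"^[0-9A-F]{12}$")  # 12 hex digits, no separators

# Constructed sample log, mirroring the SMAC and boot-time lines shown above.
SAMPLE_LOG = [
    r'SMAC.exe:520 CreateKey HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0010 SUCCESS Access: 0xF003F',
    r'SMAC.exe:520 SetValue HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0010\NetworkAddress SUCCESS "0C0C0C0C0C01"',
    r'12338: System:8 QueryValue HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0010\NetworkAddress NOT FOUND',
]

def normalize_mac(s):
    """Drop '-' / ':' separators and upper-case, so ipconfig and registry forms compare."""
    return re.sub(r"[-:]", "", s).upper()

def locally_administered(mac12):
    """U/L bit (bit 1 of the first octet): clear means the value poses as a vendor (OUI) address."""
    return bool(int(mac12[:2], 16) & 0x02)

def find_mac_overrides(log_lines):
    """(process, pid, adapter_index, value, well_formed) for each SetValue on NetworkAddress."""
    hits = []
    for line in log_lines:
        m = LINE_RE.match(line.strip())
        if not m or m.group("op") != "SetValue":
            continue  # CreateKey, QueryValue etc. are not overrides
        k = KEY_RE.search(m.group("path"))
        if not k:
            continue  # a NetworkAddress value elsewhere is not the adapter override
        value = (m.group("detail") or "").strip().strip('"').upper()
        hits.append((m.group("proc"), int(m.group("pid")), k.group("idx"), value,
                     bool(MAC_RE.match(value))))
    return hits

def is_overridden(ipconfig_physical_address, registry_network_address):
    """True when ipconfig reports the NetworkAddress value, i.e. the override is in effect."""
    if not registry_network_address:
        return False
    return normalize_mac(ipconfig_physical_address) == normalize_mac(registry_network_address)
```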


12338: System:8            QueryValue            HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0010\NetworkAddress            NOT FOUND         


We next turn on the menu option Options, Log Boot, and get a message box saying that our log will be stored in the file C:\winnt\regmon.log. This is a log of all registry activity made by Windows at startup. In it we can see (the line above) that Windows checks for a NetworkAddress value and, if it finds one, uses its value as the Ethernet address.


The key name is HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}, and it appears under the text network adapters in the registry.


It is also present under HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318} and HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}, and in the key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\PCI\VEN_10EC&DEV_8029&SUBSYS_00000000&REV_00\4&2af9ed5&0&08F0 under the value Class GUID.


The other places are too numerous to mention.


We then downloaded another program, from http://amac.paqtool.com/images/amac.exe, which does the same thing. We double-checked that it changes the same registry setting.