An
article about how to find wired and wireless network card MAC
addresses. It also goes into details about the output of the "ipconfig
/all" command and "arp" command
The Answer To The Media Access Control Question
----------------------------
Over the past few weeks I have received quite a few e-mails about
Ethernet cards, both wired and wireless, and more specifically, about
Media Access Control (MAC) addresses. I think the main reason I’ve
received so many questions about Ethernet cards and MAC addresses is
people trying to secure their home wireless networks and their desire
to use MAC address filtering. This type of filtering in wireless
networks can be configured to allow or deny specific computers to use
or attach to the wireless network, based on the MAC address.
My first thought was to write an article just about MAC addresses and
wireless Ethernet. After thinking about it I decided to expand on this
and go over some specific information about Ethernet cards and
communication.
Different Ways Of Finding Your MAC Address And More
--------------------------------------------------
There are several ways of finding your Ethernet and communications
protocol information. Many Ethernet card manufacturer’s have
proprietary software that can reveal this information but they work
differently depending on the manufacturer. So we will use the Windows
2000 and XP “ipconfig” utility since this is available in the majority
of Windows Operating Systems.
First, go to “start” -> “run” and type “cmd” without the quotes.
Then hit the enter key. At the command line type “ipconfig /all”, again
without the quotes. Actually, just typing ipconfig without the /all
will work but will only provide you with abbreviated information
regarding your network cards. An example of what you might see by
typing the “ipconfig /all” command is below with each item commented in
green lettering:
Fault Tolerant And Highly Availability Computer Systems
----------------------------
There are several ways of finding your Ethernet and communications
protocol information. Many Ethernet card manufacturer’s have
proprietary software that can reveal this information but they work
differently depending on the manufacturer. So we will use the Windows
2000 and XP “ipconfig” utility since this is available in the majority
of Windows Operating Systems.
First, go to “start” -> “run” and type “cmd” without the quotes.
Then hit the enter key. At the command line type “ipconfig /all”, again
without the quotes. Actually, just typing ipconfig without the /all
will work but will only provide you with abbreviated information
regarding your network cards. An example of what you might see by
typing the “ipconfig /all” command is below:
OutPut Of The “Ipconfig /All” Command
----------------------------------------------------------
Windows IP Configuration
Host Name . . . . . . . . . . . . : Home Computer
This is the name of your computer, typically defined during the windows
installation. However, it can be changed after installation.
Primary Dns Suffix . . . . . . . : domain.com
If your computer participates in a network such as a Microsoft Windows domain this item may contain the name of the domain.
Node Type . . . . . . . . . . . . : Unknown
The Node Type may say Unknown, or peer-to-peer, or in some cases
“hybrid”. It is a setting that has to do with the Windows Internet
Naming Services used in certain types of Windows domain networks.
IP Routing Enabled. . . . . . . . : No
This setting determines if Windows XP or 2000 will function as an IP
router. If you have two or more network cards you can setup your system
to act as a router, forwarding communications requests from one network
to another. Windows 2000 can be configured to do this in a pretty
straight forward fashion; Windows XP will need a registry modification.
WINS Proxy Enabled. . . . . . . . : No
WINS Proxy is another setting that is related to the “Node Type” we
discussed earlier. It is normally not a required setting in a home or
small office network, or newer types of Microsoft Windows domains.
Ethernet adapter Wireless Network Connection 2:
If you have multiple Ethernet (network) cards in your systems, as I do
in this laptop, you will have multiple listings. This one happens to be
the second Ethernet card, an internal wireless Ethernet card.
Description . . . . . . . . . . . : Broadcom 802.11b/g WLAN
This is the description of the Ethernet card, usually the Name /
Manufacturer and type of Ethernet card. In this case, it is a Broadcom
wireless Ethernet card built into my laptop.
Physical Address. . . . . . . . . : 00-90-4B-F1-6E-4A
And here we have the MAC address. The MAC address is a 48 bit
hexadecimal code and is suppose to be a totally unique address. It is
48 bits because each number or letter in hexadecimal represents 8 bits.
Hexadecimal numbers range from 0,1,2,3,4,5,6,7,8,9,A,B,C,D,E, F. There
are 6 alpha-numeric codes hence 6*8=48(bits). The first 3 codes
identify the manufacturer of the card and the remaining codes are used
to create a unique number. Theoretically there should never be a card
with same MAC address on a local network. However, there are a few
exceptions. There are software tools that allow you to change this
code. In fact, this is a step some hackers take to attack other systems
on a local network. I say local network because MAC addresses are not
routable between network segments. By spoofing this address, you can
impersonate another machine on the local network. Traffic that was
bound for the intended target can be redirected to the hacker’s
machine. This is the address you would also use to populate a MAC
address, or physical address table when setting up your wireless access
point to support MAC address filtering.
DHCP Enabled. . . . . . . . . . . : Yes
DHCP, or the Dynamic Host Control Protocol, if enabled means your
computers IP address is being provided by a DHCP server on you network.
The DHCP server could be your wireless access point, cable/dsl router,
cable modem, or a server on your network. Also, if a DHCP server is not
enabled on your network, your computers Operating System will auto
generate a random IP address within a certain predefined range. This
means you could network a group of systems together without having to
manually assign the IP settings.
IP Address. . . . . . . . . . . . : 192.168.0.117
This parameter provides you with your current IP address. The address
listed above is what is called a "private" address. There are certain
classes of IP addresses that have been set aside for private use. This
means for your internal, local, or private network at home or office.
These addresses are not, or should not, be routable on the Internet.
The Internet routes what are called “valid” IP addresses. Your
cable/dsl router or cable modem has a valid IP address assigned to its
“external” network interface. The external interface may be your phone
line or cable TV cable.
Subnet Mask . . . . . . . . . . . : 255.255.255.0
The Subnet Mask is a special number, or in some sense, filter, that
breaks down your IP address, in this case private IP address, into
certain groups. IP addresses and Subnet Masks can be a complicated
matter and would take an entire article to go over.
Default Gateway . . . . . . . . . : 192.168.0.254
The default gateway, the IP addresses listed above, is the IP address
of the device that will route your request, such as when you try to
browse a website, to the Internet. It is a bit more complicated than
that though as gateways or routers can route traffic to various
different networks, even other private networks. At your home or small
office, this gateway most likely is your cable/dsl modem or router.
DHCP Server . . . . . . . . . . . : 192.168.0.49
The DHCP server, remember we talked a little about this above, is the
device that assigns your computer an IP address and other information.
DHCP servers can assign all kinds of information such as; Default
Gateway, Domain Name Servers (DNS), IP address, Subnet Mask, Time
Server, and much more.
DNS Servers . . . . . . . . . . . : 192.168.0.49, 64.105.197.58
DNS Servers are internal or external servers that resolve Fully
Qualified Domain Names (FQDN), such as www.defendingthenet.com , to IP
addresses. This is done because computers don’t actually transmit your
requests using the domain name, they use the IP address assigned to the
FQDN. For most home or small office users, the primary DNS server is
the IP address of your cable/dsl router. Your cable/dsl router than
queries an external DNS server on the Internet to perform the actual
resolution of the FQDN to IP address. The address 192.168.0.49 is an
internal private device on my network whereas the 64.105.197.58 is an
external public Internet DNS server and is present just in case my
router has trouble performing the DNS resolution tasks.
Lease Obtained. . . . . . . . . . : Sunday, March 19, 2006 6:38:16 PM
This information tells you when your computer received its IP address
and other information from a DHCP server. You will notice it says
“Lease Obtained”, that is because most DHCP servers only lease the IP
address to you from a pool of available address. For instance, your
pool may be 192.168.1.1 through 192.168.1.50. So your DHCP server has
50 IP addresses to choose from when assigning your computer its IP
address.
Lease Expires . . . . . . . . . . : Wednesday, March 29, 2006 9:38:16 PM
When the IP address, assigned by the DHCP server, lease expires it will
attempt to lease you the same or another IP address. This function can
typically be changed on the DHCP server. For instance, on some fully
functional DHCP servers, you can configure the Lease to never expire,
or to expire within 1 day and so on.
Why Are MAC Addresses So Important And How Do They Work
------------------------------------------------------
To jump back to MAC address for just a bit. You may think that IP
addresses are the most important thing when it comes to network
communication. The reality is, MAC addresses are very important because
without them computers would not be able to communicate over Ethernet
networks. When a computer wants to speak with another computer on a
local network, it will make a broadcast request, or ask a question, of
who owns a particular IP address. For instance, your computer may say
“Who is 192.168.0.254”. Using the information above, my default gateway
is 192.168.0.254 and will answer “I am “00-90-4B-F1-6E-4A”
192.168.0.254”. It sends back its MAC address. That MAC address then
goes into what is called a Address Resolution Protocol (ARP) table on
your computer. You can see this information by going to the command
prompt like you did above and typing "arp –a". You will get information
like the following:
Internet Address Physical Address Type
192.168.0.49 00-12-17-5c-a2-27 dynamic
192.168.0.109 00-12-17-5c-a2-27 dynamic
192.168.0.112 00-0c-76-93-94-b2 dynamic
192.168.0.254 00-0e-2e-2e-15-61 dynamic
How A Hacker Can Use MAC Addresses In An Attack
----------------------------------------------
You will notice the IP addresses and to the right of them the MAC
addresses. Without this information, without the MAC address, you would
not be reading this article right now. MAC addresses are not routable
like IP addresses. They work on your local or private network. However,
devices on the Internet perform the same tasks. Routers and switches
maintain a list of their peer devices MAC address just like your
computers and devices on your home or office network. I mentioned above
that MAC addresses can be changed in order to redirect requests. For
instance, if I were on your office network and you had an internal web
server that took personal information as input, I could tell your
computer to go to my laptop for the web site by broadcasting my MAC
address tied to the real web servers IP address. I would do this when
you computer asked “Who is the “Real Web Server””. I could setup a fake
web server that looks just like the real thing, and start collecting
information the real web server would normally collect. You can see how
dangerous this can be.
Conclusion
-----------
There are several other easy ways you can find your MAC address but
they can be a little confusing if you have more than one internal
network card. Most external USB, or PCMCIA wired and wireless Ethernet
cards have their MAC address printed on them. In cases where the wired
or wireless network card are inside your computer, such as in laptops,
the MAC address is sometimes printed on the bottom of the laptop. Even
Desktop systems cards that are inserted in PCI slots have the MAC
address printed on the Ethernet card.
