Posted on 2006-05-05
Last Modified: 2008-03-10
Hi guys,

Is there any way to identify a computer when browsing my site? It is for a chat application, and I was wondering if it is possible to get the PCs mac address. I won't use the IP address since it may change if the user does not have an static IP address


Question by:pvg1975
    LVL 95

    Accepted Solution

    Not really... not without using some sort of ActiveX control.  You might try using cookies.
    LVL 12

    Expert Comment

    This will get a MAC address when passed a valid IP address, but most people are not comfortable running stuff like this on their servers...

    Function GetMACAddress(strIP)
          Set net = Server.CreateObject("Wscript.Network")
          Set sh = Server.CreateObject("Wscript.Shell")
 "%comspec% /c nbtstat -A " & strIP & " >" & Server.MapPath(strIP) & ".txt",0,true
          Set sh = nothing
          Set fso = Server.Createobject("Scripting.Filesystemobject")
          Set ts = fso.opentextfile(Server.MapPath(strIP) & ".txt")
          macaddress = null
          Do While Not ts.AtEndOfStream
                data = ucase(trim(ts.readline))
                If instr(data,"MAC ADDRESS") Then
                      macaddress = trim(split(data,"=")(1))
                      Exit Do
                      macaddress = "Cannot Obtain Mac Address"
                End if
          Set ts = nothing
          fso.deletefile Server.MapPath(strIP) & ".txt"
          Set fso = nothing
          GetMACAddress = macaddress
    End Function      

    LVL 7

    Expert Comment

    Just curios, what is the risk of that code on the server?  I would imagine it has something to do with allowing IUSR to access the network and write to disk.

    Sounds like something that could be wrapped up into a DLL and sold for $10. :)

    getMac.dll  $10 order yours today :)

    Also, I think in ASP.NET there are some special accounts for performing disk access and netowkr functions from your ASPX pages without granting permissions to ISUR.  That should make it



    Author Comment

    Hi peterxlane!

    Same question than chisholmd. What's the risk of having that code on the server?
    LVL 12

    Expert Comment

    To be honest, I am just going based on what I have heard other users say in regards to running command line commands in your ASP code.

    Once you have the permissions set correctly, this line:
    <% "%comspec% /c nbtstat -A " & strIP & " >" & Server.MapPath(strIP) & ".txt",0,true

    is executing that command line, so if it could be changed to:
    <% "%comspec% /c delete c: >" & Server.MapPath(strIP) & ".txt",0,true

    It would effectively delete the contents of the C: drive.  This is the type of example that people always mention when pointing out that this type of thing is a security issue, but what I have never understood is that if someone had access to modify your source code, then theoretically they could make it do anything.  One thing that you would obviously want to avoid is to give the user a text field and allow them to execute whatever they type in...clearly that would be a big security issue.  But since the above code is merely passing the IP address and executing a specific command, I am not really clear on how it is a security issue, other than what others have said...

    LVL 7

    Expert Comment

    Granted that does sound nasty and I am not disagreeing.  However, I would imagine that the shell is going to be running in the context of IUSR so delete C:\*.* probably wouldn't get very far.  Also, in your example your not using any user supplied parameters so you shouldn't have to worry so much about them injecting some nasty command.

    In general I'd guess that granting IUSR write access so it can create the text files is probably more dangerous then simply shelling out a command (as long as there is no chance for injection).

    Is someone hasn't already this should be (could be) written as an activeX dll. Maybe I'll do that tonight.

    *To be clear I am not saying it is 100% safe to do anything mentioned, I am just discussing the reltive risks.


    Author Comment

    I think I will use cookies :)

    Thanks guys!

    Write Comment

    Please enter a first name

    Please enter a last name

    We will never share this with anyone.

    Featured Post

    Threat Intelligence Starter Resources

    Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

    Hello, all! I just recently started using Microsoft's IIS 7.5 within Windows 7, as I just downloaded and installed the 90 day trial of Windows 7. (Got to love Microsoft for allowing 90 days) The main reason for downloading and testing Windows 7 is t…
    This demonstration started out as a follow up to some recently posted questions on the subject of logging in: and…
    Excel styles will make formatting consistent and let you apply and change formatting faster. In this tutorial, you'll learn how to use Excel's built-in styles, how to modify styles, and how to create your own. You'll also learn how to use your custo…
    Here's a very brief overview of the methods PRTG Network Monitor ( offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

    761 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    9 Experts available now in Live!

    Get 1:1 Help Now