pvg1975 asked:

IDENTIFY A COMPUTER

Hi guys,

Is there any way to identify a computer when browsing my site? It is for a chat application, and I was wondering if it is possible to get the PC's MAC address. I won't use the IP address since it may change if the user does not have a static IP address.

Thanks!

ASKER CERTIFIED SOLUTION
Lee W, MVP

This solution is only available to members.

peterxlane

This will get a MAC address when passed a valid IP address, but most people are not comfortable running stuff like this on their servers...

<%
' Returns the MAC address that nbtstat reports for strIP.
' strIP is concatenated as-is into the command line and the temp file name,
' so the caller must pass a valid IP address.
Function GetMACAddress(strIP)
      Dim sh, fso, ts, data, macaddress
      Set sh = Server.CreateObject("Wscript.Shell")
      ' Run nbtstat hidden (0), wait for it to finish (true), and redirect
      ' its output to <strIP>.txt next to the page
      sh.run "%comspec% /c nbtstat -A " & strIP & " >" & Server.MapPath(strIP) & ".txt",0,true
      Set sh = nothing
      Set fso = Server.Createobject("Scripting.Filesystemobject")
      Set ts = fso.opentextfile(Server.MapPath(strIP) & ".txt")
      ' Default result when no "MAC Address = ..." line is found
      macaddress = "Cannot Obtain Mac Address"
      Do While Not ts.AtEndOfStream
            data = ucase(trim(ts.readline))
            If instr(data,"MAC ADDRESS") Then
                  macaddress = trim(split(data,"=")(1))
                  Exit Do
            End if
      Loop
      ts.close
      Set ts = nothing
      ' Remove the temporary output file
      fso.deletefile Server.MapPath(strIP) & ".txt"
      Set fso = nothing
      GetMACAddress = macaddress
End Function
%>

Just curious, what is the risk of that code on the server? I would imagine it has something to do with allowing IUSR to access the network and write to disk.

Sounds like something that could be wrapped up into a DLL and sold for $10. :)

getMac.dll  $10 order yours today :)

Also, I think in ASP.NET there are some special accounts for performing disk access and network functions from your ASPX pages without granting permissions to IUSR. That should make it safe...no?

2cents

pvg1975

ASKER

Hi peterxlane!

Same question as chisholmd. What's the risk of having that code on the server?

To be honest, I am just going based on what I have heard other users say in regards to running command line commands in your ASP code.

https://www.experts-exchange.com/questions/21287474/ASP-line-command.html
https://www.experts-exchange.com/questions/20579292/Running-network-commands.html


Once you have the permissions set correctly, this line:
<%
sh.run "%comspec% /c nbtstat -A " & strIP & " >" & Server.MapPath(strIP) & ".txt",0,true
%>

is executing that command line, so if it could be changed to:
<%
sh.run "%comspec% /c delete c: >" & Server.MapPath(strIP) & ".txt",0,true
%>

It would effectively delete the contents of the C: drive.  This is the type of example that people always mention when pointing out that this type of thing is a security issue, but what I have never understood is that if someone had access to modify your source code, then theoretically they could make it do anything.  One thing that you would obviously want to avoid is to give the user a text field and allow them to execute whatever they type in...clearly that would be a big security issue.  But since the above code is merely passing the IP address and executing a specific command, I am not really clear on how it is a security issue, other than what others have said...



Granted that does sound nasty and I am not disagreeing. However, I would imagine that the shell is going to be running in the context of IUSR so delete C:\*.* probably wouldn't get very far. Also, in your example you're not using any user supplied parameters so you shouldn't have to worry so much about them injecting some nasty command.

In general I'd guess that granting IUSR write access so it can create the text files is probably more dangerous than simply shelling out a command (as long as there is no chance for injection).

If someone hasn't already, this should be (could be) written as an ActiveX DLL. Maybe I'll do that tonight.


*To be clear I am not saying it is 100% safe to do anything mentioned, I am just discussing the relative risks.
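
The injection question raised in this thread comes down to whether strIP can ever carry anything other than an address. As an added example (not code from any poster in the thread), the sketch below validates the value before it is placed in the nbtstat command line and keeps the output file name independent of it; the function names IsStrictIPv4, BuildNbtstatCommand and DemoResults are hypothetical, and the sample inputs are constructed.

```vbscript
' Added example (not from the thread). Pure VBScript, usable in classic ASP
' or under cscript. All function names here are hypothetical.

' True only for a dotted-quad IPv4 address with each octet in 0-255.
Function IsStrictIPv4(strIP)
    Dim re, s, parts, i
    IsStrictIPv4 = False
    s = "" & strIP                                  ' Null/Empty become ""
    Set re = New RegExp
    re.Pattern = "^[0-9]{1,3}(\.[0-9]{1,3}){3}$"    ' anchored: whole string
    If Not re.Test(s) Then Exit Function
    parts = Split(s, ".")
    For i = 0 To 3
        If CInt(parts(i)) > 255 Then Exit Function
    Next
    IsStrictIPv4 = True
End Function

' Builds the nbtstat command line, or returns "" when strIP is rejected.
' Assumption: strOutFile is chosen by the server (for example a temp name)
' instead of being built from strIP as in the posted GetMACAddress.
Function BuildNbtstatCommand(strIP, strOutFile)
    BuildNbtstatCommand = ""
    If Not IsStrictIPv4(strIP) Then Exit Function
    BuildNbtstatCommand = "%comspec% /c nbtstat -A " & strIP & _
                          " > """ & strOutFile & """"
End Function

' Constructed sample inputs: one valid address, then values that would
' otherwise change the command line or the output path.
Function DemoResults()
    Dim samples, s, out
    samples = Array("192.168.1.20", "192.168.1.20 & dir", _
                    "10.0.0.1 > x.txt", "..\..\web.config", "256.1.1.1", "")
    out = ""
    For Each s In samples
        out = out & "[" & s & "] -> " & IsStrictIPv4(s) & vbCrLf
    Next
    DemoResults = out
End Function
```

In ASP, show the demo with `Response.Write Server.HTMLEncode(DemoResults())`; under cscript, use `WScript.Echo DemoResults()`. Only the first sample is accepted.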


pvg1975

ASKER

I think I will use cookies :)

Thanks guys!