• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 366

IDENTIFY A COMPUTER

Hi guys,

Is there any way to identify a computer when browsing my site? It is for a chat application, and I was wondering if it is possible to get the PC's MAC address. I won't use the IP address since it may change if the user does not have a static IP address.

Thanks!

Asked:
pvg1975
1 Solution
 
Lee W, MVP, Technology and Business Process Advisor Commented:
Not really... not without using some sort of ActiveX control.  You might try using cookies.

peterxlane Commented:
This will get a MAC address when passed a valid IP address, but most people are not comfortable running stuff like this on their servers...

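<%
' Returns the MAC address that nbtstat reports for strIP, or
' "Cannot Obtain Mac Address" when the output contains no such line.
Function GetMACAddress(strIP)
      Set net = Server.CreateObject("Wscript.Network")
      Set sh = Server.CreateObject("Wscript.Shell")
      ' Run nbtstat through cmd.exe and redirect its output to <strIP>.txt.
      ' strIP goes into both the command line and the file path unchanged.
      sh.run "%comspec% /c nbtstat -A " & strIP & " >" & Server.MapPath(strIP) & ".txt",0,true
      Set sh = nothing
      Set fso = Server.Createobject("Scripting.Filesystemobject")
      Set ts = fso.opentextfile(Server.MapPath(strIP) & ".txt")
      macaddress = null
      ' Scan the captured output for the "MAC Address = ..." line
      Do While Not ts.AtEndOfStream
            data = ucase(trim(ts.readline))
            If instr(data,"MAC ADDRESS") Then
                  macaddress = trim(split(data,"=")(1))
                  Exit Do
            Else
                  macaddress = "Cannot Obtain Mac Address"
            End if
      Loop
      ts.close
      Set ts = nothing
      ' Remove the temporary output file
      fso.deletefile Server.MapPath(strIP) & ".txt"
      Set fso = nothing
      GetMACAddress = macaddress
End Function
%>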


chisholmd Commented:
Just curious, what is the risk of that code on the server?  I would imagine it has something to do with allowing IUSR to access the network and write to disk.

Sounds like something that could be wrapped up into a DLL and sold for $10. :)

getMac.dll  $10 order yours today :)

Also, I think in ASP.NET there are some special accounts for performing disk access and network functions from your ASPX pages without granting permissions to IUSR.  That should make it safe...no?

2cents


 
pvg1975 (Author) Commented:
Hi peterxlane!

Same question as chisholmd. What's the risk of having that code on the server?

peterxlane Commented:
To be honest, I am just going based on what I have heard other users say in regards to running command line commands in your ASP code.  

http://www.experts-exchange.com/Web/Web_Languages/ASP/Q_21287474.html
http://www.experts-exchange.com/Web/Web_Languages/ASP/Q_20579292.html


Once you have the permissions set correctly, this line:
<%
sh.run "%comspec% /c nbtstat -A " & strIP & " >" & Server.MapPath(strIP) & ".txt",0,true
%>

is executing that command line, so if it could be changed to:
<%
sh.run "%comspec% /c delete c: >" & Server.MapPath(strIP) & ".txt",0,true
%>

It would effectively delete the contents of the C: drive.  This is the type of example that people always mention when pointing out that this type of thing is a security issue, but what I have never understood is that if someone had access to modify your source code, then theoretically they could make it do anything.  One thing that you would obviously want to avoid is to give the user a text field and allow them to execute whatever they type in...clearly that would be a big security issue.  But since the above code is merely passing the IP address and executing a specific command, I am not really clear on how it is a security issue, other than what others have said...




chisholmd Commented:
Granted that does sound nasty and I am not disagreeing.  However, I would imagine that the shell is going to be running in the context of IUSR so delete C:\*.* probably wouldn't get very far.  Also, in your example you're not using any user supplied parameters so you shouldn't have to worry so much about them injecting some nasty command.

In general I'd guess that granting IUSR write access so it can create the text files is probably more dangerous than simply shelling out a command (as long as there is no chance for injection).

If someone hasn't already, this should be (could be) written as an ActiveX dll. Maybe I'll do that tonight.


*To be clear I am not saying it is 100% safe to do anything mentioned, I am just discussing the relative risks.


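The injection question raised in the comments above depends on whether strIP can ever hold anything other than an address. As an added example (not code from any poster in this thread), the classic ASP snippet below lets only a dotted-quad IPv4 string reach the nbtstat command line or Server.MapPath; the helper names IsValidIPv4 and NbtstatCommand and the sample inputs are assumptions made for illustration.

```vbscript
<%
' Added example, not code from the thread. IsValidIPv4 and NbtstatCommand are
' hypothetical helper names; the sample inputs below are constructed.

' True only for four dot-separated groups of 1-3 ASCII digits, each 0-255.
Function IsValidIPv4(strIP)
    Dim s, parts, i, j
    IsValidIPv4 = False
    s = "" & strIP                       ' coerce Null/Empty to a string
    parts = Split(s, ".")
    If UBound(parts) <> 3 Then Exit Function
    For i = 0 To 3
        If Len(parts(i)) < 1 Or Len(parts(i)) > 3 Then Exit Function
        For j = 1 To Len(parts(i))
            ' Reject anything that is not 0-9: spaces, &, |, >, quotes, slashes
            If InStr("0123456789", Mid(parts(i), j, 1)) = 0 Then Exit Function
        Next
        If CInt(parts(i)) > 255 Then Exit Function
    Next
    IsValidIPv4 = True
End Function

' Builds the nbtstat command only for a validated address; returns "" otherwise,
' so the caller never hands unchecked text to sh.run or Server.MapPath.
Function NbtstatCommand(strIP)
    NbtstatCommand = ""
    If IsValidIPv4(strIP) Then NbtstatCommand = "nbtstat -A " & strIP
End Function

' Constructed inputs: one valid address, then values that must be rejected
Dim samples, item
samples = Array("192.168.1.20", "192.168.1.20 & echo injected", _
                "..\..\web.config", "999.1.1.1", "")
For Each item In samples
    Response.Write Server.HTMLEncode("[" & item & "] -> [" & _
        NbtstatCommand(item) & "]") & "<br>"
Next
%>
```

Only the first sample produces a command string; the other four come back empty, so a caller can refuse to shell out when the result is "".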
 
pvg1975 (Author) Commented:
I think I will use cookies :)

Thanks guys!