Hunting for MAC Addresses

I had a need to identify the MAC address of a computer from an image (actually a whole bunch of images) recently and went looking through the registry to try solve my problem. Who doesn’t love a bit of registry analysis, and of course Eric’s tools come to the rescue yet again for this kind of hunting. Also side note, you should support Eric’s tool-making.

Eric was even kind enough to recently add an –sa option so that you can search across keys values data and slack in one query
Searching for a known value is a good way for finding this kind of info, so using RECmd I searched my live registry for the MAC of my host. Which led me to the following key/value in the SYSTEM hive :

SYSTEM\ControlSet001\Control\NetworkSetup2\Interfaces\{GUID}\Kernel\CurrentAddress

Screen Shot 2019-10-05 at 7.01.05 pm

(There’s also the Services\Tcpip6\Parameters one, but I haven’t looked into that one)

Now if I want to do parse this value directly I can do this using the –kn and –vn options, but this is going to require a bit of extra work. There may be multiple interfaces so we’d have to replace {GUID} with a wildcard and this isn’t supported in the –kn option. For this, we need to use a batch file! If you haven’t looked at RECmd batch files I’d highly recommend it. They really allow you to process registry data at scale very quickly.

I wrote out my little batch file that pulls out this value, and tested it out but alas it was not to be so. Windows stores the MAC address in binary format, and in the version of RECmd that I was using Eric had programmed the tool to output the phrase “(Binary Data)” instead of the actual hex. This is a smart move because of the significant amount of data that could be stored in here that would really clog up output.

Screen Shot 2019-10-05 at 7.18.23 pm

But of course, because of his awesomeness, I shared my problem and Eric came up with a solution, which can be seen in this example. There are now two new optional parameters you can use in the batch file:

  1. IncludeBinary – which if true will dump the binary in hex format (great for my problem);
  2. BinaryConvert – which will decode data to an IP or FILETIME format.

Screen Shot 2019-10-05 at 7.21.38 pm

From here I was able to dump out all the SYSTEM hives from my images and run the batch file across every one of them in no time flat.

I’ve only tested this on Win10 and but I’d be interested to know if it appears on other version of Windows.


Also I highly recommend people go over to Eric’s GitHub Sponsors page and throw him some $$. I get value out of his work so I see it fitting to give some value back. Patreon might not be something people are aware of, but I think Eric’s tooling is something worth supporting and encourage others to do the same.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s