Be it the MAC address of the router connecting to the internet or the MAC address of the computer the visitor is searching from, is it possible for a website to record or track its visitors' MAC addresses?
I'm involved in a case where if it were possible for the site to identify machine identifiers beyond the IP address of a visitor to a site that would greatly help. The MAC address would be ideal.
I've heard varying accounts: some say no, it's not possible; others say that with some specialist add-ons it can be possible. Can anyone explain if this is technically impossible (unless of course the site is Google and the user is running Chrome for example), or if there are some possibilities that can be implemented?
I am not sure I understand the question.
Is it possible in theory to run in the browser a Java or ActiveX or WMI script that gathers the MAC address of the machine?
Yes.
See here for an example
https://
Will the above (or something like it) work normally/generically?
No.
Is the MAC address of the machine available to the site otherwise?
No, something must be run "locally" and send the info to the website, a typical example of what malware is.
jaclaz
I am not sure I understand the question.
Is it possible in theory to run in the browser a Java or ActiveX or WMI script that gathers the MAC address of the machine?
Yes.
See here for an example
https://techdetails.agwego.com/2008/02/11/37/
Will the above (or something like it) work normally/generically?
No.
Is the MAC address of the machine available to the site otherwise?
No, something must be run "locally" and send the info to the website, a typical example of what malware is.
jaclaz
You appear to have understood, thanks for the reply.
Let's leave malware to one side for a moment and assume we are talking about one of your initial possibilities. In that instance would the ONLY MAC address that could be collected be that of the wifi adapter of the computer connecting to the internet? Or could it also include that of all the NICs and other MAC addresses found associated on that computer, and could it possibly also include the MAC address of the router connecting to the internet that the computer is connected to?
Having something executed locally is malware, that was the whole point.
jaclaz
Sites can run Java applets or ActiveX scripts without going as far as infecting your computer with malware. Are you in fact saying that the only way to achieve what I was talking about is through infecting with malware (something a reputable company would not get involved in)?
Sites can run Java applets or ActiveX scripts without going as far as infecting your computer with malware.
It's a question of definition of the term 'malware'.
One common definition is 'code that does things on a system that the owner of the system has not authorized or is not aware that he has authorized'.
That second part ('not aware') is fairly common in, say, Android, which tends to over-authorize.
Are you in fact saying that the only way to achieve what I was talking about is through infecting with malware (something a reputable company would not get involved in)?
It's also a question of whose definition. If it's between what a reputable software company thinks it means, and what their users think it means, it is generally the users' definition that wins. Especially when it reaches the press.
A lot of reputable companies have been revealed to collect information from 'their' systems (i.e. systems their software runs on), and generally they backed off fairly quickly once it became general knowledge that it was happening.
According to themselves, it was not malware. According to their users, they collected information they (the users) regarded as sensitive, without due notice, and so 'malware' was certainly one of the terms applied to that practice.
Using WMI through ActiveX is possible given a set of conditions that you won't ever find in the real world
http//
Condition #1 Internet Explorer
Condition #2 Site marked as "trusted site"
Condition #3 Explicit consent from user to run unsafe scripting
See also
http//
http//
The question might be (besides the fact that no one uses IE anymore and the personal opinion that those who actually used it deserved to be hacked): can something like that be coded in such a way that the user does not need to give once or twice actual explicit consent?
Possibly yes, and then it will be malware.
jaclaz
Be it the MAC address of the router connecting to the internet or the MAC address of the computer the visitor is searching from, is it possible for a website to record or track its visitors' MAC addresses?
Yes, it is possible. But you have to configure this "trap" on the server in advance. 99,5% of all webservers I have seen are using the W3C standardized logging format without any customizations. There is a short and good documentation on a Microsoft site
https://
There you can find an example of such a log and the information inside. No MAC address there, not on Windows IIS and not in a standardized Apache log on Linux/Unix/BSD.
By the way, I am absolutely sure that the MAC address is the most wanted information by "agencies" and recorded whenever possible. Since only a few people know how to change a MAC address and many more people know how to delete a browsing history, this is a nice and unique forensic artefact.
Robin
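As an added illustration of the point about W3C logs (not part of the original posts), this Python sketch parses an IIS-style W3C extended log and lists which fields describe the client. The log lines, addresses and function names are constructed for this example.

```python
import re

# Constructed sample in W3C extended log format (IIS-style); not from the thread.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2024-01-15 10:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2024-01-15 10:00:01 192.0.2.10 GET /index.html - 443 - 198.51.100.23 Mozilla/5.0+(Windows+NT+10.0) 200
2024-01-15 10:00:05 192.0.2.10 GET /login id=7 443 - 203.0.113.77 Mozilla/5.0+(X11;+Linux+x86_64) 200
"""

# Six hex pairs separated by ':' or '-', the usual textual form of a MAC.
MAC_RE = re.compile(r"\b[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5}\b")


def parse_w3c(text):
    """Return (field_names, rows); rows are dicts keyed by the #Fields names."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split())))
    return fields, rows


def client_identifiers(rows):
    """Keep only values about the client: 'c-' fields and 'cs(...)' headers."""
    return [
        {k: v for k, v in row.items() if k.startswith("c-") or k.startswith("cs(")}
        for row in rows
    ]


def mac_like_values(rows):
    """Every (field, value) pair whose value contains a MAC-shaped token."""
    return [(k, v) for row in rows for k, v in row.items() if MAC_RE.search(v)]


if __name__ == "__main__":
    fields, rows = parse_w3c(SAMPLE_LOG)
    print("fields:", fields)
    print("client identifiers:", client_identifiers(rows))
    print("MAC-shaped values:", mac_like_values(rows))
```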
Yes, it is possible. But you have to configure this "trap" on the server in advance. 99,5% of all webservers I have seen are using the W3C standardized logging format without any customizations. There is a short and good documentation on a Microsoft site
https://msdn.microsoft.com/de-de/library/windows/desktop/aa814385(v=vs.85).aspx
This appears to refer to an attempt to record the MAC address of the traffic reaching the server, not the MAC address of the traffic that leaves the client.
A MAC address typically doesn't survive a network border transition (say, a firewall or router). So … in almost all cases what you would see in such logs would be the MAC address of your border router, your firewall, your load balancer or whatever else you have next to your web server on the LAN.
In other words, totally uninteresting information. (Unless you're tracing a rogue node on your own local network, but using web server logs for that would be … unusual.)
The only situation I can think of that *might* show the sender's MAC address is if a VPN connection to the target was used, and that would be a very special case. I'm inclined to believe that the sender MAC in such a case would be a virtual MAC address rather than a physical one. But I'm not a VPN expert.
By the way, I am absolutely sure that the MAC address is the most wanted information by "agencies" and recorded whenever possible. Since only a few people know how to change a MAC address and many more people know how to delete a browsing history, this is a nice and unique forensic artefact.
Well … no. It's not unique. And since there is no need for it to be (except within a LAN), some companies don't try to make it unique anymore – as long as they ensure their manufacturing batches (with shared MACs) don't end up at the same dealer, and thus risk ending up at the same customer, causing network disruption, they're reasonably safe from complaints. (I've seen duplicated MACs – universally administered MACs – in physical NICs three times myself; and I don't even work with networks.)
Don't pretend MACs are unique – that makes for bad forensic science. Add the correct qualifier 'locally unique'. Explain the limits of the term 'locally', why they are not globally unique, and provide the properly researched statistics to what degree they overlap, and if there are any ways for the forensic analyst who has to interpret them to keep such errors under control.
That's the task a forensic computer analyst should be up to.
Science and objective observation, not folklore.
(I think I remember a blog posting or article from the Shodan people about the extent they had observed duplicated MAC addresses during their trawls of Windows protocols … but I can't find it again. That's the closest thing I can think of regarding research into this matter.)
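An added example, not from any poster in the thread, of a check an analyst can apply before treating a MAC as an identifier: read the two flag bits in the first octet (group/multicast and locally administered) and note when one address was observed on more than one host. The observations are constructed, using the documentation range 00-00-5E-00-53-xx and a made-up locally administered address; the function names are hypothetical.

```python
from collections import defaultdict

# Constructed observations: (host label, MAC as it appeared in some record).
OBSERVATIONS = [
    ("laptop-A", "00:00:5E:00:53:01"),
    ("laptop-B", "00-00-5e-00-53-01"),   # same address seen on a second host
    ("phone-C", "DA:A1:19:00:11:22"),    # locally administered bit is set
]


def parse_mac(text):
    """Normalise 'aa:bb:..', 'aa-bb-..' or 'aabb.ccdd.eeff' to 6 raw bytes."""
    hexdigits = text.replace(":", "").replace("-", "").replace(".", "")
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC: {text!r}")
    return bytes.fromhex(hexdigits)


def describe(mac):
    """Decode the flag bits carried in the first octet."""
    first = mac[0]
    return {
        # Only meaningful as a vendor prefix when locally_administered is False.
        "oui": mac[:3].hex(":"),
        "multicast": bool(first & 0x01),             # I/G bit
        "locally_administered": bool(first & 0x02),  # U/L bit
    }


def review(observations):
    """Group observations by address and record which hosts showed each one."""
    hosts_by_mac = defaultdict(set)
    for host, text in observations:
        hosts_by_mac[parse_mac(text)].add(host)
    report = {}
    for mac, hosts in hosts_by_mac.items():
        info = describe(mac)
        info["hosts"] = sorted(hosts)
        info["shared"] = len(hosts) > 1  # one address, several hosts
        report[mac.hex(":")] = info
    return report


if __name__ == "__main__":
    for mac, info in review(OBSERVATIONS).items():
        print(mac, info)
```

A set U/L bit means the address was assigned in software (changed by hand, randomised by the OS, or virtual), so its first three bytes say nothing about the vendor.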
This appears to refer to an attempt to record the MAC address of the traffic reaching the server, not the MAC address of the traffic that leaves the client.
A MAC address typically doesn't survive a network border transition
You are completely right, this is why I wrote about a "trap". A malicious script running on the webserver may fetch the internal IP address (before NAT) and the MAC address of the connecting client. Have a look at the FBI reports about Darknet websites offering CP. Once the FBI had control over those servers, they grabbed as many IP + MAC addresses and all other identifiers they could get. And a MAC is much more unique than an IP or Browser Agent.
Well … no. It's not unique. And since there is no need for it to be (except within a LAN), some companies don't try to make it unique anymore – as long as they ensure their manufacturing batches (with shared MACs) don't end up at the same dealer, and thus risk ending up at the same customer, causing network disruption, they're reasonably safe from complaints. (I've seen duplicated MACs – universally administered MACs – in physical NICs three times myself; and I don't even work with networks.)
In theory MAC addresses are unique! And I have never heard before of a vendor using duplicate values for their MAC branding. But, of course, I do not see it as a really unique identifier. We both know that changing the MAC address is only one command line. MACs are only changed by professionals, not by the average user or offender. We are doing Digital Forensics; I do not trust anything. Especially not if it can be modified to hide traces or identities with a single command.