dslreports logo
site
 
    All Forums Hot Topics Gallery
spc

spacer




how-to block ads


Search Topic:
uniqs
6547
share rss forum feed


horacebork
Premium
join:2011-03-17
09001

tracing a mac address

is there any way for me to trace a mac address?
i was sifting router logs and detected an unknown mac id.
--
".. the sofa has just vanished." ".. well, that's one mystery less."



jaykaykay
4 Ever Young
Premium,MVM
join:2000-04-13
USA
kudos:24
Reviews:
·Cox HSI
·Speakeasy

2 recommendations

Not likely.

Part of the mac address identifies the manufacturer of the device. The rest is defined by that manufacturer. With that, you're narrowing down the possibilities a bit -- i.e. you know that it's a wireless device made by Intel.

You're not narrowing it down too much though. Most Windows laptops I've used in the past five years all use Intel made internal wireless cards.

And... it's not too difficult to spoof a MAC address.

If you know the MAC address of the intruder, why not just block it? That won't help you identify the perp (unless somebody complains that he/she can't connect), but it will secure you a bit more

--
JKK

Age is a very high price to pay for my maturity. If I can't stay young, I can at least stay immature!

»www.pbase.com/jaykaykay


dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
Reviews:
·Verizon FiOS

1 recommendation

reply to horacebork

What do you mean by 'trace'?

If you're seeing a MAC address, it must be on the network that saw it (if wired-LAN side, then on your wired LAN; if WiFi, then directly connected to your router; if WAN side, then it's something else on that wire). MAC addresses are next-hop only.



horacebork
Premium
join:2011-03-17
09001
Reviews:
·Time Warner Cable
·voip.ms

1 edit

i have pasted in the items in question from the log (edited).
by trace, i mean find the source device. and it seems to only be associated with the network for a very short period of time.
my router has mac address filtering, but only 'allow', i think.
(edit: seems like i can set a filter for a mac address to 'no access' - good news)
it's an airport extreme base station (4th gen).

also, can i scan my network for a mac address?
---

Feb 27 10:45:41 Severity:5 Associated with station 00:24:d2:ab:05:50
Feb 27 10:45:41 Severity:5 Installed unicast CCMP key for supplicant 00:24:d2:ab:05:50
Feb 27 10:50:05 Severity:5 Disassociated with station 00:24:d2:ab:05:50
Feb 27 10:50:15 Severity:5 Associated with station 00:24:d2:ab:05:50
Feb 27 10:50:15 Severity:5 Installed unicast CCMP key for supplicant 00:24:d2:ab:05:50
Feb 27 11:15:37 Severity:5 Disassociated with station 00:24:d2:ab:05:50
Feb 27 11:15:47 Severity:5 Associated with station 00:24:d2:ab:05:50
Feb 27 11:15:47 Severity:5 Installed unicast CCMP key for supplicant 00:24:d2:ab:05:50
Feb 27 11:21:04 Severity:5 Deauthenticating with station ff:ff:ff:ff:ff:ff (reserved 3).
Feb 27 11:21:04 Severity:5 Deauthenticating with station ff:ff:ff:ff:ff:ff (reserved 2).
Feb 27 11:21:05 Severity:5 Deauthenticating with station ff:ff:ff:ff:ff:ff (reserved 3).
Feb 27 11:21:05 Severity:5 Deauthenticating with station ff:ff:ff:ff:ff:ff (reserved 2).
Feb 27 11:21:08 Severity:5 Associated with station 00:24:d2:ab:05:50
Feb 27 11:21:08 Severity:5 Installed unicast CCMP key for supplicant 00:24:d2:ab:05:50
Feb 27 11:28:41 Severity:5 Idle timeout for station 00:24:d2:ab:05:50
Feb 27 11:28:41 Severity:5 Disassociating with station 00:24:d2:ab:05:50 (reserved 4).
Feb 27 11:28:41 Severity:5 Disassociated with station 00:24:d2:ab:05:50
Feb 27 11:29:18 Severity:5 Associated with station 00:24:d2:ab:05:50
Feb 27 11:29:18 Severity:5 Installed unicast CCMP key for supplicant 00:24:d2:ab:05:50
Feb 27 11:54:31 Severity:5 Idle timeout for station 00:24:d2:ab:05:50
Feb 27 11:54:31 Severity:5 Disassociating with station 00:24:d2:ab:05:50 (reserved 4).
Feb 27 11:54:31 Severity:5 Disassociated with station 00:24:d2:ab:05:50
--
".. the sofa has just vanished." ".. well, that's one mystery less."



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

2 edits

1 recommendation

said by horacebork:

also, can i scan my network for a mac address?

Well you can't "scan" as such but you can use an arp utility either on a PC or on your router if it supports it's use.

As jaykaykay See Profile said you can lookup a MAC address to find some basic info.

For example this site says this

quote:
MAC address 0024D2
Company Askey Computer

about 00:24:d2:ab:05:50.

From that log it looks to me as though someone tried to connect to your Wi-Fi but didn't successfully connect.

Are you using security for your Wi-Fi? You should be using WPA-AES with a long password. WEP is breakable in seconds and address filtering is easily bypassed.
--
Don't feed trolls--it only makes them grow!


Raphion

join:2000-10-14
Samsara

If I'm not mistaken, FiOS Actiontek routers have an "Askey Computer" MAC address.


HELLFIRE
Premium
join:2009-11-25
kudos:18

1 recommendation

reply to horacebork

If you have a basic home router and this came over wireless, not much you can do to "trace" this MAC address.
a) it's wireless, so WHERE are you going to start looking for this MAC address, start knocking on neighborhood
doors?, and b) as jaykaykay said, it's not that hard to spoof a MAC address if you really wanted to.

If you don't want this guy connecting, make sure your wireless is locked down.

Regards



horacebork
Premium
join:2011-03-17
09001
Reviews:
·Time Warner Cable
·voip.ms

1 recommendation

reply to StuartMW

the wireless is wpa2 with a strong password, but not a full-length (64 byte) password, which i have been avoiding.
maybe it's time to bring that issue to the front.
--
".. the sofa has just vanished." ".. well, that's one mystery less."



horacebork
Premium
join:2011-03-17
09001
Reviews:
·Time Warner Cable
·voip.ms

1 edit
reply to Raphion

a fios router on the network would be truly odd because our building is wired for cable and does not have fios.
it has to be something else.

now i just want to scan the other apartments on the network for that mac address.

btw: i have cut my router output to 50% to reduce it's range.
would a vpn prevent others from connecting to my wifi?

also, my wifi is set to not broadcast. not sure how someone picked up the network name.

--
".. the sofa has just vanished." ".. well, that's one mystery less."



AVD
Respice, Adspice, Prospice
Premium
join:2003-02-06
Onion, NJ
kudos:1

1 recommendation

reply to horacebork

mac filters are easily circumvented. It will cause trouble for legitimate clients and not affect the bad guys at all.
--
* seek help if having trouble coping
--Standard disclaimers apply.--


dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
reply to StuartMW

In case you didn't know, Windows has an ARP command. This only seems to query the local ARP cache, so may be of limited use.

To resolve a MAC address to an IP address, arp -a | findstr nn-nn-nn-nn-nn-nn



AVD
Respice, Adspice, Prospice
Premium
join:2003-02-06
Onion, NJ
kudos:1

192.168.1.104

now what?



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2
reply to dave

said by dave:

In case you didn't know, Windows has an ARP command.

Yes I know.

This only seems to query the local ARP cache, so may be of limited use.

I'm aware of that too. Not knowing whether the OP let his router assign IP's (most common) or has a service on a PC doing it I wrote
quote:
...you can use an arp utility either on a PC or on your router if it supports it's use.
My router has a very good command line processor and since I have it configured as a DHCP server I'd use it's ARP command (and have).
--
Don't feed trolls--it only makes them grow!


horacebork
Premium
join:2011-03-17
09001
Reviews:
·Time Warner Cable
·voip.ms

stuartmw:

I'm aware of that too. Not knowing whether the OP let his router assign IP's (most common) or has a service on a PC doing it I wrote

quote:
...you can use an arp utility either on a PC or on your router if it supports it's use.

i like to use static ips, so i assign them. my router is an airport extreme base station.
i'm almost positive there's no command line access.
might there be a way that some mix of disabling dhcp and other configs could help secure the router?

re: arp - i'm running os x, i have arp on the command line.
how can i utilize this to help secure my network?
and would some machine on the network always have to be on?
--
".. the sofa has just vanished." ".. well, that's one mystery less."

SpHeRe31459
Premium
join:2002-10-09
Sacramento, CA
kudos:2

So wait you statically assign IPs, yet you left DHCP on? From a quick Google search I see that good ol' Apple doesn't think you'd ever want to disable DHCP. Here's a workaround: »macnugget.org/projects/aebx/

Since your router has no command line access you can't check the ARP command there so you're basically at the end of the road here.


SpHeRe31459
Premium
join:2002-10-09
Sacramento, CA
kudos:2
reply to Raphion

said by Raphion:

If I'm not mistaken, FiOS Actiontek routers have an "Askey Computer" MAC address.

Just to add to this, Askey is a huge Chinese OEM, they make network gear for lots of other brands (they're known to make equipment under contract for Actiontec, Netgear, and more). So you cannot really tell much of anything from the vendor name. Probably anyone with a cheap brand USB Wi-Fi adapter is using an Askey made design under the plastic encolosure.


AVD
Respice, Adspice, Prospice
Premium
join:2003-02-06
Onion, NJ
kudos:1

cool name
Askey = ACSII


SpHeRe31459
Premium
join:2002-10-09
Sacramento, CA
kudos:2

said by AVD:

cool name
Askey = ACSII

Yeah I know it is a pretty neat little name.


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2
reply to horacebork

said by horacebork:

i like to use static ips, so i assign them.

Actually I have some static IP's and some pseudo-static IP's (IP's assigned through DHCP but "static" based on their MAC address).

That mean's I don't have a have a local DNS server (I use Windows HOST files to name my stuff).
--
Don't feed trolls--it only makes them grow!


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

2 recommendations

reply to AVD

said by AVD:

Askey = ACSII

For me Ass-Key came to mind
--
Don't feed trolls--it only makes them grow!

dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8

Is it related to that 'password safe' product?

Keep-Ass.



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

1 recommendation

reply to horacebork

said by horacebork:

also, my wifi is set to not broadcast. not sure how someone picked up the network name.

You might want to read this

Myth vs. reality: Wireless SSIDs

Using WPA2 with a longish password (mine is 63-chars of pseudo-random upper/lower case, digits and symbols) is your best protection. The other stuff doesn't really help, insofar as security, but can still be useful IMO.

BTW do you have WPS (Wi-Fi Protected Setup) enabled? That is breakable.

WiFi Protected Setup Flaw Can Lead to Compromise of Router PINs
--
Don't feed trolls--it only makes them grow!

SpHeRe31459
Premium
join:2002-10-09
Sacramento, CA
kudos:2

Looks like Apple has WPS, but doesn't use it by default and they removed it from their setup wizard in more recent versions.

quote:
It seems the picture is getting clearer with every post and I think we can say that using Apple's routers is safe with respect to the current WPS-threat as long as one does not choose to run the optional "Add Wireless Clients..." function (Menu "Base Station" in Airport Utility).
Sheesh, Apple makes technical details so hard to find... People weren't even sure if it did WPS initially since they of course used a different name instead of WPS, and then they've removed the feature from their setup tool, but you can still get to it from older version of the tool, etc. etc.


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

said by SpHeRe31459:

Sheesh, Apple makes technical details so hard to find...

Well that is consistent with their whole philosophy of hiding technical details so the "average user" can use the product (whatever it is).
--
Don't feed trolls--it only makes them grow!


horacebork
Premium
join:2011-03-17
09001

3 edits
reply to StuartMW

re: depressing info about unbroadcast ssid - got it
re: 63 char wpa2 password - next on my list [edit] done.

--
".. the sofa has just vanished." ".. well, that's one mystery less."



horacebork
Premium
join:2011-03-17
09001
Reviews:
·Time Warner Cable
·voip.ms
reply to SpHeRe31459

So wait you statically assign IPs, yet you left DHCP on?

right. there are still a couple of devices that i cannot assign static ip on the device itself.
the apple tv is one of them. i could reserve a static ip for it's mac address, i suppose ..

is there a way by disabling dhcp that i can prevent an outside machine from gaining a compatible ip address on my lan?

--
".. the sofa has just vanished." ".. well, that's one mystery less."


EGeezer
zichrona livracha
Premium
join:2002-08-04
Midwest
kudos:8
Reviews:
·Callcentric
reply to horacebork

This topic, although old, is still relevant when securing a wireless router;

»Harden your router/AP in five steps
--
Buckle Up. It makes it harder for the aliens to suck you out of your car.


SpHeRe31459
Premium
join:2002-10-09
Sacramento, CA
kudos:2
reply to horacebork

said by horacebork:

So wait you statically assign IPs, yet you left DHCP on?

right. there are still a couple of devices that i cannot assign static ip on the device itself.
the apple tv is one of them. i could reserve a static ip for it's mac address, i suppose ..

is there a way by disabling dhcp that i can prevent an outside machine from gaining a compatible ip address on my lan?

Seems to me like you pretty much already hit on what you can do. Reserve the MAC address of those devices that can't be set statically (manually). Then set the DHCP pool to exactly the number of devices that must use DHCP.

I don't know of any TCP/IP enabled device that cannot be manually assigned. I'm pretty sure to be a TCP/IP enabled device the specifications mandate that it must expose a method for manual assignment.

For example: with a simple Google search of "apple tv static ip address" I immediately found instructions for setting a static IP address for Apple TV...

Menu >> Settings
General
Network
Configure TCP/IP
Choose Manually
Enter your desired IP


EGeezer
zichrona livracha
Premium
join:2002-08-04
Midwest
kudos:8
Reviews:
·Callcentric

said by SpHeRe31459:

Reserve the MAC address of those devices that can't be set statically (manually). Then set the DHCP pool to exactly the number of devices that must use DHCP.

That'll work nicely unless someone tries to spoof one of the MAC addresses. Then, as they say, results may be unpredictable.
--
Buckle Up. It makes it harder for the aliens to suck you out of your car.

SpHeRe31459
Premium
join:2002-10-09
Sacramento, CA
kudos:2

Right, it's sort of the best that can be done in that situation. I would think that it's pretty slim chances that someone is going to try that hard to mess with some random person's wireless network that was probably just seen while wardriving around or something.