identifying devices on my wireless network

Hello,
Part 1: This all started when I noticed the WPS button flashing red on my ZyXel (CenturyLink) modem, and learned that my suspicion that it was getting access attempts was likely correct (see this thread: »[CenturyTel] ZyXel 5001Z WPS button).
I never really liked the WPS button being activated when we received the modem, but also never looked into the possibility of deactivating it until a couple of days ago. Last night, I did deactivate it, and ended up with no internet access at all (connected to the network, but no internet access). I finally managed to get the button deactivated AND have internet access this morning. My husband has internet access, but also has a yellow exclamation point over his network icon. (?) Still tweaking settings, may revisit this later.
Part 2: A couple of months ago I found a gem of a piece of software called WiFiGuard, which scans the network and tells me if it finds any unauthorized devices. Initially I was surprised to acknowledge that I have almost a dozen devices connected to my network, but then after identifying them one by one, I guess that's probably pretty average.
Last night, after messing with the modem settings, I got an alert of an unrecognized device, identified at MAC address 00-00-00-00-00-00, with a vendor name of Xerox Corp. This morning there was another unrecognized device at IP address 192.168.0.169, which was alternately identified by WiFiGuard as Dell-PC (assumed to be my PC) and Xerox Corp. (?)
Following instructions found here: »Security »What is using port XXX on my computer? I found the following:
- 192.168.0.169 is using "subports" 137, 138, 1900, and 58967
- all are using UDP protocol
- Foreign Address is *:*
- the PIDs are 4 (two processes, identified as System / NT Kernel & System) and 1060 (two processes, identified as Local Service Host Process for Windows Services)
So, now that the groundwork is laid, I'll ask:
1) Is it likely that this unrecognized device is my own computer, and if so, why is it using a different IP address than mine?
2) Is there a way to identify a device by looking up its MAC address?
3) If a MAC address identified as 00-00-00-00-00-00 is "unresolved", how can I resolve it to find out what it is?

Ports 137 and 138 are Windows NetBIOS, port 1900 is UPnP, and port 58967 could be anything.
Can you "intensive scan" that IP with nmap / zenmap »nmap.org/ and paste the results? -- Scott Brown Consulting

reply to DragonLore
1) MAC addresses are supposed to be UNIQUE on the local LAN -- the best way to figure out who has what MAC is to go host by host, figuring out what MAC address each has. On Windows, "getmac" is a pretty handy command. In *nix, "ifconfig" is a similar command. If you have devices like iPhones, tablets, etc., you may have to read over the label stickers and see if it lists the MAC address somewhere.
2) Is this what you mean? http://coffer.com/mac_find/
3) Depends on whether your equipment is "managed" or not. By that I mean via a CLI or GUI, you can determine what's in a device's ARP table, and from which actual physical interface a MAC address is being learned.
I should add that it's child's play to spoof a MAC address these days; the standard warnings about "low-hanging fruit" security measures like MAC filtering apply, as does ensuring your home network, both wired and wireless, is as secure as possible.
My 00000010 bits
Regards

reply to DragonLore
The "Xerox" identification is false, you realize. 00-00-00 is technically the prefix of a MAC address of a Xerox device, and that's why the lookup is returning Xerox, but 00-00-00-00-00-00 is either unresolved or falsified. -- Scott Brown Consulting
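
An added example (my own code, not from the thread, WiFiGuard or coffer.com) of the two points made above: the OUI lookup that turns 00-00-00-00-00-00 into "Xerox", and Hellfire's suggestion of reading ARP entries host by host. It parses a constructed Windows `arp -a` dump, refuses to name a vendor for the all-zero, broadcast, multicast or locally-administered addresses, flags an IP seen with more than one MAC as a stale or spoofed entry, and marks entries whose MAC you supply from your own `getmac`. The OUI table is a hand-typed four-entry subset of the IEEE registry and every address in the dump is invented.

```python
"""Audit Windows `arp -a` output for MACs that a vendor lookup will mislabel.

Constructed example: the OUI table is a tiny hand-typed subset and the
sample dump below is made up, not captured from the thread.
"""
import re
from collections import defaultdict

# Hand-typed subset of the IEEE OUI registry (assumed sufficient for the demo).
OUI_TABLE = {
    "00:00:00": "Xerox Corporation",
    "00:14:22": "Dell Inc.",
    "f0:1f:af": "Dell Inc.",
    "00:17:88": "Philips Lighting BV",
}

ARP_LINE = re.compile(
    r"^\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>(?:[0-9a-fA-F]{2}[-:]){5}[0-9a-fA-F]{2})\s+(?P<type>\w+)\s*$"
)

def normalize_mac(mac):
    """'00-14-22-AB-CD-EF' and '00:14:22:ab:cd:ef' compare equal afterwards."""
    return ":".join(p.lower() for p in re.split(r"[-:]", mac))

def classify_mac(mac):
    """Say what kind of address this is before anyone asks who made it."""
    mac = normalize_mac(mac)
    if mac == "00:00:00:00:00:00":
        # Not a hardware address: an unresolved/incomplete ARP entry or a
        # placeholder. Its first three bytes equal Xerox's OUI, which is the
        # only reason a naive lookup reports "Xerox Corp".
        return "unresolved"
    if mac == "ff:ff:ff:ff:ff:ff":
        return "broadcast"
    first = int(mac[:2], 16)
    if first & 0x01:
        return "multicast"             # group address, never a single device
    if first & 0x02:
        return "locally-administered"  # software-set: VM, randomised or spoofed
    return "unicast"

def naive_vendor(mac):
    """What a tool that only looks at the first 3 bytes reports."""
    return OUI_TABLE.get(normalize_mac(mac)[:8], "unknown OUI")

def vendor_for(mac):
    """OUI lookup that refuses to name a vendor for non-hardware addresses."""
    if classify_mac(mac) != "unicast":
        return None
    return naive_vendor(mac)

def parse_arp(text):
    """Yield (ip, mac, type) for every entry line; headers are skipped."""
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            yield m["ip"], normalize_mac(m["mac"]), m["type"]

def audit(text, my_macs=()):
    """One report row per ARP entry. my_macs: your own adapters' MACs (from
    `getmac` or `ipconfig /all`) so a wired+wireless host is not two strangers."""
    my_macs = {normalize_mac(m) for m in my_macs}
    entries = list(parse_arp(text))
    macs_per_ip = defaultdict(set)
    for ip, mac, _ in entries:
        macs_per_ip[ip].add(mac)
    rows = []
    for ip, mac, _ in entries:
        cls, notes = classify_mac(mac), []
        if cls != "unicast":
            notes.append(f"{cls}: vendor cannot be inferred from the OUI")
        if mac in my_macs:
            notes.append("one of my own adapters")
        if len(macs_per_ip[ip]) > 1:
            notes.append("IP seen with several MACs: stale cache entry or spoofing")
        rows.append({"ip": ip, "mac": mac, "class": cls,
                     "vendor": vendor_for(mac), "notes": notes})
    return rows

# Constructed `arp -a` dump; every address here is illustrative.
SAMPLE_ARP = """
Interface: 192.168.0.132 --- 0xb
  Internet Address      Physical Address      Type
  192.168.0.1           00-17-88-aa-bb-cc     dynamic
  192.168.0.169         00-00-00-00-00-00     invalid
  192.168.0.170         00-14-22-ab-cd-ef     dynamic
  192.168.0.170         f0-1f-af-12-34-56     dynamic
  192.168.0.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.251           01-00-5e-00-00-fb     static
"""

if __name__ == "__main__":
    for r in audit(SAMPLE_ARP, my_macs=["F0-1F-AF-12-34-56"]):
        print(r["ip"], r["mac"], r["class"], r["vendor"], "; ".join(r["notes"]))
```

Paste your own `arp -a` text in place of SAMPLE_ARP and the MACs from `getmac` as my_macs. A row classed "unresolved" tells you only that the cache holds no answer for that IP, not what is behind it; the vendor column stays empty for it on purpose, while naive_vendor() shows the "Xerox" answer a first-three-bytes lookup produces.
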
reply to sbconslt
I'm going to try to reply to everything, so forgive me if I miss something.
Scott, I downloaded nmap (which I used to have but couldn't figure out how to use), and ran an intense scan on 192.168.0.169. In the midst of the long results I saw this: "Skipping OS Scan against 192.168.0.169 because it doesn't work against your own machine (localhost)". But my IP address is .132! I also noticed a line that listed an iPhone, which I do not nor have ever owned.
Hellfire, that coffer.com link is awesome! Thanks! It ID'd my unknown MAC address as Dell - again, could be my computer. I'll make a list of all my devices' MAC addresses later today, when I have the time, for future reference. I didn't understand what you said about ARP tables. I used to use MAC filtering, but a few years back, someone (perhaps in this forum, can't remember) told me it was passe, and easy to bypass. I do have WPA2 enabled with "both" kinds of encryption.
Back to Scott, WiFiGuard is alerting me as I type this message that the .169 device has a MAC address of 00 etc. So is .169 my own computer? Why isn't it showing up at .132? If it's unresolved, how do we resolve it, or figure out if it's falsified? Maybe you need that log...
Just a few more notes:
1) I've had the power set at 40% since getting this modem about a year ago, because I don't want my signal broadcasting all over the neighborhood, and this morning I dropped it down to 20%, which still seems to be working fine.
2) My husband rebooted, and the yellow exclamation point went away, so we are live and connected without the WPS button enabled.
3) One of the things I did last night was to hide my SSID. I used to have it hidden all the time, until we got more active with multiple devices, and it was easier to broadcast it. Because of connection issues last night & this morning, I reset it back to broadcast, but I'd like to work toward getting everything working with it hidden.
4) Once an unauthorized device has gotten access to the network, is there any way to get it off without changing the password?
5) Oh - I forgot to mention I use Privoxy - will that skew all of this?
If you still want the results of the intensive scan, I'll post them.

How about just the output of ipconfig /all from a command prompt. -- Scott Brown Consulting

Well, you're not .169.
WiFiGuard could be reporting you stale information. Try an alternative like NirSoft WNetWatcher. -- Scott Brown Consulting

Yes, I had previously run ipconfig to ID myself.
WNetWatcher also shows both .132 and .169, which first showed up last night. It's persistently been there today. The Abo device is my DVD player.

reply to sbconslt
I rebooted (something I rarely do these days), and the unidentified device has not (yet) returned...

If you are really unable to rule out the (more likely) explanation that .169 is one of your own clients, your avenue of recourse is as you mentioned to change the passphrase. -- Scott Brown Consulting

You could try blocking the IP and then see if your computer can connect afterwards...
However... as a wise man once repeated and repeated and repeated... consistently and frequently changing your passphrase (to a more complex and unrelated topic with each change) can only make your connection safer and harder to crack.

reply to sbconslt
Scott, at this point the explanation I'm leaning toward is that it was my own computer, three-way ID'd as .132, .169, and with the 0000... MAC address. I'm also thinking that this phenomenon was somehow generated by my tweaking the modem settings, because it was immediately after this that the device(s) showed up. We live in a quiet neighborhood with few neighbors, and the likelihood of one of them hacking into my network is slim. Still, seeing two unidentified devices on one's network is unsettling!
downclick, you are preaching to the choir about passwords! As the sole IT person in my small office, I in turn preach this message which mostly falls on deaf ears. Having studied the various techniques for the creation of difficult-to-crack passwords and considering the number of passwords I have (about 200), I have arrived at a compromise which works for me - I use a memorable passphrase which contains upper & lower case letters, numbers, and symbols, with additional letters to identify each website. This allows me to log on to most websites without opening my password manager (I don't believe a single secure passphrase combo works everywhere because of the different requirements websites have for passwords; e.g. some won't accept symbols & some only allow 8 characters). I don't change the passphrase more than once every year or two because of the volume of places it needs to be changed. This system has worked well for me for a long time.
...So I guess I'll wait and see what develops - or hopefully doesn't - on my network. And in the meantime, I'll change the passphrase just to be on the safe side, and go ahead and set up the MAC filters and try beefing up the modem's security settings, which I so far haven't found to my liking, but also haven't understood some of the options. Funny how we're provided with equipment which has the potential of being quite secure, but not given user guides which clearly outline and define what the options are and how to use them...
Thanks to all you guys for your help!

jp16, reply to DragonLore
Did you have the computer connected with a wired connection at some point? To me it looks as though .169 was assigned to your Ethernet and .132 to the wireless.
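
An added example (my own code, not from the thread) that checks jp16's explanation and Scott's `ipconfig /all` request together: it parses the text `ipconfig /all` prints, collects each adapter's MAC and IPv4 addresses, and answers whether a given LAN address belongs to one of this host's adapters. A host with a wired and a wireless NIC legitimately holds two IPs and two MACs, and a disconnected adapter still reports its MAC, so the list this produces is what to feed an ARP or WiFiGuard-style audit as "my own" addresses. The sample output below is constructed; the adapter descriptions, MACs and addresses are invented.

```python
"""Map the IPs on the LAN back to your own adapters with `ipconfig /all`.

Constructed example: the parser follows the real `ipconfig /all` layout;
the sample output below is made up (adapter names, MACs and addresses).
"""
import re

SECTION = re.compile(r"^(\S.*):\s*$")   # e.g. "Ethernet adapter Local Area Connection:"
FIELD = re.compile(r"^\s+(?P<key>[^.:]+?)[ .]*:\s*(?P<val>.*?)\s*$")  # "Physical Address. . : F0-..."
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def parse_ipconfig(text):
    """Return {adapter name: {"mac": ..., "ipv4": [...], "media": ...}}."""
    adapters, current = {}, None
    for line in text.splitlines():
        s = SECTION.match(line)
        if s:
            current = s.group(1)
            adapters[current] = {"mac": None, "ipv4": [], "media": "connected"}
            continue
        f = FIELD.match(line)
        if not (f and current):
            continue                       # host-wide header fields are not adapters
        key, val = f["key"].strip(), f["val"]
        if key == "Physical Address":
            adapters[current]["mac"] = val.replace("-", ":").lower()
        elif key.startswith("IPv4 Address"):
            m = IPV4.search(val)           # drop "(Preferred)" / "(Duplicate)"
            if m:
                adapters[current]["ipv4"].append(m.group(0))
        elif key == "Media State":
            adapters[current]["media"] = val
    return adapters

def my_macs(text):
    """MACs of every adapter, connected or not; feed these to an ARP audit."""
    return sorted(a["mac"] for a in parse_ipconfig(text).values() if a["mac"])

def explain_ip(text, ip):
    """Name the local adapter that holds `ip`, or None if it is not this host."""
    for name, a in parse_ipconfig(text).items():
        if ip in a["ipv4"]:
            return name
    return None

# Constructed `ipconfig /all` output (descriptions and addresses invented).
SAMPLE_IPCONFIG = """
Windows IP Configuration

   Host Name . . . . . . . . . . . . : DELL-PC
   Node Type . . . . . . . . . . . . : Hybrid

Ethernet adapter Local Area Connection:

   Description . . . . . . . . . . . : Example Gigabit Ethernet Controller
   Physical Address. . . . . . . . . : F0-1F-AF-12-34-56
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.0.169(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.1

Wireless LAN adapter Wireless Network Connection:

   Description . . . . . . . . . . . : Example 802.11n WLAN Mini-Card
   Physical Address. . . . . . . . . : 00-14-22-AB-CD-EF
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.0.132(Preferred)
   Default Gateway . . . . . . . . . : 192.168.0.1

Ethernet adapter Bluetooth Network Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Physical Address. . . . . . . . . : 00-14-22-00-11-22
"""

if __name__ == "__main__":
    for ip in ("192.168.0.132", "192.168.0.169", "192.168.0.200"):
        print(ip, "->", explain_ip(SAMPLE_IPCONFIG, ip) or "not one of this host's adapters")
    print("my MACs:", my_macs(SAMPLE_IPCONFIG))
```

In the constructed sample both .169 and .132 resolve to adapters on the same machine, which is the situation jp16 describes; an address that resolves to None is the one worth chasing on the LAN.
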