Tracing Mac Addresses
AngelicKnight
May 5th, 2004, 05:47 PM
I'm new to the world of wireless, but I just installed my first wireless access point here at work. Today the warning light came on and I received the message that an unauthorized MAC address tried to access the network.
Since I'm dealing with a MAC address instead of an IP, how do I trace it to figure out who the culprit is? The reason I'm asking is that I think some of our laptops may not all be authorized yet, so I want to make sure it's not one of them by mistake.
KorpDeath
May 5th, 2004, 06:00 PM
Well, depending on the brand of AP it might give you the MAC address to look for, but unless you can put it together with a user that's having a problem getting on the network there's no way to find out where this MAC came from. It's up in the air, so to speak.
Does your AP tell you what the MAC address is? If so, does the UID match one of your devices? (A UID is the first part of the MAC address identifying the manufacturer of the NIC.) If it does, then you should get a call from someone who can't connect via their wireless card; if it doesn't, then you might have an unauthorized user trying to attach to get free high speed.
Hope that helps.
AngelicKnight
May 5th, 2004, 06:04 PM
How much of the address is the first part? The first two numbers of both the unauthorized and authorized addresses are "00", but the first four numbers of the unauthorized address are "00-03", which doesn't match any of ours that are authorized.
/edit -- One other question -- If there is another wireless device, will it pop up as an intrusion possibly even if it's not trying to connect?
Shrekkie
May 5th, 2004, 06:37 PM
Start up Ethereal and look for ARP requests. It might just pop up.
If you changed the SSID and channel and use 128-bit (even 64-bit, I guess) encryption, I guess you're quite safe.
I'd monitor it for a while with a sniffer. Since you're new to it, it might give you a better view of it.
Just a thought,
thehorse13
May 5th, 2004, 07:20 PM
Let's start with the MAC address (expanding on Korp's post).
The first group of 3 numbers is the manufacturer ID and the last three are the serial number of the device. You can use this info to possibly narrow down which user attempted access by looking up the manufacturer of the NIC here:
http://standards.ieee.org/regauth/oui/index.shtml
Here is an example of the output:
00-50-DA (hex) 3COM CORPORATION
0050DA (base 16) 3COM CORPORATION
5400 BAYFRONT PLAZA
MS: 4220
SANTA CLARA CA 95052
UNITED STATES
As you can see, this is a 3Com NIC so if I know that only 3 users have 3Com NICs then the job of discovery is much easier.
Now, as far as your WAP is concerned, anyone trying to associate (accidental or not) will show up as unauthorized if you are doing MAC auth. Remember, most people have their cards set to associate with any available WAP and your WAP is only reporting to you that the MAC did not match any in the auth list. My guess is that this is an accidental association attempt.
Now, as far as an IP is concerned, think about it. Unless you associate successfully, you're not going to draw a DHCP address (an IP handed to you by the WAP), so sniffing won't tell you a thing about IP addresses.
--TH13
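Worked example of the OUI lookup described above (added here as an illustration; it is not code from this thread or from any of the posters). It splits a MAC into its first three octets (the OUI, the "first part" asked about earlier) and the last three (the card-specific part), parses a constructed excerpt in the layout of the IEEE oui.txt file, and reports whether an address seen by the AP is on the authorized list, shares an OUI with an authorized card, and whether its locally-administered bit is set (a burned-in address has it clear; an address set by software usually has it set, which goes slightly beyond the post). The 3Com entry is the one quoted above; the other vendor name, the authorized list and the observed addresses are placeholders.

```python
import re
from collections import Counter

# Constructed excerpt in the layout of the IEEE oui.txt registry. The 3Com
# entry is the one quoted in the thread; the other vendor name is a
# placeholder, not a real assignment. Use the real file for real lookups.
OUI_TXT = """\
00-50-DA   (hex)\t\t3COM CORPORATION
0050DA     (base 16)\t\t3COM CORPORATION
\t\t\t\t5400 BAYFRONT PLAZA
\t\t\t\tSANTA CLARA CA 95052
\t\t\t\tUNITED STATES

00-03-7F   (hex)\t\tPLACEHOLDER WIRELESS CARD VENDOR
00037F     (base 16)\t\tPLACEHOLDER WIRELESS CARD VENDOR
\t\t\t\tSOMEWHERE
"""

# Constructed authorized list, in two of the spellings an admin might type.
AUTHORIZED = ["00:50:DA:11:22:33", "00-50-da-44-55-66"]

_HEX_LINE = re.compile(
    r"^([0-9A-F]{2})-([0-9A-F]{2})-([0-9A-F]{2})\s+\(hex\)\s+(.+?)\s*$")


def parse_oui_txt(text):
    """Build {'00:50:DA': 'vendor'} from the '(hex)' lines of oui.txt;
    address and '(base 16)' lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = _HEX_LINE.match(line.strip())
        if m:
            table[":".join(m.group(1, 2, 3))] = m.group(4)
    return table


def normalize_mac(mac):
    """Accept 00:50:DA:..., 00-50-da-..., 0050.da11.2233 or 0050DA112233 and
    return the canonical upper-case colon form; reject anything else."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12 or re.search(r"[^0-9A-Fa-f:.\-\s]", mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    digits = digits.upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def split_mac(mac):
    """First three octets: OUI (vendor). Last three: assigned by the vendor
    to tell individual cards apart."""
    m = normalize_mac(mac)
    return m[:8], m[9:]


def is_locally_administered(mac):
    """Bit 0x02 of the first octet is the U/L bit: clear on a burned-in
    address, normally set when the OS or a spoofing tool chose the address."""
    return int(normalize_mac(mac)[:2], 16) & 0x02 != 0


def is_multicast(mac):
    """Bit 0x01 of the first octet marks a group address, which is never the
    source address of a real station."""
    return int(normalize_mac(mac)[:2], 16) & 0x01 != 0


def lookup_vendor(mac, table):
    return table.get(split_mac(mac)[0])


def triage(mac, authorized, table):
    """Everything the OUI alone can tell you about an address the AP logged."""
    mac = normalize_mac(mac)
    auth = {normalize_mac(a) for a in authorized}
    oui = split_mac(mac)[0]
    auth_ouis = Counter(split_mac(a)[0] for a in auth)
    return {
        "mac": mac,
        "authorized": mac in auth,
        "vendor": lookup_vendor(mac, table),
        "oui_matches_authorized_device": oui in auth_ouis,
        "authorized_devices_with_same_oui": auth_ouis.get(oui, 0),
        "locally_administered": is_locally_administered(mac),
        "multicast": is_multicast(mac),
    }


if __name__ == "__main__":
    table = parse_oui_txt(OUI_TXT)
    # Constructed observations: an authorized card, an unknown card from a
    # vendor nobody on the list uses, and a software-assigned address.
    for seen in ["00-50-DA-44-55-66", "00:03:7F:A1:B2:C3", "02:CA:FE:00:00:01"]:
        print(triage(seen, AUTHORIZED, table))
```

A vendor match only narrows the search to the people who own that kind of card; a locally-administered bit or a multicast bit in the first octet is a sign the address was not burned into a NIC at all, so the OUI then says nothing about the hardware.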
KorpDeath
May 5th, 2004, 08:30 PM
I would take it that if anyone isn't familiar with the terms I use they'd go to www.webopedia.com or google for it. Next I'll take the time to explain it all out. Sorry if I confused you more.
Don't take this as an insult because it's not meant as one...just a really good rule to live by. "You've got to be smarter than the thing with which you are working." A blow dryer is a good example. Some people find it necessary to blow dry their hair while taking a nap. Hence the warning on it not to use it while sleeping.
Always know what you are connecting to your network and how that device works; that way you'll know what belongs and what doesn't. If you are concerned about something that possibly shouldn't be there, then you have documentation to prove your hypothesis correct or incorrect. See what I mean?
Let me know if I didn't explain this in detail enough. I will explain more.
gunit0072003
May 6th, 2004, 12:07 AM
Just an FYI,
The first 6 hex digits/24 bits of a MAC address are referred to as the "OUI" (Organizationally Unique Identifier), assigned and maintained by the IEEE. Here's a link to some of the major vendors: http://standards.ieee.org/regauth/oui/oui.txt
KorpDeath
May 6th, 2004, 12:13 AM
Now explain hex and bits, gunit*70932.... Cause you lost me.
mrg81
May 6th, 2004, 07:42 AM
Hi,
You might want to check the log file of your AP. Also, if it is a Cisco AP, check the association table in the settings; both the log and the table will give you a list of MAC addresses that are getting authenticated and associated to your AP. You might also want to run Netasyst, which is a sniffer (works with most cards).
MRG
i2c
May 6th, 2004, 12:14 PM
You can use reverse ARP lookup, which enables you to convert the MAC to an IP.
The problem with this is that if someone is coming and going to and from your wireless AP, the likelihood of their IP changing is high. But their MAC address is highly unlikely to change.
It would probably be more hassle-free if you just secure your network against these attacks and learn something from them instead of trying to take revenge. It's up to you though, and I'm not saying it's good or bad (I couldn't care less). But that's probably what I'd do.
i2c
AngelicKnight
May 6th, 2004, 03:58 PM
It would probably be more hassle free if you just secure you network against these attacks and learn something from them instead of trying to take revenge
Wooooah there, when did I say anything about taking revenge? Actually, I'm trying to trace the IPs to make sure they don't belong to us. Given that this is a newly set up AP, there may still be employees with laptops whose addresses haven't been authorized yet, so if the MAC traces back to one of them, I know it wasn't an intrusion and that they simply need to be authorized. If, however, it does turn out to be an intruder, rather than taking revenge, I'd simply analyze the attack and harden defenses accordingly. The revenge thing is only asking for more trouble, and putting my employment at risk!
By the way, stupid me for not mentioning this already, but it's a US Robotics AP.
Also, we're beginning to suspect that the "intruders" are from businesses next door, unintentionally. Still better to err on the side of caution though.
AngelicKnight
June 14th, 2004, 06:22 PM
Been a while since I visited this issue, but I have new developments. After watching the AP closely on a daily basis and talking to the AP vendor, I understood that I shouldn't be concerned with the warnings of unauthorized access attempts since they are being successfully blocked. So, I've just been writing down each MAC address it reports as unauthorized and keeping that on record as an added precaution.
Now, I notice that most of the addresses are always different, suggesting that these are just individual cases of a nearby laptop accidentally scanning our network. However, there is one MAC address that appears repeatedly, about every couple of weeks or so, so evidently there is one computer out there that is trying to access our network without authorization fairly regularly.
So do I have any courses of action available beyond letting the AP continue to just block and report it, since this issue is fairly persistent?
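The record-keeping described in the post above can be automated. This added example (not code from the thread or from the AP vendor) parses constructed log lines in a generic "timestamp ... MAC" layout (the real format depends on the AP and is not reproduced here), tallies each MAC's count, first and last sighting and number of distinct days, and flags addresses that keep returning over weeks as distinct from one-off passers-by. The thresholds (three distinct days across at least two weeks) are assumptions to tune.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed AP log excerpt: one address returns over six weeks, the others
# are seen once. The layout is generic, not any particular vendor's format.
SAMPLE_LOG = """\
2004-05-05 17:40:12 unauthorized MAC 00:03:7F:A1:B2:C3 attempted association
2004-05-06 09:12:44 unauthorized MAC 00:0A:11:22:33:44 attempted association
2004-05-19 08:03:01 unauthorized MAC 00:03:7F:A1:B2:C3 attempted association
2004-05-21 16:55:09 unauthorized MAC 00:0B:55:66:77:88 attempted association
2004-06-02 11:20:37 unauthorized MAC 00:03:7F:A1:B2:C3 attempted association
2004-06-14 18:01:50 unauthorized MAC 00:03:7F:A1:B2:C3 attempted association
2004-06-14 18:02:03 unauthorized MAC 00:03:7F:A1:B2:C3 attempted association
"""

# A leading timestamp, then the first colon-separated MAC on the line.
LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}).*?"
    r"\b([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\b")


def parse_log(text):
    """Return [(datetime, 'AA:BB:CC:DD:EE:FF'), ...], skipping lines that
    carry no timestamp or no MAC."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        stamp = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append((stamp, m.group(2).upper()))
    return events


def summarize(events):
    """Per-MAC count, first/last sighting, distinct days and span in days."""
    per_mac = defaultdict(list)
    for stamp, mac in events:
        per_mac[mac].append(stamp)
    summary = {}
    for mac, stamps in per_mac.items():
        stamps.sort()
        summary[mac] = {
            "count": len(stamps),
            "first_seen": stamps[0],
            "last_seen": stamps[-1],
            "distinct_days": len({s.date() for s in stamps}),
            "span_days": (stamps[-1] - stamps[0]).days,
        }
    return summary


def persistent(summary, min_days=3, min_span_days=14):
    """MACs seen on several different days over at least a couple of weeks
    are returning devices, not passers-by; those deserve a closer look.
    The thresholds are assumptions, not values from the thread."""
    return sorted(
        mac for mac, s in summary.items()
        if s["distinct_days"] >= min_days and s["span_days"] >= min_span_days)


if __name__ == "__main__":
    summary = summarize(parse_log(SAMPLE_LOG))
    for mac in persistent(summary):
        s = summary[mac]
        print(f"{mac}: {s['count']} attempts on {s['distinct_days']} days, "
              f"{s['first_seen']:%Y-%m-%d} to {s['last_seen']:%Y-%m-%d}")
```

Two attempts seconds apart on the same day count as one day here, which is what separates a card that retries on association from a device that comes back week after week; the returning one is the address worth correlating with the OUI lookup and with who was on site on those dates.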
Mark_Anderson
June 23rd, 2004, 07:41 AM
Hmmmm... trying to track down people just based on their MAC addresses is kind of a flawed approach though, at least as I see it. I mean you can change your MAC address easily on Linux to anything that you want, and through the Windows registry you can change it as well... no program required. MAC address spoofing isn't hard to accomplish. Also, keep in mind that the MAC addresses recorded may be from the last router that the attempt passed through... could be that the person is trying to access your network gateway device directly, through a configuration page over HTTP or through telnetting into it or SSH. If a proxy is used, like through HTTP with your browser, the MAC address will change by the time it reaches the logs on your end and will have the MAC address of the last router that was hopped to and not the attacker's MAC address. When I send and receive, being on a LAN behind a router, it will record the MAC address of my router and the opposite side will only see that address or the last router that served them my packets and not actually mine. The same way, when I receive packets from the internet (WAN) they're all marked with the src MAC address of my router... which makes sense as it served me the packets.