Thread: Tracing Mac Addresses

  1. #1

    Question Tracing Mac Addresses

    I'm new to the world of wireless, but I just installed my first wireless access point here at work. Today the warning light came on and I received the message that an unauthorized MAC address tried to access the network.

    Since I'm dealing with a MAC address instead of an IP, how do I trace to figure out who the culprit is? Reason I'm asking is that I think some of our laptops may not all yet be authorized, so I want to make sure it's not one of them by mistake.

  3. #3
    Priapistic Monk KorpDeath's Avatar
    Join Date
    Dec 2001
    Posts
    2,628
    Well, depending on the brand of AP it might give you the MAC address to look for, but unless you can put it together with a user that's having a problem getting on the network there's no way to find out where this MAC came from. It's up in the air, so to speak.

    Does your AP tell you what the MAC address is? If so, does the UID match one of your devices? (A UID is the first part of the MAC address identifying the manufacturer of the NIC.) If it is then you should get a call from someone who can't connect via their wireless card, if it isn't then you might have an unauthorized user trying to attach to get free high speed.

    Hope that helps.
    Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
    - Samuel Johnson

  5. #5
    How much of the address is the first part? The first two numbers of both the unauthorized and authorized addresses are "00", but the first four numbers of the unauthorized address are "00-03", which doesn't match any of ours that are authorized.

    /edit -- One other question -- If there is another wireless device, will it pop up as an intrusion possibly even if it's not trying to connect?

  7. #7
    Trumpet-Eared Gentoo Freak
    Join Date
    Jan 2003
    Posts
    992
    Start up Ethereal and look for ARP requests. It might just pop up.
    If you changed SSID, channel and use 128-bit (even 64, I guess) encryption, I guess you're quite safe.

    I'd monitor it for a while with a sniffer. Since you're new to it, it might give you a better view on it.

    Just a thought,
    Come and check out our wargame-site @ http://www.rootcontest.org
    We chat @ irc.smdc-network.org #lobby

  9. #9
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    Let's start with the MAC address (expanding on Korp's post).

    The first group of 3 numbers is the manufacturer ID and the last three are the serial number of the device. You can use this info to possibly narrow down which user attempted access by looking up the manufacturer of the NIC here:

    http://standards.ieee.org/regauth/oui/index.shtml

    Here is an example of the output:

    00-50-DA (hex) 3COM CORPORATION
    0050DA (base 16) 3COM CORPORATION
    5400 BAYFRONT PLAZA
    MS: 4220
    SANTA CLARA CA 95052
    UNITED STATES

    As you can see, this is a 3Com NIC so if I know that only 3 users have 3Com NICs then the job of discovery is much easier.

    Now, as far as your WAP is concerned, anyone trying to associate (accidental or not) will show up as unauthorized if you are doing MAC auth. Remember, most people have their cards set to associate with any available WAP and your WAP is only reporting to you that the MAC did not match any in the auth list. My guess is that this is an accidental association attempt.

    Now, as far as an IP is concerned, think about it. Unless you associate with success, you're not going to draw a DHCP address (IP handed to you from the WAP) so sniffing won't tell you a thing about IP addresses.

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
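The manufacturer-ID comparison discussed in this thread, as an added example that is not from any poster: it takes the MAC an access point reports, extracts the first three octets, and checks it against a laptop inventory. The inventory, hostnames and all MAC values other than the 00-50-DA prefix are constructed for illustration, and the locally-administered-bit check goes beyond what the thread covers.

```python
import re

# Constructed inventory: hostname -> MAC as recorded (mixed notations on purpose).
INVENTORY = {
    "laptop-01": "00-50-DA-12-34-56",
    "laptop-02": "00:50:da:ab:cd:ef",
    "laptop-03": "0011.2233.4455",
}
# Hosts already entered in the AP's MAC authorization list (constructed).
AUTHORIZED = {"laptop-01", "laptop-03"}


def normalize(mac):
    """Return the MAC as 12 uppercase hex digits, or raise ValueError."""
    digits = re.sub(r"[-:.\s]", "", mac).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits


def oui(mac):
    """First three octets (the manufacturer ID), formatted like the IEEE listing."""
    d = normalize(mac)
    return "-".join((d[0:2], d[2:4], d[4:6]))


def triage(reported):
    """Compare an AP-reported MAC with the inventory and the authorization list."""
    target = normalize(reported)
    first_octet = int(target[:2], 16)
    exact = [h for h, m in INVENTORY.items() if normalize(m) == target]
    same_vendor = sorted(h for h, m in INVENTORY.items() if oui(m) == oui(target))
    return {
        "oui": oui(target),
        "exact_match": exact[0] if exact else None,
        # One of our own machines that was never added to the AP's list.
        "needs_authorizing": bool(exact) and exact[0] not in AUTHORIZED,
        "same_vendor_hosts": same_vendor,
        # Bit 0x02 of the first octet set: the address was assigned in software,
        # so its first three octets say nothing about the NIC's manufacturer.
        "locally_administered": bool(first_octet & 0x02),
    }


if __name__ == "__main__":
    # Constructed sample reports from an access point.
    for mac in ("0050.daab.cdef", "00-03-00-00-00-01", "02:50:DA:00:00:01"):
        print(mac, triage(mac))
```

An exact match that is not yet authorized is the "one of our laptops by mistake" case from the original question; no match and no shared prefix points to a device outside the inventory.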
