-
May 5th, 2004, 04:47 PM
#1
Tracing Mac Addresses
I'm new to the world of wireless, but I just installed my first wireless access point here at work. Today the warning light came on and I received the message that an unauthorized Mac address tried to access the network.
Since I'm dealing with a Mac address instead of an IP, how do I trace to figure out who the culprit is? Reason I'm asking is that I think some of our laptops may not all yet be authorized, so I want to make sure it's not one of them by mistake.
-
May 5th, 2004, 05:00 PM
#3
Well, depending on the brand of AP it might give you the MAC address to look for, but unless you can put it together with a user that's having a problem getting on the network there's no way to find out where this MAC came from. It's up in the air, so to speak.
Does your AP tell you what the MAC address is? If so, does the UID match one of your devices? (A UID is the first part of the MAC address identifying the manufacturer of the NIC.) If it is, then you should get a call from someone who can't connect via their wireless card; if it isn't, then you might have an unauthorized user trying to attach to get free high speed.
Hope that helps.
Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
- Samuel Johnson
-
May 5th, 2004, 05:04 PM
#5
How much of the address is the first part? The first two numbers of both the unauthorized and authorized addresses are "00", but the first four numbers of the unauthorized address are "00-03", which doesn't match any of ours that are authorized.
/edit -- One other question -- If there is another wireless device, will it pop up as an intrusion possibly even if it's not trying to connect?
-
May 5th, 2004, 05:37 PM
#7
Start up Ethereal and look for ARP requests. It might just pop up.
If you changed SSID Channel and use 128-bit (even 64 I guess) encryption, I guess you're quite safe.
I'd monitor it for a while with a sniffer. Since you're new to it, it might give you a better view on it.
Just a thought,
-
May 5th, 2004, 06:20 PM
#9
Let's start with the MAC address (expanding on Korp's post).
The first group of 3 numbers is the manufacturer ID and the last three are the serial number of the device. You can use this info to possibly narrow down which user attempted access by looking up the manufacturer of the NIC here:
http://standards.ieee.org/regauth/oui/index.shtml
Here is an example of the output:
00-50-DA (hex) 3COM CORPORATION
0050DA (base 16) 3COM CORPORATION
5400 BAYFRONT PLAZA
MS: 4220
SANTA CLARA CA 95052
UNITED STATES
As you can see, this is a 3Com NIC so if I know that only 3 users have 3Com NICs then the job of discovery is much easier.
Now, as far as your WAP is concerned, anyone trying to associate (accidental or not) will show up as unauthorized if you are doing MAC auth. Remember, most people have their cards set to associate with any available WAP and your WAP is only reporting to you that the MAC did not match any in the auth list. My guess is that this is an accidental association attempt.
Now, as far as an IP is concerned, think about it. Unless you associate with success, you're not going to draw a DHCP address (IP handed to you from the WAP) so sniffing won't tell you a thing about IP addresses.
--TH13
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
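The manufacturer-prefix comparison described in the post above, as an added example that is not part of the original thread: it normalizes a MAC reported by the AP, checks it against an allow list and a hardware inventory, and falls back to matching the first three octets. The inventory, allow list, owner names and all addresses are constructed sample values; only the 00-50-DA prefix comes from the post.

```python
import re

def normalize(mac):
    """Return 12 uppercase hex digits; accepts '-', ':' or '.' separators."""
    digits = re.sub(r"[-:.]", "", mac.strip()).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def oui(mac):
    """First three octets: the manufacturer prefix looked up in the IEEE list."""
    return normalize(mac)[:6]

def locally_administered(mac):
    """True when bit 0x02 of the first octet is set: the address was assigned
    in software, so its first three octets do not identify a manufacturer."""
    return bool(int(normalize(mac)[:2], 16) & 0x02)

def triage(seen, inventory, allow_list):
    """Classify a MAC the AP reported. Returns (verdict, owners)."""
    m = normalize(seen)
    known = {normalize(mac): owner for owner, mac in inventory.items()}
    if m in {normalize(a) for a in allow_list}:
        return "authorized", ([known[m]] if m in known else [])
    if m in known:
        # A company NIC that was never added to the AP's list.
        return "not-enrolled", [known[m]]
    if locally_administered(m):
        return "locally-administered", []
    # Same prefix as inventoried NICs: narrows the search to those users.
    same = sorted(o for mac, o in known.items() if mac[:6] == m[:6])
    return ("same-vendor", same) if same else ("unknown", [])

# Constructed sample data (assumption): owner -> NIC address, and AP allow list.
INVENTORY = {
    "alice": "00-50-DA-11-22-33",
    "bob": "00:50:da:44:55:66",
    "carol": "00-0A-0B-0C-0D-0E",
}
ALLOW_LIST = {"00-50-DA-11-22-33", "00-0A-0B-0C-0D-0E"}

if __name__ == "__main__":
    for mac in ("0050.da44.5566", "00-50-DA-99-99-99",
                "00-03-AA-BB-CC-DD", "02-03-AA-BB-CC-DD"):
        print(mac, *triage(mac, INVENTORY, ALLOW_LIST))
```

A "same-vendor" or "unknown" verdict only narrows the search, since the address a client presents can be set in software.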