Tracing Mac Addresses

[AngelicKnight]

I'm new to the world of wireless, but I just installed my first wireless access point here at work. Today the warning light came on and I received the message than an unauthorized Mac address tried to access the network.

Since I'm dealing with a Mac address instead of an IP, how do I trace to figure out who the culprit is? Reason I'm asking is that I think some of our laptops may not all yet be authorized, so I want to make sure it's not one of them by mistake.

[AngelicKnight]

I'm new to the world of wireless, but I just installed my first wireless access point here at work. Today the warning light came on and I received the message than an unauthorized Mac address tried to access the network.

Since I'm dealing with a Mac address instead of an IP, how do I trace to figure out who the culprit is? Reason I'm asking is that I think some of our laptops may not all yet be authorized, so I want to make sure it's not one of them by mistake.

[KorpDeath]

Well, dependiong on the brand of AP it might give you the MAC address to look for, but unless you can put it together with a user that's having a problem getting on the network there's no way to find out where this MAC came from. It's up in the air, so to speak.

Does your Ap tell you what the MAC address is? If so, does the UID match on e of your devices? (A UID is the first part of the MAC address identifying the manufacturer of the NIC.) IF it is then you should get a call from someone who can't connect via their wireless card, if it isn't then you might have a n unauthorized user trying to attach to get free high speed.

Hope that helps.

[KorpDeath]

Well, dependiong on the brand of AP it might give you the MAC address to look for, but unless you can put it together with a user that's having a problem getting on the network there's no way to find out where this MAC came from. It's up in the air, so to speak.

Does your Ap tell you what the MAC address is? If so, does the UID match on e of your devices? (A UID is the first part of the MAC address identifying the manufacturer of the NIC.) IF it is then you should get a call from someone who can't connect via their wireless card, if it isn't then you might have a n unauthorized user trying to attach to get free high speed.

Hope that helps.

[AngelicKnight]

How much of the address is the first part? The first two numbers of both the unauthorized and authorized addresses are "00", but the first four numbers of the unauthorized address are "00-03", which doesn't match any of ours that are authorized.

/edit -- One other question -- If there is another wireless device, will it pop up as an intrusion possibly even if it's not trying to connect?

[AngelicKnight]

How much of the address is the first part? The first two numbers of both the unauthorized and authorized addresses are "00", but the first four numbers of the unauthorized address are "00-03", which doesn't match any of ours that are authorized.

/edit -- One other question -- If there is another wireless device, will it pop up as an intrusion possibly even if it's not trying to connect?

[Shrekkie]

Start up ethereal and see for arp requests. It might just pop up.
If you changed SSID Channel and use 128bit (even 64 i guess ) encryption , I guess you're quite safe.

I'd monitor it for a while with a sniffer. Since you're new to it might give you a better view on it.

Just a thought,

[Shrekkie]

Start up ethereal and see for arp requests. It might just pop up.
If you changed SSID Channel and use 128bit (even 64 i guess ) encryption , I guess you're quite safe.

I'd monitor it for a while with a sniffer. Since you're new to it might give you a better view on it.

Just a thought,

[thehorse13]

Let's start with the MAC address (expanding on Korp's post).

The first group of 3 numbers is the manufacturer ID and the last three are the serial number of the device. You can use this info to possibly narrow down which user attempted access by looking up the manufacturer of the NIC here:

http://standards.ieee.org/regauth/oui/index.shtml

Here is an example of the output:

00-50-DA (hex) 3COM CORPORATION
0050DA (base 16) 3COM CORPORATION
5400 BAYFRONT PLAZA
MS: 4220
SANTA CLARA CA 95052
UNITED STATES

As you can see, this is a 3Com NIC so if I know that only 3 users have 3Com NICs then the job of discovery is much easier.

Now, as far as your WAP is concerned, anyone trying to associate (accidental or not) will show up as unauthorized if you are doing MAC auth. Remember, most people have their cards set to associate with any available WAP and your WAP is only reporting to you that the MAC did not match any in the auth list. My guess is that this is an accidental association attempt.

Now, as far as an IP is concerned, think about it. Unless you associate with success, you're not going to draw a DHCP address (IP handed to you from the WAP) so sniffing wont tell you a thing about IP addresses.

--TH13

[thehorse13]

Let's start with the MAC address (expanding on Korp's post).

The first group of 3 numbers is the manufacturer ID and the last three are the serial number of the device. You can use this info to possibly narrow down which user attempted access by looking up the manufacturer of the NIC here:

http://standards.ieee.org/regauth/oui/index.shtml

Here is an example of the output:

00-50-DA (hex) 3COM CORPORATION
0050DA (base 16) 3COM CORPORATION
5400 BAYFRONT PLAZA
MS: 4220
SANTA CLARA CA 95052
UNITED STATES

As you can see, this is a 3Com NIC so if I know that only 3 users have 3Com NICs then the job of discovery is much easier.

Now, as far as your WAP is concerned, anyone trying to associate (accidental or not) will show up as unauthorized if you are doing MAC auth. Remember, most people have their cards set to associate with any available WAP and your WAP is only reporting to you that the MAC did not match any in the auth list. My guess is that this is an accidental association attempt.

Now, as far as an IP is concerned, think about it. Unless you associate with success, you're not going to draw a DHCP address (IP handed to you from the WAP) so sniffing wont tell you a thing about IP addresses.

--TH13