Posted

For a while now i have been using a wireless network watcher. this gives me a list of devices that are using my internet router. Its use was just to make sure the younger members of the household weren't secretly using the games console or mobile devices when they shouldn't. most devices give their identity, ie, what it is, and even make and model. however, some devices do not. It also logs the first time a device logs on to the network, as well as the last or current time. ALL devices however give their 'MAC' address.

So my query relates to...

There is a device I do not recognise. there is a 'MAC' address, and the log times. but that's it. hoping that someone hasn't hacked into my internet router, and it's innocent. I know one approach is to reset the router password, but just curious to what this device is...

62-4E-A2-EB-7E-21

the above is the 'MAC' address. i believe this is unique to each device and the first few characters identify make and model.

a bit of searching has proved fruitless, even though there are sites which claim to be able to identify these details.

searching goes into details about 'OUI' and so forth.

anyone on here can give me a pointer?

also if it wasn't wise to give out a full 'MAC' address on a public forum, let me know!

TIA

Posted
2 hours ago, sometimewoodworker said:

Almost all Routers allow you to blacklist Mac addresses, so the easiest thing to do is to blacklist that MAC address and find out what stops working.

thanks for that @sometimewoodworker. you say 'almost all...' mine doesn't it seems. i've logged into it, searched through all options, and the nearest thing i can do to a blacklist (i think) is a 'static lease'. i've put one suspect device information into this, and will wait and see if that stops it. i turned off the router overnight, and the suspect device hasn't appeared online as yet. i will wait and see what happens. 

the router i have is a technicolor, so not an all singing dancing one. i'm due to change it soon (January'ish) so hope to get a better one. 

if limiting the static lease time to 120 seconds (minimum) for the device doesn't work, then i guess i will have to live with it...for now.

thanks for your help once again TVF guys.

Posted
3 hours ago, OneMoreFarang said:

Google mac address lookup

But like @RichCor wrote above, that does not work with all MAC addresses.

 

done that, believe me i've searched and searched, even going to the IEEE webpage, no joy. seems there are many 'ghost devices' out there.

Posted
3 hours ago, jastheace said:

thanks for that @sometimewoodworker. you say 'almost all...' mine doesn't it seems. i've logged into it, searched through all options, and the nearest thing i can do to a blacklist (i think) is a 'static lease'. i've put one suspect device information into this, and will wait and see if that stops it. i turned off the router overnight, and the suspect device hasn't appeared online as yet. i will wait and see what happens. 

the router i have is a technicolor, so not an all singing dancing one. i'm due to change it soon (January'ish) so hope to get a better one. 

if limiting the static lease time to 120 seconds (minimum) for the device doesn't work, then i guess i will have to live with it...for now.

thanks for your help once again TVF guys.

The static lease time will have no effect.

however making sure that you have a WPA password protected connection and changing the password to something like “m!Q_GmLMZ.9aJ3Y3AiYvrri6” will ensure that only authorised devices are able to connect.

Posted

@sometimewoodworker

YEY!!!

having changed my router name and password and the same on the 5G bit, when i scrolled down a bit further, i found the 'Access Control List', options include 'blacklist' and 'whitelist'. so have added the suspect MACs to that also. should be all good now.

Many thanks !!!

Posted
4 hours ago, jastheace said:

as you said, made no difference, neither did ToD settings. 

I've copied and pasted the password suggestion so only TV users can hack in.

If you want a more secure password then just add an underscore, a 6 character word and an underscore somewhere in that.

& am I permitted a small “I told you so”?

  • Thanks 1
Posted
12 hours ago, jastheace said:
15 hours ago, OneMoreFarang said:

Google mac address lookup

But like @RichCor wrote above, that does not work with all MAC addresses.

 

done that, believe me i've searched and searched, even going to the IEEE webpage, no joy. seems there are many 'ghost devices' out there.

It only confirms that the device you see has no "official" MAC address. And likely that device will be able to generate a new MAC address as soon as it needs it - if you block the current MAC.

Maybe just use a white list with devices and MAC addresses which are allowed in your network. If someone buys a new device and wants to use it they can contact you and you can add the address - if you want.

  • Thanks 1
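Why the OUI lookups in this thread came up empty, as an added example that is not part of any poster's message: the second-lowest bit of a MAC's first octet marks it as locally administered, and 62 hex has that bit set, so 62-4E-A2-EB-7E-21 was never taken from a registered vendor block. Apart from that address, the sample addresses and all function names are constructed for illustration.

```python
import re

def parse_mac(text):
    """Return the six octets of a MAC written with '-', ':' or '.' separators."""
    digits = re.sub(r"[-:.]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes.fromhex(digits)

def classify_mac(text):
    """Decode the two flag bits carried in the first octet of a MAC address."""
    octets = parse_mac(text)
    group = bool(octets[0] & 0x01)  # I/G bit: 1 = multicast/broadcast, not a single device
    local = bool(octets[0] & 0x02)  # U/L bit: 1 = locally administered, not vendor-assigned
    if group:
        kind = "group address (multicast/broadcast)"
    elif local:
        kind = "locally administered (randomised/private or manually set)"
    else:
        kind = "universally administered (vendor-assigned)"
    return {
        "mac": "-".join(f"{b:02X}" for b in octets),
        "kind": kind,
        "locally_administered": local,
        "group": group,
        # Only a universally administered unicast address carries a vendor prefix
        # that a lookup site can resolve to a manufacturer.
        "oui": None if (local or group) else "-".join(f"{b:02X}" for b in octets[:3]),
    }

def unidentifiable(macs):
    """MACs from a device list that an OUI lookup cannot map to a manufacturer."""
    return [m for m in macs if classify_mac(m)["oui"] is None]

# First entry is the address quoted in the thread; the rest are constructed samples.
SAMPLE_DEVICE_LIST = [
    "62-4E-A2-EB-7E-21",
    "00:1A:2B:3C:4D:5E",
    "da:a1:19:00:00:01",
    "001a.2b3c.4d5f",
]

if __name__ == "__main__":
    for mac in SAMPLE_DEVICE_LIST:
        info = classify_mac(mac)
        print(f"{info['mac']}  {info['kind']}  OUI={info['oui']}")
```

Phones and laptops that use a private or randomised Wi-Fi address show up this way, so a locally administered MAC in a device list is not by itself a sign of an intruder.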
Posted
8 hours ago, OneMoreFarang said:

It only confirms that the device you see has no "official" MAC address. And likely that device will be able to generate a new MAC address as soon as it needs it - if you block the current MAC.

Maybe just use a white list with devices and MAC addresses which are allowed in your network. If someone buys a new device and wants to use it they can contact you and you can add the address - if you want.

good idea. will do that if it happens again, just want to see if it happens again first though.

i may change my supplier in January, which means a new router, so probably -if no problems in the mean time- will do all that at the same time.

scary that someone can log into my router and use my broadband even though the security is something like 'WPA2+WPA' (can't remember exactly, but something like that). as i said, hoping it was 'innocent', but even with the kids out, and turned off the house power except the router, the device still existed.

and @sometimewoodworker you can give a large portion of 'I told you so', this time anyway.

the access control list only came to light when logged into the router as 'engineer', initially i was in as 'admin' so some functions were hidden.

anyway, all good now, fingers crossed. cheers again guys.

Posted
5 minutes ago, jastheace said:

even though the security is something like 'WPA2+WPA'

 

Unfortunately a 'vulnerability' for WPA was found in 2008 and one for WPA2 was discovered in 2018. So if one of your family members isn't the one giving out the passcode then it's a simple hack away.   :sad:

 

New Method Simplifies Cracking WPA/WPA2 Passwords on 802.11 Networks

BleepingComputer | By Lawrence Abrams | August 6, 2018 

 

Setting your router to use only WPA2 and providing it a long/complicated random alpha/num/char (as previously suggested) and WHITELISTING authorized connection devices should keep unwanted users at bay.

 

  • Thanks 1
Posted
26 minutes ago, RichCor said:

 

Unfortunately a 'vulnerability' for WPA was found in 2008 and one for WPA2 was discovered in 2018. So if one of your family members isn't the one giving out the passcode then it's a simple hack away.   :sad:

 

New Method Simplifies Cracking WPA/WPA2 Passwords on 802.11 Networks

BleepingComputer | By Lawrence Abrams | August 6, 2018 

 

Setting your router to use only WPA2 and providing it a long/complicated random alpha/num/char (as previously suggested) and WHITELISTING authorized connection devices should keep unwanted users at bay.

 

Humm

the important point is

Quote

It should be noted that this method does not make it easier to crack the password for a wireless network. It instead makes the process of acquiring a hash that can be attacked to get the wireless password much easier.

So yes you can now get the hash, you are absolutely correct.

But that is extremely unlikely to help much if a random selection of characters have been used.
 

So government level computing resources have a better chance of getting access, but no, nobody is doing a drive by crack of your access point.

 

also whitelisted MAC addresses, by itself, is no protection against someone with minimum ability as they are transmitted in the clear and spoofing a MAC address is a trivial exercise, it is similar to not transmitting your SSID as a security option, yes it will stop grandma if she’s not a skilled user but not her grandkids.

Posted
2 hours ago, jastheace said:

good idea. will do that if it happens again, just want to see if it happens again first though.

i may change my supplier in January, which means a new router, so probably -if no problems in the mean time- will do all that at the same time.

scary that someone can log into my router and use my broadband even though the security is something like 'WPA2+WPA' (can't remember exactly, but something like that). as i said, hoping it was 'innocent', but even with the kids out, and turned off the house power except the router, the device still existed.

and @sometimewoodworker you can give a large portion of 'I told you so', this time anyway.

the access control list only came to light when logged into the router as 'engineer', initially i was in as 'admin' so some functions were hidden.

anyway, all good now, fingers crossed. cheers again guys.

I am not sure, but maybe the list of connected devices shows any device which wants to use your WLAN.

Technically any device establishes a connection and then a password must be entered. But there is already some kind of connection. I don't know when a connection is officially called a connection, only if the password is correct or already before that when the device tries to connect.

 

One thing you can do in at least some routers is to monitor which device is using which services. I.e. in my home I have of email use and my girlfriend has GBs of watching YouTube. You should see what the unknown device is using - or maybe not using anything because of a wrong password.

 

Posted
7 minutes ago, OneMoreFarang said:

I am not sure, but maybe the list of connected devices shows any device which wants to use your WLAN.

Technically any device establishes a connection and then a password must be entered. But there is already some kind of connection. I don't know when a connection is officially called a connection, only if the password is correct or already before that when the device tries to connect.

 

One thing you can do in at least some routers is to monitor which device is using which services. I.e. in my home I have of email use and my girlfriend has GBs of watching YouTube. You should see what the unknown device is using - or maybe not using anything because of a wrong password.

 

it's not 'available' devices. it's devices that are logged into the router.

this is what i use to keep an eye on things.

 

[Image: screenshot of the wireless network watcher device list, 2020-10-25]

the last 2 items are the suspects. to be picked up by this, they have to be using the router (and logged into it). i initially used this to see if the littl'uns were secretly using internet past their bedtime or other agreed times. 

Posted
5 hours ago, jastheace said:

the last 2 items are the suspects. to be picked up by this, they have to be using the router (and logged into it)

It appears that you're using both Dynamic (DHCP) and Static (Fixed, manually assigned) IP addresses on your LAN. You don't remember assigning .137 or .215? They seem like odd LAN IP Address numbers for DHCP devices (that typically are configured in-router to start at .100)

 

Would be interesting to monitor the network chatter with WireShark and see what those two devices were doing.

Posted
21 minutes ago, RichCor said:

It appears that you're using both Dynamic (DHCP) and Static (Fixed, manually assigned) IP addresses on your LAN. You don't remember assigning .137 or .215? They seem like odd LAN IP Address numbers for DHCP devices (that typically are configured in-router to start at .100)

 

Would be interesting to monitor the network chatter with WireShark and see what those two devices were doing.

i had WireShark ages ago, and i forget what i had it for. i found it complicated, somewhere between a headache and a nervous breakdown (i joke of course, but what i wanted it for wasn't worth the 3 year uni course. again i jest by exaggeration ) the program/app has been deleted now.  .137 and .215 weren't assigned by me, none of what you see were. they got assigned 'automatically' i guess. this whole subject is beyond me IMHO, hence the request for advice. i've had no problems so far-fingers crossed- and will go the whitelist way once i get the new router. i'm sure this was some kinda innocent occurrence, but as i was aware of it, i wasn't comfortable with it. thanks @RichCor .

Posted
5 hours ago, jastheace said:

i had WireShark ages ago, and i forget what i had it for. i found it complicated, somewhere between a headache and a nervous breakdown (i joke of course, but what i wanted it for wasn't worth the 3 year uni course. again i jest by exaggeration ) the program/app has been deleted now.  .137 and .215 weren't assigned by me, none of what you see were. they got assigned 'automatically' i guess. this whole subject is beyond me IMHO, hence the request for advice. i've had no problems so far-fingers crossed- and will go the whitelist way once i get the new router. i'm sure this was some kinda innocent occurrence, but as i was aware of it, i wasn't comfortable with it. thanks @RichCor .

WireShark is something for professionals and total overkill for what you want.

You should be able to see in your router who is connected and what they do. It obviously depends on the capabilities of your router.

Here is what I see in my ASUS router. My gf watching lots of videos.

I logon to the router, often 192.168.x.x.

[Image: router traffic screenshot]

 

  • Like 1
Posted
10 hours ago, OneMoreFarang said:

WireShark is something for professionals and total overkill for what you want.

You should be able to see in your router who is connected and what they do. It obviously depends on the capabilities of your router.

Here is what I see in my ASUS router. My gf watching lots of videos.

I logon to the router, often 192.168.x.x.

[Image: router traffic screenshot]

 

can i guess what you both do between 0300 and 0400 ?

quality time together ? ☺️....

  • Haha 1
Posted
4 minutes ago, jastheace said:

can i guess what you both do between 0300 and 0400 ?

quality time together ? ☺️....

...and all I saw was them being ON THE NET 23 hours a day.

 

(must be a glass half-full vs half-empty difference of perspective between us)

Posted

Any device can have more than one MAC address.

 

Your wireless MAC differs from your wired and Bluetooth MAC address. If you have a wireless access point somewhere in the house it will also have a MAC address

Posted
On 10/25/2020 at 11:58 AM, OneMoreFarang said:

I am not sure, but maybe the list of connected devices shows any device which wants to use your WLAN.

Technically any device establishes a connection and then a password must be entered. But there is already some kind of connection. I don't know when a connection is officially called a connection, only if the password is correct or already before that when the device tries to connect.

 

that's interesting. because i've noticed the device regularly uncouples or disconnects for, say, half a minute, then is back on for , say, a few minutes, and repeat. i haven't measured the timings, or even how regular.

up to now however, since i changed password and blacklisted, the device has not registered as being logged in. if what you say is true, then maybe innocent. but i wasn't happy about it. definitely going down the new router option in January, as mine is relatively 'old', and hope a new one will have better security. 

edit. i've a couple of devices which i only use on mobile network, even for data. i've done the bit -log in, enter password and it didn't show on my network watcher. once password was entered, it showed up after a few seconds, so password defo needs putting in to network for device to use it and hence show up.

need new router. 100% (with up to date security... obviously ....WPA3 or whatever's new now)

  • Like 1
Posted
2 hours ago, jastheace said:

edit. i've a couple of devices which i only use on mobile network, even for data. i've done the bit -log in, enter password and it didn't show on my network watcher. once password was entered, it showed up after a few seconds, so password defo needs putting in to network for device to use it and hence show up.

Thanks, I learned something.
