Weird device on network.
Posted by Odd_Barracuda463@reddit | sysadmin | 86 comments
Is anyone familiar with what sort of device could have a MAC address beginning like this: c0:9a:f1:
Besides the Internet provider decreasing the amount of internet usage per month, for the past 2 weeks or so the overall network has slowed, possibly due to whatever this device is. No device is just *
MAC address searches came up with nothing. No one can figure out what it is.
TheGilmore@reddit
I would put my money on a phone with a private MAC address (iPhone does this by default) and it also being a red herring that has nothing to do with what is degrading the network. And the typical end user has no idea that phones do this, let alone what a MAC address is.
BobcatALR@reddit
Amen!
SecTechPlus@reddit
Randomised MAC addresses will have 2, 6, A, or E as the second hex digit, so it doesn't look like that for OP's device.
HighRelevancy@reddit
Says who? I can type anything I want into the text box on my devices (that support setting the MAC). Is that an iPhone thing?
ElusiveGuy@reddit
Says the standard. The 2nd bit must be set for 'local' MAC addresses. When it's not set, the address must be globally unique.
If you just used any address willy-nilly, you run the risk of clashing with other devices' assigned address.
When a device lets you set an address manually, it is your responsibility to ensure the address you are setting is appropriately unique. If you choose to 'clone' another device's address (e.g. to bypass filtering), you must ensure they are never connected to the same subnet.
HighRelevancy@reddit
TIL "locally administered addresses". The randomised addresses I've seen on VMs still come out of the VMware OUI.
ElusiveGuy@reddit
Ah yeah, some vendors will assign addresses under their own OUIs. Usually the ones that don't also make hardware (or have a separate OUI reserved for random addresses).
KnotRolls@reddit
If the address is set manually, even if the 2nd bit is set for 'local' you still run into the issue of a clash, but now in an even smaller pool. You clearly need to implement a MAC PEG Server like the below DHCP one.
TheGilmore@reddit
Ah good to know, thank you.
Odd_Barracuda463@reddit (OP)
Yes. We have a few iPhones and Androids with randomized MAC addresses. This one in particular isn't acting like them. I blocked it, so I'm waiting to see if another MAC address shows up with the same oddities. No one noticed any issues before it. If it doesn't come back and no one screams, I'll never know what it was....
Side note: I've never come across a MAC address beginning with c until now. Isn't that odd?
Anyway. New theory from comments is that it's some sort of docking station. Who knew they can cause so much trouble? Not me.
TheGilmore@reddit
Have you checked port stats (every port) for a potential broadcast storm? Whenever I’ve seen something internal killing the network it’s been something like a phone or dummy switch plugged into two wall ports. I know you said the strange device doesn’t appear to be wired, but I’m assuming that device isn’t the cause of the network issues.
NH_shitbags@reddit
The OUI you gave "c0:9a:f1" comes back as belonging to Hikvision camera or recording device.
ZAFJB@reddit
Fix the underlying problem:
Implement proper network authorisation so that random people cannot connect random stuff using the PSK.
bbbbbthatsfivebees@reddit
Every time you encounter one of these devices: It's an iPhone or iPad with private addressing turned on. They randomize their MAC addresses for every connection and never return a valid manufacturer on any MAC address lookup.
If you really want to know, block the MAC address and wait for someone to complain to get the full details.
Rexxhunt@reddit
That OUI is registered to Apple
Odd_Barracuda463@reddit (OP)
Where did you find that? Can you post a screenshot or link to it so I can see? It's not Apple -.- How do you know!!! Who told you this?!!
ndragon798@reddit
https://www.cleancss.com/mac-lookup/C0-9A-D0
Odd_Barracuda463@reddit (OP)
What sort of hocus pocus is this? I searched for three days and nothing came up. I did my final search for it last night and nothing. Not just me but others looked it up as well using different tools and lookup sites.
So how come now, after I see your comment, it shows up as an Apple MAC address registered in 2018. Hmmmmm
Who do you work for Rexxhunt? What secrets do you hold?
Rockstaru@reddit
If it's a wired device, you should be able to find the physical interface it's connected to via looking at ARP/MAC address tables, and can then shut that interface down if you just want to cut that device off. Alternatively, if you want to do some forensics, if you have an ARP entry you might be able to
nmap and see what, if any, ports are listening on it, which might give you a clue as to what it is (e.g. if it has a web server enabled and you connect to it in a browser and get an HP JetDirect interface, more than likely it's a printer).
Odd_Barracuda463@reddit (OP)
Not wired. So no physical connection. I want to know what it is. I doubt it's something like a printer. Printers usually match a vendor. Most don't usually create randomized MAC addresses. When I and others search the MAC address nothing comes up.
Hmmm, I guess it's a temp address. I'm thinking it's some sort of live streaming device or phone. Maybe I'm paranoid. Listening device? Camera? I blocked it. Waiting to see if it will make another fake MAC address and reconnect .... Meh, I'd hope it's something mundane like a printer.
primalbluewolf@reddit
Wait, so it's wifi? Use aircrack-ng to hunt down the station with that BSSID, then. Fire up a laptop with kali and a monitor-mode/promiscuous-mode wifi card, run airmon-ng (part of aircrack-ng) and look for the offending BSSID, then play hotter/colder til you find it.
Odd_Barracuda463@reddit (OP)
It's not inside. Process of elimination down to three culprits. Not inside. Outside? Likely in a car.
I temporarily unblocked it. It didn't auto reconnect after an hour. It came back sometime after 5 hrs. It's not connected now.
primalbluewolf@reddit
It doesn't need to be. It does need to be connected, though. Once it is, use your tools to figure out which AP it's connected to, then wander over there with a laptop and airmon-ng.
Loading_M_@reddit
Does one of the cars happen to be a Tesla, or made in the last couple of years? It could be their infotainment system trying to pull system updates.
Ornithologist_MD@reddit
Default behavior for iPhones will spoof MAC addresses to WiFi for privacy/anti-tracking. However, most modern network equipment would also identify this as an iPhone, just not with the correct fingerprint. It's not impossible this is something on Android or Linux and spoofing via scripts.
Sometimes network devices get it wrong. One of my client's shittier servers is fittingly identified as a smart fridge on automatic scans.
From a cybersecurity standpoint, if you cannot identify the device, it should be blocked. If this is a network you have control of at work or at home it seems like it would be pretty non-negotiable what devices are connected to it. You should consider moving to a whitelist-only.
Odd_Barracuda463@reddit (OP)
Very true. I can still tell an iPhone even if the MAC address is randomized. Not an Android either. Not a printer. There is always some way or another to figure out what is what, but for this I'm stumped. I blocked it and will wait to see if it comes back with a different address.
I can whitelist temporarily and I considered this but that won't do long term at all.
TuxTool@reddit
I'd check out r/netsec and see what they have to say. Now you've got me sucked into this.
No_Dog9530@reddit
Then at the network level block the device and see who comes running saying their device is not working. Very easy solution.
mr_limpet112@reddit
Google says that MAC is generally a Cisco device
BuffaloRedshark@reddit
Block it, see who complains or what breaks.
Odd_Barracuda463@reddit (OP)
I did but I'd still like to know what it is.
icehot54321@reddit
Purchase better wireless network equipment.
Pretty much any decent enterprise system can locate devices.
panopticon31@reddit
Unless they are using spoofed MAC addresses.
If you block one MAC address they can revert to their real one or generate a new one.
Odd_Barracuda463@reddit (OP)
So I unblocked it temporarily. It came back with the same MAC address, so likely not randomized/spoofed...right? Still lost on what it is tho. Narrowed down to 3 people. Also I don't think it's even inside, but rather in one of their cars.
DarthPneumono@reddit
That only means it doesn't randomize its hardware address on reconnection. It tells you nothing else; they might be changing it on a timer or manually or by some other mechanism.
Odd_Barracuda463@reddit (OP)
Good point. I'm going off the idea the people/person is worse at IT stuff than me....so likely aren't doing manual address changes.
DarthPneumono@reddit
Well if you can see the device when it's doing the bad thing, or rule out other devices, that doesn't matter. You just need it to be online with that MAC long enough to look at the dashboard.
icehot54321@reddit
Even using spoofed mac addresses, you'd still know the location.
Even if the device cycled MAC addresses once an hour, you could still figure it out... and something like that would break the network as well because it would exhaust the DHCP leases.
Odd_Barracuda463@reddit (OP)
Usually it's not hard. I now think it's not inside but rather in someone's car. Down to 3 culprits.
Might have to just whitelist/blacklist if people just keep adding foolishness to the network. Like today, but like usual I'm able to figure out what it is and where it is. Someone brought over a cheap Chinese streaming device, a Xumo.
Vino84@reddit
Which Android and iOS/iPadOS devices do unless you actively tell them not to for a wireless network. I don't know what MAC prefix they'd use for that. My S26 uses CA:D1:60.
Isitrelevantyet@reddit
Even a lot of “prosumer” devices can do that. As long as you know what switch port they’re plugged into or AP they are connected to + RSSI, you can get an approximate location. That being said, if it’s something malicious and wireless, it could be small enough to hide just about anywhere… you’d probably have to get some specialized equipment at that point if you’re really serious about finding the device itself.
Break2FixIT@reddit
Scream test is extremely efficient
KindPresentation5686@reddit
How can you possibly conclude that this single device has slowed your internet speed? Have you looked at your firewall logs and analyzed what it’s talking to? What protocols it’s using? How much bandwidth it’s using? What time it’s active? If you think it’s a threat, simply unplug/block it. I’m assuming you have no network access control in place on your network?? Looks like it’s time to fix that.
Odd_Barracuda463@reddit (OP)
At that time there was nothing else to slow the speed and use large bandwidth....
Unlike today, when someone connected a cheap Chinese device that caused even more overload/lag than the mystery address device. But such is life.
Yes, there is some network access control. How can there not be? Could it be better utilized/improved? Definitely.
I've narrowed it down and am getting closer to figuring out what the mystery device is.
Odd_Barracuda463@reddit (OP)
Yes, there are some network controls. I've been doing what I can with the limited resources available. Probably not in the most proficient way, but I've narrowed it down to 3 suspects. It's not inside. I think it's outside. Maybe in a car.
alpha417@reddit
Literally the ideal use case for a scream test.
Odd_Barracuda463@reddit (OP)
Chances are they won't explain or admit it. When I approached the suspected culprit about the issue with the network for the past two weeks, they ignored it and did not try to assist. Clearly not interested in helping. I'm not sure if they are personally involved or someone else they gave the password to.
Toasty_Grande@reddit
Do you have telemetry or assurance data to back up the claim? If it's a wireless device and connected to any sort of enterprise WiFi (some prosumer too), you should be able to see avg data rates, total usage, etc. A wifi device is unlikely to slow your network unless your Internet bandwidth is very low i.e., it's torrenting. If your wireless solution doesn't have application visibility, wireshark will tell you what it is doing. Check your DHCP logs to see if the device provided client information back to the server e.g., jsmith-iphone.
It's not a private MAC, and it could be allocated but the IEEE database has yet to be updated.
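Toasty_Grande's suggestion to read the DHCP logs for a client-supplied hostname, and icehot54321's point earlier in the thread that a device cycling MAC addresses would show up as lease churn, can both be checked with one pass over the DHCP server log. The following is an added example, not code from anyone in this thread. The log lines are constructed in the shape of ISC dhcpd's "DHCPACK on <ip> to <mac> (<hostname>) via <iface>" syslog message with ISO timestamps substituted for brevity; the MAC suffixes, hostnames, IPs, pool size and the 25% churn threshold are all made-up values.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (dhcpd-like DHCPACK lines, ISO timestamps). The c0:9a:f1
# prefix is the one from the thread; every suffix, hostname and IP is invented.
SAMPLE_LOG = """\
2024-03-03 09:12:01 dhcpd: DHCPACK on 10.0.1.23 to c0:9a:f1:12:34:56 via eth0
2024-03-03 09:12:05 dhcpd: DHCPACK on 10.0.1.24 to 00:11:22:aa:bb:cc (jsmith-iphone) via eth0
2024-03-03 09:30:00 dhcpd: DHCPACK on 10.0.1.25 to ca:d1:60:00:00:01 (Galaxy-S26) via eth0
2024-03-03 09:45:00 dhcpd: DHCPREQUEST for 10.0.1.24 from 00:11:22:aa:bb:cc (jsmith-iphone) via eth0
2024-03-03 10:00:02 dhcpd: DHCPACK on 10.0.1.30 to 0a:11:22:33:44:01 via eth0
2024-03-03 10:10:02 dhcpd: DHCPACK on 10.0.1.31 to 0a:11:22:33:44:02 via eth0
2024-03-03 10:20:02 dhcpd: DHCPACK on 10.0.1.32 to 0a:11:22:33:44:03 via eth0
2024-03-03 10:30:02 dhcpd: DHCPACK on 10.0.1.33 to 0a:11:22:33:44:04 via eth0
2024-03-03 10:40:02 dhcpd: DHCPACK on 10.0.1.34 to 0a:11:22:33:44:05 via eth0
2024-03-03 10:50:02 dhcpd: DHCPACK on 10.0.1.35 to 0a:11:22:33:44:06 via eth0
2024-03-03 11:00:00 dhcpd: DHCPACK on 10.0.1.23 to c0:9a:f1:12:34:56 via eth0
"""

# Only DHCPACK lines carry a confirmed (ip, mac) binding; the hostname is optional
# because not every client sends option 12.
ACK_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) dhcpd: DHCPACK on (?P<ip>\S+) "
    r"to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?: \((?P<host>[^)]*)\))? via \S+$"
)


def is_locally_administered(mac: str) -> bool:
    """U/L bit (0x02) of the first octet set: a randomized or hand-set address."""
    return bool(int(mac[:2], 16) & 0x02)


def parse_dhcpack(line: str):
    """Return the binding from one DHCPACK line, or None for any other line."""
    m = ACK_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "ip": m["ip"],
        "mac": m["mac"].lower(),
        "host": m["host"],
    }


def summarize_leases(lines):
    """Per-MAC view: IPs held, last hostname offered, first/last seen, ACK count."""
    leases = {}
    for line in lines:
        ack = parse_dhcpack(line)
        if ack is None:
            continue
        entry = leases.setdefault(ack["mac"], {
            "ips": set(), "hostname": None, "acks": 0,
            "first_seen": ack["ts"], "last_seen": ack["ts"],
            "locally_administered": is_locally_administered(ack["mac"]),
        })
        entry["ips"].add(ack["ip"])
        entry["acks"] += 1
        entry["first_seen"] = min(entry["first_seen"], ack["ts"])
        entry["last_seen"] = max(entry["last_seen"], ack["ts"])
        if ack["host"]:
            entry["hostname"] = ack["host"]
    return leases


def new_local_macs_per_hour(lines):
    """How many never-before-seen locally administered MACs took a lease in each hour."""
    counts = defaultdict(int)
    for entry in summarize_leases(lines).values():
        if entry["locally_administered"]:
            counts[entry["first_seen"].strftime("%Y-%m-%d %H:00")] += 1
    return dict(counts)


def churn_alerts(lines, pool_size: int, max_fraction: float = 0.25):
    """Hours in which fresh local MACs consumed more than max_fraction of the pool.

    A device rotating its address every few minutes burns a new lease each time;
    this is the lease-exhaustion pattern, not normal phone privacy rotation.
    """
    threshold = pool_size * max_fraction
    return sorted(h for h, n in new_local_macs_per_hour(lines).items() if n > threshold)


if __name__ == "__main__":
    for mac, e in summarize_leases(SAMPLE_LOG.splitlines()).items():
        print(mac, e["hostname"], sorted(e["ips"]), "local" if e["locally_administered"] else "burned-in")
    print("churn alerts:", churn_alerts(SAMPLE_LOG.splitlines(), pool_size=20))
```

On a real server the input is the dhcpd syslog (or the equivalent export from whatever DHCP service is in use), and the timestamp regex is the part to adapt. The pool size should be the actual size of the scope, since the threshold is meaningless otherwise.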
Odd_Barracuda463@reddit (OP)
Yes we need better everything at this point, more bandwidth for sure. Today someone plugged in a cheap Chinese streaming box. A Zumo. Smh caused an even worse lag than the mystery Mac address device. We got a notice about upgrades so fingers crossed.
alpha417@reddit
This sounds more like some r/homelabs nonsense, tbh.
Good luck.
Odd_Barracuda463@reddit (OP)
Noted & thanks.
trcert@reddit
Can you not check the MAC address table on the switch?
DLS4BZ@reddit
/r/techsupport
whitoreo@reddit
A lot of "docking stations" use random mac addresses these days. I didn't believe it until someone proved it to me with a USB C Cables 2 Go port replicator.
Odd_Barracuda463@reddit (OP)
Hmm. According to my friend Google you might be on to something. If it's this, it was definitely monopolizing.
Doesn't even need to be physically connected to the router or switch to cause us problems. The culprit might not even be doing anything unusual and is unaware their little device is causing us issues.
sirwnstn@reddit
My brother ran into a similar problem. His network slowed to a crawl and he couldn’t figure out why. Turns out my sister-in-law had a MacBook that was asleep/off with USB-C network adapter plugged into the network switch with link light blinking rapidly. When we disconnected the cable, the congestion cleared up. Those cheap USB-C network adapters or docks could be the culprit.
BWMerlin@reddit
On your core switch you should be able to see what port or ports this MAC address was learnt from. Follow that back and you should be able to physically locate the device.
Odd_Barracuda463@reddit (OP)
Not physically connected via port. WiFi. Any idea what sort of device this could be, based on the MAC address?
KindPresentation5686@reddit
What network stack are you running?
BWMerlin@reddit
Was that the full MAC address you posted or just part of it?
If this is showing on wireless is it always the same WAP/s it is showing on?
Odd_Barracuda463@reddit (OP)
Yes
Fuzzy_Paul@reddit
Espressif Inc. (maker of ESP8266/ESP32 Wi-Fi chips). That will help you.
brutesquad01@reddit
What else have you done to narrow it down?
Can you ping it? Can you connect to it with RDP, ssh, PS session, SMB? If you have an RMM or other remote management, does it appear in that? Entra, AD, or SCCM? Does it have a web interface? You could even try to print to it if nothing else works?
Can you see which access point it connects to? Is it always the same one? What devices are in that area? Is it always connected, or does it go online/offline at a certain time everyday?
Can you see when it first appeared? Is there a new employee that started around that time? Is there a third party vendor that may have installed some device at that time?
Instead of blocking it, can you simply disconnect it? Does it reconnect? How long before it does?
If you block it, does the network return to normal performance? If not, does a new MAC address connect after the block?
RealGP@reddit
ChatGPT says that OUI prefix is registered to Amazon. Alexa / Echo / Fire TV? 🤷
smnhdy@reddit
What urls is it trying to access… this will tell you a lot.
thisguy_right_here@reddit
Perhaps it's a super box.
undergroundsilver@reddit
Log into the switch and see what IP is assigned to that MAC address.
TheThirdHippo@reddit
Check which AP it connects to so you have the area pinned down, and save the logs so you have a start/finish time if it’s only active during the day. Pair that with your door access logs and see who marries up.
Mrh592@reddit
Maybe check what DNS lookups the device is making at the firewall, those usually give a device type away.
smooth_criminal1990@reddit
Look up MAC address flags, especially the 7th bit of the first byte.
If it's a 1 then you're looking at an address that's locally set.
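The flag bit that ElusiveGuy ("the 2nd bit must be set for 'local'"), SecTechPlus (second hex digit 2, 6, A or E) and smooth_criminal1990 (the 7th bit of the first byte) are each describing is the same U/L bit, and it can be decoded mechanically rather than eyeballed. The following is an added example, not code from anyone in this thread; it assumes only the IEEE 802 layout of the first octet (I/G bit 0x01, U/L bit 0x02), and the sample addresses in it are either the prefixes quoted in the thread (c0:9a:f1, CA:D1:60) or constructed.

```python
import re


def normalize_mac(mac: str) -> str:
    """Strip ':', '-', '.' and whitespace; return lowercase hex digits.

    Accepts full addresses in any common notation and OUI-only prefixes such as
    'c0:9a:f1' or 'c0:9a:f1:' (a trailing separator, as in OP's post, is tolerated).
    """
    digits = re.sub(r"[\s:\-.]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]+", digits) or len(digits) % 2 or len(digits) > 12:
        raise ValueError(f"not a MAC address or OUI prefix: {mac!r}")
    return digits


def decode_mac(mac: str) -> dict:
    """Return the fields a vendor lookup alone does not tell you."""
    digits = normalize_mac(mac)
    first_octet = int(digits[:2], 16)
    return {
        "normalized": ":".join(digits[i:i + 2] for i in range(0, len(digits), 2)),
        "complete": len(digits) == 12,
        # OUI = first three octets; this is the key a registry lookup uses.
        "oui": digits[:6] if len(digits) >= 6 else None,
        # I/G bit: least significant bit of the first octet (mask 0x01). 1 = group/multicast.
        "multicast": bool(first_octet & 0x01),
        # U/L bit: the next bit up (mask 0x02). 1 = locally administered (randomized
        # or set by hand), 0 = universally administered, i.e. burned in under an OUI.
        "locally_administered": bool(first_octet & 0x02),
        "second_hex_digit": digits[1].upper(),
    }


def looks_randomized(mac: str) -> bool:
    """Locally administered *and* unicast is the shape private Wi-Fi addresses take.

    A 0 here does not prove the address is burned in (a manual clone of a real
    address clears the bit too); it only says the address is not self-declared local.
    """
    d = decode_mac(mac)
    return d["locally_administered"] and not d["multicast"]


def local_unicast_second_digits() -> set:
    """Derive the 2/6/A/E rule of thumb instead of memorizing it.

    The low nibble of the first octet is the second hex digit, so "U/L set and
    I/G clear" is exactly: nibble & 0b0011 == 0b0010.
    """
    return {f"{n:X}" for n in range(16) if n & 0x02 and not n & 0x01}


if __name__ == "__main__":
    # Constructed and thread-quoted samples.
    for sample in ("c0:9a:f1:", "CA:D1:60:00:00:01", "01:00:5e:00:00:01"):
        print(sample, decode_mac(sample), "randomized-style" if looks_randomized(sample) else "")
    print("second hex digits meaning local+unicast:", sorted(local_unicast_second_digits()))
```

The "7th bit" and "2nd bit" wording are the same thing counted from opposite ends of the octet: as a mask it is 0x02. Note what the check cannot do: for OP's c0:9a:f1 prefix it only says the address is not self-declared local, which is consistent with either a burned-in address under an OUI the lookup sites have not indexed or a hand-set one; the DHCP hostname, AP association and traffic checks elsewhere in the thread are what narrow it further.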
green_link@reddit
This is why all devices on a work network are whitelisted and documented. Even with a password they can't connect without the MAC address being allowed on the network.
Yes, it's not perfect, and if users are smart enough they can spoof the MAC address, but you can just remove the troublesome MAC from the whitelist and have documentation of which device and user that MAC address belongs to.
And work devices, like phones or tablets, that have the privacy randomised MAC address? Work devices are all managed with an MDM and a policy-enforced setting that disables it.
aguynamedbrand@reddit
MAC filtering is not the solution. 802.1x is the correct way to do it right.
green_link@reddit
My workplace uses a hybrid of 802.1X and MAC filtering. Most devices have to pass both to be able to connect, but devices that can't do 802.1X, like printers, can still get access so long as they are whitelisted.
jowdyboy@reddit
https://macvendors.com/
russellvt@reddit
You can always look up the device manufacturer from the first octets in the MACADDR
drahcirm@reddit
This is severely inaccurate information. You can specify any value MAC address you want for virtualized NICs.
russellvt@reddit
OP doesn't even know what the hardware is ... so that generally means the MAC is still going to be within the hardware manufacturer's range, unless OP reset it themselves.
So, likely not terribly inaccurate, let alone "severely" inaccurate. Find the hardware manufacturer and see if "it might make sense," or go through the ARP caches of locally connected devices to see "who sees it" in their hardware list to see where it's likely connected.
But, it's rather dishonest and misleading to say this is "severely" inaccurate ... everyone must start somewhere, even if that means eventually tracing interface by interface on your network switches.
Siege9929@reddit
Many modern devices randomize their MAC addresses by default, like Android phones.
russellvt@reddit
They still often adhere to the manufacturer hardware codes, at least.
Xattle@reddit
Could always try poking it with nmap and see if it comes up with any extra details.
ZealousidealFudge851@reddit
Blacklist the MAC or do some packet analysis, see where it's sending packets to, and see if you can do some reverse forensics.
master_illusion@reddit
Sounds to me like it could be a randomized MAC from an iPhone or Android device.
spk_ezrider@reddit
Searched my whole ClearPass Endpoint DB of 17k devices and not one match on this partial MAC.. 🤷👀
Odd_Barracuda463@reddit (OP)
....yeah, I tried searching but got nothing. So what does this mean? It's a fake MAC address? Virtual address? How worried should I be?
MalwareDork@reddit
Just block it. The OUI database isn't pulling anything up, so I'm assuming a randomized MAC address.
Otherwise you can do a pcap and see what beacons are responding to the unknown station. You could even do a rough triangulation if the radiotap headers give the RSSI info.
spk_ezrider@reddit
Possibly a virtual machine running in VM Workstation or HyperV. Do you have access to arp table entries to at least correlate to IP address?