
Duplicate/slightly modified mac address in my router's connected device list


9 replies to this topic

#1 watsonnn


Posted 19 October 2015 - 04:10 AM

Hi, I have two laptops and a Huawei Android (version 4.1.1) phone connected to a Huawei HG655b router. I know the MAC addresses of all of my devices, but some time ago I noticed in my router's connected device list a duplicate MAC address of my Android phone, which made me change my wifi password.

I will give an exact example:

My phone's MAC is something like 56:4G:7U:6W:34 and the unknown duplicate MAC address is something like 56:4G:7U:6W:7U, with the last two numbers of the address the same as the ones in the middle.

So the first time I noticed the duplicate device, I changed my password from a 30-digit randomly generated one to a 60-digit randomly generated one, and after that I thought it's impossible for it to be "cracked" or something again.

I didn't even check the router's device list again from the time I changed the pass, since I've set my router so only 2 devices at a time can be connected to it (usually one of the laptops and my phone) and it hasn't been the case that I can't connect to it before. So my questions are:

1. What's up with that slightly modified address of my phone in my router's connected device list? Could it be that my phone is seen by my router as two connected devices because of an error? Or is there another reason?

2. Could the "unbreakable" passwords get cracked all the time or can they be found by someone through another way? How?

I hope I described my problem in detail, and sorry for the long post.


Edited by watsonnn, 19 October 2015 - 04:17 AM.




#2 Kilroy


Posted 27 October 2015 - 11:45 AM

MAC addresses from the same company will be similar as part of the MAC address identifies the manufacturer.
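
Added example, not part of Kilroy's post: one way to check how an unfamiliar MAC in a router's client list relates to a device you own, by comparing the manufacturer prefix (the first three octets) and decoding the locally-administered bit. The function names and all addresses are constructed for illustration; note that the parser rejects strings that are not six hexadecimal octets.

```python
# Added example: triage an unfamiliar MAC address seen in a router's client list.
# Every address here is a constructed sample, not a value from the thread.

def parse_mac(text):
    """Return the six octets of a MAC written with ':' or '-' separators."""
    parts = text.strip().replace("-", ":").split(":")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError(f"not a 6-octet MAC: {text!r}")
    return bytes(int(p, 16) for p in parts)  # ValueError on non-hex digits

def describe(mac):
    """Decode the manufacturer prefix and the two flag bits of the first octet."""
    return {
        "oui": mac[:3].hex(":"),                      # manufacturer prefix
        "locally_administered": bool(mac[0] & 0x02),  # assigned by software
        "multicast": bool(mac[0] & 0x01),             # not a valid client address
    }

def compare(known, unknown):
    """Compare an unknown client MAC against one of your own devices."""
    a, b = parse_mac(known), parse_mac(unknown)
    info = describe(b)
    result = {
        "same_oui": a[:3] == b[:3],
        "differing_octets": [i for i in range(6) if a[i] != b[i]],
        "unknown_locally_administered": info["locally_administered"],
    }
    if a == b:
        result["verdict"] = "identical address"
    elif info["locally_administered"]:
        # Software-assigned: the prefix says nothing about the manufacturer.
        result["verdict"] = "software-assigned address (virtual, randomised or cloned)"
    elif result["same_oui"]:
        result["verdict"] = "same manufacturer prefix, different interface"
    else:
        result["verdict"] = "different manufacturer prefix"
    return result

if __name__ == "__main__":
    phone = "3c:47:11:6a:90:34"  # constructed: a device you own
    for seen in ("3c:47:11:6a:90:7b", "3e:47:11:6a:90:34", "a0:b1:c2:d3:e4:f5"):
        print(seen, compare(phone, seen))
```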



#3 irvin_than_allyl


Posted 29 October 2015 - 01:07 AM

2.Could the "unbreakable" passwords get cracked all the time or can  they be found by someone through another way?How? 

 

 

 

 

Typically with Wireless Local Area Network (WLAN) cracking, the crackers look first to see if you're using WEP, which is ridiculously easy to crack. If you're not using WPA2 instead of WEP, it can still be cracked by collecting the packets involved in the four-step handshake process, and then running either a dictionary attack using a long list of passwords, or a brute force attack, which tries to use every possible combination of passwords, given a certain set of parameters.

https://en.wikipedia.org/wiki/IEEE_802.11i-2004#The_four-way_handshake

https://en.wikipedia.org/wiki/Dictionary_attack

https://en.wikipedia.org/wiki/Brute-force_attack

 

Since you're using a strong password, these two methods wouldn't prove to be viable.

 

However, there's still a way to crack a WLAN, and that is through a WPS attack. WPS was created to try to make authenticating smart phones easier, since it's a lot harder to type a complex password on smartphone keyboards. It generates an 8 digit pin number, which is entered into the smart phone. The problem is with the way it's implemented. The first four digits are checked first as a group, and then the last three as a group, and the final digit is a checksum value. This reduces the total possible combinations to merely 11,000, making brute forcing it entirely viable.

https://en.wikipedia.org/wiki/Wi-Fi_Protected_Setup

 

So even if you use the strongest WPA2 password possible, your WLAN can still be cracked if you use WPS and your router doesn't have a good lockout mechanism, as most don't. WPS cracking can even be faster than the normal brute force if the router has a particular chipset, and is vulnerable to the pixie dust attack.

https://en.wikipedia.org/wiki/Wi-Fi_Protected_Setup#Offline_brute-force_attack

 

So the answer to the problem of WPS is simple: Disable it.

 

As to the question of your connected devices MAC addresses, I don't know. I guess it's possible for a smart phone to have two network interfaces and for both to be connected to your WLAN, but I have no idea. In any case, if you have a very strong WPA2 password, and disable WPS, you should be fine.

 

The only attacks possible in this case would be denial of service attacks, but there's really nothing you can do about that if you want to keep using wireless ... unless you want to paint the interior side of all your external walls with paint that blocks radio waves and coat your windows with material that does the same .... 

https://www.sans.org/reading-room/whitepapers/wireless/80211-denial-service-attacks-mitigation-2108

 

So in addition to using WPA2 with a strong password, and disabling WPS, you should also configure your router to only be administered via a wired ethernet connection, and change the default administrator password. If WLANs are poorly secured, attackers can crack into them, log into the router's administrative account wirelessly, and then basically own the lives of everyone connected to that WLAN.

 

:wacko:
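
Added example, not part of the post above: a way to confirm that disabling WPS actually took effect, by parsing the information elements of the access point's own beacon and reporting whether a WPS element is still advertised and whether the "AP Setup Locked" flag is set. It assumes you already have the raw information-element bytes from a capture of your own network; the function names and the sample bytes are constructed for illustration.

```python
import struct

WPS_VENDOR = bytes.fromhex("0050f204")   # vendor IE: OUI 00:50:F2, type 4 = WPS
ATTR_STATE, ATTR_LOCKED = 0x1044, 0x1057  # WPS state, AP Setup Locked

def iter_tlv(buf, hdr):
    """Yield (type, value) pairs; hdr is the struct format of type + length."""
    size = struct.calcsize(hdr)
    pos = 0
    while pos + size <= len(buf):
        kind, length = struct.unpack_from(hdr, buf, pos)
        pos += size
        if pos + length > len(buf):
            return  # truncated element: stop rather than misparse
        yield kind, buf[pos:pos + length]
        pos += length

def wps_status(ies):
    """Summarise the WPS element, if any, in a beacon's information elements."""
    status = {"advertised": False, "state": None, "setup_locked": False}
    for tag, data in iter_tlv(ies, "BB"):            # 1-byte tag, 1-byte length
        if tag != 221 or not data.startswith(WPS_VENDOR):
            continue
        status["advertised"] = True
        for attr, val in iter_tlv(data[4:], ">HH"):  # 2-byte type, 2-byte length
            if attr == ATTR_STATE and val:
                status["state"] = val[0]             # 1 = unconfigured, 2 = configured
            elif attr == ATTR_LOCKED and val:
                status["setup_locked"] = bool(val[0])
    return status

def sample_beacon_ies(with_wps=True):
    """Constructed information elements: an SSID, optionally followed by WPS."""
    ies = bytes([0, 4]) + b"home"
    if with_wps:
        body = WPS_VENDOR + bytes.fromhex("104a000110" "1044000102" "1057000101")
        ies += bytes([221, len(body)]) + body
    return ies

if __name__ == "__main__":
    print("WPS on: ", wps_status(sample_beacon_ies(True)))
    print("WPS off:", wps_status(sample_beacon_ies(False)))
```

After WPS is disabled in the router's settings, the expected result for your own beacon is `advertised: False`.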



#4 watsonnn


Posted 30 October 2015 - 06:54 AM

 

2.Could the "unbreakable" passwords get cracked all the time or can  they be found by someone through another way?How? 

 

 

"As to the question of your connected devices MAC addresses, I don't know. I guess it's possible for a smart phone to have two network interfaces and for both to be connected to your WLAN, but I have no idea. In any case, if you have a very strong WPA2 password, and disable WPS, you should be fine."

Thanks very much for the complete answer u gave me!

But if it's possible for a phone to have two network interfaces, wouldn't it connect with both of them all the time? In my case, I found the other address connected just 2 or 3 times!

 



#5 watsonnn


Posted 30 October 2015 - 07:12 AM

 

2.Could the "unbreakable" passwords get cracked all the time or can  they be found by someone through another way?How? 

 

 

 


 

The only attacks possible in this case would be denial of service attacks, but there's really nothing you can do about that if you want to keep using wireless ... unless you want to paint the interior side of all your external walls with paint that blocks radio waves and coat your windows with material that does the same .... 

https://www.sans.org/reading-room/whitepapers/wireless/80211-denial-service-attacks-mitigation-2108

 

So in addition to using WPA2 with a strong password, and disabling WPS, you should also configure your router to only be administered via a wired ethernet connection, and change the default administrator password. If WLANs are poorly secured, attackers can crack into them, log into the router's administrative account wirelessly, and then basically own the lives of everyone connected to that WLAN.

 

:wacko:

 

 

 

-I did disable WPS a long time ago and I had a strong password for WLAN and admin. The flaw I had with securing the router was that I didn't set up a password for the "user" account, which I didn't know existed at that time. The things a user could do are: see the configuration of the WLAN, the logs, change the user name and reboot my router or reset it, I think, but I secured the user account too, a long time ago.

I still have some questions about how a denial of service attack manifests itself: how can you tell it happens?

Because I had some problems with my router losing its DSL and internet connection some time ago when I didn't have the user account secured. At first I thought it's just the internet going crazy, then after I found the user section is not secured I thought, hmm, it could be that somebody reboots my router from the user account, but I saw that when u reboot it, it restarts losing its power along with the DSL and internet, not just the last two, so now I'm thinking they were actually denial of service attacks?

 

And another thing :

you should also configure your router to only be administered via a wired ethernet connection, and change the default administrator password. 

 

I couldn't find the option to set the router so it can only be configured via wired connection and not WLAN, though I remember when I got the router I managed to configure it that way, even if I can't be sure that I do remember right. I searched online and in its manual too but didn't find the option to set it to be configured only from the LAN side. Maybe u can give me a hint?


Edited by watsonnn, 30 October 2015 - 07:21 AM.


#6 irvin_than_allyl


Posted 30 October 2015 - 11:03 AM

I'm not sure about the smart phone network interfaces. If and when you notice this happen again, you could try blocking the MAC address in your router's security configuration, and see if it has any effects on your phone's connection. Unblock it and see if they go away. You know, do some science :wink:

 

In a denial of service attack, you just won't be able to use your wireless network at all. I think the most common with WLANs would be a deauthentication and dissociation attack, which can be easily done with the commonly used aireplay-ng tool. Read through that .pdf I linked for more information, or search for aireplay-ng. The attacker wouldn't even need to be connected to your WLAN. Even if they didn't know your WPA2 pre shared key, and you didn't have WPS enabled, and they couldn't crack into your WLAN at all, they could still perform these attacks if they were anywhere physically near you. They're dead simple with aireplay-ng.

 

As far as configuring your router to only be administered with a wired connection, if it's not in this documentation, you'll have to search around and try to figure it out. Sorry, I don't have a lot of time to help on the forums this weekend. Someone else might chime in though.

http://setuprouter.com/router/huawei/hg655b/manual-163.pdf
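
Added example, not part of the post above: detection logic for the deauthentication/disassociation flood described in this reply, which counts those management frames per access point in a sliding time window. It assumes frame records have already been extracted from a monitor-mode capture of your own network; the record layout, thresholds and sample data are constructed for illustration.

```python
from collections import defaultdict, deque

# 802.11 management frame subtypes
BEACON, DISASSOC, DEAUTH = 0x08, 0x0A, 0x0C
BROADCAST = "ff:ff:ff:ff:ff:ff"

def find_floods(frames, window_s=10.0, threshold=20):
    """Flag BSSIDs that see >= threshold deauth/disassoc frames within window_s.

    frames: iterable of (time_s, subtype, bssid, destination), sorted by time.
    The window and threshold are assumed starting values, to be tuned.
    """
    recent = defaultdict(deque)  # bssid -> (time, destination) still in window
    alerts = {}
    for t, subtype, bssid, dst in frames:
        if subtype not in (DISASSOC, DEAUTH):
            continue
        q = recent[bssid]
        q.append((t, dst))
        while t - q[0][0] > window_s:  # drop frames that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            a = alerts.setdefault(bssid, {"bssid": bssid, "start": q[0][0],
                                          "peak": 0, "targets": set()})
            a["peak"] = max(a["peak"], len(q))
            a["targets"].update(d for _, d in q)
    for a in alerts.values():
        a["all_clients"] = BROADCAST in a["targets"]  # broadcast hits every client
    return list(alerts.values())

def sample_capture():
    """Constructed records: normal traffic, then a burst of broadcast deauths."""
    ap, phone = "02:00:00:00:00:01", "02:00:00:00:00:02"
    frames = [(float(s), BEACON, ap, BROADCAST) for s in range(0, 100, 10)]
    frames.append((3.0, DEAUTH, ap, phone))  # one client leaving: normal
    frames += [(100.0 + i * 0.1, DEAUTH, ap, BROADCAST) for i in range(40)]
    return sorted(frames)

if __name__ == "__main__":
    for alert in find_floods(sample_capture()):
        print(alert)
```

A single deauthentication frame, such as a client leaving normally, stays below the threshold; only the sustained burst is reported.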



#7 watsonnn


Posted 30 October 2015 - 02:44 PM

I'm not sure about the smart phone network interfaces. If and when you notice this happen again, you could try blocking the MAC address in your router's security configuration, and see if it has any effects on your phone's connection. Unblock it and see if they go away. You know, do some science :wink:

 

In a denial of service attack, you just won't be able to use your wireless network at all. I think the most common with WLANs would be a deauthentication and dissociation attack, which can be easily done with the commonly used aireplay-ng tool. Read through that .pdf I linked for more information, or search for aireplay-ng. The attacker wouldn't even need to be connected to your WLAN. Even if they didn't know your WPA2 pre shared key, and you didn't have WPS enabled, and they couldn't crack into your WLAN at all, they could still perform these attacks if they were anywhere physically near you. They're dead simple with aireplay-ng.

 

As far as configuring your router to only be administered with a wired connection, if it's not in this documentation, you'll have to search around and try to figure it out. Sorry, I don't have a lot of time to help on the forums this weekend. Someone else might chime in though.

http://setuprouter.com/router/huawei/hg655b/manual-163.pdf

 

 

 

Thanks

 

-I blocked the duplicate address and if I remember correctly my phone still could connect.

-And btw, some time ago when I used to lose my DSL connection all the time I even had my download and streaming speed cut down to a half or even less. Was that a symptom of an attack or what could have caused this kind of thing?

-There is nothing in the manual about accessing the router only through wired connection, from what I can see. What's that option's name or how is it usually called or how is a router usually set up to do that? So I'll know how to search for it online or in my router's options!


Edited by watsonnn, 30 October 2015 - 02:47 PM.


#8 irvin_than_allyl


Posted 31 October 2015 - 08:55 AM

I can't tell you what caused your speed to cut in half. It probably wasn't a deauthentication or dissociation DOS attack, because during those you completely lose authentication or association to the access point, and your connection is totally dead.

 

If you want to, you could post screen shots of all the configuration pages for your router, and I'll try to take a look this weekend and see if you should be able to configure it to be administered only through a wired connection.



#9 watsonnn


Posted 13 November 2015 - 06:23 AM

I can't tell you what caused your speed to cut in half. It probably wasn't a deauthentication or dissociation DOS attack, because during those you completely lose authentication or association to the access point, and your connection is totally dead.

 

If you want to, you could post screen shots of all the configuration pages for your router, and I'll try to take a look this weekend and see if you should be able to configure it to be administered only through a wired connection.

Sorry for the late reply, I had some problems. I can't go posting all the screens of my router's settings, they must be over 30 screens. I thought u could tell me what that option is called in other routers you know or have seen, I don't know. It's ok, you have been very helpful thus far, thank you very much. I don't see it as a big problem that my router can be accessed via wifi if it has a strong password, because I think that's even harder to crack than the wifi pass itself, or I could be wrong?

Anyway, I wanted to ask something about the deauthentication or dissociation DOS attack: when u are attacked like that, u can't connect to your wifi? Or u can connect to it but u get disconnected? Or you can connect to it but u can't access the internet?



#10 irvin_than_allyl


Posted 30 November 2015 - 09:45 AM

 

I can't tell you what caused your speed to cut in half. It probably wasn't a deauthentication or dissociation DOS attack, because during those you completely lose authentication or association to the access point, and your connection is totally dead.

 

If you want to, you could post screen shots of all the configuration pages for your router, and I'll try to take a look this weekend and see if you should be able to configure it to be administered only through a wired connection.

1. Sorry for the late reply, I had some problems. I can't go posting all the screens of my router's settings, they must be over 30 screens. I thought u could tell me what that option is called in other routers you know or have seen, I don't know. It's ok, you have been very helpful thus far, thank you very much. I don't see it as a big problem that my router can be accessed via wifi if it has a strong password, because I think that's even harder to crack than the wifi pass itself, or I could be wrong?

2. Anyway, I wanted to ask something about the deauthentication or dissociation DOS attack: when u are attacked like that, u can't connect to your wifi? Or u can connect to it but u get disconnected? Or you can connect to it but u can't access the internet?

 

 

 

1. It should say something like web access, router access, or administrative access, something like that. You may just not have the option. If you have a strong password, then you should be fine. You just don't want to keep the default administrative password and allow wireless administrative access of your router, because if your wireless network is accessed by a hacker, they could easily access your router's management interface wirelessly and do all sorts of fun things. Fun for them, but horrible for you, of course. 

 

2. You just wouldn't be connected (associated) at all with your router. You couldn't use the internet, you couldn't merely ping websites, and you probably couldn't even ping your router.





