About 50 Pending macs for one host? Beware of Windows 10 random MAC feature for WLAN!



  • 1.4.0

    Hi, today I mentioned the following; the list is much longer, it's only a part:


    What happened here?
    This host it4314 never had so many MACs.

    Regards X23


  • Moderator

    @x23piracy Mark as solved is only available for moderators and developers and such, to prevent people from solving too early and what not.



  • @Tom-Elliott @Wayne-Workman @george1421 Hey dudes, this random MAC option for WLAN was really enabled. Since I didn’t know it existed, I have to disable this by GPO. This user enabled it on his own, he thought it would be a good idea; no, it’s not for FOG :D Thank you Tom for giving the solving idea ;)

    Where is the option to mark as solved? Can’t find it.



  • FYI, I don’t know if the random MAC stuff is the issue; I could not reach the notebook today, the user was already gone for the weekend. I will report next week.



  • @Tom-Elliott @Wayne-Workman the system is currently not in house, so I cannot prove this.
    I found the option: https://superuser.com/questions/1212736/random-hardware-addresses-in-windows-10-creators-update/1212749


    I will check this if the system is reachable.

    Regards X23



  • @Tom-Elliott no, since this notebook has been deployed with our image this can’t be enabled; the only option could be the user himself. I’ve never heard about this, where can this be enabled/disabled?


  • Senior Developer

    @Wayne-Workman “In the name of security”


  • Moderator

    @Tom-Elliott Why on earth would they do such a thing.


  • Senior Developer

    @x23piracy Windows 10 has this feature to “randomize” MACs to help prevent hijacking of your IPs. Maybe this is enabled on this machine?


  • Moderator

    @x23piracy This is interesting. Did you only uninstall the fog client, or did you delete the host in fog too? Also, we must remember you put those MACs in the mac filter list as well. All those things are in play still. We need to eliminate variables.



  • @Tom-Elliott @george1421 @Wayne-Workman It looks like the pending MACs have stopped occurring since I uninstalled the FOG client from the machine it4314. Can someone identify something crude in the installed software, ipconfig and/or network NICs? See my post before with the screenshots.



  • @Tom-Elliott Information about IT4314

    ipconfig /all

    
    Windows-IP-Konfiguration
    
       Hostname  . . . . . . . . . . . . : it4314
       Primäres DNS-Suffix . . . . . . . : haan.local
       Knotentyp . . . . . . . . . . . . : Hybrid
       IP-Routing aktiviert  . . . . . . : Nein
       WINS-Proxy aktiviert  . . . . . . : Nein
       DNS-Suffixsuchliste . . . . . . . : haan.local
                                           carbolite.local
    
    Ethernet-Adapter Ethernet:
    
       Verbindungsspezifisches DNS-Suffix: haan.local
       Beschreibung. . . . . . . . . . . : Intel(R) Ethernet Connection I219-LM
       Physische Adresse . . . . . . . . : 40-B0-34-11-A6-D2
       DHCP aktiviert. . . . . . . . . . : Ja
       Autokonfiguration aktiviert . . . : Ja
       Verbindungslokale IPv6-Adresse  . : fe80::6844:9327:ec81:4731%11(Bevorzugt) 
       IPv4-Adresse  . . . . . . . . . . : 172.19.101.150(Bevorzugt) 
       Subnetzmaske  . . . . . . . . . . : 255.255.252.0
       Lease erhalten. . . . . . . . . . : Donnerstag, 8. Juni 2017 13:20:03
       Lease läuft ab. . . . . . . . . . : Freitag, 9. Juni 2017 13:20:03
       Standardgateway . . . . . . . . . : 172.19.100.1
       DHCP-Server . . . . . . . . . . . : 172.19.100.9
       DHCPv6-IAID . . . . . . . . . . . : 54571060
       DHCPv6-Client-DUID. . . . . . . . : 00-01-00-01-20-3C-5E-9A-40-B0-34-11-A6-D2
       DNS-Server  . . . . . . . . . . . : 172.19.100.9
                                           172.19.100.10
       NetBIOS ber TCP/IP . . . . . . . : Aktiviert
    
    Drahtlos-LAN-Adapter LAN-Verbindung* 2:
    
       Medienstatus. . . . . . . . . . . : Medium getrennt
       Verbindungsspezifisches DNS-Suffix: 
       Beschreibung. . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter
       Physische Adresse . . . . . . . . : F4-8C-50-49-D1-AE
       DHCP aktiviert. . . . . . . . . . : Ja
       Autokonfiguration aktiviert . . . : Ja
    
    Ethernet-Adapter Bluetooth-Netzwerkverbindung:
    
       Medienstatus. . . . . . . . . . . : Medium getrennt
       Verbindungsspezifisches DNS-Suffix: 
       Beschreibung. . . . . . . . . . . : Bluetooth Device (Personal Area Network)
       Physische Adresse . . . . . . . . : F4-8C-50-49-D1-B1
       DHCP aktiviert. . . . . . . . . . : Ja
       Autokonfiguration aktiviert . . . : Ja
    
    Drahtlos-LAN-Adapter WLAN:
    
       Medienstatus. . . . . . . . . . . : Medium getrennt
       Verbindungsspezifisches DNS-Suffix: haan.local
       Beschreibung. . . . . . . . . . . : Intel(R) Dual Band Wireless-AC 8260
       Physische Adresse . . . . . . . . : 72-3F-F5-26-FF-6C
       DHCP aktiviert. . . . . . . . . . : Ja
       Autokonfiguration aktiviert . . . : Ja
    

    Installed Software:

    Network devices in device manager:



  • @Tom-Elliott after chatting with Tom we decided to remove the FOG client from it4314; I also removed all the pending MACs again. Now let’s wait and see what happens.


  • Senior Developer

    So what we know, so far, is it appears IT4314 IS registering these pending macs?



  • @Tom-Elliott

    172.19.101.150 - - [08/Jun/2017:13:18:25 +0200] "GET /fog/management/index.php?sub=requestClientInfo&mac=40:B0:34:11:A6:D2%7CF4:8C:50:49:D1:AE%7CF4:8C:50:49:D1:B1%7CD2:B1:A5:D6:12:7C&newService&json HTTP/1.1" 200 1705 "-" "-"
    172.19.101.150 - - [08/Jun/2017:13:18:27 +0200] "GET /fog/service/usertracking.report.php?action=login&user=it4314%5Ccca&mac=40:B0:34:11:A6:D2%7CF4:8C:50:49:D1:AE%7CF4:8C:50:49:D1:B1%7CD2:B1:A5:D6:12:7C&newService&json HTTP/1.1" 200 583 "-" "-"
    172.19.101.150 - - [08/Jun/2017:13:20:37 +0200] "GET /fog/management/index.php?sub=requestClientInfo&mac=40:B0:34:11:A6:D2%7CF4:8C:50:49:D1:AE%7CF4:8C:50:49:D1:B1%7CD2:B1:A5:D6:12:7C&newService&json HTTP/1.1" 200 1705 "-" "-"
    172.19.101.150 - - [08/Jun/2017:13:23:08 +0200] "GET /fog/management/index.php?sub=requestClientInfo&mac=40:B0:34:11:A6:D2%7CF4:8C:50:49:D1:AE%7CF4:8C:50:49:D1:B1%7CD2:B1:A5:D6:12:7C&newService&json HTTP/1.1" 200 1705 "-" "-"
    172.19.101.150 - - [08/Jun/2017:13:24:19 +0200] "GET /fog/management/index.php?sub=requestClientInfo&mac=40:B0:34:11:A6:D2%7CF4:8C:50:49:D1:AE%7CF4:8C:50:49:D1:B1%7CD2:B1:A5:D6:12:7C&newService&json HTTP/1.1" 200 1705 "-" "-"
    172.19.101.150 - - [08/Jun/2017:13:26:44 +0200] "GET /fog/management/index.php?sub=requestClientInfo&mac=40:B0:34:11:A6:D2%7CF4:8C:50:49:D1:AE%7CF4:8C:50:49:D1:B1%7CD2:B1:A5:D6:12:7C&newService&json HTTP/1.1" 200 1705 "-" "-"
    

    172.19.101.150 belongs to IT4314 :) hrhr


  • Senior Developer

    @x23piracy You can look in the access log and hopefully see the host that applied this mac address.



  • @Tom-Elliott sorry, I really would do this but I am a little bit lost with it :( What should I do next? Any help is appreciated.


  • Senior Developer

    @x23piracy we need to find out why it thinks it’s it4314 first.



  • @Tom-Elliott @Wayne-Workman the first pending mac is back

    argh oh nooo :(

    I cannot find this MAC address (d2:b1:a5:d6:12:7c) on any MAC vendor list; this sounds to me like a virtual adapter too.
    Would it be a good idea to also filter d2:b1:a5 without any research?
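An added example (not part of the thread, and not FOG project code) covering two points raised above: the access-log lines the client sends with its `mac=` list, and the question of whether d2:b1:a5 can be looked up in a vendor list. It cannot, because the address has the locally administered bit set (second-least-significant bit of the first octet, giving a first byte of x2, x6, xA or xE), which is exactly what a software-randomized address looks like; since the remaining bits are random, filtering one prefix like d2:b1:a5 will not match the next randomized address, so the script flags that bit instead. The log text is a constructed sample modelled on the lines posted in the thread, with a second request where only the WLAN MAC has changed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample modelled on the thread's access log: same client IP, the same
# three hardware MACs, but the fourth (WLAN) address differs between requests, which
# is how Windows 10 random hardware addresses show up on the FOG server side.
SAMPLE_LOG = """\
172.19.101.150 - - [08/Jun/2017:13:18:25 +0200] "GET /fog/management/index.php?sub=requestClientInfo&mac=40:B0:34:11:A6:D2%7CF4:8C:50:49:D1:AE%7CF4:8C:50:49:D1:B1%7CD2:B1:A5:D6:12:7C&newService&json HTTP/1.1" 200 1705 "-" "-"
172.19.101.150 - - [09/Jun/2017:08:02:11 +0200] "GET /fog/management/index.php?sub=requestClientInfo&mac=40:B0:34:11:A6:D2%7CF4:8C:50:49:D1:AE%7CF4:8C:50:49:D1:B1%7C6A:0C:3E:91:47:55&newService&json HTTP/1.1" 200 1705 "-" "-"
"""

# Common log format prefix: client IP, ident, user, [timestamp], "GET <path> HTTP/x.y"
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "GET (?P<path>\S+) HTTP/[\d.]+"')


def is_locally_administered(mac):
    """True when the U/L bit (value 0x02) of the first octet is set: the address was
    assigned by software, so no OUI vendor lookup will ever resolve it."""
    return int(mac.split(":")[0], 16) & 0x02 != 0


def macs_from_request(path):
    """Return the '|'-separated MAC list from the mac= query parameter, upper-cased.
    parse_qs percent-decodes the value, so %7C becomes '|' before splitting."""
    query = parse_qs(urlsplit(path).query)
    return [m.upper() for m in query.get("mac", [""])[0].split("|") if m]


def mac_report(log_text):
    """Map each client IP to the set of all MACs it reported and the subset that
    look randomized. A growing 'randomized' set for one IP is the pattern seen
    in this thread: one host registering pending MAC after pending MAC."""
    report = defaultdict(lambda: {"macs": set(), "randomized": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or "sub=requestClientInfo" not in m.group("path"):
            continue
        for mac in macs_from_request(m.group("path")):
            report[m.group("ip")]["macs"].add(mac)
            if is_locally_administered(mac):
                report[m.group("ip")]["randomized"].add(mac)
    return dict(report)


if __name__ == "__main__":
    for ip, info in mac_report(SAMPLE_LOG).items():
        print(ip, "reported", len(info["macs"]), "MACs,",
              len(info["randomized"]), "look randomized:", sorted(info["randomized"]))
```

Run it against the real `/var/log` access log of the FOG web server instead of the sample to see which client IP keeps reporting new locally administered addresses.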



  • @Tom-Elliott ok, I’ve shortened it to the first 3 octets like you recommended. I’ve read the hint for the setting but I thought filtering until the MAC changes would be better, but I did what you told me ;)

