About 50 Pending macs for one host? Beware of Windows 10 random MAC feature for WLAN!

x23piracy

@Tom-Elliott @george1421 @Wayne-Workman i could get the desired info from most of the system i found with duplicate macs:

it3210: https://pastebin.com/NLU4uZjM
it3256: https://pastebin.com/4ek2esnT
it3286: https://pastebin.com/KnQ8PWZK
it3905: https://pastebin.com/BKREi3Fu
it4004: https://pastebin.com/v3kxZrk2
it4027: https://pastebin.com/sC01izYN
it4092: https://pastebin.com/v7p1SbZv

What i found out so far:

00:50:56:C0:00:01 VMWare
00:50:56:C0:00:08 VMWare
02:80:37:EC:02:00 WWAN Device (H5321) Ericsson
00:11:6B:66:3C:89 still unclear (Systems are currently not connectable)

Edit:

I could Check it3394 for the 00:11:6B:66:3C:89 mac but the system does not have any device with that mac associated so what should i do know? Set the both vmware macs oon the filter list and also add the wwan device?

My pending mac list ist getting fuller and fuller actually there are more then 300 pending macs from it4314, i need to get rid of this.

Regards X23

Wayne Workman

@x23piracy said in About 50 Pending macs for one host?:

Set the both vmware macs oon the filter list and also add the wwan device?

Correct.

x23piracy

@Wayne-Workman i’ve done the following:

I will now delete all pending macs to see if they come back or not.

Regards X23

Tom Elliott

@x23piracy You can do partial filters.

Meaning you could do:

00:50:56,02:80:37

so Any mac address that matches the prefix will be filtered.

x23piracy

@Tom-Elliott ok i’ve shortened it to the first 3 octetts like you recommended. I’ve read the hint for the setting but i thougth filtering until mac change would be better, but i did what you told me

x23piracy

@Tom-Elliott @Wayne-Workman the first pending mac is back

argh oh nooo

I cannot find this MAC Adress (d2:b1:a5:d6:12:7c) on any MAC Vendor list, this sounds to me like a virtual adapter too.
Would it be a good idea to also filter d2:b1:a5 without any research?

Tom Elliott

@x23piracy we need to found it why it thinks it’s it4314 first.

x23piracy

@Tom-Elliott sorry i really would do this but i am a little bit lost with it what should i do next? any help is appreciated.

Tom Elliott

@x23piracy You can look in the access log and hopefully see the host that applied this mac address.

x23piracy

@Tom-Elliott

172.19.101.150 - - [08/Jun/2017:13:18:25 +0200] "GET /fog/management/index.php?sub=requestClientInfo&mac=40:B0:34:11:A6:D2%7CF4:8C:50:49:D1:AE%7CF4:8C:50:49:D1:B1%7CD2:B1:A5:D6:12:7C&newService&json HTTP/1.1" 200 1705 "-" "-"
172.19.101.150 - - [08/Jun/2017:13:18:27 +0200] "GET /fog/service/usertracking.report.php?action=login&user=it4314%5Ccca&mac=40:B0:34:11:A6:D2%7CF4:8C:50:49:D1:AE%7CF4:8C:50:49:D1:B1%7CD2:B1:A5:D6:12:7C&newService&json HTTP/1.1" 200 583 "-" "-"
172.19.101.150 - - [08/Jun/2017:13:20:37 +0200] "GET /fog/management/index.php?sub=requestClientInfo&mac=40:B0:34:11:A6:D2%7CF4:8C:50:49:D1:AE%7CF4:8C:50:49:D1:B1%7CD2:B1:A5:D6:12:7C&newService&json HTTP/1.1" 200 1705 "-" "-"
172.19.101.150 - - [08/Jun/2017:13:23:08 +0200] "GET /fog/management/index.php?sub=requestClientInfo&mac=40:B0:34:11:A6:D2%7CF4:8C:50:49:D1:AE%7CF4:8C:50:49:D1:B1%7CD2:B1:A5:D6:12:7C&newService&json HTTP/1.1" 200 1705 "-" "-"
172.19.101.150 - - [08/Jun/2017:13:24:19 +0200] "GET /fog/management/index.php?sub=requestClientInfo&mac=40:B0:34:11:A6:D2%7CF4:8C:50:49:D1:AE%7CF4:8C:50:49:D1:B1%7CD2:B1:A5:D6:12:7C&newService&json HTTP/1.1" 200 1705 "-" "-"
172.19.101.150 - - [08/Jun/2017:13:26:44 +0200] "GET /fog/management/index.php?sub=requestClientInfo&mac=40:B0:34:11:A6:D2%7CF4:8C:50:49:D1:AE%7CF4:8C:50:49:D1:B1%7CD2:B1:A5:D6:12:7C&newService&json HTTP/1.1" 200 1705 "-" "-"

172.19.101.150 belongs to IT4314 hrhr

Tom Elliott

So what we know, so far, is it appears IT4314 IS registering these pending macs?

x23piracy

@Tom-Elliott after chatting with tom we decided to remove the fog client from it4314, i also removed all the pending macs again. Now lets wait what happens.

x23piracy

@Tom-Elliott Information about IT4314

ipconfig /all

Windows-IP-Konfiguration

   Hostname  . . . . . . . . . . . . : it4314
   Prim„res DNS-Suffix . . . . . . . : haan.local
   Knotentyp . . . . . . . . . . . . : Hybrid
   IP-Routing aktiviert  . . . . . . : Nein
   WINS-Proxy aktiviert  . . . . . . : Nein
   DNS-Suffixsuchliste . . . . . . . : haan.local
                                       carbolite.local

Ethernet-Adapter Ethernet:

   Verbindungsspezifisches DNS-Suffix: haan.local
   Beschreibung. . . . . . . . . . . : Intel(R) Ethernet Connection I219-LM
   Physische Adresse . . . . . . . . : 40-B0-34-11-A6-D2
   DHCP aktiviert. . . . . . . . . . : Ja
   Autokonfiguration aktiviert . . . : Ja
   Verbindungslokale IPv6-Adresse  . : fe80::6844:9327:ec81:4731%11(Bevorzugt) 
   IPv4-Adresse  . . . . . . . . . . : 172.19.101.150(Bevorzugt) 
   Subnetzmaske  . . . . . . . . . . : 255.255.252.0
   Lease erhalten. . . . . . . . . . : Donnerstag, 8. Juni 2017 13:20:03
   Lease l„uft ab. . . . . . . . . . : Freitag, 9. Juni 2017 13:20:03
   Standardgateway . . . . . . . . . : 172.19.100.1
   DHCP-Server . . . . . . . . . . . : 172.19.100.9
   DHCPv6-IAID . . . . . . . . . . . : 54571060
   DHCPv6-Client-DUID. . . . . . . . : 00-01-00-01-20-3C-5E-9A-40-B0-34-11-A6-D2
   DNS-Server  . . . . . . . . . . . : 172.19.100.9
                                       172.19.100.10
   NetBIOS ber TCP/IP . . . . . . . : Aktiviert

Drahtlos-LAN-Adapter LAN-Verbindung* 2:

   Medienstatus. . . . . . . . . . . : Medium getrennt
   Verbindungsspezifisches DNS-Suffix: 
   Beschreibung. . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter
   Physische Adresse . . . . . . . . : F4-8C-50-49-D1-AE
   DHCP aktiviert. . . . . . . . . . : Ja
   Autokonfiguration aktiviert . . . : Ja

Ethernet-Adapter Bluetooth-Netzwerkverbindung:

   Medienstatus. . . . . . . . . . . : Medium getrennt
   Verbindungsspezifisches DNS-Suffix: 
   Beschreibung. . . . . . . . . . . : Bluetooth Device (Personal Area Network)
   Physische Adresse . . . . . . . . : F4-8C-50-49-D1-B1
   DHCP aktiviert. . . . . . . . . . : Ja
   Autokonfiguration aktiviert . . . : Ja

Drahtlos-LAN-Adapter WLAN:

   Medienstatus. . . . . . . . . . . : Medium getrennt
   Verbindungsspezifisches DNS-Suffix: haan.local
   Beschreibung. . . . . . . . . . . : Intel(R) Dual Band Wireless-AC 8260
   Physische Adresse . . . . . . . . : 72-3F-F5-26-FF-6C
   DHCP aktiviert. . . . . . . . . . : Ja
   Autokonfiguration aktiviert . . . : Ja

Installed Software:

Network devices in device manager:

x23piracy

@Tom-Elliott @george1421 @Wayne-Workman It looks like the pending macs have stopped accouring since i uninstalled the fog client from the machine it4314, can someone identify something crude in installed software, ipconfig and or network nics? My post before with the Screenshots.

Wayne Workman

@x23piracy This is interesting. Did you only uninstall the fog client, or did you delete the host in fog too? Also, we must remember you put those MACs in the mac filter list as well. All those things are in play still. We need to eliminate variables.

Tom Elliott

@x23piracy Windows 10 has this feature to “randomize” mac’s to help prevent hijacking of your ip’s. Maybe this is enabled on this machine?

Wayne Workman

@Tom-Elliott Why on earth would they do such a thing.

Tom Elliott

@Wayne-Workman “In the name of security”

x23piracy

@Tom-Elliott no since this notebook has been deployed with our image this can’t be enabled, the only option could be the user itself. I’ve never heared about this where can this be enabled/disabled?

x23piracy

@Tom-Elliott @Wayne-Workman the system is currently not in house so i cannot proof this.
I found the option: https://superuser.com/questions/1212736/random-hardware-addresses-in-windows-10-creators-update/1212749

I will check this if the system is reachable.

Regards X23