About 50 Pending macs for one host? Beware of Windows 10 random MAC feature for WLAN!
-
@Wayne-Workman I’ve done the following:
I will now delete all pending macs to see if they come back or not.
Regards X23
-
@x23piracy You can do partial filters.
Meaning you could do:
00:50:56,02:80:37
so any MAC address that matches the prefix will be filtered.
-
@Tom-Elliott ok, I’ve shortened it to the first 3 octets like you recommended. I’ve read the hint for the setting but I thought filtering until MAC change would be better, but I did what you told me.
-
@Tom-Elliott @Wayne-Workman the first pending mac is back
argh oh nooo
I cannot find this MAC address (d2:b1:a5:d6:12:7c) on any MAC vendor list, this sounds to me like a virtual adapter too.
Would it be a good idea to also filter d2:b1:a5 without any research?
-
@x23piracy we need to find out why it thinks it’s it4314 first.
-
@Tom-Elliott sorry, I really would do this but I am a little bit lost with it. What should I do next? Any help is appreciated.
-
@x23piracy You can look in the access log and hopefully see the host that applied this MAC address.
-
172.19.101.150 - - [08/Jun/2017:13:18:25 +0200] "GET /fog/management/index.php?sub=requestClientInfo&mac=40:B0:34:11:A6:D2%7CF4:8C:50:49:D1:AE%7CF4:8C:50:49:D1:B1%7CD2:B1:A5:D6:12:7C&newService&json HTTP/1.1" 200 1705 "-" "-"
172.19.101.150 - - [08/Jun/2017:13:18:27 +0200] "GET /fog/service/usertracking.report.php?action=login&user=it4314%5Ccca&mac=40:B0:34:11:A6:D2%7CF4:8C:50:49:D1:AE%7CF4:8C:50:49:D1:B1%7CD2:B1:A5:D6:12:7C&newService&json HTTP/1.1" 200 583 "-" "-"
172.19.101.150 - - [08/Jun/2017:13:20:37 +0200] "GET /fog/management/index.php?sub=requestClientInfo&mac=40:B0:34:11:A6:D2%7CF4:8C:50:49:D1:AE%7CF4:8C:50:49:D1:B1%7CD2:B1:A5:D6:12:7C&newService&json HTTP/1.1" 200 1705 "-" "-"
172.19.101.150 - - [08/Jun/2017:13:23:08 +0200] "GET /fog/management/index.php?sub=requestClientInfo&mac=40:B0:34:11:A6:D2%7CF4:8C:50:49:D1:AE%7CF4:8C:50:49:D1:B1%7CD2:B1:A5:D6:12:7C&newService&json HTTP/1.1" 200 1705 "-" "-"
172.19.101.150 - - [08/Jun/2017:13:24:19 +0200] "GET /fog/management/index.php?sub=requestClientInfo&mac=40:B0:34:11:A6:D2%7CF4:8C:50:49:D1:AE%7CF4:8C:50:49:D1:B1%7CD2:B1:A5:D6:12:7C&newService&json HTTP/1.1" 200 1705 "-" "-"
172.19.101.150 - - [08/Jun/2017:13:26:44 +0200] "GET /fog/management/index.php?sub=requestClientInfo&mac=40:B0:34:11:A6:D2%7CF4:8C:50:49:D1:AE%7CF4:8C:50:49:D1:B1%7CD2:B1:A5:D6:12:7C&newService&json HTTP/1.1" 200 1705 "-" "-"
172.19.101.150 belongs to IT4314 hrhr
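As an added example (not code from the thread or from FOG), a small Python script that parses access-log lines in the format quoted above, collects the distinct MACs each client IP reports in the pipe-separated mac= parameter, and flags any address whose locally-administered bit is set, which is the bit Windows' random hardware address feature sets and vendor-assigned addresses leave clear. The two sample lines are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed sample (not a live capture): same format as the FOG access log
# quoted above; the third MAC on each line is locally administered.
SAMPLE_LOG = """\
172.19.101.150 - - [08/Jun/2017:13:18:25 +0200] "GET /fog/management/index.php?sub=requestClientInfo&mac=40:B0:34:11:A6:D2%7CF4:8C:50:49:D1:AE%7CD2:B1:A5:D6:12:7C&newService&json HTTP/1.1" 200 1705 "-" "-"
172.19.101.150 - - [08/Jun/2017:13:20:37 +0200] "GET /fog/management/index.php?sub=requestClientInfo&mac=40:B0:34:11:A6:D2%7CF4:8C:50:49:D1:AE%7C72:3F:F5:26:FF:6C&newService&json HTTP/1.1" 200 1705 "-" "-"
"""

# client IP, timestamp, request path (common log format, GET only)
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "GET (\S+) HTTP')


def is_locally_administered(mac: str) -> bool:
    """True if the U/L bit (bit 1 of the first octet) is set.
    Randomized MACs set this bit; OUI-assigned hardware MACs do not,
    which is why such an address never shows up in a vendor list."""
    first_octet = int(mac.split(":")[0], 16)
    return bool(first_octet & 0x02)


def macs_per_client(log_text: str) -> dict:
    """Map client IP -> sorted list of distinct MACs it has ever reported."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, _ts, path = m.groups()
        query = parse_qs(urlparse(path).query)  # decodes %7C back to '|'
        if "mac" not in query:
            continue
        for mac in query["mac"][0].split("|"):
            seen[ip].add(mac.strip().upper())
    return {ip: sorted(macs) for ip, macs in seen.items()}


def suspicious_clients(log_text: str) -> dict:
    """Clients that reported at least one locally-administered MAC, with
    those MACs; a growing list here is the signature of random WLAN MACs."""
    result = {}
    for ip, macs in macs_per_client(log_text).items():
        flagged = [mac for mac in macs if is_locally_administered(mac)]
        if flagged:
            result[ip] = flagged
    return result


if __name__ == "__main__":
    for ip, macs in suspicious_clients(SAMPLE_LOG).items():
        print(ip, "reported locally-administered MACs:", ", ".join(macs))
```

Run against the real access log instead of SAMPLE_LOG to see which client IP keeps registering new pending MACs and whether those MACs carry the locally-administered bit.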
-
So what we know, so far, is that it appears IT4314 IS registering these pending MACs?
-
@Tom-Elliott after chatting with Tom we decided to remove the FOG client from it4314, I also removed all the pending MACs again. Now let’s wait and see what happens.
-
@Tom-Elliott Information about IT4314
ipconfig /all
Windows-IP-Konfiguration

   Hostname . . . . . . . . . . . . : it4314
   Primäres DNS-Suffix . . . . . . . : haan.local
   Knotentyp . . . . . . . . . . . . : Hybrid
   IP-Routing aktiviert . . . . . . : Nein
   WINS-Proxy aktiviert . . . . . . : Nein
   DNS-Suffixsuchliste . . . . . . . : haan.local
                                       carbolite.local

Ethernet-Adapter Ethernet:

   Verbindungsspezifisches DNS-Suffix: haan.local
   Beschreibung. . . . . . . . . . . : Intel(R) Ethernet Connection I219-LM
   Physische Adresse . . . . . . . . : 40-B0-34-11-A6-D2
   DHCP aktiviert. . . . . . . . . . : Ja
   Autokonfiguration aktiviert . . . : Ja
   Verbindungslokale IPv6-Adresse . : fe80::6844:9327:ec81:4731%11(Bevorzugt)
   IPv4-Adresse . . . . . . . . . . : 172.19.101.150(Bevorzugt)
   Subnetzmaske . . . . . . . . . . : 255.255.252.0
   Lease erhalten. . . . . . . . . . : Donnerstag, 8. Juni 2017 13:20:03
   Lease läuft ab. . . . . . . . . . : Freitag, 9. Juni 2017 13:20:03
   Standardgateway . . . . . . . . . : 172.19.100.1
   DHCP-Server . . . . . . . . . . . : 172.19.100.9
   DHCPv6-IAID . . . . . . . . . . . : 54571060
   DHCPv6-Client-DUID. . . . . . . . : 00-01-00-01-20-3C-5E-9A-40-B0-34-11-A6-D2
   DNS-Server . . . . . . . . . . . : 172.19.100.9
                                       172.19.100.10
   NetBIOS über TCP/IP . . . . . . . : Aktiviert

Drahtlos-LAN-Adapter LAN-Verbindung* 2:

   Medienstatus. . . . . . . . . . . : Medium getrennt
   Verbindungsspezifisches DNS-Suffix:
   Beschreibung. . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter
   Physische Adresse . . . . . . . . : F4-8C-50-49-D1-AE
   DHCP aktiviert. . . . . . . . . . : Ja
   Autokonfiguration aktiviert . . . : Ja

Ethernet-Adapter Bluetooth-Netzwerkverbindung:

   Medienstatus. . . . . . . . . . . : Medium getrennt
   Verbindungsspezifisches DNS-Suffix:
   Beschreibung. . . . . . . . . . . : Bluetooth Device (Personal Area Network)
   Physische Adresse . . . . . . . . : F4-8C-50-49-D1-B1
   DHCP aktiviert. . . . . . . . . . : Ja
   Autokonfiguration aktiviert . . . : Ja

Drahtlos-LAN-Adapter WLAN:

   Medienstatus. . . . . . . . . . . : Medium getrennt
   Verbindungsspezifisches DNS-Suffix: haan.local
   Beschreibung. . . . . . . . . . . : Intel(R) Dual Band Wireless-AC 8260
   Physische Adresse . . . . . . . . : 72-3F-F5-26-FF-6C
   DHCP aktiviert. . . . . . . . . . : Ja
   Autokonfiguration aktiviert . . . : Ja
Installed Software:
Network devices in device manager:
-
@Tom-Elliott @george1421 @Wayne-Workman It looks like the pending MACs have stopped occurring since I uninstalled the FOG client from the machine it4314. Can someone identify something crude in the installed software, ipconfig and/or network NICs? See my post before with the screenshots.
-
@x23piracy This is interesting. Did you only uninstall the fog client, or did you delete the host in fog too? Also, we must remember you put those MACs in the mac filter list as well. All those things are in play still. We need to eliminate variables.
-
@x23piracy Windows 10 has this feature to “randomize” MACs to help prevent hijacking of your IPs. Maybe this is enabled on this machine?
-
@Tom-Elliott Why on earth would they do such a thing.
-
@Wayne-Workman “In the name of security”
-
@Tom-Elliott no, since this notebook has been deployed with our image this can’t be enabled, the only option could be the user itself. I’ve never heard about this. Where can this be enabled/disabled?
-
@Tom-Elliott @Wayne-Workman the system is currently not in house so I cannot prove this.
I found the option: https://superuser.com/questions/1212736/random-hardware-addresses-in-windows-10-creators-update/1212749
I will check this if the system is reachable.
Regards X23
-
FYI, I don’t know if the random MAC stuff is the issue, I could not reach the notebook today, the user was already gone for the weekend. I will report next week.
-
@Tom-Elliott @Wayne-Workman @george1421 Hey dudes, this random MAC option for WLAN was really enabled. Since I didn’t know it existed I have to disable this by GPO. This user enabled it on his own, he thought it would be a good idea. No, it’s not for FOG. Thank you Tom for giving the solving idea.
Where is the option to mark as solved? Can’t find it.