Hi everyone! My name is Juan and I'm new in this forum (and in this world!). You'll have to be patient with me, I'm afraid :) Yesterday I discovered that quite a clever neigbout is acceseing to my network, so I decided it was a good time to learn to use Wireshark. I detected 2 unknown devices, a PC and something that has been continuosly connected (I've been listening the whole night). It's definitely not mine, and I suppose it's some kind of WiFi repeater or an IOT device, but those are only guesses. I was hoping somebody with more experience than me (so, someone with at least some experience) here could give me any info regarding what it could be. Let me show you:
(being 192.168.1.1 my router's ip, 192.168.1.39 my own computer's ip and 192.168.1.35 the intruder's device ip) Thanks in advance, Juan asked 27 Dec '16, 01:02  Juan_90 edited 27 Dec '16, 01:21 showing 5 of 13 show 8 more comments |
& 
One Answer:
An interesting question. The MAC Address gives a first hint to the manufacturer. In your case we are looking at "Shenzhen". I never heard of this manufacturer, but a quick visit to a search engine delivers a short text snippet:
(Note: typos are present in the original text) Please keep in mind, that MAC addresses can be changed in software or the vendor IDs (the first 3 bytes in the MAC address) can be reassigned over time, for example when a manufacturer goes out of business. Both explanations are not very likely. So we assume for the moment, that we have a genuine ShenZhen MAC address. The text snippet mentioned above suggests, that the company manufactures and sells bulk quantities of gadgets which would be labeled with another brand. Maybe you can check your home for recent new devices, gadgets, christmas presents etc. This could be a smart watch, a GPS device, a fitness tracker, that Internet-enabled refrigerator, the new boom box, cloud-connected toy, internet-ready barbie or similar battery powered devices. If nothing comes up, let's move to the next step and run through the packets. The most interesting hint comes from the ICMP port reachable: This message refers to UDP port 137. This port is used for file sharing in Windows-based networks or Linux systems running the Samba service. The ICMP port unreachable gives some insight into the device:
The second point is quite important, as it rules out media players. The new garage door opener after all? (Hint: I would expect that a media player can load video or audio streams from an SMB share). Go, get em tiger Since your trace file does not give more information it is time to go hunting. Here are a few ideas:
Please post a tracefile that shows these DHCP packets. Here is what I hope to see:
Hint: You can focus a tracefile on DHCP by using the display filter bootp Wait, there is more. Since this is your network you might want to scan the system: Use the Linux utility nmap with option -O to identify the operating system: Since this is a Wireshark forum we would like to see a trace file of the nmap scan as well. With a bit of luck you will find a web server, an SSL certificate or other information that identifies the device. If everything else fails Professional WiFi systems use dedicated probes to show fancy heat maps or locate a rogue device. For home and small business networks, you might have an access point that shows the signal strength of all client systems. If your system has that feature (and your power cable is long enough) try to walk around your home to pinpoint the location of the device. Good hunting! answered 27 Dec '16, 13:21  packethunter nmap doesn't give me (apparently) much info (appart from the aggresive OS guesses I mentioned above, in a commentary) due to having all ports closed. I did the scan after both hourly packets from our strange device and packets from his pc stopped arriving despite both devices being connected to my network in that moment (don't really now if it has something to do with it, but a pity I didn't do that scan before traffic stopped existing). I tried rebooting my access point, but no reconnections happened by either his PC or our beloved device (28 Dec '16, 04:52) Juan_90 Within all the technical explanations we should not forget to go for the simple things: a) Change the password for your wireless. b) If you use Windows 10, make sure that your password is not synchronized to the Microsoft cloud. c) If the device still returns, check if a web server will answer (both HTTP and HTTPS) Cough. Preferably check your Windows 10 setting, before changing the wireless password. cough. Good luck (29 Dec '16, 14:03) packethunter Now I am dying to know what device it is. Please solve the mystery, please! :) (30 Dec '16, 00:48) koundi The intruder hasn't returned, after changing pwd, SSID, etc. I've just checked my Windows 10 setting and no synchro is activated since I do not use my laptop with a linked Microsoft account (thankfully!). Now I'm a bit worried about what info he could have got from me. I don't know if a should open a new question to look for some help analyzing this, or this is the correct place to ask for it and you guys could help me, but here you are: https://www.cloudshark.org/captures/f1e3bf3316eb I captured it the same morning I posted this, with capture filters for the MAC addresses of the strange device (7C:DD...) and the PC (00:26...) I detected. My IP was 192.168.1.39 and my MAC is supposed to have been anonymized to 99:99:99:99:99:99. Beyond the curiosity of knowing what the device was or whose neighbour is it, I'd like to know what has he tried to do and if he succeeded. (30 Dec '16, 06:22) Juan_90 |
Hi Juan, welcome, and no worries, everybody starts at some point. Just a word of advice: if you feel you need to anonymize/sanitize your PCAP files, don't forget that all decoded MAC addresses are also seen in the hex view pane at the bottom, which you didn't mask.
If you want to sanitize your PCAP you might want to check out TraceWrangler, about which I wrote a blog post here: https://blog.packet-foo.com/2016/11/the-wireshark-qa-trace-file-sharing-tutorial/
You're embarrasingly right Jasper, thanks for your appreciation. I'll take into account that tool, it might well be useful in the future. Thank you again!
Hi Juan, why do you want to know what device is connected? Do you want to block access for that device from your wi-fi router??
I'm just very curious because that's not one of my devices! If I am being stolen WiFi, at least I wanna know what it's stealing it. Blocking access for that device would be something to consider, for sure, but I suppose it'll be easier to change to a stronger pass rather than trying to block access one by one to all my intruder's devices.
As far as I know you can tell which corporation the NIC belongs to, using the MAC address. Beyond that, I am not sure If we can tell anything about the device itself. I am not too sure about this maybe some else will pitch in later.
I think you can do it the other way around as well by letting only your devices to connect to the wifi. But yes stronger password is the better idea. :)
I posted it wondering if somebody could know or think about devices which send that kind of broadcast packets every single hour in the day.
I've heard it's rather easy to fake having one of your device's MAC address to access to your network anyway, apart from the inconvenience that a 'White list' would create for non-tech members in the family and their guests.
was a filter applied on the second screenshot? or was it captured like this? It looks like the 1.35 IP address is trying to find the router which is not replying to the ARP Broadcast ??
Any IP device will try to find the MAC address of the programmed default gateway using an ARP request.(I am assuming that your static configuration has default gateway 192.168.1.1)
Try nmap or zenmap and point to the device. That can often give you more information, but no guarantee.
The only filter applied was a capture, MAC filter (capturing only the traffic from both the intruder's computer and this device, as far as I can understand), and as you may notice it's been capturing the same request from 23:00PM to 09:00AM (so I assume it needs to be a device which is permanenty connected to the network: IOT device, Smart TV, ¿?...). I keep watching, and the same ARP requests keep apprearing.
Just a workaround tip, but you may loose the current situtation,. If you have enough trace files collected. You can try to change your Wifi PWD and see what will happen.
nmap results (aggresive OS guesses, after unreliable results): 2N Helios IP VoIP doorbell (95%), Advanced Illumination DCS-100E lighting controller (95%), AudioControl D3400 network amplifier (95%), British Gas GS-Z3 data logger (95%), Denver Electronics AC-5000W MK2 camera (95%), Espressif ESP8266 WiFi system-on-a-chip (95%), Fatek FBs-CBEH PLC Ethernet communication board (95%), Grandstream GXP1105 VoIP phone (95%), iRobot Roomba 980 vacuum cleaner (95%), LaSAT satellite receiver (95%).
I think I'm changing the password soon, yeah.
You have some idea of what it is... not conclusive, but likely not a straight-up PC. Evidence supports your guess that it is an IOT type device. You can actually go find it - use signal strength to locate the device. Do you have wifi capture capability? If so, some creative filtering in Wireshark, perhaps even a graph of signal strength of this device Tx and walk around until the signal gets stronger.
What I don't have is time right now, I'm afraid... I've stopped getting packets from either the PC and our strange device and according to nmap, every port of both of them are close (altough they're still conected), so I suspect he can be aware of my research.
Just in case, I've changed the pwd and maybe I ask here for some help with the resarch of the PCAP I got this morning (if this forum is an appropiate place to do it and anyone is willing to help me). I'd like to make sure I have not had any data breach.
According to my totally novice look, I've deduced (using NetworkMiner - tool that I discovered early this morning) he has his own WorkGroup created and he may has also been using a Wiko phone and an Amazon Ebook Reader, apart from the PC and our strange device.