unknown mac vendor

I have a suspicious Wi-Fi access point MAC address ba:b2:a3:17:7b:b3 reported/displayed in the Symantec endpoint console. The MAC address vendor is unknown in the Wireshark vendor lookup tool. I have scanned our network to see if this MAC shows up anywhere, without any luck.

Here is the "explanation" from Symantec: The system administrators of this corporate Wi-Fi defined a set of properties identifying hotspots in the network. By analyzing the data from the WiFi connection Symantec identified a discrepancy that indicates a suspicious hotspot.

What to do next? I would like to hear if anyone has experienced a similar situation.

carlsap asked 2022-02-07 12:05:19 +0000
cmaynard updated 2022-07-14 03:23:42 +0000

1 Answer

Looks like MAC address randomization:

   MAC addresses can either be universally administered or locally
   administered.  Universally administered and locally administered
   addresses are distinguished by setting the second-least-significant
   bit of the most significant byte of the address (the U/L bit).
   One way to overcome this privacy concern is by using randomly
   generated MAC addresses.  As described in the previous section, the
   IEEE 802 addressing includes one bit to specify if the hardware
   address is locally or globally administered.  This allows generating
   local addresses without the need of any global coordination mechanism
   to ensure that the generated address is still unique within the local
   network.  This feature can be used to generate random addresses,
   which decouple the globally-unique identifier from the device and
   therefore make it more difficult to track a user device from its MAC/
   L2 address [enhancing_location_privacy].

MAC format showing position of LG bit:

.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)

CyberChef - hex to binary for MAC address

ba:b2:a3:17:7b:b3
10111010 10110010 10100011 00010111 01111011 10110011
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
1011 1010 1011 0010 1010 0011

LG bit is set in the MAC address.

(Related where search is needed for Random MAC addresses: Wireshark Random MAC Address display filter)

Chuckc answered 2022-02-07 15:00:56 +0000
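
The bit test described in the answer above, as an added example that is not part of the original answer: it decodes the I/G and U/L (LG) bits of the first octet and reports which observed addresses are locally administered and so have no vendor OUI to look up. The function names are hypothetical, and every sample address other than the one from the question is constructed from the IANA documentation ranges in RFC 7042.

```python
import re

def parse_mac(text):
    """Return the six address bytes; accepts ':', '-', '.' separators or none."""
    digits = re.sub(r"[:.\-]", "", text.strip())
    if not re.fullmatch(r"[0-9a-fA-F]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes.fromhex(digits)

def classify_mac(text):
    """Decode the I/G and U/L (LG) bits of the first octet."""
    mac = parse_mac(text)
    first = mac[0]
    local = bool(first & 0x02)  # second-least-significant bit: U/L (LG)
    group = bool(first & 0x01)  # least-significant bit: I/G
    return {
        "mac": ":".join(f"{b:02x}" for b in mac),
        "first_octet_bits": f"{first:08b}",
        "locally_administered": local,
        "group_address": group,
        # A locally administered address carries no vendor-assigned OUI,
        # so a vendor lookup on it cannot return a meaningful result.
        "oui": None if local else ":".join(f"{b:02x}" for b in mac[:3]),
    }

def locally_administered(addresses):
    """Return the normalized addresses that have the LG bit set."""
    results = (classify_mac(a) for a in addresses)
    return [r["mac"] for r in results if r["locally_administered"]]

# Constructed sample: the address from the question plus IANA
# documentation-range addresses (RFC 7042) in three common notations.
SAMPLE = [
    "ba:b2:a3:17:7b:b3",   # from the question
    "00-00-5E-00-53-01",   # documentation unicast, hyphen notation
    "0000.5e00.53af",      # documentation unicast, dotted notation
    "01:00:5e:90:10:01",   # documentation multicast
]

if __name__ == "__main__":
    for addr in SAMPLE:
        info = classify_mac(addr)
        print(f'{info["mac"]}  {info["first_octet_bits"]}  '
              f'local={info["locally_administered"]}  '
              f'group={info["group_address"]}  oui={info["oui"]}')
```
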