36

I noticed our Internet was bogged down. I checked the IP addresses of all devices connected and found the MAC addresses of the culprits:

[Image: blacklas hijacking our wifi]

Question: How to find their geographical location based on the MAC addresses?

I know they are in the neighborhood of Columbia, Md. 21045. One of them is an iPhone and another is an Android phone which should allow GPS triangulation, but that option is only available to the carrier and law enforcement.

Top Banana
  • 4
    You have your WiFi secured with WPA2, have you? – Marcel Jan 11 '17 at 10:12
  • 33
    You're going to struggle to resolve a mac to an identifiable person. Set up a MAC white list on your router and prevent any unknown devices connecting to it in the first place. – iainpb Jan 11 '17 at 10:26
  • 30
    What WiFi are you using? Surely your area coverage will not be huge.... They can't be further than a maximum of 150 feet (46 m) indoors and 300 feet (92 m) outdoors. So most likely it's someone around your house or a neighbour. If you absolutely don't want to allow unknown people to connect, do mac filtering. In that case, even if they get the wifi password the router should deny the connection. – sir_k Jan 11 '17 at 10:26
  • 1
    I'd most definitely take the opportunity to monitor traffic. Get wireshark, it won't only tell you what they're up to (if not 'usual' internet use), but may also provide clues to identity. –  Jan 11 '17 at 11:11
  • 4
    @iain, mac cloning is the easiest thing in the world. Set up a mac filtering is not a solution at all. You must secure your wifi: (disable wps, set up wpa2 with a very long and strong password using chars, numbers and symbols). You can reduce the power too in order to try get harder for them to use it so they will go to "bother to others" – OscarAkaElvis Jan 11 '17 at 11:38
  • 15
    @OscarAkaElvis mac cloning on an iPhone and Android device is not so easy, and whitelisting can be one of the layers of defence. Yes, it can be overcome, but it is a low-cost measure to take (as long as you take others too) – schroeder Jan 11 '17 at 11:39
  • 3
    I do mac cloning with my android and iPhone devices... so if I can, anybody can. I know you are only suggesting.... ok. But I'm only advising that could not solve the problem, that's all :) – OscarAkaElvis Jan 11 '17 at 11:43
  • 78
    Alert your legitimate users, turn off the router and look out of the window for the person using a smartphone that suddenly complains out loud – lorenzog Jan 11 '17 at 12:01
  • 4
    - yes, the MAC can be cloned reasonably easily, but the attacker would have to compromise the router and discover the MAC white list to clone a suitable address, this requires more skill than hopping on a poorly secured wifi network. Defence in depth as @schroeder says. – iainpb Jan 11 '17 at 12:14
  • 7
    @iain or they can just sniff around until a legitimate device connects... MAC addresses of clients aren't encrypted. – tangrs Jan 11 '17 at 14:55
  • 18
    @iain: You're correct that MAC whitelisting is relatively easy to defeat, and it isn't likely to foil dedicated hackers. But since OP has said that this is in a neighborhood and the leeches are likely just random neighbors looking to bum free wifi, I would say this is EXACTLY the sort of scenario where MAC whitelisting is likely to be effective. Sure, OP should tighten their WPA2 and ensure strong passwords, but a MAC whitelist is a great "Meh, why not" added measure in this case. – loneboat Jan 11 '17 at 15:20
  • 5
    @iain Tighten their WPA2? Does the OP ever say they have any kind of encryption enabled? Running unsecured wireless network is asking for trouble, and MAC whitelisting is absurdly low level of protection. OP should enable WPA and be done with it. – xmp125a Jan 11 '17 at 15:22
  • @xmp125a: I'm assuming you meant to @ me instead of iain (which is funny, because I made the exact same mistake in my comment above - replying to the wrong person). I had just assumed they had WPA2 enabled because good lord, who doesn't have it enabled?! ಠ_ಠ But yeah, you're right, OP doesn't mention it at all. Doh. – loneboat Jan 11 '17 at 21:22
  • 10
    "How to find their geographical location based on the MAC addresses?" - you can't, MAC addresses have nothing to do with geographical location. – user253751 Jan 12 '17 at 00:14
  • 3
    Why? What would you do if you found them? If you must run a WiFI network without WPA2 or never change your password, then setup chillispot or similar. – symcbean Jan 12 '17 at 14:05
  • 1
    Even attempting to geolocate someone is a dubious conduit legally speaking. You need to do the right thing and secure your network and banish all ideas of vigilante justice here. –  Jan 13 '17 at 05:33
  • 1
    This should answer the MAC address part of your question http://security.stackexchange.com/questions/89950/determine-the-location-of-a-laptop-based-on-its-mac-address And since you can't find a device by its MAC address, you can't get it to send its GPS location (or anything else) to you, even if you (legally or technically) could otherwise. Voting to close as a duplicate. Besides, I find it appalling that you post the addresses and hostnames without redaction -- what are you looking for, a witch hunt? Public shaming if someone happens to see the MAC somewhere? It's hardly conclusive evidence. – Luc Jan 13 '17 at 10:40
  • I used to live there (near Tamar Dr, Columbia) and I had the same issue. I was able to monitor when they connected by checking the logs on my router and I set up a security camera facing the entrance to my apartment complex. It was a group of 5 comp-sec students who lived above me. The video corresponded with the logs when they came in range. I never took it further than that because I was satisfied with my "proof" and honey-potted them. What I did was, 1. Not broadcast my router's SSID, 2. Use WPA2 3. honeypot to monitor, deflect, & counter their attempts. – Aage Torleif Jan 13 '17 at 14:52
  • If you have an open WiFi connection lots of devices will connect automatically. Either enable QoS bandwidth rules or enable WPA-2. Attempting to 'find' them might be intellectually interesting, but you can't cry foul about trespassing when you never even put up a sign. – Jeff K Feb 24 '17 at 21:04

8 Answers

70

Physically finding them is not easy. If you are really willing to catch them, buy a couple ESP8266 modules (search eBay for them), research this project a little, drop a couple modules around and you can probably find them. But will cost a lot of time, effort and some money.

Even if you cannot physically locate them, you can play some tricks with them:

  1. Install a captive portal, saying the network is an experiment on automated hacking and ask user to only continue if they agree. Ask for email or Facebook auth, or ask for a phone number to send a PIN to login.

  2. Install something like Upside Down Ternet, Backdoor Factory or AutoPwn.

  3. Put QoS in place on your router, and 1kbps bandwidth for anyone outside of a list.

  4. Install Responder along with mitmproxy, get all auth data you can.

My network is pretty secure, but sometimes I think about installing a WEP wifi network just to play around with internet thieves.

ThoriumBR
  • Comments are not for extended discussion; this conversation has been [moved to chat](http://chat.stackexchange.com/rooms/51683/discussion-on-answer-by-thoriumbr-unknown-suspects-hijacking-our-wifi-caught-th). – Rory Alsop Jan 12 '17 at 23:27
  • I like the idea of the guy who redirects everything to a cat picture site, for unauthorized users. – JDługosz Jan 13 '17 at 09:46
  • I would strongly suggest opting for #3. There's nothing illegal about it, and these "bad guys" may not actually know they're doing it. I had a neighbor, who I "caught" only to find out they didn't know they were roaming onto my network. #3 gives honest people the ability to notice the error, and dishonest people the incentive to look elsewhere. (NOTE: this happened back when WEP wasn't a common thing and people just let their traffic flow un-encrypted while using a VPN to tunnel sensitive data) – coteyr Jan 13 '17 at 09:49
  • 3
    This is insanely over the top for an average home user, and frankly serves only to confuse people who believe they have a problem. Would you ask your Mom to do the things you listed out above? – SnakeDoc Jan 13 '17 at 16:39
  • Please note that actual attacks are illegal in many places. And Upside-Down Ternet and such may not be so useful anymore now that TLS is so common. – forest May 16 '18 at 01:28
42

So the question is how to find their physical address location based on the mac address?

You can't, IP addresses and MAC addresses do not carry any location information.

Your access point may be able to give information on the signal strength, which could be used as an indication of the distance between the access point and the device. But not all brands are able to do so, and there are many more factors which may affect signal strength.

Your best option is to make sure your wireless network is secure: use WPA2, change your password, and possibly consider MAC filtering.

Teun Vink
  • 1
    I don't think you can put IP and MAC addresses in the same bag. Neither carry location information per se. But while the latter have absolutely no relation whatsoever to location, the former don't in theory, but they do in practice. – Martin Argerami Jan 12 '17 at 12:51
  • 5
    He's showing private (RFC1918) IP-space in his screenshot. How does that contain any location information? If it were public IP's, you could use whois databases and public GeoIP resources, but that's not the case here. – Teun Vink Jan 12 '17 at 14:43
  • Oh, if you were talking about the NAT addresses, then of course. I wasn't looking at your sentence in that context. – Martin Argerami Jan 12 '17 at 16:06
20
  1. Change your WiFi Password - make sure it's strong.

  2. Make sure you are using WPA/WPA2

  3. Check your "plugged in" devices. They show up in the MAC list as well, and just because something says "Android" doesn't mean it's a phone.

  4. Ensure your router's admin password is not the default.

Just because they are on that list doesn't mean the device is still connected. It could have been your friend that came over earlier and his phone attached to the WiFi, and you're just seeing the entry the router remembers (so that it can re-assign the same IP if that device returns shortly).

Nobody is hacking your WiFi. That's a sexy story, but it simply doesn't really happen in the real world to regular people. You're not an important enough target, and certainly not worth all the effort to crack WPA/WPA2. Follow steps 1-4 above, and you're going to be just fine.

Machavity
SnakeDoc
17
  1. MAC addresses are tied to equipment manufacturers. So MAC address can tell you the vendor that produced the device that is accessing your network, and not a bit more. You can use that page for a lookup, there are probably many more out there:

    http://aruljohn.com/mac.pl

  2. Relying solely on whitelisting MAC addresses is an extremely bad practice security-wise, since MAC addresses of personal computers (including notebooks) can be easily changed (therefore limiting the usefulness of the MAC lookup anyway). You can bet that the malicious user will change their MAC to one of the whitelisted ones (can be obtained by sniffing the traffic), unless he is absolutely clueless.

    Please use proper encryption on your network (WPA).

e-sushi
xmp125a
  • 2
    Equipment manufacturers have ranges of MAC addresses assigned that they are supposed to use, but often make no effort to prevent their devices from being programmed to report other MAC addresses. Indeed, on many devices there is a configuration option that can be used to set any MAC address the operator sees fit. – supercat Jan 11 '17 at 15:24
  • 2
    "So MAC address can tell you the vendor that produced the device that is accessing your network" Actually a little less, since they can be [spoofed](https://en.wikipedia.org/wiki/MAC_spoofing). – jpmc26 Jan 11 '17 at 20:34
  • MAC addresses can be spoofed. For hackers they're not just "another vector of authentication", rather, they start with your MAC addy. They don't care what they are. It doesn't matter if you're filtering. You only stop average persons with MAC filters. If a colleague were to walk up to me and ask about using MAC addresses to secure their wifi network I would say that it's probably a very, very bad idea to "secure" your network with MAC filters. I might even pantomime finger-quotes when I say "secure". Perhaps changing "extremely bad" to "extremely ineffectual" would be more defensible, though. – Shaun Wilson Jan 12 '17 at 04:57
  • @jpmc26 I agree, and I disclosed this in my answer. However, if you operate network with no security whatsoever, most people will not bother to spoof MAC on devices where this cannot be done easily (phones, tablets?) and potentially you will be able to find them by identifying the vendor. Only in this case. And yes, as soon as you start whitelisting MACs and intruders adapt, this avenue is gone. – xmp125a Jan 12 '17 at 05:31
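The two checks discussed in the answers above, as an added example that is not part of any poster's answer: it flags lease entries missing from an allowlist, marks leases that have already expired (an entry the router merely remembers), and attempts a vendor lookup only when the MAC is vendor-assigned rather than chosen by software. The dnsmasq-style lease layout, the OUI table, the sample leases and all function names are assumptions constructed for illustration.

```python
import re

# Constructed OUI table; a real audit would load the IEEE registry instead.
VENDORS = {"001122": "Example Vendor A", "a0b1c2": "Example Vendor B"}

# Constructed sample in dnsmasq lease-file layout (assumed):
# expiry-epoch MAC IP hostname client-id
LEASES = """\
1700003600 00:11:22:44:55:66 192.168.1.10 laptop 01:00:11:22:44:55:66
1700000100 DA-A1-19-AA-BB-CC 192.168.1.23 android-phone *
1700003000 a0:b1:c2:01:02:03 192.168.1.31 * *
not a lease line
"""

def normalize_mac(mac):
    """Return the MAC as 12 lowercase hex digits, or raise ValueError."""
    digits = re.sub(r"[:.\-]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def is_locally_administered(mac):
    """True if the U/L bit (0x02 of the first octet) is set: the address was
    chosen by software (randomized or manually set), not assigned by a vendor."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)

def vendor_of(mac, vendors=VENDORS):
    """OUI lookup; None when the OUI is unknown or the lookup is meaningless."""
    if is_locally_administered(mac):
        return None
    return vendors.get(normalize_mac(mac)[:6])

def audit(leases, allowlist, now):
    """List lease entries whose MAC is not on the allowlist."""
    known = {normalize_mac(m) for m in allowlist}
    findings = []
    for line in leases.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # too short to be a lease entry
        try:
            expiry, mac = int(fields[0]), normalize_mac(fields[1])
        except ValueError:
            continue  # skip malformed lines
        if mac in known:
            continue
        findings.append({
            "mac": mac, "ip": fields[2], "hostname": fields[3],
            # an expired lease is only an entry the router still remembers
            "lease_expired": expiry != 0 and expiry <= now,
            "locally_administered": is_locally_administered(mac),
            "vendor": vendor_of(mac),
        })
    return findings
```

A finding with `locally_administered` set carries no vendor information at all, which is the normal case for phones that randomize their Wi-Fi MAC.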
5

If you want to find the source you need to triangulate the wifi signal with an access point, either the router itself or perhaps something small like a raspberry pi or laptop configured to look like your router (turn the router off, map the area.)

The process is similar to 'warchalking', you can expect to be on foot and checking wireless signal strengths.

You could also set up multiple hotspots around the area, then see which hotspot(s) the client connects to. This could let you map their movements if "they" are configured to autoconnect. Again, you could use some low-cost battery-powered raspberry pis for this as well. The hotspots can be placed anywhere, in theory, including intersections and paths leading in/out of your neighborhood/complex. Pair that with some cameras and you would know who was using your wifi.

It's less work to reconfigure your network (MACs can be spoofed, so, really you want a better authentication protocol and to routinely change out secrets/passwords/keys).

Shaun Wilson
  • 1
    You could also use directional antennas on a router to target a specific direction. If the device disappears from the table you know it's in another direction. The narrower the beam, the more precise it can be to pinpoint. Using a cantenna you could probably use it to pinpoint it. – werfu Jan 13 '17 at 21:43
4

A MAC address may have once been conceived of as a unique identifier for a piece of hardware, but in reality it's just a configurable driver parameter.

If your culprits have the know-how of how to circumvent even the simplest of real-world security measures, you can be pretty sure they know how to change their MAC-address.

There is a great utility called macchanger for Linux, that is really easy to use. For Windows, your wifi driver has this function (unless purposefully stripped of it by the vendor).

It is a security issue that people believe that a MAC address is something unchangeable. Consider that the MAC address is sent un-encrypted with every packet, so anyone can mask as anyone else, as far as the MAC-address goes. Finding someone's MAC address gives you next to nothing to identify them. Think of it only as a parameter used to make low-level communication work, nothing more.

4

Following ThoriumBR's excellently nefarious suggestions you could possibly (if the perpetrators are not smart) create a trap page that requests the device's location - obviously most computers won't have this, and security conscious types will turn it off, but most mobile devices by default have location services enabled, allowing you to snag a GPS coordinate or (less accurate) location based on the SSIDs of nearby hotspots.

Triangulating wifi devices by signal strength etc. sounds like it should be easy but it's not, there have been so many attempts and no-one has yet managed it to any convincing level. What law enforcement have access to is triangulation based on the locations of cell towers that can "see" the phone, obviously that requires access to the carrier's backend network and you're not getting that.

GPS location you can get through a simple web page served from your network with some javascript.

In general though - secure your router, create a MAC whitelist, perhaps upgrade to a better/smarter router with stronger security etc. and/or OpenWRT if yours has some known weakness or is a cheapy consumer-grade device.

schroeder
John U
2

Capture the HostTrace.. if you have HostTrace and MAC it should be easy for a team to nail down the location. FYI : some equipment allows MAC spoofing, so I always capture the PCName as well.

old school server method.. Request.ServerVariables[""] .NET commands require [control.]

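```csharp
// `control` is the current ASP.NET Page or Control.
string forwardedFor = control.Request.ServerVariables["HTTP_X_FORWARDED_FOR"]; // client IP as reported by a proxy, if any
string remoteAddr   = control.Request.ServerVariables["REMOTE_ADDR"];          // IP of the connecting peer
string hostAddress  = control.Request.UserHostAddress;
string remoteHost   = control.Request.ServerVariables["REMOTE_HOST"];
string hostName     = control.Request.UserHostName;
string browser      = control.Request.Browser.Browser;
string platform     = control.Request.Browser.Platform;
string userAgent    = control.Request.UserAgent;

// trace: use this to trace all IPs returned on user when they are connected.
string[] pop = System.Net.Dns.GetHostEntry(control.Request.UserHostAddress).HostName.Split(new Char[] { '.' });
```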
  • 2
    OP wants to know how to geographically locate a person from a MAC address. How does your post answer that? I don't see how it does. – user2320464 Jan 12 '17 at 20:17
  • if you use the trace method, you can trace router to router to PC. That is usually enough. Often times the Points of Presence (POP)s along the way have names similar to the way airports are named, like OHTOL for Toledo, Ohio. – Joseph Poirier Jan 17 '17 at 03:51
  • ps. Technically this is not the same question as the one from 2015. However, if there was a valid answer on the other question I could see pointing to it. But as it stands the other question's answers really have no relevance to this one. In fact, without a single answer of value, the forum team should probably just remove the other question if resolved. – Joseph Poirier Jan 17 '17 at 04:03
  • came back to review my answer here, needed it for another website plugin I'm working on. LOL. I'm completely shocked that someone marked this question as duplicate to a completely different type of question. This question is from a Server perspective.. the other question would require a global sniffer or geolocation beacon to resolve the issue. It's about a stolen PC. An admin should really review the differences between these two questions. – Joseph Poirier Apr 11 '19 at 22:20