I've found a strange hostname in my dhcpd.leases file and I'm wondering what steps I should take in response.

I have a simple home network: my modem is plugged into a router running OpenBSD 6.0, and a laptop and an old Netgear router in WAP mode are connected to the router. (The router also has a wireless networking card that's been in host mode with a WPA key set and no physical antennas attached, so it should have been both secure and effectively invisible.)

Within the last 24 hours, I noticed my WAP behaving strangely. It's broadcasting on the 2.4 GHz and 5 GHz bands (both password protected), and while I could log in as usual using the 2.4 GHz SSID, the 5 GHz SSID was consistently rejecting my correctly entered password. I physically powered off my WAP and turned it back on, and everything started working normally again. I started poking around my router, though, and discovered something odd in /var/db/dhcpd.leases. There was a lease listed for an unfamiliar hostname, granted a couple of days ago. The hostname was human-readable and non-googleable -- something like "DESKTOP-F00BAR." The MAC address indicates that it's an Asus machine, and I don't have any Asus devices running in my home.

To my naive eyes, it looks like I've suffered a wireless network intrusion, albeit a benign-seeming one, but I have no idea how it could have happened or what to do next. I've searched my logs but haven't found anything relevant. What's the proper course of action in this situation? Is it possible that my Netgear device is on the fritz and somehow left the network open for some period of time? Is there some other obvious potential vulnerability that I'm overlooking? I apologize for the vagueness of this question; it seems like I should do something, but I really don't know how to proceed.

Ben

Comments:

  • Change passwords? 'Asus' might merely be the manufacturer of the NIC, and not the whole machine. – schroeder Apr 12 '17 at 06:20
  • Well, I'm embarrassed. Your comment reminded me that I briefly hooked up an old desktop with an ASUS motherboard this weekend. Sure enough, it has the same MAC address as I saw in my logs. I'd completely forgotten about it. False alarm -- but that said, I have no idea where the hostname, "DESKTOP-NE0L00T", came from. Some sort of bizarre randomly generated Windows 10 default, perhaps. – Ben Apr 13 '17 at 01:24
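The lease file the question refers to can be checked against an inventory of the owner's own devices, which is the quickest way to confirm or rule out an unfamiliar host. This is an added example, not code from the question or any answer: it parses the record layout OpenBSD's dhcpd writes to /var/db/dhcpd.leases, using a constructed sample file and an assumed known-device list (KNOWN_MACS), and it keeps only the most recent record per MAC because dhcpd appends rather than rewrites.

```python
import re
from collections import namedtuple

Lease = namedtuple("Lease", "ip mac hostname ends")

# Constructed sample in the layout OpenBSD's dhcpd writes to /var/db/dhcpd.leases
# (made-up addresses and names). The file is append-only, so 192.168.1.20 recurs.
SAMPLE_LEASES = """\
lease 192.168.1.20 {
  starts 6 2017/04/08 10:00:00 UTC;
  ends 6 2017/04/08 22:00:00 UTC;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "laptop";
}
lease 192.168.1.37 {
  starts 0 2017/04/09 18:30:00 UTC;
  ends 1 2017/04/10 06:30:00 UTC;
  hardware ethernet 00:11:22:aa:bb:cc;
  client-hostname "DESKTOP-F00BAR";
}
lease 192.168.1.20 {
  starts 1 2017/04/10 08:00:00 UTC;
  ends 1 2017/04/10 20:00:00 UTC;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "laptop";
}
"""
# Assumed inventory of the owner's own devices (placeholder, not from the page).
KNOWN_MACS = {"00:11:22:33:44:55"}

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)

def parse_leases(text):
    """Lease records in file order; the same MAC may appear more than once."""
    leases = []
    for m in LEASE_RE.finditer(text):
        ip, body = m.group(1), m.group(2)
        mac = re.search(r"hardware ethernet\s+([0-9A-Fa-f:]+);", body)
        host = re.search(r'client-hostname\s+"([^"]*)";', body)
        ends = re.search(r"ends\s+\d\s+(\S+ \S+)", body)   # "2017/04/10 06:30:00"
        leases.append(Lease(ip, mac.group(1).lower() if mac else None,
                            host.group(1) if host else None,
                            ends.group(1) if ends else None))
    return leases

def unknown_devices(text, known_macs=KNOWN_MACS):
    """Current lease per MAC (last record wins) for hardware not in the inventory."""
    current = {l.mac: l for l in parse_leases(text)}
    known = {k.lower() for k in known_macs}
    return [l for l in current.values() if l.mac not in known]
```

Run it against the real file with `unknown_devices(open("/var/db/dhcpd.leases").read())`; anything it returns is a lease handed to hardware you have not inventoried, which is what to investigate (or, as happened here, recognise as a forgotten machine).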

3 Answers

You can leverage arpwatch to notify you the second it broadcasts on your network again and also use a tool like Wireshark to capture traffic and see what the device is communicating to (logging DNS queries sometimes works too). Sometimes IoT devices like thermostats, toys, equipment or even certain operating systems will call home on a regular basis looking for updates. This may help you figure out what type of device this is and make it easier to find.

Alternatively, you could get a directional antenna and a tool like Kismet next time the device is on-line and try to locate it via signal strength.

Trey Blalock

I would recommend changing the password for the admin page for your router along with the wireless passwords. It might be a bit of a pain, since you have to reconnect any wireless devices, but depending on the complexity of the original wireless password someone might've been able to capture the WPA handshake and crack the password. If you have WPS enabled on the router, I would also recommend disabling it.

Miguel

It turns out this was a false alarm. The MAC address actually came from an old desktop that I'd briefly hooked up and forgotten about.

Ben