25

I own a small coffee shop in a highly populated area. We've noticed that several computers are connecting to our WiFi network using spoofed MAC addresses (e.g. 11:22:33:44:55:66). Is there any way of identifying these machines? Is there any way to determine who these users are? I've been manually blocking these MAC addresses but they just create new addresses.


Why do we block them? Because we've been notified by our ISP that these devices are using our WiFi to perform nmap scans. They aren't just "browsing", they're using our account to find open ports on machines all over the net.

nobody
  • 11,251
  • 1
  • 41
  • 60
Moth Yelby
  • 353
  • 2
  • 6
  • 11
    Why do you block them? They are honest enough to let you know they use spoofed addresses. Maybe others are using random spoofed addresses that are not viewable to the bare eye. Maybe others are even capturing real MAC addresses on the network and using them when that person/device is not there anymore.... – Toni Homedes i Saun Apr 19 '22 at 15:11
  • 8
    @ToniHomedesiSaun Why do we block them? Because we've been notified by our ISP that these devices are using our WiFi to perform nmap scans. They aren't just "browsing", they're using our account to find open ports on machines all over the net. – Moth Yelby Apr 19 '22 at 15:34
  • 1
    @moth-yelbi good point. Hope somebody else knows how to have a firewall detect the scans and block those machines automatically. – Toni Homedes i Saun Apr 19 '22 at 15:45
  • 27
    You might want to ask a new question about how to block port scans (e.g. using a firewall that rate-limits connection initiations), instead of how to find MAC address spoofers. – Bergi Apr 19 '22 at 23:36
  • 1
    Step 1 in dealing with port scans: ensure an unencumbered Linux environment on your router/server. Step 2: install `psad`: http://cipherdyne.org/psad/. – Will Apr 21 '22 at 01:58
  • Please note that a lot of phones have options (that are enabled by default) to log in with random mac addresses. – PlasmaHH Apr 21 '22 at 14:55
  • Some Android phones automatically use a pretend MAC address to prevent tracking, so if you block spoofed MACs you will prevent legitimate customers too! – questioner Apr 21 '22 at 16:08
  • PSAD is the correct answer to your problem – NMBR5 Apr 22 '22 at 20:12

4 Answers

52

Detecting and blocking spoofed MAC addresses is a losing game. As Toni pointed out, the attackers could just start copying MAC addresses of real devices so you would have no practical way to stop them. In fact, it would just lead to denial of service for some of your legitimate customers.

Instead, you could configure a firewall on the router to block outgoing connections to all ports except port 53 (DNS), 80 (HTTP) and 443 (HTTPS)*. This way, most of your regular customers will be able to continue browsing normally, and your wifi will be useless for people attempting nmap scans.


*You might also want to allow common VPN ports, since a lot of people tend to use a VPN on public WiFis. Of course, this means people will be able to conduct nmap scans from your WiFi over VPN, but in that case, it should be the VPN provider's headache.

nobody
  • 11,251
  • 1
  • 41
  • 60
  • I don't get it. How does a FW config stop nmap scans on the intranet? – sandyp Apr 19 '22 at 20:26
  • 6
    @sandyp nmap scans are usually used to find open ports on targets. If the firewall simply drops connections to any port that is not 80 or 443, nmap will not be able to scan for any open ports other than 80 and 443. – nobody Apr 19 '22 at 21:12
  • 15
    What about email? And all the other useful ports? Depending on the clientele, just browsing the web won't be enough. – Bergi Apr 19 '22 at 23:32
  • 3
    @Bergi Unless the coffee shop is catering to a very specific audience of programmers or sysadmins, browsing the web is definitely enough. If they do cater to programmers/sysadmins, allow VPN ports and tell them to connect over a VPN if they want to ssh/ftp into a remote device. – nobody Apr 19 '22 at 23:49
  • 1
    @nobody Totally missed the comments. It makes sense now. Re: C2 traffic, sure many of them do but a lot of them don't :). – sandyp Apr 20 '22 at 00:17
  • 23
    @nobody _"Unless the coffee shop is catering to a very specific audience of programmers or sysadmins, browsing the web is definitely enough."_ - I disagree; Checking e-mail using a local client seems like a perfectly valid use-case, and that would require several more ports (I'd say at least imaps and submission). There's also plenty of "normal" people who use VPNs, especially on foreign wifi hotspots. I suspect Web + Mail + VPN would cover most people's bases though. – marcelm Apr 20 '22 at 08:41
  • 2
    @marcelm Most mail can be accessed through the web as well, so I don't think it will cause many complaints from customers. Likely the users will think it's a bug with their client and just switch to the web client. If it does cause complaints though, you definitely can whitelist smtp, pop3 and imap as well. – nobody Apr 20 '22 at 10:15
  • On the other hand, ports 80 and 443 are pretty much enough to do a great deal of malicious things on the 'net. I think the better option is to implement some sort of authentication. – fraxinus Apr 20 '22 at 18:06
  • 12
    -1 now nobody can do any sw dev work at your coffee shop because the ssh port is blocked (needed for any authenticated git push/pull among many other things). – R.. GitHub STOP HELPING ICE Apr 20 '22 at 20:17
  • 2
    You can involve the help of these SW engineers to devise a way to protect the network. Firewall the ports, let them know there is a malicious user among them, and post a suggestion box to catch / fix the issue. The perpetrator may just leave because most of them don't expect the coffee shop to care. – Nelson Apr 21 '22 at 01:28
  • 12
    You are the reason that everything is running on port 80 and 443. DNS over HTTPS, git over https, ssh over https... Then people like you moan that DNS over HTTPS is breaking the internet. Simply rate limit the creation of entries on the NAT and you are done. – Aron Apr 21 '22 at 06:21
  • @R..GitHubSTOPHELPINGICE you assume the coffee shop doesn't want to kick software developers out... – user253751 Apr 21 '22 at 15:58
  • 1
    @user253751: Why would you want to kick them out if they're sitting around all day buying one expensive coffee after another? If they're not buying anything, sure, kick them out for not buying anything, but not for using the space to work while they faithfully consume your product. – R.. GitHub STOP HELPING ICE Apr 21 '22 at 16:04
  • @nobody Most mail ... I use the Gmail client to check mail on my ISP's IMAP server and another to do SMTP, which means that I definitely need IMAPS and port 2525 or something like that. – Stefan Skoglund Apr 22 '22 at 13:05
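An added example, not part of nobody's answer or of the comments: a POSIX shell script that builds an nftables ruleset for a Linux router implementing the egress allowlist described above (DNS, HTTP, HTTPS, plus the VPN ports the footnote mentions) together with the per-client new-connection rate limit that Aron's comment suggests. The interface names wlan0/eth0, the table name guest_fw, the specific VPN port list and the burst/rate values are assumptions; adjust them to your router.

```shell
#!/bin/sh
# Added example (not from the original post): nftables rules for a guest WiFi
# segment. Assumptions: guest clients arrive on $GUEST_IF, the ISP uplink is
# $WAN_IF, and the router already does NAT and routing for the guest segment.
set -eu

GUEST_IF="${GUEST_IF:-wlan0}"   # assumed guest WiFi interface
WAN_IF="${WAN_IF:-eth0}"        # assumed uplink interface

# Print the ruleset to stdout; keeping it in a function lets it be reviewed
# (or tested) without touching the live firewall.
build_ruleset() {
cat <<EOF
table inet guest_fw {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # This chain only governs traffic from the guest segment to the uplink.
        iifname != "$GUEST_IF" accept
        oifname != "$WAN_IF" drop

        # Replies and related packets for connections already allowed.
        ct state established,related accept

        # Per-client budget for new connections (IPv4 clients): a burst of 30,
        # then 2 per second. Fast port scans exceed this; browsing does not.
        # Placed before the allowlist so that scans of ports 80/443 across
        # many hosts are limited too.
        ct state new meter newconn { ip saddr limit rate over 2/second burst 30 packets } log prefix "guest-ratelimit " drop

        # Allowed destinations: DNS, HTTP, HTTPS.
        udp dport 53 accept
        tcp dport { 53, 80, 443 } accept

        # Common VPN ports (assumed list): WireGuard, OpenVPN, IPsec IKE/NAT-T.
        udp dport { 51820, 1194, 500, 4500 } accept

        # Everything else is refused and logged, so the owner can see what
        # clients are trying to reach before deciding to widen the allowlist.
        log prefix "guest-blocked " drop
    }
}
EOF
}

# Load the ruleset atomically (requires root and the nft binary).
apply_ruleset() {
    build_ruleset | nft -f -
}

case "${1:-show}" in
    apply) apply_ruleset ;;
    *)     build_ruleset ;;
esac
```

Run it with no arguments to review the generated rules, and with `apply` as root to load them. Blocked and rate-limited packets show up in the kernel log with the `guest-blocked` / `guest-ratelimit` prefixes, which is the raw material a psad-style detector works from.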
18

Just use authentication like a great deal of local coffee shops here do.

Their usual strategy is to change the password every day and post it on a note near the cash desk. Or print it on the receipts. Or give it on request.

This way they weed out the bandwidth abusers that are not their clients, but also the malicious users.

Annoying, but also safer and brings a better experience to the legitimate users who don't share the bandwidth with the nearby leechers.

fraxinus
  • 3,425
  • 5
  • 20
  • 5
    And if you notice someone completely new who starts walking in every day to check the note with the password and then just walks out, you'll have with great likelihood identified the suspect. – vsz Apr 21 '22 at 04:40
  • 2
    @vsz Not necessarily. It just means you've very likely identified a user of the network who was not a customer. This may mean they're not a "legitimate user" in the sense that they are patrons of the coffee shop, but it doesn't imply they're the problem user who is performing the port scans. – forest Apr 22 '22 at 21:35
  • @vsz the one doing the port scans is most probably a single visit customer with sunglasses who paid in cash. On the other hand, depending on the season and location, half of the customers may look exactly like this. – fraxinus Apr 22 '22 at 22:14
  • @fraxinus : the point was that by changing the password frequently, being a "single-visit customer" won't be viable any longer. – vsz Apr 23 '22 at 13:11
10

This is a theoretical technique and may not be practical without putting in sufficient effort to develop and test your own detection tool. I'm leaving this here because it is a possible technique and it works.

You may be able to fingerprint the MAC address, and in some cases, even discover the original, unspoofed address. This would allow you to match two spoofed MAC addresses as belonging to the same machine, and apply a block to that new MAC address. From a research paper on the subject:

We present several novel techniques to track (unassociated) mobile devices by abusing features of the Wi-Fi standard. This shows that using random MAC addresses, on its own, does not guarantee privacy.

First, we show that information elements in probe requests can be used to fingerprint devices. We then combine these fingerprints with incremental sequence numbers, to create a tracking algorithm that does not rely on unique identifiers such as MAC addresses. Based on real-world datasets, we demonstrate that our algorithm can correctly track as much as 50% of devices for at least 20 minutes. We also show that commodity Wi-Fi devices use predictable scrambler seeds. These can be used to improve the performance of our tracking algorithm. Finally, we present two attacks that reveal the real MAC address of a device, even if MAC address randomization is used. In the first one, we create fake hotspots to induce clients to connect using their real MAC address. The second technique relies on the new 802.11u standard, commonly referred to as Hotspot 2.0, where we show that Linux and Windows send Access Network Query Protocol (ANQP) requests using their real MAC address.

forest
  • 64,616
  • 20
  • 206
  • 257
  • 15
    While (theoretically) workable and absolutely fascinating, implementing this paper may be a bit high effort-wise for the benefit. OP: if you do decide to go that route, give us a followup pls – Hobbamok Apr 20 '22 at 10:54
3

Based on your updated question, this is a classic case of an XY problem. Specifically, what you really want here is to stop people engaging in abusive activity on your internet link, they just happen to be using spoofed MAC addresses to do this.

Blocking spoofed MAC addresses won’t actually stop anybody from engaging in abusive activity, and it may actually block legitimate customers (most devices these days support MAC randomization, where they use a randomly selected spoofed MAC address for each unique network they connect to, to prevent tracking, and it is becoming increasingly common for this to be enabled by default).

The correct approach here is to block the abusive behavior. There are a couple of ways you can do this:

  • Limit which ports you actually allow connections to. This only partially solves the problem (because people could still just abuse those ports you allow through), and runs the risk of preventing otherwise legitimate usage of your network, so I really would not recommend this approach, but it’s also the easiest to implement.
  • Make it difficult for people who are not actual customers to use your WiFi. Change the password regularly, and then only provide it on receipts or somewhere else that someone who is not a customer could not easily check. This will prevent somebody from sitting in a car on the street in front of your store from readily using your WiFi, which will significantly disincentivize abusive behavior (because the perpetrators will have to actually come into the store), and is generally a good idea anyway (as it will also disincentivize people using your WiFi to attack your customers' systems for the same reasons).
  • Use a captive portal setup requiring some initial manual interaction before a system can access the internet. These are relatively normal at many businesses for public WiFi, and will trivially shut down many opportunistic attackers (because they won’t take the time to work around it). In some places, if done correctly, this can also be used to at least partially waive your legal liability for any activity your customers take online by presenting appropriate terms of service to the user and requiring them to accept it to connect.
  • Limit the rate at which new connections can be established. Ideally in such a way that a given client can establish a few dozen all at once, and then after that is limited to something much lower, such as 1-2 per second (this is trivial to implement on any Linux or FreeBSD based firewall system). This will effectively shut down port scanning without significantly disrupting legitimate usage, because port scanning is only practical if it can be done quickly, and doing it quickly means hundreds or thousands of new connections per second, but 99% of legitimate usage only needs a small burst of a dozen or so new connections every now and then.
  • Use an active detection system, such as psad, and leverage the logging from that to actively block such activity. This is the most complicated option to implement, but if done right will also result in the least disruption to legitimate usage.
Austin Hemmelgarn
  • 1,625
  • 7
  • 9
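An added example, not part of Austin Hemmelgarn's answer, of the logging-driven detection the last bullet describes, in the spirit of psad but deliberately minimal: a POSIX shell/awk function that reads netfilter-style kernel log lines (the `SRC=`/`DST=`/`DPT=` fields that iptables and nftables `log` rules emit) and flags any client address seen trying to reach more than a threshold of distinct host:port pairs. A client that hits one blocked port once (a mail client trying IMAPS, say) stays under the threshold; a client sweeping a host's ports, or one port across many hosts, does not. The log lines below are constructed for the example; the `guest-blocked` prefix and the threshold of 5 are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): a small psad-style port-scan
# detector over netfilter log lines. Assumes the standard kernel log format
# produced by an nftables/iptables "log prefix" rule.
set -eu

# Constructed sample log: one client sweeping eight ports on one host,
# one client that merely tried a single blocked port (IMAPS), and a line
# that is not a firewall log entry at all.
sample_log() {
cat <<'EOF'
Apr 19 15:11:02 router kernel: guest-blocked IN=wlan0 OUT=eth0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.50.23 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1001 DF PROTO=TCP SPT=51234 DPT=21 WINDOW=64240 RES=0x00 SYN URGP=0
Apr 19 15:11:02 router kernel: guest-blocked IN=wlan0 OUT=eth0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.50.23 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1002 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Apr 19 15:11:02 router kernel: guest-blocked IN=wlan0 OUT=eth0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.50.23 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1003 DF PROTO=TCP SPT=51236 DPT=23 WINDOW=64240 RES=0x00 SYN URGP=0
Apr 19 15:11:02 router kernel: guest-blocked IN=wlan0 OUT=eth0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.50.23 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1004 DF PROTO=TCP SPT=51237 DPT=25 WINDOW=64240 RES=0x00 SYN URGP=0
Apr 19 15:11:03 router kernel: guest-blocked IN=wlan0 OUT=eth0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.50.23 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1005 DF PROTO=TCP SPT=51238 DPT=110 WINDOW=64240 RES=0x00 SYN URGP=0
Apr 19 15:11:03 router kernel: guest-blocked IN=wlan0 OUT=eth0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.50.23 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1006 DF PROTO=TCP SPT=51239 DPT=143 WINDOW=64240 RES=0x00 SYN URGP=0
Apr 19 15:11:03 router kernel: guest-blocked IN=wlan0 OUT=eth0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.50.23 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1007 DF PROTO=TCP SPT=51240 DPT=445 WINDOW=64240 RES=0x00 SYN URGP=0
Apr 19 15:11:03 router kernel: guest-blocked IN=wlan0 OUT=eth0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.50.23 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1008 DF PROTO=TCP SPT=51241 DPT=3389 WINDOW=64240 RES=0x00 SYN URGP=0
Apr 19 15:12:40 router kernel: guest-blocked IN=wlan0 OUT=eth0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.50.40 DST=198.51.100.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2001 DF PROTO=TCP SPT=40022 DPT=993 WINDOW=64240 RES=0x00 SYN URGP=0
Apr 19 15:12:41 router dhcpd: DHCPACK on 192.168.50.40 to aa:bb:cc:dd:ee:ff via wlan0
EOF
}

# detect_scans THRESHOLD  (log lines on stdin)
# Prints "<client address> <distinct host:port pairs>" for each client whose
# count exceeds THRESHOLD. Counting distinct pairs, not packets, keeps a client
# that retries one blocked port many times from being flagged.
detect_scans() {
    awk -v thr="$1" '
        {
            src = ""; dst = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "SRC") src = kv[2]
                else if (kv[1] == "DST") dst = kv[2]
                else if (kv[1] == "DPT") dpt = kv[2]
            }
            # Lines without all three fields are not firewall log entries.
            if (src == "" || dst == "" || dpt == "") next
            key = src SUBSEP dst ":" dpt
            if (!(key in seen)) { seen[key] = 1; targets[src]++ }
        }
        END {
            for (s in targets) if (targets[s] > thr) print s, targets[s]
        }' | sort
}

# With "demo", analyse the constructed sample; otherwise read real log lines
# from stdin, e.g.:  journalctl -k | grep guest-blocked | ./detect.sh 5
case "${1:-}" in
    demo) sample_log | detect_scans 5 ;;
    "")   ;;
    *)    detect_scans "$1" ;;
esac
```

On the sample, `demo` reports only `192.168.50.23 8`; the client that tried IMAPS once is not flagged. Feeding the flagged addresses into a firewall set (or simply reviewing them against the MAC addresses in your DHCP leases) is the "leverage the logging" step the answer describes, and a real deployment would add a time window so that a count accumulated over a whole day does not trigger on a client that just changes websites a lot.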