How to detect a rogue device

Greetings friends. Looking for help.

Today, I was checking my edge router (running OpenWrt) logs. There are many repeating suspicious DHCPDISCOVER and DHCPOFFER for a device with MAC address 00:e0:4c:6e:02:57 in the morning (like 20) and then it starts repeating again after noon.
I don't have a device with such a MAC address and also cannot determine the manufacturer from the first two hex numbers. It looks like a fake MAC address.

Sat Mar 21 14:56:59 2020 daemon.info dnsmasq-dhcp[10305]: DHCPDISCOVER(br-lan) 00:e0:4c:6e:02:57
Sat Mar 21 14:56:59 2020 daemon.info dnsmasq-dhcp[10305]: DHCPOFFER(br-lan) 192.168.81.137 00:e0:4c:6e:02:57
Sat Mar 21 14:57:07 2020 daemon.info dnsmasq-dhcp[10305]: DHCPDISCOVER(br-lan) 00:e0:4c:6e:02:57
Sat Mar 21 14:57:07 2020 daemon.info dnsmasq-dhcp[10305]: DHCPOFFER(br-lan) 192.168.81.137 00:e0:4c:6e:02:57
Sat Mar 21 14:57:16 2020 daemon.info dnsmasq-dhcp[10305]: DHCPDISCOVER(br-lan) 00:e0:4c:6e:02:57
Sat Mar 21 14:57:16 2020 daemon.info dnsmasq-dhcp[10305]: DHCPOFFER(br-lan) 192.168.81.137 00:e0:4c:6e:02:57

How can I identify this device? Thanks

1 Like

Start with basics...

Are we talking about wired? Which devices do you have there?
Wireless? Which devices know your wifi password? Turn them off/on one by one, and monitor the logs.

One possibility is a random MAC set when the device can't read a proper MAC from its own setting. Even some OpenWrt targets have that fallback in case the MAC can't be read properly from the device.

3 Likes

Realtek

3 Likes

You can run arp to figure out what interface it is connected to.

Be aware that Android 10 (and afaik iOS does something similar as well) devices will (by default, unless explicitly configured differently) use a unique (semi-random) MAC address for each different network.

1 Like
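
A way to triage such log entries, as an added example that is not from any poster in this thread: it groups dnsmasq-dhcp lines by MAC address, flags clients that keep sending DHCPDISCOVER without ever reaching DHCPACK, and checks the locally administered bit that per-network randomized addresses set. The function names, the threshold and the second client in the sample (da:a1:19:00:00:01) are assumptions made for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: the first six lines follow the log excerpt in the thread;
# the da:a1:19:00:00:01 client and its four lines are made up for contrast.
SAMPLE_LOG = """\
Sat Mar 21 14:56:59 2020 daemon.info dnsmasq-dhcp[10305]: DHCPDISCOVER(br-lan) 00:e0:4c:6e:02:57
Sat Mar 21 14:56:59 2020 daemon.info dnsmasq-dhcp[10305]: DHCPOFFER(br-lan) 192.168.81.137 00:e0:4c:6e:02:57
Sat Mar 21 14:57:07 2020 daemon.info dnsmasq-dhcp[10305]: DHCPDISCOVER(br-lan) 00:e0:4c:6e:02:57
Sat Mar 21 14:57:07 2020 daemon.info dnsmasq-dhcp[10305]: DHCPOFFER(br-lan) 192.168.81.137 00:e0:4c:6e:02:57
Sat Mar 21 14:57:16 2020 daemon.info dnsmasq-dhcp[10305]: DHCPDISCOVER(br-lan) 00:e0:4c:6e:02:57
Sat Mar 21 14:57:16 2020 daemon.info dnsmasq-dhcp[10305]: DHCPOFFER(br-lan) 192.168.81.137 00:e0:4c:6e:02:57
Sat Mar 21 14:58:01 2020 daemon.info dnsmasq-dhcp[10305]: DHCPDISCOVER(br-lan) da:a1:19:00:00:01
Sat Mar 21 14:58:01 2020 daemon.info dnsmasq-dhcp[10305]: DHCPOFFER(br-lan) 192.168.81.150 da:a1:19:00:00:01
Sat Mar 21 14:58:01 2020 daemon.info dnsmasq-dhcp[10305]: DHCPREQUEST(br-lan) 192.168.81.150 da:a1:19:00:00:01
Sat Mar 21 14:58:01 2020 daemon.info dnsmasq-dhcp[10305]: DHCPACK(br-lan) 192.168.81.150 da:a1:19:00:00:01 phone
"""

# message type, interface, optional IPv4 address, client MAC
LINE_RE = re.compile(
    r"dnsmasq-dhcp\[\d+\]: (DHCP[A-Z]+)\(([^)]+)\) "
    r"(?:(\d{1,3}(?:\.\d{1,3}){3}) )?((?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)

def is_locally_administered(mac):
    """True if bit 0x02 of the first octet is set (not a vendor-assigned OUI)."""
    return bool(int(mac.split(":")[0], 16) & 0x02)

def analyze(log_text, min_discovers=3):
    """Return {mac: summary}; 'stuck' means repeated DISCOVERs and no ACK."""
    counts = defaultdict(Counter)
    ifaces, ips = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a dnsmasq DHCP event line
        msg, iface, ip, mac = m.group(1).upper(), m.group(2), m.group(3), m.group(4).lower()
        counts[mac][msg] += 1
        ifaces[mac].add(iface)
        if ip:
            ips[mac].add(ip)
    return {
        mac: {
            "discovers": c["DHCPDISCOVER"],
            "acks": c["DHCPACK"],
            "interfaces": sorted(ifaces[mac]),
            "ips": sorted(ips[mac]),
            "locally_administered": is_locally_administered(mac),
            "stuck": c["DHCPDISCOVER"] >= min_discovers and c["DHCPACK"] == 0,
        }
        for mac, c in counts.items()
    }
```

On the sample, 00:e0:4c:6e:02:57 comes out as stuck with a vendor-assigned (not locally administered) address on br-lan, while the constructed phone completes its lease with a locally administered address.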