RE: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses
That is the default MAC spoof address for the Cain and Abel product.
http://www.oxid.it/ca_um/topics/apr_related_faqs.htm

You may be seeing intentional spoofs. My apologies if someone already mentioned this.
http://www.oxid.it/cain.html

Thanks!

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of McNealy, Justin S
Sent: Wednesday, October 20, 2010 8:21 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses

Throwing in our 2 cents. We have seen multiple devices using that mac address within the past year. Mainly androids but one blackberry and at least one that was wired

CAM entries for this interface:
Unicast Entries
 vlan   mac address      type      protocols   port
-------+----------------+---------+-----------+------------------
   56   0011.2233.4455   dynamic   ip          FastEthernet3/9

Jay McNealy
Network Engineer II
Medical University Of South Carolina

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of heath.barnhart
Sent: Monday, September 27, 2010 3:54 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses

I've found one a possible droid as well.

Heath

On 9/27/2010 2:39 PM, Lee, Steven wrote:

The hostname android_977... appears to be a bug affecting Motorola Droid2's where many of them share the same IMEI 'International Mobile Equipment Identity', which is supposed to be unique:
http://groups.google.com/group/android-developers/browse_thread/thread/53898e508fab44f6/84e54feb28272384?lnk=raot

This does not appear to have any relation to the mac address issue in this thread but you gotta wonder as we are also seeing dhcp log entries with this ID associated to the 00:11:22:33:44:55 and also on a MAC that belongs to Intel.

steve

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Johnson, Neil M
Sent: Monday, September 27, 2010 1:01 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses

Jaime, I saw the exact same thing in our DHCP logs, including the hostname (android_977…). Curious.

-Neil
--
Neil Johnson
Network Engineer
Information Technology Services
The University of Iowa
Work: 319 384-0938
Mobile: 319 540-2081
Fax: 319 355-2618
E-mail: neil-john...@uiowa.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Jamie Savage
Sent: Monday, September 27, 2010 9:18 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses

Just went back in our logs and we had a few hits with this MAC last week. However, the DHCP records indicate that this one has something to do with Android??

Sep 22 16:01:50 x.xx.yorku.ca dhcpd: event=dhcp_offer loglevel=info msg=DHCPOFFER on 192.168.100.211 to 00:11:22:33:44:55 (android_9774d56d682e549c) via eth1 gw 192.168.100.2

The android reference here is the computer name which could have been entered by the user but the subsequent alpha string would indicate it's a generated name.

thxJ

James Savage                  York University
Senior Communications Tech.   108 Steacie Building
jsav...@yorku.ca              4700 Keele Street
ph: 416-736-2100 ext. 22605   Toronto, Ontario
fax: 416-736-5830             M3J 1P3, CANADA

From: Ingen Schenau, Jeroen van (ICTS) j.vaningensche...@utwente.nl
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Date: 09/27/2010 10:02 AM
Subject: Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses
Sent by: The EDUCAUSE Wireless Issues Constituent Group Listserv WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU

On Mon, 2010-09-27 at 09:39 -0400, Michael Dickson wrote:

Fascinating. We have one user on campus so far with this address: 00:11:22:33:44:55
Vendor (reported by Airwave): CIMSYS Inc

My € 0.02: we've seen three distinct users with that MAC, over the past 7 days. Same when looking over the last 31 days.

Regards,
Jeroen van Ingen
ICT Service Centre
University of Twente, P.O.Box 217, 7500 AE Enschede, The Netherlands

** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.

--
Heath Barnhart, CCNA
Network Administrator
Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses
I'm seeing them here at the University of Minnesota as well. Thanks for the heads-up! I'll see what I can discover once I can get a hold of one of these clients. -- Andrew D. Clark Network Operations Engineer University of Minnesota, Networking/Telecom Services 2218 University Ave SE Minneapolis, MN 55414-3029 Phone: 612-626-4880
Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses
We tracked one down yesterday and it turned out to be a Windows Mobile phone running Android. Decidedly not a MAC.. :) -JEff On 9/28/10 10:44 AM, Andrew Clark wrote: I'm seeing them here at the University of Minnesota as well. Thanks for the heads-up! I'll see what I can discover once I can get a hold of one of these clients.
Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses
you can also run android on a jailbroken iPhone, though I'd wonder why. /john On 9/28/10 9:11 AM, Jeff Wolfe wo...@ems.psu.edu apparently wrote: We tracked one down yesterday and it turned out to be a Windows Mobile phone running Android. Decidedly not a MAC.. :) -JEff On 9/28/10 10:44 AM, Andrew Clark wrote: I'm seeing them here at the University of Minnesota as well. Thanks for the heads-up! I'll see what I can discover once I can get a hold of one of these clients. -- John L Clarke III Sr Network Administrator Central New Mexico Community College 505 224 3012
Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses
One more piece of info on the 00:11:22:33:44:55 weirdness: We have a user registered in NetReg with MAC address 00:11:22:33:44:55, It is an Imac and was registered on our network in Parallels (browser reference is Windows NT 6.1). I wonder how many of these strange MAC addresses are generated by virtual environments? On Sep 28, 2010, at 11:11 AM, Jeff Wolfe wrote: We tracked one down yesterday and it turned out to be a Windows Mobile phone running Android. Decidedly not a MAC.. :) -JEff On 9/28/10 10:44 AM, Andrew Clark wrote: I'm seeing them here at the University of Minnesota as well. Thanks for the heads-up! I'll see what I can discover once I can get a hold of one of these clients.
Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses
I've read anecdotal accounts that some NIC drivers default to 00:11:22:33:44:55 when an error occurs or when it's unable to determine/set the true Mac address, I didn't think that parallels would generate a fake nic though.. --- Justin Hao On Sep 28, 2010, at 2:39 PM, Hanset, Philippe C phan...@utk.edu wrote: One more piece of info on the 00:11:22:33:44:55 weirdness: We have a user registered in NetReg with MAC address 00:11:22:33:44:55, It is an Imac and was registered on our network in Parallels (browser reference is Windows NT 6.1). I wonder how many of these strange MAC addresses are generated by virtual environments? On Sep 28, 2010, at 11:11 AM, Jeff Wolfe wrote: We tracked one down yesterday and it turned out to be a Windows Mobile phone running Android. Decidedly not a MAC.. :) -JEff On 9/28/10 10:44 AM, Andrew Clark wrote: I'm seeing them here at the University of Minnesota as well. Thanks for the heads-up! I'll see what I can discover once I can get a hold of one of these clients.
RE: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses
We too are seeing that MAC address in our logging for our wireless service, although it doesn't look like there is an actual full user(s) log-in. It might be pure chance that we have a device which should be using that MAC address but I'm not convinced! So the issue may not just be limited to the USA. Many Thanks Peter Mr Peter Methven, Network Specialist Information Technology (IT) Allen McTernan Building, Edinburgh Campus Tel: 0131 451 3516 For IT support queries or requests, please email ith...@hw.ac.uk or phone ext 4045, with full details of your query or request and your contact details. http://www.hw.ac.uk/it -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Watters, John Sent: 27 September 2010 04:34 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses I have 7 or 8 machines with this MAC address on our campus. Is it possible that Apple did something not nice with the MAC addresses in the MacBooks? We will try to track some of them down, but it won't be easy even using the block-it-nd-they-will-come method. -jcw From: The EDUCAUSE Wireless Issues Constituent Group Listserv [wireless-...@listserv.educause.edu] On Behalf Of Cortes, Diana [dcor...@miami.edu] Sent: Friday, September 24, 2010 4:17 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses Thought I'd share some interesting news... 
The student was able to recover the box where her Macbook Pro came in and indeed the Airport ID printed on the box is 00:11:22:33:44:55 Diana Cortes, CISSP, CWNA University of Miami IT - Telecommunications -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Greg Williams Sent: Monday, September 20, 2010 7:19 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses Not sure if there is software out there for the mac to change this automatically, if you just do an ifconfig en1 ether xx:xx:xx:xx:xx:xx, the mac address will change, but ONLY stay until you reboot the machine, then it changes back. You have to put that command into a script under /system/library/starupitems/ and then run sudo chmod 700 script.sh sudo defaults write com.apple.loginwindow LoginHook /System/Library/StartupItems/script.sh to get it to stick permanently. So it seems to me like people are probably doing this intentionally. Greg Williams IT Security Principal University of Colorado at Colorado Springs greg.willi...@uccs.edu -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Hao, Justin C Sent: Monday, September 20, 2010 4:34 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses it does show up occasionally, and as far as i can tell, this is because users are following on-line tutorials for cracking WEP passwords (several of them reference changing your mac interface to 00:11:22:33:44:55 manually in the instructions to setup traffic sniffing. If your users are using these on a production network you may want to follow up as they may have inadvertently changed their mac address and have no realized they need to change it back. 
or you could be mischievous and block that mac address completely and let them come forwards to have their machine fixed. I don't believe this is a bug, but more user-inflicted. - Justin Hao CCNA Network Engineer, ITS Networking The University of Texas at Austin j...@austin.utexas.edu - On Sep 20, 2010, at 5:21 PM, Cortes, Diana wrote: Has anyone encountered any Macbooks with the following MAC addresses: 00:11:22:33:44:55? We believe this may be an Apple bug as we have found 2 on our campus already with the exact same MAC address. Thank you, Diana Cortes, CISSP, CWNA University of Miami IT-Telecommunications -- Heriot-Watt University is a Scottish charity
Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses
Watters, John wrote: I have 7 or 8 machines with this MAC address on our campus. Is it possible that Apple did something not nice with the MAC addresses in the MacBooks? We will try to track some of them down, but it won't be easy even using the block-it-nd-they-will-come method. My guess would be a manufacturing problem. When I was working for a broadband provider, we sent out a boatload of NICs that had all been shipped from the manufacturer with the MAC address FF:FF:FF:FF:FF:FF. This was, unsurprisingly, problematic. -- Matt Gracie (716) 888-8378 Information Security Administrator grac...@canisius.edu Canisius College ITS Buffalo, NY http://www2.canisius.edu/~graciem/graciem_public_key.gpg
RE: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses
Let me get this straight. Are you guys saying that each address is exactly the same? Pete M. -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Matthew Gracie Sent: Monday, September 27, 2010 9:09 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses Watters, John wrote: I have 7 or 8 machines with this MAC address on our campus. Is it possible that Apple did something not nice with the MAC addresses in the MacBooks? We will try to track some of them down, but it won't be easy even using the block-it-nd-they-will-come method. My guess would be a manufacturing problem. When I was working for a broadband provider, we sent out a boatload of NICs that had all been shipped from the manufacturer with the MAC address FF:FF:FF:FF:FF:FF. This was, unsurprisingly, problematic. -- Matt Gracie (716) 888-8378 Information Security Administrator grac...@canisius.edu Canisius College ITS Buffalo, NY http://www2.canisius.edu/~graciem/graciem_public_key.gpg
Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses
Fascinating. We have one user on campus so far with this address: 00:11:22:33:44:55 Vendor (reported by Airwave): CIMSYS Inc For Macbooks, the vendor is typically reported as Apple or Apple,Inc. Mike Michael Dickson 413.545.9639 Network Analyst Univ. of Massachusetts Amherst On 9/26/2010 11:34 PM, Watters, John wrote: I have 7 or 8 machines with this MAC address on our campus. Is it possible that Apple did something not nice with the MAC addresses in the MacBooks? We will try to track some of them down, but it won't be easy even using the block-it-nd-they-will-come method. -jcw From: The EDUCAUSE Wireless Issues Constituent Group Listserv [wireless-...@listserv.educause.edu] On Behalf Of Cortes, Diana [dcor...@miami.edu] Sent: Friday, September 24, 2010 4:17 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses Thought I'd share some interesting news... The student was able to recover the box where her Macbook Pro came in and indeed the Airport ID printed on the box is 00:11:22:33:44:55 Diana Cortes, CISSP, CWNA University of Miami IT - Telecommunications -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Greg Williams Sent: Monday, September 20, 2010 7:19 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses Not sure if there is software out there for the mac to change this automatically, if you just do an ifconfig en1 ether xx:xx:xx:xx:xx:xx, the mac address will change, but ONLY stay until you reboot the machine, then it changes back. You have to put that command into a script under /system/library/starupitems/ and then run sudo chmod 700 script.sh sudo defaults write com.apple.loginwindow LoginHook /System/Library/StartupItems/script.sh to get it to stick permanently. So it seems to me like people are probably doing this intentionally. 
Greg Williams IT Security Principal University of Colorado at Colorado Springs greg.willi...@uccs.edu -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Hao, Justin C Sent: Monday, September 20, 2010 4:34 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses it does show up occasionally, and as far as I can tell, this is because users are following on-line tutorials for cracking WEP passwords (several of them reference changing your mac interface to 00:11:22:33:44:55 manually in the instructions to setup traffic sniffing). If your users are using these on a production network you may want to follow up as they may have inadvertently changed their mac address and have not realized they need to change it back. or you could be mischievous and block that mac address completely and let them come forwards to have their machine fixed. I don't believe this is a bug, but more user-inflicted. - Justin Hao CCNA Network Engineer, ITS Networking The University of Texas at Austin j...@austin.utexas.edu - On Sep 20, 2010, at 5:21 PM, Cortes, Diana wrote: Has anyone encountered any Macbooks with the following MAC addresses: 00:11:22:33:44:55? We believe this may be an Apple bug as we have found 2 on our campus already with the exact same MAC address. Thank you, Diana Cortes, CISSP, CWNA University of Miami IT-Telecommunications
Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses
On Mon, 2010-09-27 at 09:39 -0400, Michael Dickson wrote: Fascinating. We have one user on campus so far with this address: 00:11:22:33:44:55 Vendor (reported by Airwave): CIMSYS Inc My € 0.02: we've seen three distinct users with that MAC, over the past 7 days. Same when looking over the last 31 days. Regards, Jeroen van Ingen ICT Service Centre University of Twente, P.O.Box 217, 7500 AE Enschede, The Netherlands
Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses
I will second that. I, too, am seeing one client with this mac address, reported the same way via Airwave as CIMSYS Inc. == Ryan Holland Network Engineer, Wireless Office of the Chief Information Officer The Ohio State University 614-292-9906 holland@osu.edumailto:holland@osu.edu On Sep 27, 2010, at 9:39 AM, Michael Dickson wrote: Fascinating. We have one user on campus so far with this address: 00:11:22:33:44:55 Vendor (reported by Airwave): CIMSYS Inc For Macbooks, the vendor is typically reported as Apple or Apple,Inc. Mike Michael Dickson 413.545.9639 Network Analyst Univ. of Massachusetts Amherst On 9/26/2010 11:34 PM, Watters, John wrote: I have 7 or 8 machines with this MAC address on our campus. Is it possible that Apple did something not nice with the MAC addresses in the MacBooks? We will try to track some of them down, but it won't be easy even using the block-it-nd-they-will-come method. -jcw From: The EDUCAUSE Wireless Issues Constituent Group Listserv [wireless-...@listserv.educause.edu] On Behalf Of Cortes, Diana [dcor...@miami.edu] Sent: Friday, September 24, 2010 4:17 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDUmailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses Thought I'd share some interesting news... 
The student was able to recover the box where her Macbook Pro came in and indeed the Airport ID printed on the box is 00:11:22:33:44:55 Diana Cortes, CISSP, CWNA University of Miami IT - Telecommunications -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Greg Williams Sent: Monday, September 20, 2010 7:19 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDUmailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses Not sure if there is software out there for the mac to change this automatically, if you just do an ifconfig en1 ether xx:xx:xx:xx:xx:xx, the mac address will change, but ONLY stay until you reboot the machine, then it changes back. You have to put that command into a script under /system/library/starupitems/ and then run sudo chmod 700 script.sh sudo defaults write com.apple.loginwindow LoginHook /System/Library/StartupItems/script.sh to get it to stick permanently. So it seems to me like people are probably doing this intentionally. Greg Williams IT Security Principal University of Colorado at Colorado Springs greg.willi...@uccs.edumailto:greg.willi...@uccs.edu -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Hao, Justin C Sent: Monday, September 20, 2010 4:34 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDUmailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses it does show up occasionally, and as far as i can tell, this is because users are following on-line tutorials for cracking WEP passwords (several of them reference changing your mac interface to 00:11:22:33:44:55 manually in the instructions to setup traffic sniffing. 
If your users are using these on a production network you may want to follow up as they may have inadvertently changed their mac address and have not realized they need to change it back. or you could be mischievous and block that mac address completely and let them come forwards to have their machine fixed. I don't believe this is a bug, but more user-inflicted. - Justin Hao CCNA Network Engineer, ITS Networking The University of Texas at Austin j...@austin.utexas.edu - On Sep 20, 2010, at 5:21 PM, Cortes, Diana wrote: Has anyone encountered any Macbooks with the following MAC addresses: 00:11:22:33:44:55? We believe this may be an Apple bug as we have found 2 on our campus already with the exact same MAC address. Thank you, Diana Cortes, CISSP, CWNA University of Miami IT-Telecommunications
Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses
Just went back in our logs and we had a few hits with this MAC last week. However, the DHCP records indicate that this one has something to do with Android??

Sep 22 16:01:50 x.xx.yorku.ca dhcpd: event=dhcp_offer loglevel=info msg=DHCPOFFER on 192.168.100.211 to 00:11:22:33:44:55 (android_9774d56d682e549c) via eth1 gw 192.168.100.2

The android reference here is the computer name which could have been entered by the user but the subsequent alpha string would indicate it's a generated name.

thxJ

James Savage                  York University
Senior Communications Tech.   108 Steacie Building
jsav...@yorku.ca              4700 Keele Street
ph: 416-736-2100 ext. 22605   Toronto, Ontario
fax: 416-736-5830             M3J 1P3, CANADA

From: Ingen Schenau, Jeroen van (ICTS) j.vaningensche...@utwente.nl
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Date: 09/27/2010 10:02 AM
Subject: Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses
Sent by: The EDUCAUSE Wireless Issues Constituent Group Listserv WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU

On Mon, 2010-09-27 at 09:39 -0400, Michael Dickson wrote:

Fascinating. We have one user on campus so far with this address: 00:11:22:33:44:55
Vendor (reported by Airwave): CIMSYS Inc

My € 0.02: we've seen three distinct users with that MAC, over the past 7 days. Same when looking over the last 31 days.

Regards,
Jeroen van Ingen
ICT Service Centre
University of Twente, P.O.Box 217, 7500 AE Enschede, The Netherlands
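A defensive check built from the observations in this thread, added here as an example and not code from any list member: it scans dhcpd DHCPOFFER/DHCPACK lines and flags the placeholder addresses named in the thread plus any MAC seen with more than one hostname. The log lines, the server name, every hostname except android_9774d56d682e549c, and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Addresses this thread reports on many unrelated devices (spoofing tools,
# driver fallbacks, mis-programmed NICs). Extend with your own sightings.
PLACEHOLDER_MACS = {"00:11:22:33:44:55", "ff:ff:ff:ff:ff:ff"}

# Constructed sample in the layout of the dhcpd line quoted in the thread.
SAMPLE_LOG = """\
Sep 22 16:01:50 dhcp1.example.edu dhcpd: event=dhcp_offer loglevel=info msg=DHCPOFFER on 192.168.100.211 to 00:11:22:33:44:55 (android_9774d56d682e549c) via eth1 gw 192.168.100.2
Sep 22 16:04:12 dhcp1.example.edu dhcpd: event=dhcp_offer loglevel=info msg=DHCPOFFER on 192.168.100.212 to 00:11:22:33:44:55 (student-laptop) via eth1 gw 192.168.100.2
Sep 22 16:05:30 dhcp1.example.edu dhcpd: event=dhcp_offer loglevel=info msg=DHCPOFFER on 192.168.100.40 to 00:1e:c2:11:22:33 (lab-imac-07) via eth1 gw 192.168.100.2
Sep 22 16:09:30 dhcp1.example.edu dhcpd: event=dhcp_ack loglevel=info msg=DHCPACK on 192.168.100.40 to 00:1e:c2:11:22:33 (lab-imac-07) via eth1 gw 192.168.100.2
Sep 22 16:10:02 dhcp1.example.edu dhcpd: event=dhcp_offer loglevel=info msg=DHCPOFFER on 192.168.100.50 to 00:1c:b3:01:02:03 via eth1 gw 192.168.100.2
Sep 22 16:11:45 dhcp1.example.edu dhcpd: event=dhcp_offer loglevel=info msg=DHCPOFFER on 192.168.100.60 to 00:1f:5b:0a:0b:0c (frontdesk-pc) via eth1 gw 192.168.100.2
Sep 22 16:20:45 dhcp1.example.edu dhcpd: event=dhcp_offer loglevel=info msg=DHCPOFFER on 192.168.100.61 to 00:1F:5B:0A:0B:0C (visitor-netbook) via eth1 gw 192.168.100.2
"""

# dhcpd style: "DHCPOFFER on <ip> to <mac> (<hostname>) via <interface>";
# the "(hostname)" part is absent when the client sent no name.
LEASE_RE = re.compile(
    r"DHCP(?:OFFER|ACK) on (?P<ip>\S+) to "
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
    r"(?: \((?P<host>[^)\n]*)\))? via "
)


def normalize_mac(text):
    """Return lowercase aa:bb:cc:dd:ee:ff for colon, hyphen or dotted input.

    The dotted form (0011.2233.4455) is what switch CAM tables print, so
    DHCP and switch-port data can be joined on the same key.
    """
    digits = re.sub(r"[:.\-]", "", text.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac):
    """True when the U/L bit (0x02 of the first octet) is set.

    00:11:22:33:44:55 has this bit clear, so it looks vendor-assigned and
    gets an OUI vendor name; a U/L-bit check alone will not catch it.
    """
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)


def find_suspect_macs(log_text):
    """Map each suspect MAC to its hostnames and the reasons it was flagged.

    "placeholder": the address is in PLACEHOLDER_MACS.
    "shared": more than one distinct hostname was leased under the address.
    """
    hosts_by_mac = defaultdict(set)
    for match in LEASE_RE.finditer(log_text):
        hosts = hosts_by_mac[normalize_mac(match["mac"])]
        if match["host"]:
            hosts.add(match["host"].lower())

    report = {}
    for mac, hosts in hosts_by_mac.items():
        reasons = []
        if mac in PLACEHOLDER_MACS:
            reasons.append("placeholder")
        if len(hosts) > 1:
            reasons.append("shared")
        if reasons:
            report[mac] = {"hostnames": sorted(hosts), "reasons": reasons}
    return report


if __name__ == "__main__":
    for mac, info in find_suspect_macs(SAMPLE_LOG).items():
        print(mac, ",".join(info["reasons"]), " ".join(info["hostnames"]))
```

A "shared" hit on an ordinary vendor address can also be a renamed or re-imaged machine, so treat it as a lead to confirm against the switch port, not as proof of spoofing.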
Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses
I see a one too..Interesting! Manoj P. Manoj Abeysekera, CWNA, ACMP Network Engineer American University 4200 Wisconsin Ave, NW Washington DC. 20016 202-885-2702 From: Holland, Ryan C. holland@osu.edu To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Date: 09/27/2010 10:11 AM Subject:Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses Sent by:The EDUCAUSE Wireless Issues Constituent Group Listserv WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU I will second that. I, too, am seeing one client with this mac address, reported the same way via Airwave as CIMSYS Inc. == Ryan Holland Network Engineer, Wireless Office of the Chief Information Officer The Ohio State University 614-292-9906 holland@osu.edu On Sep 27, 2010, at 9:39 AM, Michael Dickson wrote: Fascinating. We have one user on campus so far with this address: 00:11:22:33:44:55 Vendor (reported by Airwave): CIMSYS Inc For Macbooks, the vendor is typically reported as Apple or Apple,Inc. Mike Michael Dickson 413.545.9639 Network Analyst Univ. of Massachusetts Amherst On 9/26/2010 11:34 PM, Watters, John wrote: I have 7 or 8 machines with this MAC address on our campus. Is it possible that Apple did something not nice with the MAC addresses in the MacBooks? We will try to track some of them down, but it won't be easy even using the block-it-nd-they-will-come method. -jcw From: The EDUCAUSE Wireless Issues Constituent Group Listserv [wireless-...@listserv.educause.edu] On Behalf Of Cortes, Diana [dcor...@miami.edu] Sent: Friday, September 24, 2010 4:17 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses Thought I'd share some interesting news... 
The student was able to recover the box where her Macbook Pro came in and indeed the Airport ID printed on the box is 00:11:22:33:44:55 Diana Cortes, CISSP, CWNA University of Miami IT - Telecommunications -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Greg Williams Sent: Monday, September 20, 2010 7:19 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses Not sure if there is software out there for the mac to change this automatically, if you just do an ifconfig en1 ether xx:xx:xx:xx:xx:xx, the mac address will change, but ONLY stay until you reboot the machine, then it changes back. You have to put that command into a script under /system/library/starupitems/ and then run sudo chmod 700 script.sh sudo defaults write com.apple.loginwindow LoginHook /System/Library/StartupItems/script.sh to get it to stick permanently. So it seems to me like people are probably doing this intentionally. Greg Williams IT Security Principal University of Colorado at Colorado Springs greg.willi...@uccs.edu -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Hao, Justin C Sent: Monday, September 20, 2010 4:34 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses it does show up occasionally, and as far as i can tell, this is because users are following on-line tutorials for cracking WEP passwords (several of them reference changing your mac interface to 00:11:22:33:44:55 manually in the instructions to setup traffic sniffing. If your users are using these on a production network you may want to follow up as they may have inadvertently changed their mac address and have no realized they need to change it back. 
or you could be mischievous and block that mac address completely and let them come forwards to have their machine fixed. I don't believe this is a bug, but more user-inflicted. - Justin Hao CCNA Network Engineer, ITS Networking The University of Texas at Austin j...@austin.utexas.edu - On Sep 20, 2010, at 5:21 PM, Cortes, Diana wrote: Has anyone encountered any Macbooks with the following MAC addresses: 00:11:22:33:44:55? We believe this may be an Apple bug as we have found 2 on our campus already with the exact same MAC address. Thank you, Diana Cortes, CISSP, CWNA University of Miami IT-Telecommunications
Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses
We are also seeing a client with that MAC address (00:11:22:33:44:55) on our system. John V. Duran Network Engineer University of New Mexico Information Technologies Ph: (505) 249-7890 Fax: (505) 277-8101 Holland, Ryan C. holland@osu.edu 9/27/2010 8:10 AM I will second that. I, too, am seeing one client with this mac address, reported the same way via Airwave as CIMSYS Inc. == Ryan Holland Network Engineer, Wireless Office of the Chief Information Officer The Ohio State University 614-292-9906 holland@osu.edu On Sep 27, 2010, at 9:39 AM, Michael Dickson wrote: Fascinating. We have one user on campus so far with this address: 00:11:22:33:44:55 Vendor (reported by Airwave): CIMSYS Inc For Macbooks, the vendor is typically reported as Apple or Apple,Inc. Mike Michael Dickson 413.545.9639 Network Analyst Univ. of Massachusetts Amherst On 9/26/2010 11:34 PM, Watters, John wrote: I have 7 or 8 machines with this MAC address on our campus. Is it possible that Apple did something not nice with the MAC addresses in the MacBooks? We will try to track some of them down, but it won't be easy even using the block-it-nd-they-will-come method. -jcw From: The EDUCAUSE Wireless Issues Constituent Group Listserv [wireless-...@listserv.educause.edu] On Behalf Of Cortes, Diana [dcor...@miami.edu] Sent: Friday, September 24, 2010 4:17 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses Thought I'd share some interesting news... 
The student was able to recover the box where her Macbook Pro came in and indeed the Airport ID printed on the box is 00:11:22:33:44:55 Diana Cortes, CISSP, CWNA University of Miami IT - Telecommunications -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Greg Williams Sent: Monday, September 20, 2010 7:19 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses Not sure if there is software out there for the mac to change this automatically, if you just do an ifconfig en1 ether xx:xx:xx:xx:xx:xx, the mac address will change, but ONLY stay until you reboot the machine, then it changes back. You have to put that command into a script under /system/library/starupitems/ and then run sudo chmod 700 script.sh sudo defaults write com.apple.loginwindow LoginHook /System/Library/StartupItems/script.sh to get it to stick permanently. So it seems to me like people are probably doing this intentionally. Greg Williams IT Security Principal University of Colorado at Colorado Springs greg.willi...@uccs.edu -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Hao, Justin C Sent: Monday, September 20, 2010 4:34 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses it does show up occasionally, and as far as i can tell, this is because users are following on-line tutorials for cracking WEP passwords (several of them reference changing your mac interface to 00:11:22:33:44:55 manually in the instructions to setup traffic sniffing. If your users are using these on a production network you may want to follow up as they may have inadvertently changed their mac address and have no realized they need to change it back. 
or you could be mischievous and block that mac address completely and let them come forwards to have their machine fixed. I don't believe this is a bug, but more user-inflicted.

- Justin Hao
CCNA Network Engineer, ITS Networking
The University of Texas at Austin
j...@austin.utexas.edu
-

On Sep 20, 2010, at 5:21 PM, Cortes, Diana wrote:

Has anyone encountered any Macbooks with the following MAC addresses: 00:11:22:33:44:55? We believe this may be an Apple bug as we have found 2 on our campus already with the exact same MAC address.

Thank you,
Diana Cortes, CISSP, CWNA
University of Miami
IT-Telecommunications
Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses
On 9/27/10 11:26 AM, John Duran wrote:

> We are also seeing a client with that MAC address (00:11:22:33:44:55) on our system.

Just a sanity check here, since most management systems seem to use MAC address as a primary key, it's likely you'll only 'see' one 00:11:22:33:44:55 address associated at any given time, right? DHCP logs or other auth logs may provide a more comprehensive list of how many devices are around, correct?

Has anyone contacted their respective Wireless hardware vendors for comments?

-Jeff
Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses
keep in mind that in airwave, the clients are uniquely identified by their mac address, so you'll need to check if multiple usernames show up associated to this single mac address, if this is the case, most likely it is multiple clients with either a manually configured mac address (due to WEP sniffing guides on the internet) or with possibly defective wireless NICs. Airwave (and other monitoring systems) won't be able to show you the real manufacturer because they're only performing a standard oui lookup on the first 3 octets.

what James (YorkU) did is the next logical step in trying to identify these clients by other metrics (hostname, useragent, etc) depending on how much time and interest you have in this. We've seen at least 4 users all claiming to be 00:11:22:33:44:55 in the past week and we're internally discussing options on how to deal with this issue.

- Justin Hao
CCNA Network Engineer, ITS Networking
The University of Texas at Austin
j...@austin.utexas.edu
-

On Sep 27, 2010, at 9:10 AM, Holland, Ryan C. wrote:

I will second that. I, too, am seeing one client with this mac address, reported the same way via Airwave as CIMSYS Inc.

==
Ryan Holland
Network Engineer, Wireless
Office of the Chief Information Officer
The Ohio State University
614-292-9906
holland@osu.edu

On Sep 27, 2010, at 9:39 AM, Michael Dickson wrote:

Fascinating. We have one user on campus so far with this address:

00:11:22:33:44:55
Vendor (reported by Airwave): CIMSYS Inc

For Macbooks, the vendor is typically reported as Apple or Apple,Inc.

Mike

Michael Dickson 413.545.9639
Network Analyst
Univ. of Massachusetts Amherst

On 9/26/2010 11:34 PM, Watters, John wrote:

I have 7 or 8 machines with this MAC address on our campus. Is it possible that Apple did something not nice with the MAC addresses in the MacBooks? We will try to track some of them down, but it won't be easy even using the block-it-and-they-will-come method.
-jcw From: The EDUCAUSE Wireless Issues Constituent Group Listserv [wireless-...@listserv.educause.edu] On Behalf Of Cortes, Diana [dcor...@miami.edu] Sent: Friday, September 24, 2010 4:17 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDUmailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses Thought I'd share some interesting news... The student was able to recover the box where her Macbook Pro came in and indeed the Airport ID printed on the box is 00:11:22:33:44:55 Diana Cortes, CISSP, CWNA University of Miami IT - Telecommunications -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Greg Williams Sent: Monday, September 20, 2010 7:19 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDUmailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses Not sure if there is software out there for the mac to change this automatically, if you just do an ifconfig en1 ether xx:xx:xx:xx:xx:xx, the mac address will change, but ONLY stay until you reboot the machine, then it changes back. You have to put that command into a script under /system/library/starupitems/ and then run sudo chmod 700 script.sh sudo defaults write com.apple.loginwindow LoginHook /System/Library/StartupItems/script.sh to get it to stick permanently. So it seems to me like people are probably doing this intentionally. 
Greg Williams IT Security Principal University of Colorado at Colorado Springs greg.willi...@uccs.edumailto:greg.willi...@uccs.edu -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Hao, Justin C Sent: Monday, September 20, 2010 4:34 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDUmailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses it does show up occasionally, and as far as i can tell, this is because users are following on-line tutorials for cracking WEP passwords (several of them reference changing your mac interface to 00:11:22:33:44:55 manually in the instructions to setup traffic sniffing. If your users are using these on a production network you may want to follow up as they may have inadvertently changed their mac address and have no realized they need to change it back. or you could be mischievous and block that mac address completely and let them come forwards to have their machine fixed. I don't believe this is a bug, but more user-inflicted. - Justin Hao CCNA Network Engineer, ITS Networking The University of Texas at Austin j...@austin.utexas.edumailto:j...@austin.utexas.edu - On Sep 20, 2010, at 5:21 PM, Cortes, Diana
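The check suggested in the messages above (a management console keyed on MAC shows one client, so count the distinct hostnames and usernames behind that MAC in DHCP and auth logs), as an added example that is not code from any list member. The log lines are constructed; the auth-log layout, the function names and the "placeholder pattern" heuristic are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample data. DHCP lines follow the ISC dhcpd layout
# "DHCPACK on <ip> to <mac> (<hostname>) via <iface>"; the auth lines use
# a hypothetical key=value layout (assumption, adapt to your RADIUS logs).
SAMPLE_DHCP = """\
Sep 27 09:01:10 dhcp1 dhcpd: DHCPACK on 192.0.2.21 to 00:11:22:33:44:55 (android_example01) via eth1
Sep 27 09:14:42 dhcp1 dhcpd: DHCPACK on 192.0.2.37 to 00:11:22:33:44:55 (Janes-MacBook-Pro) via eth1
Sep 27 10:02:05 dhcp1 dhcpd: DHCPACK on 192.0.2.21 to 00:11:22:33:44:55 (android_example01) via eth1
Sep 27 10:30:00 dhcp1 dhcpd: DHCPACK on 192.0.2.40 to 00-11-22-33-44-55 (lab-laptop) via eth1
Sep 27 10:31:00 dhcp1 dhcpd: DHCPACK on 192.0.2.50 to a4:5e:60:01:02:03 (quiet-host) via eth1
"""
SAMPLE_AUTH = """\
2010-09-27T09:02:00 radius auth=ok user=alice mac=0011.2233.4455
2010-09-27T09:15:00 radius auth=ok user=bob mac=00:11:22:33:44:55
2010-09-27T10:31:30 radius auth=ok user=carol mac=a4:5e:60:01:02:03
"""

MAC_CHARS = r"[0-9A-Fa-f:.\-]+"
DHCP_RE = re.compile(
    r"DHCP(?:OFFER|ACK) on \S+ to (?P<mac>" + MAC_CHARS + r")"
    r"(?: \((?P<host>[^)]*)\))? via"
)
AUTH_RE = re.compile(r"user=(?P<user>\S+) mac=(?P<mac>" + MAC_CHARS + r")")


def normalize_mac(raw):
    """Accept colon, dash or Cisco dotted notation; return aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC: %r" % raw)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac):
    """True when the U/L bit (0x02 of the first octet) is set."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)


def looks_like_placeholder(mac):
    """Heuristic (assumption): octets repeat or step by a constant,
    e.g. 00:11:22:33:44:55 or ff:ff:ff:ff:ff:ff."""
    octets = [int(o, 16) for o in normalize_mac(mac).split(":")]
    steps = {(b - a) % 256 for a, b in zip(octets, octets[1:])}
    return len(steps) == 1


def shared_macs(dhcp_text, auth_text, threshold=2):
    """Return MACs claimed by at least `threshold` distinct hostnames or
    usernames, with the identities seen behind each one."""
    hosts, users = defaultdict(set), defaultdict(set)
    for m in DHCP_RE.finditer(dhcp_text):
        if m.group("host"):
            hosts[normalize_mac(m.group("mac"))].add(m.group("host"))
    for m in AUTH_RE.finditer(auth_text):
        users[normalize_mac(m.group("mac"))].add(m.group("user"))

    report = {}
    for mac in sorted(set(hosts) | set(users)):
        if max(len(hosts[mac]), len(users[mac])) >= threshold:
            report[mac] = {
                "hostnames": sorted(hosts[mac]),
                "users": sorted(users[mac]),
                # A spoofed address with a registered OUI leaves this False,
                # which is why the identity count matters more than the bit.
                "locally_administered": is_locally_administered(mac),
                "placeholder_pattern": looks_like_placeholder(mac),
            }
    return report


if __name__ == "__main__":
    for mac, info in shared_macs(SAMPLE_DHCP, SAMPLE_AUTH).items():
        print(mac, info)
```

The locally-administered bit is clear for 00:11:22:33:44:55, so a filter on that bit alone would miss it; the distinct-identity count is what exposes the sharing.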
RE: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses
Thanks. And the other sanity check would be that we haven't seen any evidence yet that this is anything other than someone configuring their NIC with this address. Perhaps we should be concerned about the security issues regarding this but until I see two different pictures of vendor MAC address stickers that have the same MAC address printed, count me as a skeptic.

Pete M.

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Jeff Wolfe
Sent: Monday, September 27, 2010 11:32 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses

On 9/27/10 11:26 AM, John Duran wrote:

> We are also seeing a client with that MAC address (00:11:22:33:44:55) on our system.

Just a sanity check here, since most management systems seem to use MAC address as a primary key, it's likely you'll only 'see' one 00:11:22:33:44:55 address associated at any given time, right? DHCP logs or other auth logs may provide a more comprehensive list of how many devices are around, correct?

Has anyone contacted their respective Wireless hardware vendors for comments?

-Jeff
RE: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses
Justin,

Thank you for pointing out that most management systems (AirWave, etc) use the MAC address as a unique identifier - it is supposed to be a unique hardware address.

I've seen indication of that MAC on our Airwave Management Platform at Emory and can deduce we had 3-4 unique visitors, mostly on our guest network, but no successful authentications on our WPA-Enterprise network. The first sighting was on 07/23/2010, there was a sighting on 09/01/2010, and the last time I saw that MAC (possibly two separate users) was on 09/16/2010. I do have two different email addresses for the last two sightings, but will probably not pursue this further unless we have more sightings.

This doesn't seem like a big issue here, but it is troubling if a manufacturer is putting out product with duplicate unique hardware identifiers (MAC addresses).

- Stan Brooks - CWNA/CWSP
Emory University
University Technology Services
404.727.0226
AIM/Y!/Twitter: WLANstan
MSN: wlans...@hotmail.com
GoogleTalk: wlans...@gmail.com

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Hao, Justin C
Sent: Monday, September 27, 2010 11:37 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses

keep in mind that in airwave, the clients are uniquely identified by their mac address, so you'll need to check if multiple usernames show up associated to this single mac address, if this is the case, most likely it is multiple clients with either a manually configured mac address (due to WEP sniffing guides on the internet) or with possibly defective wireless NICs. Airwave (and other monitoring systems) won't be able to show you the real manufacturer because they're only performing a standard oui lookup on the first 3 octets.
what James (YorkU) did is the next logical step in trying to identify these clients by other metrics (hostname, useragent, etc) depending on how much time and interest you have in this. We've seen at least 4 users all claiming to be 00:11:22:33:44:55 in the past week and we're internally discussing options on how to deal with this issue. - Justin Hao CCNA Network Engineer, ITS Networking The University of Texas at Austin j...@austin.utexas.edumailto:j...@austin.utexas.edu - On Sep 27, 2010, at 9:10 AM, Holland, Ryan C. wrote: I will second that. I, too, am seeing one client with this mac address, reported the same way via Airwave as CIMSYS Inc. == Ryan Holland Network Engineer, Wireless Office of the Chief Information Officer The Ohio State University 614-292-9906 holland@osu.edumailto:holland@osu.edu On Sep 27, 2010, at 9:39 AM, Michael Dickson wrote: Fascinating. We have one user on campus so far with this address: 00:11:22:33:44:55 Vendor (reported by Airwave): CIMSYS Inc For Macbooks, the vendor is typically reported as Apple or Apple,Inc. Mike Michael Dickson 413.545.9639 Network AnalystUniv. of Massachusetts Amherst On 9/26/2010 11:34 PM, Watters, John wrote: I have 7 or 8 machines with this MAC address on our campus. Is it possible that Apple did something not nice with the MAC addresses in the MacBooks? We will try to track some of them down, but it won't be easy even using the block-it-nd-they-will-come method. -jcw From: The EDUCAUSE Wireless Issues Constituent Group Listserv [wireless-...@listserv.educause.edu] On Behalf Of Cortes, Diana [dcor...@miami.edu] Sent: Friday, September 24, 2010 4:17 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDUmailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses Thought I'd share some interesting news... 
The student was able to recover the box where her Macbook Pro came in and indeed the Airport ID printed on the box is 00:11:22:33:44:55 Diana Cortes, CISSP, CWNA University of Miami IT - Telecommunications -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Greg Williams Sent: Monday, September 20, 2010 7:19 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDUmailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses Not sure if there is software out there for the mac to change this automatically, if you just do an ifconfig en1 ether xx:xx:xx:xx:xx:xx, the mac address will change, but ONLY stay until you reboot the machine, then it changes back. You have to put that command into a script under /system/library/starupitems/ and then run sudo chmod 700 script.sh sudo defaults write com.apple.loginwindow LoginHook /System
Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses
I've seen two unique logins with that MAC in the past month.

--
Daniel Eklund
Director, Networking
Wayne State University
313-577-5558

Justin,

Thank you for pointing out that most management systems (AirWave, etc) use the MAC address as a unique identifier - it is supposed to be a unique hardware address.

I’ve seen indication of that MAC on our Airwave Management Platform at Emory and can deduce we had 3-4 unique visitors, mostly on our guest network, but no successful authentications on our WPA-Enterprise network. The first sighting was on 07/23/2010, there was a sighting on 09/01/2010, and the last time I saw that MAC (possibly two separate users) was on 09/16/2010. I do have two different email addresses for the last two sightings, but will probably not pursue this further unless we have more sightings.

This doesn’t seem like a big issue here, but it is troubling if a manufacturer is putting out product with duplicate unique hardware identifiers (MAC addresses).

- Stan Brooks - CWNA/CWSP
Emory University
University Technology Services
404.727.0226
AIM/Y!/Twitter: WLANstan
MSN: wlans...@hotmail.com
GoogleTalk: wlans...@gmail.com
RE: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses
Jamie,

I saw the exact same thing in our DHCP logs, including the hostname (android_977…). Curious.

-Neil

--
Neil Johnson
Network Engineer
Information Technology Services
The University of Iowa
Work: 319 384-0938
Mobile: 319 540-2081
Fax: 319 355-2618
E-mail: neil-john...@uiowa.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Jamie Savage
Sent: Monday, September 27, 2010 9:18 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses

Just went back in our logs and we had a few hits with this MAC last week. However, the DHCP records indicate that this one has something to do with Android??

Sep 22 16:01:50 x.xx.yorku.ca dhcpd: event=dhcp_offer loglevel=info msg=DHCPOFFER on 192.168.100.211 to 00:11:22:33:44:55 (android_9774d56d682e549c) via eth1 gw 192.168.100.2

The android reference here is the computer name which could have been entered by the user but the subsequent alpha string would indicate it's a generated name.

thx J

James Savage
York University
Senior Communications Tech.
108 Steacie Building, 4700 Keele Street
Toronto, Ontario M3J 1P3, CANADA
jsav...@yorku.ca
ph: 416-736-2100 ext. 22605
fax: 416-736-5830

From: Ingen Schenau, Jeroen van (ICTS) j.vaningensche...@utwente.nl
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Date: 09/27/2010 10:02 AM
Subject: Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses
Sent by: The EDUCAUSE Wireless Issues Constituent Group Listserv WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU

On Mon, 2010-09-27 at 09:39 -0400, Michael Dickson wrote:

> Fascinating. We have one user on campus so far with this address:
> 00:11:22:33:44:55
> Vendor (reported by Airwave): CIMSYS Inc

My € 0.02: we've seen three distinct users with that MAC, over the past 7 days. Same when looking over the last 31 days.

Regards,
Jeroen van Ingen
ICT Service Centre
University of Twente, P.O.Box 217, 7500 AE Enschede, The Netherlands
RE: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses
The hostname android_977... appears to be a bug affecting Motorola Droid2's where many of them share the same IMEI 'International Mobile Equipment Identity', which is supposed to be unique: http://groups.google.com/group/android-developers/browse_thread/thread/53898e508fab44f6/84e54feb28272384?lnk=raot This does not appear to have any relation to the mac address issue in this thread but you gotta wonder as were are also seeing dhcp log entries with this ID associated to the 00:11:22:33:44:55 and also on a MAC that belongs to Intel. steve From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Johnson, Neil M Sent: Monday, September 27, 2010 1:01 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses Jaime, I saw the exact same thing in our DHCP logs, including the hostname (android_977…) . Curious. -Neil -- Neil Johnson Network Engineer Information Technology Services The University of Iowa Work: 319 384-0938 Mobile: 319 540-2081 Fax: 319 355-2618 E-mail: neil-john...@uiowa.edu From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Jamie Savage Sent: Monday, September 27, 2010 9:18 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses Just went back in our logs and we had a few hits with this MAC last week. However, the DHCP records indicate that this one has something to do with Android?? Sep 22 16:01:50 x.xx.yorku.ca dhcpd: event=dhcp_offerloglevel=infomsg=DHCPOFFER on 192.168.100.211 to 00:11:22:33:44:55 (android_9774d56d682e549c) via eth1 gw 192.168.100.2 The android reference here is the computer name which could have been entered by the user but the subsequent alpha string would indicate it's a generated name. thxJ James Savage York University Senior Communications Tech. 
108 Steacie Building jsav...@yorku.ca4700 Keele Street ph: 416-736-2100 ext. 22605Toronto, Ontario fax: 416-736-5830M3J 1P3, CANADA From:Ingen Schenau, Jeroen van (ICTS) j.vaningensche...@utwente.nl To:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Date:09/27/2010 10:02 AM Subject:Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses Sent by:The EDUCAUSE Wireless Issues Constituent Group Listserv WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU On Mon, 2010-09-27 at 09:39 -0400, Michael Dickson wrote: Fascinating. We have one user on campus so far with this address: 00:11:22:33:44:55 Vendor (reported by Airwave): CIMSYS Inc My € 0.02: we've seen three distinct users with that MAC, over the past 7 days. Same when looking over the last 31 days. Regards, Jeroen van Ingen ICT Service Centre University of Twente, P.O.Box 217, 7500 AE Enschede, The Netherlands ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses
I've found one a possible droid as well. Heath On 9/27/2010 2:39 PM, Lee, Steven wrote: The hostname android_977... appears to be a bug affecting Motorola Droid2's where many of them share the same IMEI 'International Mobile Equipment Identity', which is supposed to be unique: http://groups.google.com/group/android-developers/browse_thread/thread/53898e508fab44f6/84e54feb28272384?lnk=raot This does not appear to have any relation to the mac address issue in this thread but you gotta wonder as were are also seeing dhcp log entries with this ID associated to the 00:11:22:33:44:55 and also on a MAC that belongs to Intel. steve From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Johnson, Neil M Sent: Monday, September 27, 2010 1:01 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses Jaime, I saw the exact same thing in our DHCP logs, including the hostname (android_977…) . Curious. -Neil -- Neil Johnson Network Engineer Information Technology Services The University of Iowa Work: 319 384-0938 Mobile: 319 540-2081 Fax: 319 355-2618 E-mail: neil-john...@uiowa.edu From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Jamie Savage Sent: Monday, September 27, 2010 9:18 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses Just went back in our logs and we had a few hits with this MAC last week. However, the DHCP records indicate that this one has something to do with Android?? Sep 22 16:01:50 x.xx.yorku.ca dhcpd: event=dhcp_offerloglevel=infomsg=DHCPOFFER on 192.168.100.211 to 00:11:22:33:44:55 (android_9774d56d682e549c) via eth1 gw 192.168.100.2 The android reference here is the computer name which could have been entered by the user but the subsequent alpha string would indicate it's a generated name. 
thxJ James Savage York University Senior Communications Tech. 108 Steacie Building jsav...@yorku.ca4700 Keele Street ph: 416-736-2100 ext. 22605Toronto, Ontario fax: 416-736-5830M3J 1P3, CANADA From:Ingen Schenau, Jeroen van (ICTS)j.vaningensche...@utwente.nl To:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Date:09/27/2010 10:02 AM Subject:Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses Sent by:The EDUCAUSE Wireless Issues Constituent Group ListservWIRELESS-LAN@LISTSERV.EDUCAUSE.EDU On Mon, 2010-09-27 at 09:39 -0400, Michael Dickson wrote: Fascinating. We have one user on campus so far with this address: 00:11:22:33:44:55 Vendor (reported by Airwave): CIMSYS Inc My € 0.02: we've seen three distinct users with that MAC, over the past 7 days. Same when looking over the last 31 days. Regards, Jeroen van Ingen ICT Service Centre University of Twente, P.O.Box 217, 7500 AE Enschede, The Netherlands ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. -- Heath Barnhart, CCNA Network Administrator Information Systems and Services Washburn University Topeka, KS 66621 ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
RE: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses
I actually have a picture of the box... I think I would need to ask permission to post but indeed the sticker on the box has the 001122...mac on it for an Airport ID. -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Lee H Badman Sent: Saturday, September 25, 2010 9:31 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses Wow- that's one to get a picture of! -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Cortes, Diana Sent: Friday, September 24, 2010 5:18 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses Thought I'd share some interesting news... The student was able to recover the box where her Macbook Pro came in and indeed the Airport ID printed on the box is 00:11:22:33:44:55 Diana Cortes, CISSP, CWNA University of Miami IT - Telecommunications -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Greg Williams Sent: Monday, September 20, 2010 7:19 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses Not sure if there is software out there for the mac to change this automatically, if you just do an ifconfig en1 ether xx:xx:xx:xx:xx:xx, the mac address will change, but ONLY stay until you reboot the machine, then it changes back. You have to put that command into a script under /system/library/starupitems/ and then run sudo chmod 700 script.sh sudo defaults write com.apple.loginwindow LoginHook /System/Library/StartupItems/script.sh to get it to stick permanently. So it seems to me like people are probably doing this intentionally. 
Greg Williams IT Security Principal University of Colorado at Colorado Springs greg.willi...@uccs.edu -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Hao, Justin C Sent: Monday, September 20, 2010 4:34 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses it does show up occasionally, and as far as i can tell, this is because users are following on-line tutorials for cracking WEP passwords (several of them reference changing your mac interface to 00:11:22:33:44:55 manually in the instructions to setup traffic sniffing. If your users are using these on a production network you may want to follow up as they may have inadvertently changed their mac address and have no realized they need to change it back. or you could be mischievous and block that mac address completely and let them come forwards to have their machine fixed. I don't believe this is a bug, but more user-inflicted. - Justin Hao CCNA Network Engineer, ITS Networking The University of Texas at Austin j...@austin.utexas.edu - On Sep 20, 2010, at 5:21 PM, Cortes, Diana wrote: Has anyone encountered any Macbooks with the following MAC addresses: 00:11:22:33:44:55? We believe this may be an Apple bug as we have found 2 on our campus already with the exact same MAC address. Thank you, Diana Cortes, CISSP, CWNA University of MIami IT-Telecommunications ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. 
RE: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses
I have 7 or 8 machines with this MAC address on our campus. Is it possible that Apple did something not nice with the MAC addresses in the MacBooks? We will try to track some of them down, but it won't be easy even using the block-it-nd-they-will-come method. -jcw From: The EDUCAUSE Wireless Issues Constituent Group Listserv [wireless-...@listserv.educause.edu] On Behalf Of Cortes, Diana [dcor...@miami.edu] Sent: Friday, September 24, 2010 4:17 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses Thought I'd share some interesting news... The student was able to recover the box where her Macbook Pro came in and indeed the Airport ID printed on the box is 00:11:22:33:44:55 Diana Cortes, CISSP, CWNA University of Miami IT - Telecommunications -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Greg Williams Sent: Monday, September 20, 2010 7:19 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses Not sure if there is software out there for the mac to change this automatically, if you just do an ifconfig en1 ether xx:xx:xx:xx:xx:xx, the mac address will change, but ONLY stay until you reboot the machine, then it changes back. You have to put that command into a script under /system/library/starupitems/ and then run sudo chmod 700 script.sh sudo defaults write com.apple.loginwindow LoginHook /System/Library/StartupItems/script.sh to get it to stick permanently. So it seems to me like people are probably doing this intentionally. 
Greg Williams IT Security Principal University of Colorado at Colorado Springs greg.willi...@uccs.edu -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Hao, Justin C Sent: Monday, September 20, 2010 4:34 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses it does show up occasionally, and as far as i can tell, this is because users are following on-line tutorials for cracking WEP passwords (several of them reference changing your mac interface to 00:11:22:33:44:55 manually in the instructions to setup traffic sniffing. If your users are using these on a production network you may want to follow up as they may have inadvertently changed their mac address and have no realized they need to change it back. or you could be mischievous and block that mac address completely and let them come forwards to have their machine fixed. I don't believe this is a bug, but more user-inflicted. - Justin Hao CCNA Network Engineer, ITS Networking The University of Texas at Austin j...@austin.utexas.edu - On Sep 20, 2010, at 5:21 PM, Cortes, Diana wrote: Has anyone encountered any Macbooks with the following MAC addresses: 00:11:22:33:44:55? We believe this may be an Apple bug as we have found 2 on our campus already with the exact same MAC address. Thank you, Diana Cortes, CISSP, CWNA University of MIami IT-Telecommunications ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. 
RE: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses
Wow- that's one to get a picture of! -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Cortes, Diana Sent: Friday, September 24, 2010 5:18 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses Thought I'd share some interesting news... The student was able to recover the box where her Macbook Pro came in and indeed the Airport ID printed on the box is 00:11:22:33:44:55 Diana Cortes, CISSP, CWNA University of Miami IT - Telecommunications -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Greg Williams Sent: Monday, September 20, 2010 7:19 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses Not sure if there is software out there for the mac to change this automatically, if you just do an ifconfig en1 ether xx:xx:xx:xx:xx:xx, the mac address will change, but ONLY stay until you reboot the machine, then it changes back. You have to put that command into a script under /system/library/starupitems/ and then run sudo chmod 700 script.sh sudo defaults write com.apple.loginwindow LoginHook /System/Library/StartupItems/script.sh to get it to stick permanently. So it seems to me like people are probably doing this intentionally. 
Greg Williams IT Security Principal University of Colorado at Colorado Springs greg.willi...@uccs.edu -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Hao, Justin C Sent: Monday, September 20, 2010 4:34 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses it does show up occasionally, and as far as i can tell, this is because users are following on-line tutorials for cracking WEP passwords (several of them reference changing your mac interface to 00:11:22:33:44:55 manually in the instructions to setup traffic sniffing. If your users are using these on a production network you may want to follow up as they may have inadvertently changed their mac address and have no realized they need to change it back. or you could be mischievous and block that mac address completely and let them come forwards to have their machine fixed. I don't believe this is a bug, but more user-inflicted. - Justin Hao CCNA Network Engineer, ITS Networking The University of Texas at Austin j...@austin.utexas.edu - On Sep 20, 2010, at 5:21 PM, Cortes, Diana wrote: Has anyone encountered any Macbooks with the following MAC addresses: 00:11:22:33:44:55? We believe this may be an Apple bug as we have found 2 on our campus already with the exact same MAC address. Thank you, Diana Cortes, CISSP, CWNA University of MIami IT-Telecommunications ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. 
Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses
We just had our first... Ken Connell Intermediate Network Engineer Computer Communication Services Ryerson University 350 Victoria St RM AB50 Toronto, Ont M5B 2K3 416-979-5000 x6709 -Original Message- From: Lee H Badman lhbad...@syr.edu Sender: The EDUCAUSE Wireless Issues Constituent Group Listserv WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Date: Sat, 25 Sep 2010 21:31:17 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Reply-to: The EDUCAUSE Wireless Issues Constituent Group Listserv WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses Wow- that's one to get a picture of! -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Cortes, Diana Sent: Friday, September 24, 2010 5:18 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses Thought I'd share some interesting news... The student was able to recover the box where her Macbook Pro came in and indeed the Airport ID printed on the box is 00:11:22:33:44:55 Diana Cortes, CISSP, CWNA University of Miami IT - Telecommunications -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Greg Williams Sent: Monday, September 20, 2010 7:19 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses Not sure if there is software out there for the mac to change this automatically, if you just do an ifconfig en1 ether xx:xx:xx:xx:xx:xx, the mac address will change, but ONLY stay until you reboot the machine, then it changes back. You have to put that command into a script under /system/library/starupitems/ and then run sudo chmod 700 script.sh sudo defaults write com.apple.loginwindow LoginHook /System/Library/StartupItems/script.sh to get it to stick permanently. 
So it seems to me like people are probably doing this intentionally. Greg Williams IT Security Principal University of Colorado at Colorado Springs greg.willi...@uccs.edu -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Hao, Justin C Sent: Monday, September 20, 2010 4:34 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses it does show up occasionally, and as far as i can tell, this is because users are following on-line tutorials for cracking WEP passwords (several of them reference changing your mac interface to 00:11:22:33:44:55 manually in the instructions to setup traffic sniffing. If your users are using these on a production network you may want to follow up as they may have inadvertently changed their mac address and have no realized they need to change it back. or you could be mischievous and block that mac address completely and let them come forwards to have their machine fixed. I don't believe this is a bug, but more user-inflicted. - Justin Hao CCNA Network Engineer, ITS Networking The University of Texas at Austin j...@austin.utexas.edu - On Sep 20, 2010, at 5:21 PM, Cortes, Diana wrote: Has anyone encountered any Macbooks with the following MAC addresses: 00:11:22:33:44:55? We believe this may be an Apple bug as we have found 2 on our campus already with the exact same MAC address. Thank you, Diana Cortes, CISSP, CWNA University of MIami IT-Telecommunications ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. 
Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses
That's really odd, apple supposedly doesn't own 00:11:22 as an oui, they do own 00:11:24.. This is drawn from the IEEE.org oui lookup btw. --- Justin Hao On Sep 24, 2010, at 4:17 PM, Cortes, Diana dcor...@miami.edu wrote: Thought I'd share some interesting news... The student was able to recover the box where her Macbook Pro came in and indeed the Airport ID printed on the box is 00:11:22:33:44:55 Diana Cortes, CISSP, CWNA University of Miami IT - Telecommunications -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Greg Williams Sent: Monday, September 20, 2010 7:19 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses Not sure if there is software out there for the mac to change this automatically, if you just do an ifconfig en1 ether xx:xx:xx:xx:xx:xx, the mac address will change, but ONLY stay until you reboot the machine, then it changes back. You have to put that command into a script under /system/library/starupitems/ and then run sudo chmod 700 script.sh sudo defaults write com.apple.loginwindow LoginHook /System/Library/StartupItems/script.sh to get it to stick permanently. So it seems to me like people are probably doing this intentionally. Greg Williams IT Security Principal University of Colorado at Colorado Springs greg.willi...@uccs.edu -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Hao, Justin C Sent: Monday, September 20, 2010 4:34 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses it does show up occasionally, and as far as i can tell, this is because users are following on-line tutorials for cracking WEP passwords (several of them reference changing your mac interface to 00:11:22:33:44:55 manually in the instructions to setup traffic sniffing. 
If your users are using these on a production network you may want to follow up as they may have inadvertently changed their mac address and have not realized they need to change it back. or you could be mischievous and block that mac address completely and let them come forwards to have their machine fixed. I don't believe this is a bug, but more user-inflicted. - Justin Hao CCNA Network Engineer, ITS Networking The University of Texas at Austin j...@austin.utexas.edu - On Sep 20, 2010, at 5:21 PM, Cortes, Diana wrote: Has anyone encountered any Macbooks with the following MAC addresses: 00:11:22:33:44:55? We believe this may be an Apple bug as we have found 2 on our campus already with the exact same MAC address. Thank you, Diana Cortes, CISSP, CWNA University of Miami IT-Telecommunications
Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses
I just found an old apple discussion thread from 2008 where another user claims he received this Mac straight from the factory http://discussions.apple.com/thread.jspa?threadID=1775581 This could be some kind of manufacturing defect? Unless by chance your user has the exact MacBook mentioned in the thread --- Justin Hao On Sep 24, 2010, at 4:17 PM, Cortes, Diana dcor...@miami.edu wrote: Thought I'd share some interesting news... The student was able to recover the box where her Macbook Pro came in and indeed the Airport ID printed on the box is 00:11:22:33:44:55 Diana Cortes, CISSP, CWNA University of Miami IT - Telecommunications -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Greg Williams Sent: Monday, September 20, 2010 7:19 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses Not sure if there is software out there for the mac to change this automatically, if you just do an ifconfig en1 ether xx:xx:xx:xx:xx:xx, the mac address will change, but ONLY stay until you reboot the machine, then it changes back. You have to put that command into a script under /system/library/starupitems/ and then run sudo chmod 700 script.sh sudo defaults write com.apple.loginwindow LoginHook /System/Library/StartupItems/script.sh to get it to stick permanently. So it seems to me like people are probably doing this intentionally. 
Greg Williams IT Security Principal University of Colorado at Colorado Springs greg.willi...@uccs.edu -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Hao, Justin C Sent: Monday, September 20, 2010 4:34 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses it does show up occasionally, and as far as i can tell, this is because users are following on-line tutorials for cracking WEP passwords (several of them reference changing your mac interface to 00:11:22:33:44:55 manually in the instructions to setup traffic sniffing. If your users are using these on a production network you may want to follow up as they may have inadvertently changed their mac address and have no realized they need to change it back. or you could be mischievous and block that mac address completely and let them come forwards to have their machine fixed. I don't believe this is a bug, but more user-inflicted. - Justin Hao CCNA Network Engineer, ITS Networking The University of Texas at Austin j...@austin.utexas.edu - On Sep 20, 2010, at 5:21 PM, Cortes, Diana wrote: Has anyone encountered any Macbooks with the following MAC addresses: 00:11:22:33:44:55? We believe this may be an Apple bug as we have found 2 on our campus already with the exact same MAC address. Thank you, Diana Cortes, CISSP, CWNA University of MIami IT-Telecommunications ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. 
Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses
it does show up occasionally, and as far as i can tell, this is because users are following on-line tutorials for cracking WEP passwords (several of them reference changing your mac interface to 00:11:22:33:44:55 manually in the instructions to set up traffic sniffing). If your users are using these on a production network you may want to follow up as they may have inadvertently changed their mac address and have not realized they need to change it back. or you could be mischievous and block that mac address completely and let them come forwards to have their machine fixed. I don't believe this is a bug, but more user-inflicted. - Justin Hao CCNA Network Engineer, ITS Networking The University of Texas at Austin j...@austin.utexas.edu - On Sep 20, 2010, at 5:21 PM, Cortes, Diana wrote: Has anyone encountered any Macbooks with the following MAC addresses: 00:11:22:33:44:55? We believe this may be an Apple bug as we have found 2 on our campus already with the exact same MAC address. Thank you, Diana Cortes, CISSP, CWNA University of Miami IT-Telecommunications
Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses
On Mon, 20 Sep 2010 18:21:37 -0400, Cortes, Diana dcor...@miami.edu said: Has anyone encountered any Macbooks with the following MAC addresses: 00:11:22:33:44:55? We believe this may be an Apple bug as we have found 2 on our campus already with the exact same MAC address. That's the same MAC address I have on my luggage! I just checked through all of our Cisco WLC logs, that address made several appearances in May and June of last year, but not since then. -- Nick Kartsioukas Cuesta College Computer Services 805-546-3248
Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses
your wlc logs go back to may and june? wow.. our wlc logs barely contain information from the last hour much less a day or more.. heh (i'm assuming you have the logs pushed somewhere else for long term storage) - Justin Hao CCNA Network Engineer, ITS Networking The University of Texas at Austin j...@austin.utexas.edu - On Sep 20, 2010, at 5:36 PM, Nick Kartsioukas wrote: On Mon, 20 Sep 2010 18:21:37 -0400, Cortes, Diana dcor...@miami.edu said: Has anyone encountered any Macbooks with the following MAC addresses: 00:11:22:33:44:55? We believe this may be an Apple bug as we have found 2 on our campus already with the exact same MAC address. That's the same MAC address I have on my luggage! I just checked through all of our Cisco WLC logs, that address made several appearances in May and June of last year, but not since then. -- Nick Kartsioukas Cuesta College Computer Services 805-546-3248
Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses
On Mon, 20 Sep 2010 17:51:46 -0500, Hao, Justin C j...@austin.utexas.edu said: your wlc logs go back to may and june? wow.. our wlc logs barely contain information from the last hour much less a day or more.. heh (i'm assuming you have the logs pushed somewhere else for long term storage) Yeah, most of our gear logs to syslog on a box that has a bunch of storage. -- Nick Kartsioukas Cuesta College Computer Services 805-546-3248
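Added example (not part of any poster's message): one way to search centrally stored syslog, as described in the messages above, for a MAC address that is shared by several devices. It assumes ISC dhcpd-style `DHCPOFFER/DHCPACK on <ip> to <mac> (<hostname>) via <iface>` lines; the sample log lines, the watchlist and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Address this thread is about. It is kept on an explicit watchlist because,
# as the code below shows, it does not have the locally-administered bit set.
WATCHLIST = {"00:11:22:33:44:55"}

# Matches the lease part of a dhcpd syslog line; the hostname is optional.
LEASE_RE = re.compile(
    r"DHCP(?:OFFER|ACK) on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"to (?P<mac>[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)"
)

# Constructed sample input (not real log data).
SAMPLE_LOG = """\
Sep 22 16:01:50 dhcp1 dhcpd: DHCPOFFER on 192.168.100.211 to 00:11:22:33:44:55 (android_example1) via eth1
Sep 22 16:01:51 dhcp1 dhcpd: DHCPACK on 192.168.100.211 to 00:11:22:33:44:55 (android_example1) via eth1
Sep 22 16:40:02 dhcp1 dhcpd: DHCPACK on 192.168.100.57 to 00:11:22:33:44:55 (students-macbook) via eth1
Sep 22 16:41:10 dhcp1 dhcpd: DHCPACK on 192.168.100.80 to 00:1b:63:aa:bb:cc (lab-imac) via eth1
Sep 22 16:45:33 dhcp1 dhcpd: DHCPACK on 192.168.100.91 to 02:00:00:12:34:56 via eth1
Sep 22 16:50:00 dhcp1 dhcpd: DHCPREQUEST for 192.168.100.80 from 00:1b:63:aa:bb:cc via eth1
""".splitlines()


def normalize_mac(raw):
    """Return lower-case colon form for colon, dash or Cisco dotted input."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac):
    """True when bit 0x02 of the first octet is set (not a vendor-assigned OUI)."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)


def analyze(lines, watchlist=WATCHLIST):
    """Group lease events by MAC and return only the MACs worth following up."""
    seen = defaultdict(lambda: {"hosts": set(), "ips": set()})
    for line in lines:
        match = LEASE_RE.search(line)
        if not match:
            continue  # not an OFFER/ACK line
        mac = normalize_mac(match.group("mac"))
        seen[mac]["ips"].add(match.group("ip"))
        if match.group("host"):
            seen[mac]["hosts"].add(match.group("host"))

    findings = {}
    for mac, info in seen.items():
        reasons = []
        if mac in watchlist:
            reasons.append("watchlist")
        if len(info["hosts"]) > 1:
            # One MAC announcing several hostnames suggests several devices.
            reasons.append("multiple-hostnames")
        if is_locally_administered(mac):
            reasons.append("locally-administered")
        if reasons:
            findings[mac] = {
                "reasons": reasons,
                "hosts": sorted(info["hosts"]),
                "ips": sorted(info["ips"]),
            }
    return findings


if __name__ == "__main__":
    for mac, info in analyze(SAMPLE_LOG).items():
        print(mac, ", ".join(info["reasons"]), info["hosts"], info["ips"])
```

The hostname comparison only separates devices that send different hostnames; switch CAM or WLC client tables are still needed to tell apart devices that do not.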
RE: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses
Thanks... we actually visited the student and saw that this was the MAC address configured on the system. The student also claims this is the MAC address on the box but we are still waiting to verify... (i.e. see the box) Thanks for the feedback... Diana -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Hao, Justin C Sent: Monday, September 20, 2010 6:34 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses it does show up occasionally, and as far as i can tell, this is because users are following on-line tutorials for cracking WEP passwords (several of them reference changing your mac interface to 00:11:22:33:44:55 manually in the instructions to setup traffic sniffing. If your users are using these on a production network you may want to follow up as they may have inadvertently changed their mac address and have no realized they need to change it back. or you could be mischievous and block that mac address completely and let them come forwards to have their machine fixed. I don't believe this is a bug, but more user-inflicted. - Justin Hao CCNA Network Engineer, ITS Networking The University of Texas at Austin j...@austin.utexas.edu - On Sep 20, 2010, at 5:21 PM, Cortes, Diana wrote: Has anyone encountered any Macbooks with the following MAC addresses: 00:11:22:33:44:55? We believe this may be an Apple bug as we have found 2 on our campus already with the exact same MAC address. Thank you, Diana Cortes, CISSP, CWNA University of MIami IT-Telecommunications ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. 
Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses
The MAC should also be on a label inside the battery compartment as I recall. -Chris On Sep 20, 2010, at 7:02 PM, Cortes, Diana dcor...@miami.edu wrote: Thanks... we actually visited the student and saw that this was the MAC address configured on the system. The student also claims this is the MAC address on the box but we are still waiting to verify... (i.e. see the box) Thanks for the feedback... Diana -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Hao, Justin C Sent: Monday, September 20, 2010 6:34 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses it does show up occasionally, and as far as i can tell, this is because users are following on-line tutorials for cracking WEP passwords (several of them reference changing your mac interface to 00:11:22:33:44:55 manually in the instructions to setup traffic sniffing. If your users are using these on a production network you may want to follow up as they may have inadvertently changed their mac address and have no realized they need to change it back. or you could be mischievous and block that mac address completely and let them come forwards to have their machine fixed. I don't believe this is a bug, but more user-inflicted. - Justin Hao CCNA Network Engineer, ITS Networking The University of Texas at Austin j...@austin.utexas.edu - On Sep 20, 2010, at 5:21 PM, Cortes, Diana wrote: Has anyone encountered any Macbooks with the following MAC addresses: 00:11:22:33:44:55? We believe this may be an Apple bug as we have found 2 on our campus already with the exact same MAC address. Thank you, Diana Cortes, CISSP, CWNA University of MIami IT-Telecommunications ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. 
Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses
it is highly unlikely that the original mac address on the box is 00:11:22:33:44:55 as this block belongs to CIMsys which is a korean company that produces wireless adapters for analog/serial conversion/relay as well as wireless repeaters and zigbee APs. They don't produce wireless adapters/cards for computers as far as i can tell, and is even more unlikely to be the manufacturer of the wireless card of a macbook. (those are all atheros and broadcom i believe?) - Justin Hao CCNA Network Engineer, ITS Networking The University of Texas at Austin j...@austin.utexas.edu - On Sep 20, 2010, at 6:02 PM, Cortes, Diana wrote: Thanks... we actually visited the student and saw that this was the MAC address configured on the system. The student also claims this is the MAC address on the box but we are still waiting to verify... (i.e. see the box) Thanks for the feedback... Diana -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Hao, Justin C Sent: Monday, September 20, 2010 6:34 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses it does show up occasionally, and as far as i can tell, this is because users are following on-line tutorials for cracking WEP passwords (several of them reference changing your mac interface to 00:11:22:33:44:55 manually in the instructions to setup traffic sniffing. If your users are using these on a production network you may want to follow up as they may have inadvertently changed their mac address and have no realized they need to change it back. or you could be mischievous and block that mac address completely and let them come forwards to have their machine fixed. I don't believe this is a bug, but more user-inflicted. 
- Justin Hao CCNA Network Engineer, ITS Networking The University of Texas at Austin j...@austin.utexas.edu - On Sep 20, 2010, at 5:21 PM, Cortes, Diana wrote: Has anyone encountered any Macbooks with the following MAC addresses: 00:11:22:33:44:55? We believe this may be an Apple bug as we have found 2 on our campus already with the exact same MAC address. Thank you, Diana Cortes, CISSP, CWNA University of Miami IT-Telecommunications
RE: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses
Not sure if there is software out there for the mac to change this automatically, if you just do an ifconfig en1 ether xx:xx:xx:xx:xx:xx, the mac address will change, but ONLY stay until you reboot the machine, then it changes back. You have to put that command into a script under /System/Library/StartupItems/ and then run sudo chmod 700 script.sh sudo defaults write com.apple.loginwindow LoginHook /System/Library/StartupItems/script.sh to get it to stick permanently. So it seems to me like people are probably doing this intentionally. Greg Williams IT Security Principal University of Colorado at Colorado Springs greg.willi...@uccs.edu -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Hao, Justin C Sent: Monday, September 20, 2010 4:34 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses it does show up occasionally, and as far as i can tell, this is because users are following on-line tutorials for cracking WEP passwords (several of them reference changing your mac interface to 00:11:22:33:44:55 manually in the instructions to set up traffic sniffing). If your users are using these on a production network you may want to follow up as they may have inadvertently changed their mac address and have not realized they need to change it back. or you could be mischievous and block that mac address completely and let them come forwards to have their machine fixed. I don't believe this is a bug, but more user-inflicted. - Justin Hao CCNA Network Engineer, ITS Networking The University of Texas at Austin j...@austin.utexas.edu - On Sep 20, 2010, at 5:21 PM, Cortes, Diana wrote: Has anyone encountered any Macbooks with the following MAC addresses: 00:11:22:33:44:55? We believe this may be an Apple bug as we have found 2 on our campus already with the exact same MAC address.
Thank you, Diana Cortes, CISSP, CWNA University of Miami IT-Telecommunications