ravtek
Newcomer I

When is a device MAC address written to a router ARP table?

For forensics purposes:

 

If a mobile phone or laptop comes in range of my home router with wifi and the SSID of the router is shown on the wifi networks available, is the MAC address of the device captured by the router if no authentication request or attempt is made?

 

 

 

7 Replies
JKWiniger
Community Champion

I am not 100% sure on this, but my understanding is that the router or access point broadcasts the SSID and other information to everyone. The client receives this information and shows it in the available wireless networks list. At this point the router or access point has no information about the client since the client has not sent any information. Once the client tries to join the wireless network, information including the MAC address IS sent to the router or access point in order to begin the handshake.

 

John-

AlecTrevelyan
Community Champion


@ravtek wrote:

For forensics purposes:

 

If a mobile phone or laptop comes in range of my home router with wifi and the SSID of the router is shown on the wifi networks available, is the MAC address of the device captured by the router if no authentication request or attempt is made?

 

 

 


Your router won't write a MAC address into its ARP table until after a client has authenticated and obtained an IP address (either through DHCP or static assignment), and the router has a reason to try and contact the client via its IP address such as if it needs to forward reply packets to the client in relation to a web browsing session.

 

EDIT: just to add, it's rare for a home router to even allow you to see its ARP table, but it will often show you a list of connected devices which are devices that have been joined to the wifi network. These aren't necessarily the same thing. ARP is used to map IP addresses to MAC addresses, so it's quite possible for devices to be connected to the wifi network but not appear in the ARP table yet.

 

However, client devices not currently joined to a wifi network often send out wifi probes looking for familiar networks they've joined before and have been configured to remember, so your router will see those probes if any are sent by devices in range, and it will see the MAC addresses contained in the probes, but whether or not it captures/records them depends on the router but it's unlikely.

 

NB - there are lots of projects where people are trying to track wifi devices based on the probes they send out, to the point some wifi clients now send out randomised MAC addresses in the probe frames to combat this.
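
Added example, not part of the original thread or any poster's code: a sketch of the distinction drawn in the reply above, comparing wifi association records, DHCP leases and the ARP (neighbour) table on a Linux-based router, and flagging MACs with the locally administered bit set, which randomised addresses carry. The sample data, interface names (`wlan0`, `br-lan`) and addresses are constructed assumptions.

```python
import re

# Constructed sample data (not from the thread), in the output formats of
# `iw dev wlan0 station dump`, a dnsmasq lease file and `ip neigh show`.
# Interface names and addresses are assumptions.
STATIONS = """\
Station 3c:22:fb:10:20:30 (on wlan0)
Station da:a1:19:44:55:66 (on wlan0)
Station 00:1a:2b:77:88:99 (on wlan0)
"""
LEASES = """\
1700003600 3c:22:fb:10:20:30 192.168.1.20 laptop 01:3c:22:fb:10:20:30
1700003600 da:a1:19:44:55:66 192.168.1.21 * 01:da:a1:19:44:55:66
"""
NEIGH = """\
192.168.1.20 dev br-lan lladdr 3c:22:fb:10:20:30 REACHABLE
192.168.1.21 dev br-lan  FAILED
"""

MAC = r"((?:[0-9a-f]{2}:){5}[0-9a-f]{2})"

def macs(pattern, text):
    """Return the lower-cased MACs captured by pattern, one match per line."""
    return {m.lower() for m in re.findall(pattern, text, re.M | re.I)}

def is_randomised(mac):
    """True if the locally administered bit (0x02 of the first octet) is set,
    as it is on randomised MACs (it can also be set by hand)."""
    return bool(int(mac[:2], 16) & 0x02)

def evidence(stations=STATIONS, leases=LEASES, neigh=NEIGH):
    """Map each MAC to the router-side records it appears in."""
    assoc = macs(rf"^Station {MAC}", stations)      # joined the wifi network
    dhcp = macs(rf"^\d+ {MAC} ", leases)            # obtained an address
    arp = macs(rf"\blladdr {MAC}\b", neigh)         # router resolved IP -> MAC
    return {
        mac: {"associated": mac in assoc, "dhcp_lease": mac in dhcp,
              "arp_entry": mac in arp, "randomised": is_randomised(mac)}
        for mac in sorted(assoc | dhcp | arp)
    }

if __name__ == "__main__":
    for mac, row in evidence().items():
        print(mac, row)
```

In the sample, one station is associated with no lease or ARP entry, and another holds a lease but its neighbour entry is `FAILED` with no `lladdr`, so neither would show up in an ARP-only check.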

 

Shannon
Community Champion

 


@AlecTrevelyan wrote:

NB - there are lots of projects where people are trying to track wifi devices based on the probes they send out, to the point some wifi clients now send out randomised MAC addresses in the probe frames to combat this.

 


Yes, I forgot that my OS was doing that automatically until I attempted to get my WiFi NIC's MAC whitelisted for a network last year & found the connection attempts kept getting rejected --- after which I realized that the randomizer was on.  Man LOL

 

 


 

 

 

 

Shannon D'Cruz,
CISM, CISSP

www.linkedin.com/in/shannondcruz
ravtek
Newcomer I

Thank you for the replies.

If a home router supplied by the ISP provides a "FREE" hotspot function, in the UK commonly provided by Virgin Media and BT (for example https://www.btwifi.com/find/), so home users' hubs are used as a free hotspot where bandwidth is prioritised to the home users who are paying for the service.  I wonder if the MAC address is written to the router where the device in the vicinity of the router has pre-authenticated as some other destination to the same SSID but not at the same router.  So in passing the new premises is able to use the router's internet service without performing any further steps in authenticating.  Would the MAC address be written to the router in this case?

AlecTrevelyan
Community Champion


@ravtek wrote:

Thank you for the replies.

If a home router supplied by the ISP provides a "FREE" hotspot function, in the UK commonly provided by Virgin Media and BT (for example https://www.btwifi.com/find/), so home users' hubs are used as a free hotspot where bandwidth is prioritised to the home users who are paying for the service.  I wonder if the MAC address is written to the router where the device in the vicinity of the router has pre-authenticated as some other destination to the same SSID but not at the same router.  So in passing the new premises is able to use the router's internet service without performing any further steps in authenticating.  Would the MAC address be written to the router in this case?


If the router is actively communicating with a client using TCP/IP then, yes, the router will have cached the client's MAC address.

 

I had a quick search, but could only find high-level information about how routers that participate in those types of schemes use different channels and encryption on the wireless side for separation. I couldn't find anything about the inner workings of the routers and how, or if, logical separation is performed for things like ARP caches.

 

If you have concerns about your router participating in one of those schemes, you should be able to opt out.

 

Shannon
Community Champion

 

@ravtek, while I'm not familiar with the service you just described, I'll try to make a few things clear here...

 

1) For devices with SIM cards communicating over a GSM network, the device's IMEI number is used.

2) For devices with NICs communicating over WiFi networks, the NIC's MAC address is used.

3) Prior to connecting to a WiFi access point / hotspot, the MAC address generally isn't needed --- an exception is MAC filtering, where the MAC address is stored on the access point in advance.

4) With free WiFi hotspots that aren't completely open, one may initially be given limited WiFi access to allow authentication via a 'Captive portal' which prompts for credentials that it authenticates for full internet access. (If this involves the browser, the process isn't seamless --- so the mobile service provider may offer an application for authentication)

5) Use of MAC addresses as the sole means of authentication is very risky, since MAC addresses can be easily spoofed, so I'm assuming your provider is using the MAC address for the registration / tracking of devices.

6) EAP-SIM can be utilized to authenticate using the SIM card in the device.

 

 

I'm not certain how the system of the provider you mentioned works, so perhaps it's best for you to contact them to clarify this, and address concerns you might have pertaining to security.

 

 

 

 

 

Shannon D'Cruz,
CISM, CISSP

www.linkedin.com/in/shannondcruz
Caute_cautim
Community Champion

Hey everyone, what about IoT devices embedded into your home systems too?

 

They have MACs as well as IP addresses, they also have WiFi, Bluetooth, a network, and many other attributes including the ability to record passively everything you do or say with their own cameras too.

So let's get real, we are surrounded with these devices.

 

https://joshmccarty.com/how-i-used-mac-addresses-to-identify-all-the-smart-devices-on-my-network/

 

How many are in your homes on average?

 

Anyone know?

 

Regards

 

Caute_cautim