
Unknown wireless device


tech101us

I've got a device popping up on my wireless that I'm having a hard time identifying. I scanned it with NMAP and it identified itself as a Fortigate device (see details below). I also tried to hit it with Nessus, but unfortunately whenever I attempt to scan the device for any period of time, it drops off the network. I've blocked it from any outbound traffic in my firewall and am logging packets (so far none seen). I also created a static DHCP address for the MAC address so when it does come online, it always gets the same IP address. Trying to determine whether I have a wireless interloper or this is a valid device on my network. The MAC address is an odd IEEE registered address. Appreciate any thoughts anyone has. It does have an open HTTP port with a very basic browser page that says something to the effect of "this page does not exist" and a link to go "home" which returns you to the same page.

sudo nmap -sS -O xxx.xxx.xxx.xxx
Starting Nmap 7.80 ( https://nmap.org ) at 2021-02-08 09:05 CST
Nmap scan report for xxx.xxx.xxx.xxx
Host is up (0.021s latency).
Not shown: 849 filtered ports, 150 closed ports
PORT STATE SERVICE
80/tcp open http
MAC Address: CC:C2:61:50:0E:7C (Unknown)
Device type: firewall
Running (JUST GUESSING): Fortinet embedded (87%)
OS CPE: cpe:/h:fortinet:fortigate_100d
Aggressive OS guesses: Fortinet FortiGate 100D firewall (87%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop


Nmap's OS fingerprinting is not always accurate, especially when it says it is only 87% sure, so I'd not put much weight on that.

The easiest thing to do is to change the wireless password and then see what happens. Only change the password on devices one or two at a time and see if it comes back. If it does, check on the last few you updated. If it is someone who managed to get your key, as long as you pick a good strong one this time you should be able to keep them off. At least for a while.

Did you do any check of things like HTTP headers from the web server? Banner grabbing or info in the HTML header may tell you the OS or give some indication about the device.

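One way to do the HTTP banner grab suggested above. This is an added example and not code from the thread: it sends a single HTTP/1.0 request over a raw socket (so the exact Server string and any odd headers are preserved), uses a short timeout because the device in question drops off the network when scanned for long, and pulls out the fields that most often name a device or its firmware. The address 192.168.1.50 is a placeholder for the reserved DHCP address, and the sample reply at the bottom is constructed, not captured from the device.

```python
"""Grab HTTP headers and page markers from an unknown LAN host.

Added example, not from the original thread. Assumes the device answers on
TCP/80 as in the nmap output; TARGET is a placeholder for the reserved address.
"""
import re
import socket
from typing import Dict, List, Tuple, Union

TARGET = "192.168.1.50"   # assumption: the static DHCP address you reserved
PORT = 80


def raw_http_request(host: str, port: int = 80, path: str = "/",
                     timeout: float = 3.0, method: str = "GET") -> bytes:
    """Send one minimal HTTP/1.0 request over a plain socket and return the raw reply.

    A raw socket (rather than an HTTP library) keeps the Server header and any
    non-standard headers byte-for-byte. The tight timeout matters: a device that
    drops off the network under a long scan gets one polite request, not a probe.
    """
    request = (f"{method} {path} HTTP/1.0\r\n"
               f"Host: {host}\r\n"
               "User-Agent: device-id-check/1.0\r\n"
               "Connection: close\r\n\r\n").encode()
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        while True:
            try:
                data = sock.recv(4096)
            except socket.timeout:   # server went quiet; keep what we have
                break
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def parse_response(raw: bytes) -> Tuple[str, Dict[str, str], str]:
    """Split a raw HTTP reply into (status line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = lines[0] if lines else ""
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers, body.decode("utf-8", errors="replace")


def fingerprint(status: str, headers: Dict[str, str],
                body: str) -> Dict[str, Union[str, List[str]]]:
    """Collect the fields that most often reveal a device, OS or firmware."""
    clues: Dict[str, Union[str, List[str]]] = {"status": status}
    for name in ("server", "x-powered-by", "www-authenticate",
                 "set-cookie", "location"):
        if name in headers:
            clues[name] = headers[name]
    m = re.search(r"<title[^>]*>(.*?)</title>", body, re.I | re.S)
    if m:
        clues["title"] = " ".join(m.group(1).split())
    m = re.search(r'<meta[^>]+name=["\']generator["\'][^>]+content=["\']([^"\']+)',
                  body, re.I)
    if m:
        clues["generator"] = m.group(1)
    # The "home" link from the post: list every href so you can see where they point.
    clues["links"] = sorted(set(re.findall(r'href=["\']([^"\']+)', body, re.I)))
    return clues


# Constructed sample reply (not captured from any real device) for offline use.
SAMPLE_REPLY = (
    b"HTTP/1.0 404 Not Found\r\n"
    b"Server: embedded-httpd/0.1\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><head><title>404 - Not Found</title></head>"
    b"<body>This page does not exist. <a href=\"/\">home</a></body></html>"
)

if __name__ == "__main__":
    try:
        raw = raw_http_request(TARGET, PORT)
    except OSError as exc:   # refused, timed out, or the device is off the network again
        print(f"{TARGET}:{PORT} unreachable ({exc}); parsing the constructed sample instead")
        raw = SAMPLE_REPLY
    for key, value in fingerprint(*parse_response(raw)).items():
        print(f"{key}: {value}")
```

Run it once while the device is online and note the Server header, page title and link targets; a second request with `method="HEAD"` or a path such as `/index.html` often returns a different, more descriptive error page than `/`. Keep it to a handful of requests: the point is to read what the device volunteers, not to make it disconnect.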

Thanks @digininja. Didn't consider looking at the HTTP headers. Changing my WPA2 password is something I'm due for. I just didn't want to totally disconnect this unknown device without trying to learn a bit more about it. Unfortunately, it seems like whatever it is, it hasn't come back. So for the time being, I'll just change the wifi password and continue to keep an eye on things.

Appreciate the feedback and the HAK5 forums for the same.


Happy to share that I solved this one. Turns out that this is actually our Shark Robo-Vacuum. It dawned on me when the vacuum wasn't doing anything for a couple of days after I blocked its access to the internet. Apparently I neutered it (yes, pun intended 😀) when I disabled its access to the cloud. I'll have to report this one to the NMAP folks. It's running some sort of embedded Linux that doesn't respond well to NMAP scans.
