Hello,
I have something I have never seen before and was wondering if anyone in the community has seen something like this?
So some active directory accounts are getting locked intermittently and I had to do some sniffing and I have an IP address showing up in a non-used subnet 10.1.2.x And it shows an unrecognized MAC address. This virtual machine is in a Nutanix environment.
I am trying to figure this out without bringing in paid outside help. Thanks in advance for any responses. c2:ea:e4:c5:57:e6 is the MAC in question. I don't fully understand this request. 10.1.2.18 is the mystery ip that doesn't ping, 10.1.3.9 is the DC. AD Audit provides nonexistent machines making the requests and even blank. "User account 'Administrator' was locked from computer ''."
[image: image.png]
-- Thank You, Joe
mac addresses can be lies... and they can repeat... joy!
On Fri, Jul 8, 2022 at 12:22 PM JoeSox <joesox@gmail.com> wrote:
Hello,
I have something I have never seen before and was wondering if anyone in the community has seen something like this?
So some active directory accounts are getting locked intermittently and I had to do some sniffing and I have an IP address showing up in a non-used subnet 10.1.2.x And it shows an unrecognized MAC address. This virtual machine is in a Nutanix environment.
I am trying to figure this out without bringing in paid outside help. Thanks in advance for any responses. c2:ea:e4:c5:57:e6 is the MAC in question. I don't fully understand this request. 10.1.2.18 is the mystery ip that doesn't ping, 10.1.3.9 is the DC. AD Audit provides nonexistent machines making the requests and even blank. "User account 'Administrator' was locked from computer ''."
[image: image.png]
-- Thank You, Joe
Fri, Jul 08, 2022 at 12:43:49PM -0400, Christopher Morrow:
mac addresses can be lies... and they can repeat... joy!
eg; https://www.extremenetworks.com/extreme-networks-blog/wi-fi-mac-randomizatio...
On Fri, Jul 8, 2022 at 12:22 PM JoeSox <joesox@gmail.com> wrote:
Hello,
I have something I have never seen before and was wondering if anyone in the community has seen something like this?
So some active directory accounts are getting locked intermittently and I had to do some sniffing and I have an IP address showing up in a non-used subnet 10.1.2.x And it shows an unrecognized MAC address. This virtual machine is in a Nutanix environment.
I am trying to figure this out without bringing in paid outside help. Thanks in advance for any responses. c2:ea:e4:c5:57:e6 is the MAC in question. I don't fully understand this request. 10.1.2.18 is the mystery ip that doesn't ping, 10.1.3.9 is the DC. AD Audit provides nonexistent machines making the requests and even blank. "User account 'Administrator' was locked from computer ''."
[image: image.png]
-- Thank You, Joe
I think that is a randomized address. Look at the second character in a MAC address; if it is a 2, 6, A, or E, it is a randomized address. Per https://www.mist.com/get-to-know-mac-address-randomization-in-2020/
Brandon Svec
On Fri, Jul 8, 2022 at 9:24 AM JoeSox <joesox@gmail.com> wrote:
Hello,
I have something I have never seen before and was wondering if anyone in the community has seen something like this?
So some active directory accounts are getting locked intermittently and I had to do some sniffing and I have an IP address showing up in a non-used subnet 10.1.2.x And it shows an unrecognized MAC address. This virtual machine is in a Nutanix environment.
I am trying to figure this out without bringing in paid outside help. Thanks in advance for any responses. c2:ea:e4:c5:57:e6 is the MAC in question. I don't fully understand this request. 10.1.2.18 is the mystery ip that doesn't ping, 10.1.3.9 is the DC. AD Audit provides nonexistent machines making the requests and even blank. "User account 'Administrator' was locked from computer ''."
[image: image.png]
-- Thank You, Joe
Technically the rightmost is the multicast bit, the 2nd rightmost is locally assigned; it doesn't imply randomisation, it is unknowable how it was assigned.
On Fri, 8 Jul 2022 at 20:07, Brandon Svec via NANOG <nanog@nanog.org> wrote:
I think that is a randomized address. Look at the second character in a MAC address; if it is a 2, 6, A, or E, it is a randomized address. Per https://www.mist.com/get-to-know-mac-address-randomization-in-2020/
Brandon Svec
On Fri, Jul 8, 2022 at 9:24 AM JoeSox <joesox@gmail.com> wrote:
Hello,
I have something I have never seen before and was wondering if anyone in the community has seen something like this?
So some active directory accounts are getting locked intermittently and I had to do some sniffing and I have an IP address showing up in a non-used subnet 10.1.2.x And it shows an unrecognized MAC address. This virtual machine is in a Nutanix environment.
I am trying to figure this out without bringing in paid outside help. Thanks in advance for any responses. c2:ea:e4:c5:57:e6 is the MAC in question. I don't fully understand this request. 10.1.2.18 is the mystery ip that doesn't ping, 10.1.3.9 is the DC. AD Audit provides nonexistent machines making the requests and even blank. "User account 'Administrator' was locked from computer ''."
[image: image.png]
-- Thank You, Joe
-- ++ytti
The vendor code C0-EA-E4 looks like Sonicwall. It's not unusual for a device to take a global address on the device and flip the local bit for some other use.
On Fri, Jul 8, 2022 at 10:13 AM Saku Ytti <saku@ytti.fi> wrote:
Technically the rightmost is the multicast bit, the 2nd rightmost is locally assigned; it doesn't imply randomisation, it is unknowable how it was assigned.
On Fri, 8 Jul 2022 at 20:07, Brandon Svec via NANOG <nanog@nanog.org> wrote:
I think that is a randomized address. Look at the second character in a MAC address; if it is a 2, 6, A, or E, it is a randomized address. Per https://www.mist.com/get-to-know-mac-address-randomization-in-2020/
Brandon Svec
On Fri, Jul 8, 2022 at 9:24 AM JoeSox <joesox@gmail.com> wrote:
Hello,
I have something I have never seen before and was wondering if anyone in the community has seen something like this?
So some active directory accounts are getting locked intermittently and I had to do some sniffing and I have an IP address showing up in a non-used subnet 10.1.2.x And it shows an unrecognized MAC address. This virtual machine is in a Nutanix environment.
I am trying to figure this out without bringing in paid outside help. Thanks in advance for any responses. c2:ea:e4:c5:57:e6 is the MAC in question. I don't fully understand this request. 10.1.2.18 is the mystery ip that doesn't ping, 10.1.3.9 is the DC. AD Audit provides nonexistent machines making the requests and even blank. "User account 'Administrator' was locked from computer ''."
[image: image.png]
-- Thank You, Joe
-- ++ytti
On Fri, Jul 8, 2022 at 9:22 AM JoeSox <joesox@gmail.com> wrote:
And it shows an unrecognized MAC address. This virtual machine is in a Nutanix environment. I am trying to figure this out without bringing in paid outside help. Thanks in advance for any responses. c2:ea:e4:c5:57:e6 is the MAC in question.
Hi Joe,
Any MAC address with the 2 bit set in the first byte (e.g. c2) is locally generated. Those are x2, x6, xA and xE. Typically this means a virtual machine but not always.
Best bet: trace it through your switch. If you have managed switches, they know which port any given mac address came from. You can trace that back to the machine and then look at the virtual switch on the machine to figure out which VM.
Incidentally, the 1 bit in the first byte means broadcast (1) or unicast (0).
Regards, Bill Herrin
-- For hire. https://bill.herrin.us/resume/
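The thread's three observations about the first octet (Brandon's "second character is 2, 6, A or E" rule, Saku's point that the rightmost two bits are the I/G and U/L flags and say nothing about how the address was chosen, and Crist's note that clearing the local bit on c2:ea:e4 gives the C0-EA-E4 vendor code) can be checked mechanically. The following is an added example written for this archive page, not code from any of the posters; it assumes only that the input is a 48-bit MAC in colon, dash, dot or bare-hex notation, and the three sample addresses in the `__main__` block are constructed for illustration.

```python
"""Decode the I/G and U/L flag bits of a 48-bit MAC address (added example)."""
import re

# Brandon's rule of thumb: second hex digit of the first octet in {2, 6, A, E}.
HEURISTIC_DIGITS = frozenset("26ae")


def parse_mac(text: str) -> bytes:
    """Accept 'c2:ea:e4:c5:57:e6', 'C2-EA-E4-C5-57-E6', 'c2ea.e4c5.57e6' or bare hex."""
    hexdigits = re.sub(r"[:\-.\s]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", hexdigits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes.fromhex(hexdigits)


def fmt(octets: bytes) -> str:
    """Canonical lower-case, colon-separated notation."""
    return ":".join(f"{b:02x}" for b in octets)


def describe_mac(text: str) -> dict:
    """Report the two flag bits of the first octet and the OUI candidates.

    Bit 0 (value 0x01) is the I/G bit: 1 = group/multicast, 0 = unicast.
    Bit 1 (value 0x02) is the U/L bit: 1 = locally administered, 0 = globally
    unique, i.e. the first three octets are an IEEE-assigned OUI.
    """
    octets = parse_mac(text)
    first = octets[0]
    group = bool(first & 0x01)
    local = bool(first & 0x02)
    # If a device took its burned-in address and set the U/L bit (Crist's
    # point), clearing that bit recovers the OUI that can be looked up.
    base_oui = bytes([first & ~0x02 & 0xFF]) + octets[1:3]
    return {
        "mac": fmt(octets),
        "group": group,
        "locally_administered": local,
        "oui": fmt(octets[:3]),
        "oui_with_ul_bit_cleared": fmt(base_oui),
        # True exactly when the U/L bit is set and the I/G bit is clear.
        "heuristic_flags_it": f"{first:02x}"[1] in HEURISTIC_DIGITS,
    }


def heuristic_equals_flags() -> bool:
    """Check over all 256 first-octet values that the 2/6/A/E rule is the same
    test as 'U/L set and I/G clear'. Neither test says whether the address was
    randomised, assigned by a hypervisor, or derived from a burned-in address."""
    for first in range(256):
        by_digit = f"{first:02x}"[1] in HEURISTIC_DIGITS
        by_bits = bool(first & 0x02) and not (first & 0x01)
        if by_digit != by_bits:
            return False
    return True


if __name__ == "__main__":
    # Constructed samples: the thread's MAC, the same MAC with U/L cleared,
    # and an mDNS multicast address to show the I/G bit.
    for mac in ("c2:ea:e4:c5:57:e6", "c0:ea:e4:c5:57:e6", "01:00:5e:00:00:fb"):
        print(describe_mac(mac))
    print("heuristic matches flag bits:", heuristic_equals_flags())
```

For c2:ea:e4:c5:57:e6 the result is unicast, locally administered, and the OUI with the U/L bit cleared is c0:ea:e4, which is the vendor prefix Crist identified; the U/L bit alone cannot distinguish a randomised client address from a firewall reusing its burned-in address, which is why the switch MAC table, not the address itself, is what locates the sender.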
FOLLOWUP: Looks like that MAC is our Sonicwall firewall and the packets are coming in from upstream on a shared VLAN but not a shared subnet (not sure how this is happening). Our sonicwall shows one virus hit on one of the new 10.1.2.0 addresses (upstream subnet) seen today. Thanks for all the responses. The upstream is investigating now.
-- Thank You, Joe
On Fri, Jul 8, 2022 at 11:40 AM William Herrin <bill@herrin.us> wrote:
On Fri, Jul 8, 2022 at 9:22 AM JoeSox <joesox@gmail.com> wrote:
And it shows an unrecognized MAC address. This virtual machine is in a Nutanix environment. I am trying to figure this out without bringing in paid outside help. Thanks in advance for any responses. c2:ea:e4:c5:57:e6 is the MAC in question.
Hi Joe,
Any MAC address with the 2 bit set in the first byte (e.g. c2) is locally generated. Those are x2, x6, xA and xE. Typically this means a virtual machine but not always.
Best bet: trace it through your switch. If you have managed switches, they know which port any given mac address came from. You can trace that back to the machine and then look at the virtual switch on the machine to figure out which VM.
Incidentally, the 1 bit in the first byte means broadcast (1) or unicast (0).
Regards, Bill Herrin
-- For hire. https://bill.herrin.us/resume/
participants (7): Brandon Svec, Christopher Morrow, Crist Clark, heasley, JoeSox, Saku Ytti, William Herrin