Unknown MAC address connected to router

  • I found an unknown MAC address connected to my home router. How would I figure out what OS the IP or MAC address is running?

    I'm not sure this is an IT Security question. Could you add more details? The MAC address itself could be useful. What is it about the MAC address that makes it seem "weird"?

    I say that because I've never seen the MAC address before. It's not in itself strange. I have a lot of devices connected so I would just like to figure out a way to get more info. Maybe nmap or netstat or something could help?

    Just check all your devices? If your wireless network is protected by WPA/WPA2 and the password is strong enough, it's very unlikely (as likely as cows flying) that somebody has accessed your network without being told the password to said network. If it's not being protected by WPA/WPA2 then you should enable it.

  • As @logicalscope says, you can also look at the MAC lookup chart to find out the manufacturer. This could be spoofed.

    You could try to find out the IP address of the device, then you could run nmap against it to see if you can identify the OS.

    This could be hidden from you, so an alternative would be to try and connect to it - does it give banners back? Ports 22, 23, 80, 443 etc could be useful starting points here.

    Failing that, try forcing it off the network and see if anything breaks :-)

    I would run nmap to see if there is a strange IP that would correspond to the MAC. You could also blacklist it and see what breaks. If a new strange MAC appears, they are probably spoofing.

  • You can check the first few digits of the MAC address at http://standards.ieee.org/develop/regauth/oui/oui.txt . That'll give you the vendor of the device's NIC.

    If you have access to the ARP table on your router you can translate the MAC address to an IP address, often with 'arp -a' or 'show arp' on a router command line.

    On your PC you can check hostname of the corresponding IP and whois information:

    $ nslookup <ip-address>
    $ whois <ip-address>
    $ whois <domainname from nslookup>

    Check if you can find out the current connections to your router with a netstat-like command. Check http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xml what the port may be used for.

    This should give you a handful of leads to analyse further.

    Thanks a lot. Only looking into the http://standards.ieee.org/develop/regauth/oui/oui.txt list helped to find out that the unknown devices on my network were our Motorola Mobility phones.

  • One way to possibly figure out what device it is, is to examine the MAC address itself. The first 3 hexadecimal numbers can be used to determine which company the MAC was assigned to. For instance, 00-03-93 is one (of many) MAC OUI prefixes that belongs to Apple.

    This doesn't always work if the MAC has been spoofed, has been set manually, or if it is assigned to a virtual machine (or you have a lot of devices. :-)
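
Added example, not part of any answer above: the OUI lookup and ARP-table steps from the two preceding answers combined, with a check for the locally administered bit (0x02 in the first octet), which is the case where a set-by-software or randomized MAC has no vendor entry to find. The `oui.txt` excerpt and `arp -a` output are constructed samples, and the function names are hypothetical.

```python
import re

# Constructed excerpt in the layout of the IEEE oui.txt file; 00-03-93 is
# the Apple prefix quoted in the answers above.
OUI_TXT = "00-03-93   (hex)\t\tApple, Inc.\n000393     (base 16)\t\tApple, Inc.\n"

# Constructed `arp -a` output: Linux/BSD-style lines, one Windows-style line.
ARP_OUTPUT = """\
? (192.168.1.10) at 00:03:93:aa:bb:cc [ether] on eth0
? (192.168.1.23) at da:a1:19:01:02:03 [ether] on eth0
  192.168.1.42          00-11-22-33-44-55     dynamic
? (192.168.1.99) at <incomplete> on eth0
"""

OUI_LINE = re.compile(r"^((?:[0-9A-F]{2}-){2}[0-9A-F]{2})\s+\(hex\)\s+(.+)$", re.M)
ARP_LINE = re.compile(
    r"\(?(\d{1,3}(?:\.\d{1,3}){3})\)?\s+(?:at\s+)?((?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2})",
    re.I)


def load_oui(text):
    """Map 6-hex-digit prefix -> vendor from oui.txt '(hex)' lines."""
    return {m.group(1).replace("-", ""): m.group(2).strip()
            for m in OUI_LINE.finditer(text)}


def classify(mac, oui):
    """Return the vendor, or say why a vendor lookup cannot work."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    # Bit 0x02 of the first octet marks a locally administered address:
    # randomized or set in software rather than assigned from a vendor OUI.
    if int(digits[:2], 16) & 0x02:
        return "locally administered"
    return oui.get(digits[:6], "OUI not in loaded table")


def inventory(arp_text, oui):
    """List (ip, mac, classification) for every complete ARP entry."""
    return [(ip, mac.lower().replace("-", ":"), classify(mac, oui))
            for ip, mac in ARP_LINE.findall(arp_text)]


if __name__ == "__main__":
    for row in inventory(ARP_OUTPUT, load_oui(OUI_TXT)):
        print(*row, sep="\t")
```

To use it on a real network, replace the two constructed strings with the downloaded `oui.txt` contents and the ARP output from the router or PC.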

  • There is an easy and better way

    • just log on to router's administrative panel (usually or
    • log in with the administrative username and password (usually admin admin)
    • look for a tab named or starting with or containing Interface, go to Local Area Network or LAN from there and you'll see a DHCP Clients Table.

    This table identifies all devices connected to the router by the device name, IP address and MAC address. On a Netgear router, click the “Attached Devices” link in the left navigation panel under the Maintenance heading.


    The "device name" can be very vague even without malice (I've seen "Samsung", which at the time could have been one of about 6 devices). If the router was provided by an ISP, you don't always have even such basic features.

    Yeah, "device name" is an issue. I have multiple Redmi phones at home. They all are connected as "Redmi", so I couldn't figure out which is which. That is why I made a separate txt file offline that contained device name + MAC address.

License under CC-BY-SA with attribution

Content dated before 7/24/2021 11:53 AM