[SOLVED] What OUI is this mac address 20:00:FF ?


borris618

Does anyone know what devices are using the MAC starting with 20:00:FF?
We have multiple devices on our network starting with this but I can't find out what company they are from or what devices they are.

Obviously they are blocked from network access, but it would be nice to know what it actually was.
 
Should be easy to find: just unplug cables until it goes away and then follow the cable. If it is wifi it should never even be on your network to start with unless you gave someone your password.

MAC addresses don't mean much. Most devices let you set them to anything you want. The owner part of the ID means very little anyway. Many companies no longer even exist or have been purchased or merged since things were allocated. Since almost everything is manufactured by Foxconn or one of the other large China-based manufacturers, many times devices come back to those anyway, so you don't really know what it is.
 

borris618

Thanks for the reply, but I think I need to clarify a bit.
Our company has many remote locations and it is at one of them that I see the MAC address in my logging.
The device is blocked by the network so I know it can't send traffic, but I was just curious as to what it was.

We see these addresses at a few locations and I think it maybe has to do with building management (heating, water, ventilation or electricity), but as long as I don't get any complaints from employees about things not working, my assumption is that it is not supposed to be on the network.

Guess I'll have to wait it out, but seeing as they have been blocked for multiple months I don't think I will ever learn what they are..
 

Enter the entire MAC address (Including all leading 00's) and it will give you the vendor. Given the fragment here there is no way to identify the vendor. However, adding a leading "00:" one gets Lexmark as the assignee.
 

It is possible it is some sort of building system. But it's unlikely. Most of them use proprietary interfaces like BACnet.

https://en.m.wikipedia.org/wiki/BACnet

If they are a building mission critical system like fire control and suppression, or pump head pressure sensors then they will likely exist on their own isolated subnet. Contractors should be shot and hung otherwise.

Fing will use the MAC address to discover the OEM based on the table above. It also runs a series of link layer and TCP web services on said target to determine its purpose and type. It's pretty good at what it does. It discovered my robot vacuum is an Espressif ESP32 and I used that information to reverse hack the device and examine its data traffic over my network using a reverse compiler. And best of all the price is free.

If it's a wireless device you can use free wifi analyzing tools to determine your distance to said device if it supports wifi direct. If you have a high end wireless AP or router you can determine distance to the client also.

Some devices like Amazon Alexa or smart watches will auto share connection credentials without asking. Also if you have an employee break room they will plug devices in automatically (ie: game consoles.)

I agree with your approach though. Trust nothing till you know what it is.
 

borris618

Thanks so much for the replies.
All the devices are on ethernet.
I have been using https://macvendors.com/ for a while now and love it, but it does not always find the vendor.

On the 60 locations I looked at there are 54 devices that start with 20:00:FF:11
I guess on the last 130 there will be some too.
I simply can't believe that they are not the same kind of device.

I think I will try enabling one of them on our test vlan and monitor the traffic in the FW.

Ohh, and regarding building mission critical systems on existing installations I couldn't agree more, however you won't believe how many times contractors do that even if specified otherwise in the contract.
I've seen fire alarms, ventilation systems and other stuff just being plugged in to the normal network because it's cheaper and faster.
And then I get the blame for 'breaking' stuff after doing upgrades to the network and end up having to contact like a million people to try and find out how their system is stitched together...

Anyways...
Gonna keep you updated on my findings.
 
After some more digging it appears that that particular vendor may be paying the higher annual registration fee to keep their name off the public lists. Got any generic Chinese stuff on your network?

https://standards.ieee.org/products-services/regauth/oui/index.html

Highly suspicious. If they were secret MACs, they could just randomize them to avoid detection.

Starting with Android v9 (P) they now by default connect to the network with a randomized MAC to prevent tracking. They memorize the MAC for the network in question. Ironic that this is coming from Alphabet/Google.
 
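An added example, not code from the thread or any of its posters: a small Python script that takes switch/ISE-style MAC log lines (the line format and all values are constructed for this example), decodes the two IEEE 802 flag bits in the first octet (multicast and locally administered, the bit that randomized client MACs such as Android's set), groups the MACs by OUI with the sites and ports they were seen on, and lists ports carrying more than one OUI, which is the "several MACs behind one printer port" situation described in this thread.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of the ISE / switch MAC logging the
# thread describes; field layout and values are made up for this example.
SAMPLE_LOG = """\
2023-03-01T08:00:01 site=branch-07 port=Gi1/0/12 mac=24:26:42:AB:CD:01 event=AUTHORIZED
2023-03-01T08:00:03 site=branch-07 port=Gi1/0/12 mac=20:00:FF:11:00:A1 event=DENIED
2023-03-01T08:00:04 site=branch-07 port=Gi1/0/12 mac=20:00:FF:11:00:A2 event=DENIED
2023-03-01T08:01:10 site=branch-12 port=Gi1/0/05 mac=20:00:ff:11:3c:77 event=DENIED
2023-03-01T08:02:00 site=branch-12 port=Gi1/0/08 mac=DA:A1:19:5E:22:01 event=AUTHORIZED
2023-03-01T08:02:30 site=branch-12 port=Gi1/0/09 mac=01:00:5E:00:00:FB event=SEEN
"""

LINE_RE = re.compile(r"site=(?P<site>\S+)\s+port=(?P<port>\S+)\s+"
                     r"mac=(?P<mac>[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})")

def classify_mac(mac):
    """Return the OUI plus the two IEEE 802 flag bits of the first octet."""
    octets = [int(x, 16) for x in mac.split(":")]
    return {
        "oui": ":".join(f"{o:02X}" for o in octets[:3]),
        # bit 0x01 set: group/multicast address rather than a single station
        "multicast": bool(octets[0] & 0x01),
        # bit 0x02 set: locally administered (not a vendor OUI; randomized client MACs set it)
        "locally_administered": bool(octets[0] & 0x02),
    }

def summarize(log_text):
    """Group observed MACs by OUI: distinct MACs, sites and ports they appeared on."""
    per_oui = defaultdict(lambda: {"macs": set(), "sites": set(), "ports": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # line carries no MAC
        info = classify_mac(m["mac"])
        entry = per_oui[info["oui"]]
        entry["macs"].add(m["mac"].upper())
        entry["sites"].add(m["site"])
        entry["ports"].add(f"{m['site']}/{m['port']}")
        entry["locally_administered"] = info["locally_administered"]
    return dict(per_oui)

def shared_ports(summary):
    """Ports where more than one OUI was seen: one switch port, several senders."""
    ouis_by_port = defaultdict(set)
    for oui, entry in summary.items():
        for port in entry["ports"]:
            ouis_by_port[port].add(oui)
    return {p: sorted(o) for p, o in ouis_by_port.items() if len(o) > 1}
```

For 20:00:FF the first octet is 0x20, so neither flag bit is set: these are universally administered unicast addresses, not randomized ones, which is why a vendor lookup is the right question to ask about them.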

borris618

Ok, this is very strange...

On one of the affected ports I have a Sharp printer with a MAC of 24:26:42:XX:XX:XX which can be seen from the switch.
In addition to this I have (depending on location) between 3 - 20 MACs starting with 20:00:ff:11:XX:XX.
The printers work flawlessly and have the same configuration as the others but are of different models.

Could it be some kind of MAC randomization from the printer? Don't know why it would though.

I think I'll try to contact Sharp and ask if it's something they are aware of.
 
If you physically disconnect the printer (at the printer) do those phantom MAC's go away as well? And, have you (or an assistant) visually traced and verified that there is only the one device attached to that specific port? It's not unknown to have a user, in need of an extra port, connect some random router/switch to a wall port rather than go through proper channels.

Another thought, do any of those printers have any integrated network functions (other than printing) that may not be disabled (such as wireless printing)?
 
Solution

borris618

The way I see the MACs is through Cisco ISE logs.
I had a colleague confirm that there is nothing but the printers on said port. But even so, what is the chance that all the other devices have the same MAC?

On the printer all other network interfaces (wifi) and protocols (NetWare, EtherTalk, NetBIOS etc.) are disabled.

I think I'll try to remove all the MACs from ISE and over a week or so see if they come back or not.
 

borris618

It seems like when I delete the MACs they appear again after a few minutes.
Think I'll just ignore them as they don't do any harm.
The printers are on the way out in a year or so anyways, so it's not really worth doing captures and stuff.
 

Ralston18

Curious:

Do you see the MACs via "arp -a" alongside any corresponding IP addresses?

On a wireless device "netsh wlan show all" - anything there?

Or, using PowerShell:

Get-WmiObject win32_networkadapterconfiguration | select description, macaddress
 