By Fred Theilig – @fmtheilig
I took a look at my UniFi wifi and discovered the following:
Ah! A rogue device! Did a son bring a new device into the house? Did my neighbors break into my wifi? Is it the Russians? I name every known device, so seeing a MAC address really stands out. The majority of online sources identify the MAC as being from a company called Liteon Technology Corporation out of Taiwan. Great. Feels very IoT. For reasons I cannot explain, I went straight to looking at the traffic from my Security Onion server:
[fmt@fmt-seconion ~]$ sudo tcpdump -i eth1 | grep 192.168.1.242
[sudo] password for fmt:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
01:42:43.244156 IP 192.168.1.242.62701 > ec2-35-164-190-212.us-west-2.compute.amazonaws.com.https: Flags [P.], seq 3617655639:3617655675, ack 4225150690, win 1040, options [nop,nop,TS val 7885576 ecr 726844830], length 36
01:42:43.346091 IP ec2-35-164-190-212.us-west-2.compute.amazonaws.com.https > 192.168.1.242.62701: Flags [P.], seq 1:33, ack 36, win 277, options [nop,nop,TS val 726869835 ecr 7885576], length 32
I let it run for a bit and there wasn’t a huge amount of traffic or data. But what is this compute.amazonaws.com? Did someone bring an Alexa into the house? No, that’s an Amazon S3 bucket. Could be anybody. There must be a way to gather bucket details, but I couldn’t find anything.
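Rather than eyeballing tcpdump lines, a quick tally of who the unknown device talks to, and how much, makes the "not a huge amount of traffic" judgement concrete. The following Python is an added example, not code from the post: it parses tcpdump's default one-line output for a single device IP and aggregates payload bytes and ports per remote host. The sample reuses the two lines captured above plus one constructed UDP line to an assumed local resolver at 192.168.1.1; the function names are my own.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
# tcpdump's default one-line format for TCP/UDP, as seen in the capture above:
#   "<hh:mm:ss.usec> IP <src-host>.<port> > <dst-host>.<port>: ... length <payload>"
LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d+) IP6? (\S+) > (\S+): (.*)$")
LEN_RE = re.compile(r"length (\d+)")

@dataclass
class PeerStats:
    packets: int = 0
    bytes_to_peer: int = 0    # payload the device sent to this peer
    bytes_from_peer: int = 0  # payload the device received from it
    ports: set = field(default_factory=set)  # remote ports/services seen

def summarize(lines, device):
    """Tally payload bytes exchanged between one device IP and each remote host."""
    peers = defaultdict(PeerStats)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tcpdump banner, sudo prompt, or a line in a format we do not parse
        src_host, _, src_port = m.group(2).rpartition(".")  # hostnames contain dots, so
        dst_host, _, dst_port = m.group(3).rpartition(".")  # the port follows the LAST dot
        length = LEN_RE.search(m.group(4))
        payload = int(length.group(1)) if length else 0
        if src_host == device:
            stats = peers[dst_host]
            stats.bytes_to_peer += payload
            stats.ports.add(dst_port)
        elif dst_host == device:
            stats = peers[src_host]
            stats.bytes_from_peer += payload
            stats.ports.add(src_port)
        else:
            continue  # conversation does not involve the device
        stats.packets += 1
    return dict(peers)

def top_peers(stats):
    """Peers ordered by total payload, most talkative first."""
    return sorted(stats.items(), key=lambda kv: kv[1].bytes_to_peer + kv[1].bytes_from_peer, reverse=True)

# Sample input: two TCP lines from the post's capture plus one CONSTRUCTED UDP line to an assumed resolver.
SAMPLE = [
    "01:42:43.244156 IP 192.168.1.242.62701 > ec2-35-164-190-212.us-west-2.compute.amazonaws.com.https: Flags [P.], seq 3617655639:3617655675, ack 4225150690, win 1040, options [nop,nop,TS val 7885576 ecr 726844830], length 36",
    "01:42:43.346091 IP ec2-35-164-190-212.us-west-2.compute.amazonaws.com.https > 192.168.1.242.62701: Flags [P.], seq 1:33, ack 36, win 277, options [nop,nop,TS val 726869835 ecr 7885576], length 32",
    "01:42:44.001000 IP 192.168.1.242.50000 > 192.168.1.1.domain: UDP, length 46",
]
```

Feed it the saved output of a longer capture (`tcpdump -n` off, so reverse DNS names like the ec2 host are kept) with `top_peers(summarize(open("capture.txt"), "192.168.1.242"))`, and the destinations that matter rise to the top.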
Finally I did what I should have done first, which was to have nmap fingerprint it (sudo nmap -O 192.168.1.242):
Starting Nmap 7.80 ( https://nmap.org ) at 2023-07-27 21:38 EDT
Nmap scan report for 192.168.1.242
Host is up (0.0022s latency).
All 1000 scanned ports on 192.168.1.242 are closed
MAC Address: B0:05:94:8A:94:03 (Liteon Technology)
Device type: firewall|general purpose|game console
Running: Cisco AsyncOS 7.X, FreeBSD 10.X|6.X|7.X|8.X|9.X, Sony embedded
OS CPE: cpe:/h:cisco:ironport_c650 cpe:/o:cisco:asyncos:7.0.1 cpe:/o:freebsd:freebsd:10.2 cpe:/h:sony:playstation_4 cpe:/o:freebsd:freebsd:6.2 cpe:/o:freebsd:freebsd:7.0:beta2 cpe:/o:freebsd:freebsd:8.2 cpe:/o:freebsd:freebsd:9.1
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.06 seconds
So, it was our PlayStation 4 all along. I have two Ethernet ports behind the television and it was using one of them. The PS4 doesn’t get used quite as much anymore, and apparently my son moved it to wifi. I confirmed the IP address on the unit and updated my UniFi configuration.
Most threat hunting ends like this and I definitely need more practice. It didn’t turn out to be Russians or mischievous neighbors, but I learned something.