strange authentication attempt logged after key handshake

markLopez9
DD-WRT Novice


Joined: 30 Apr 2020
Posts: 15

PostPosted: Thu Feb 10, 2022 22:25    Post subject: strange authentication attempt logged after key handshake
Hi,

I just granted access to a new smartphone on my guest network when I noticed these strange logs.

On the screenshot I attached (the red boxes), within 3 seconds after finishing a key handshake, an attempt to authenticate with my router was logged. That got me suspicious because no other device was connected to my router except that new smartphone. When I tried my other devices (green boxes), they don't generate such an attempt to authenticate.

You will notice that this only happens with the device with MAC address ending in A3. No authentication attempts follow the key handshakes of my other devices.

I have a security app installed and configured on that new smartphone and it says it's clean. But these strange logs make me think otherwise; either the security app is not picking up a threat hidden in the phone, or the smartphone's OS has something in it.

Has anyone encountered something like this before? Please advise. Thanks in advance.



Attachment: weird.png (903.89 KB) - screenshot of logs taken from papertrail for complete pre-reboot logs

blkt
DD-WRT Guru


Joined: 20 Jan 2019
Posts: 5660

PostPosted: Thu Feb 10, 2022 23:10    Post subject:
If you have a browser open to the dd-wrt web interface, this A3 client device is just you spooking yourself out.
markLopez9
DD-WRT Novice


Joined: 30 Apr 2020
Posts: 15

PostPosted: Sat Feb 12, 2022 10:23    Post subject:
blkt wrote:
If you have a browser open to the dd-wrt web interface, this A3 client device is just you spooking yourself out.


I just saw your reply. I'm familiar with the logs about errors due to inactivity when I leave the web interface open. No, I don't have a browser open to the web interface during those instances.

That A3 client is the only one connected: all other devices are either turned off or disconnected. And I wasn't even trying to access the web interface using the A3 client (I even disabled the Wireless GUI access under Wireless > Basic Settings > VAP > Advanced Settings), which is why it bothers me.

Any other ideas on what it could be?
markLopez9
DD-WRT Novice


Joined: 30 Apr 2020
Posts: 15

PostPosted: Sat Feb 12, 2022 10:52    Post subject:
blkt wrote:
If you have a browser open to the dd-wrt web interface, this A3 client device is just you spooking yourself out.


Here's a fresh set of logs to look at:
Code:
Feb 12 11:10:55 mr3220-dd user.info : sfe : shortcut forwarding engine successfully stopped
Feb 12 11:10:55 mr3220-dd user.info : sfe : shortcut forwarding engine successfully started
Feb 12 11:36:31 mr3220-dd daemon.info hostapd: wlan0.1: STA <a3 client> MLME: auth request, signal -71 (Accepted)
Feb 12 11:36:31 mr3220-dd daemon.info hostapd: wlan0.1: STA <a3 client> IEEE 802.11: authenticated
Feb 12 11:36:31 mr3220-dd daemon.info hostapd: wlan0.1: STA <a3 client> MLME: assoc request, signal -72 (Accepted)
Feb 12 11:36:31 mr3220-dd daemon.info hostapd: wlan0.1: STA <a3 client> IEEE 802.11: associated (aid 1)
Feb 12 11:36:31 mr3220-dd daemon.info hostapd: wlan0.1: STA <a3 client> RADIUS: starting accounting session ***
[color=red]Feb 12 11:36:31 mr3220-dd daemon.info hostapd: wlan0.1: STA <a3 client> WPA: pairwise key handshake completed (RSN)
Feb 12 11:36:33 mr3220-dd daemon.info httpd1587: httpd : Authentication fail
Feb 12 11:36:34 mr3220-dd daemon.err httpd1587: httpd : Request Error Code 401: Authorization required. Wrong username and/or password!
Feb 12 11:43:20 mr3220-dd daemon.info hostapd: wlan0.1: STA <a3 client> WPA: group key handshake completed (RSN)
Feb 12 11:43:22 mr3220-dd daemon.info httpd1587: httpd : Authentication fail
Feb 12 11:43:22 mr3220-dd daemon.err httpd1587: httpd : Request Error Code 401: Authorization required. Wrong username and/or password![/color]
Feb 12 12:10:56 mr3220-dd daemon.debug ntpclient8865: Connecting to 2.pool.ntp.org 23.131.160.7 ...
Feb 12 12:10:56 mr3220-dd daemon.info ntpclient8865: Time set from 2.pool.ntp.org 23.131.160.7.
Feb 12 12:10:56 mr3220-dd daemon.info process_monitor3682: cyclic NTP Update success (servers 2.pool.ntp.org 212.18.3.19 88.99.174.22)
...
Feb 12 13:10:57 mr3220-dd user.info : sfe : shortcut forwarding engine successfully stopped
Feb 12 13:10:58 mr3220-dd user.info : sfe : shortcut forwarding engine successfully started
Feb 12 13:33:33 mr3220-dd daemon.info hostapd: wlan0.1: STA <a3 client> MLME: auth request, signal -66 (Accepted)
Feb 12 13:33:33 mr3220-dd daemon.info hostapd: wlan0.1: STA <a3 client> IEEE 802.11: authenticated
Feb 12 13:33:33 mr3220-dd daemon.info hostapd: wlan0.1: STA <a3 client> MLME: assoc request, signal -66 (Accepted)
Feb 12 13:33:33 mr3220-dd daemon.info hostapd: wlan0.1: STA <a3 client> IEEE 802.11: associated (aid 1)
Feb 12 13:33:33 mr3220-dd daemon.info hostapd: wlan0.1: STA <a3 client> RADIUS: starting accounting session ***
[color=red]Feb 12 13:33:33 mr3220-dd daemon.info hostapd: wlan0.1: STA <a3 client> WPA: pairwise key handshake completed (RSN)
Feb 12 13:33:35 mr3220-dd daemon.info httpd1587: httpd : Authentication fail
Feb 12 13:33:35 mr3220-dd daemon.err httpd1587: httpd : Request Error Code 401: Authorization required. Wrong username and/or password![/color]
Feb 12 13:48:15 mr3220-dd daemon.info hostapd: wlan0.1: STA <a3 client> MLME: auth request, signal -60 (Accepted)
Feb 12 13:48:15 mr3220-dd daemon.info hostapd: wlan0.1: STA <a3 client> IEEE 802.11: authenticated
Feb 12 13:48:15 mr3220-dd daemon.info hostapd: wlan0.1: STA <a3 client> MLME: assoc request, signal -62 (Accepted)
Feb 12 13:48:15 mr3220-dd daemon.info hostapd: wlan0.1: STA <a3 client> IEEE 802.11: associated (aid 1)
Feb 12 13:48:15 mr3220-dd daemon.info hostapd: wlan0.1: STA <a3 client> RADIUS: starting accounting session ***
[color=red]Feb 12 13:48:15 mr3220-dd daemon.info hostapd: wlan0.1: STA <a3 client> WPA: pairwise key handshake completed (RSN)
Feb 12 13:48:17 mr3220-dd daemon.info httpd1587: httpd : Authentication fail
Feb 12 13:48:17 mr3220-dd daemon.err httpd1587: httpd : Request Error Code 401: Authorization required. Wrong username and/or password![/color]
Feb 12 14:10:58 mr3220-dd daemon.debug ntpclient9161: Connecting to 2.pool.ntp.org 50.205.244.39 ...
Feb 12 14:10:58 mr3220-dd daemon.info ntpclient9161: Time set from 2.pool.ntp.org 50.205.244.39.
Feb 12 14:10:58 mr3220-dd daemon.info process_monitor3682: cyclic NTP Update success (servers 2.pool.ntp.org 212.18.3.19 88.99.174.22)
...
Feb 12 17:11:06 mr3220-dd user.info : sfe : shortcut forwarding engine successfully stopped
Feb 12 17:11:07 mr3220-dd user.info : sfe : shortcut forwarding engine successfully started
[color=green]Feb 12 17:32:21 mr3220-dd daemon.info hostapd: wlan0: STA <e8 client> MLME: auth request, signal -35 (Accepted)
Feb 12 17:32:21 mr3220-dd daemon.info hostapd: wlan0: STA <e8 client> IEEE 802.11: authenticated
Feb 12 17:32:21 mr3220-dd daemon.info hostapd: wlan0: STA <e8 client> MLME: assoc request, signal -34 (Accepted)
Feb 12 17:32:21 mr3220-dd daemon.info hostapd: wlan0: STA <e8 client> IEEE 802.11: associated (aid 1)
Feb 12 17:32:21 mr3220-dd daemon.info hostapd: wlan0: STA <e8 client> RADIUS: starting accounting session ***
Feb 12 17:32:21 mr3220-dd daemon.info hostapd: wlan0: STA <e8 client> WPA: pairwise key handshake completed (RSN)[/color]
Feb 12 17:49:18 mr3220-dd daemon.info hostapd: wlan0.1: STA <a3 client> MLME: auth request, signal -65 (Accepted)
Feb 12 17:49:18 mr3220-dd daemon.info hostapd: wlan0.1: STA <a3 client> IEEE 802.11: authenticated
Feb 12 17:49:18 mr3220-dd daemon.info hostapd: wlan0.1: STA <a3 client> MLME: assoc request, signal -64 (Accepted)
Feb 12 17:49:18 mr3220-dd daemon.info hostapd: wlan0.1: STA <a3 client> IEEE 802.11: associated (aid 1)
Feb 12 17:49:18 mr3220-dd daemon.info hostapd: wlan0.1: STA <a3 client> RADIUS: starting accounting session ***
[color=red]Feb 12 17:49:18 mr3220-dd daemon.info hostapd: wlan0.1: STA <a3 client> WPA: pairwise key handshake completed (RSN)
Feb 12 17:49:20 mr3220-dd daemon.info httpd1587: httpd : Authentication fail
Feb 12 17:49:20 mr3220-dd daemon.err httpd1587: httpd : Request Error Code 401: Authorization required. Wrong username and/or password![/color]


For the logs stamped prior to 17:00, I was asleep and no one else was connected to this DD-WRT which I use for work and guest access (other household devices managed by me are on a separate router). The logs in red are the same strange behavior from the A3 client. I highlighted the E8 client in blue because that's me connecting to the work wireless, and there isn't any strange failed authentication attempt after the key handshake. On the other hand, the A3 client connected minutes after me and it did it again.

I have telnet and SSH disabled both for local and remote management, which gives me some level of comfort. The wireless GUI access from the guest VAP side is also disabled, so that's an additional layer of protection. I also have AP isolation enabled to prevent it from talking to other devices on the network.

But it still disturbs me that the A3 client does that when it shouldn't. I hope I'm making sense with my concern. Please help.


Last edited by markLopez9 on Sat Feb 12, 2022 10:59; edited 1 time in total
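A defender-side way to check the pattern described in this post, added here as an example and not taken from the thread or from DD-WRT: correlate each hostapd "key handshake completed" line with any httpd "Authentication fail" logged within a few seconds after it, per client MAC and interface. The MAC addresses in the sample are constructed (the posted logs redact them) and the year is assumed to be 2022, since syslog timestamps omit it.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the hostapd/httpd lines posted above; the MAC
# addresses are made up (the post redacts them) and the year is assumed to be 2022.
SAMPLE_LOG = """\
Feb 12 11:36:31 mr3220-dd daemon.info hostapd: wlan0.1: STA aa:bb:cc:dd:ee:a3 WPA: pairwise key handshake completed (RSN)
Feb 12 11:36:33 mr3220-dd daemon.info httpd1587: httpd : Authentication fail
Feb 12 11:36:34 mr3220-dd daemon.err httpd1587: httpd : Request Error Code 401: Authorization required. Wrong username and/or password!
Feb 12 11:43:20 mr3220-dd daemon.info hostapd: wlan0.1: STA aa:bb:cc:dd:ee:a3 WPA: group key handshake completed (RSN)
Feb 12 11:43:22 mr3220-dd daemon.info httpd1587: httpd : Authentication fail
Feb 12 17:32:21 mr3220-dd daemon.info hostapd: wlan0: STA 11:22:33:44:55:e8 WPA: pairwise key handshake completed (RSN)
Feb 12 17:49:18 mr3220-dd daemon.info hostapd: wlan0.1: STA aa:bb:cc:dd:ee:a3 WPA: pairwise key handshake completed (RSN)
Feb 12 17:49:20 mr3220-dd daemon.info httpd1587: httpd : Authentication fail
"""

# syslog prefix: "Mon DD HH:MM:SS host facility.level rest-of-message"
LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ \S+ (?P<msg>.*)$")
HANDSHAKE_RE = re.compile(
    r"hostapd: (?P<iface>[\w.]+): STA (?P<mac>[0-9A-Fa-f:]{17}) "
    r"WPA: (?:pairwise|group) key handshake completed")
# Only the "Authentication fail" line is counted; the 401 line reports the same event.
AUTHFAIL_RE = re.compile(r"httpd\d*: httpd : Authentication fail")

def parse(log_text, year=2022):
    """Yield (datetime, message) for each line with a syslog prefix (syslog omits the year)."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["msg"]

def correlate(log_text, window_seconds=5):
    """Attribute each httpd login failure to the WPA handshakes completed within
    window_seconds before it. Returns (per-MAC stats, list of (mac, iface, delay_s))."""
    window = timedelta(seconds=window_seconds)
    recent, stats, hits = [], {}, []
    for ts, msg in parse(log_text):
        recent = [h for h in recent if ts - h[0] <= window]   # expire old handshakes
        hs = HANDSHAKE_RE.search(msg)
        if hs:
            entry = stats.setdefault(hs["mac"], {"iface": hs["iface"], "handshakes": 0,
                                                 "followed_by_httpd_fail": 0})
            entry["handshakes"] += 1
            recent.append((ts, hs["iface"], hs["mac"]))
        elif AUTHFAIL_RE.search(msg):
            for h_ts, iface, mac in recent:
                stats[mac]["followed_by_httpd_fail"] += 1
                hits.append((mac, iface, int((ts - h_ts).total_seconds())))
            recent = []   # a failure is attributed to a handshake burst only once
    return stats, hits
```

On the sample, every handshake of the A3 client on wlan0.1 is followed two seconds later by an httpd failure, while the E8 client on wlan0 never is; a ratio like 3/3 versus 0/1 is the signal worth following up with a packet capture on the guest VAP.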
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

PostPosted: Sat Feb 12, 2022 10:55    Post subject:
WPA3 enabled?
markLopez9
DD-WRT Novice


Joined: 30 Apr 2020
Posts: 15

PostPosted: Sat Feb 12, 2022 10:59    Post subject:
egc wrote:
WPA3 enabled?


No, just WPA2.
IONK
DD-WRT Guru


Joined: 19 Aug 2011
Posts: 951

PostPosted: Sun Mar 13, 2022 16:55    Post subject: Re: strange authentication attempt logged after key handshake
markLopez9 wrote:
Has anyone encountered something like this before? Please advise. Thanks in advance.
I can't say I have encountered this before, but here are my thoughts:
  • Is that new smartphone linked to any other smart devices?
    Some devices under the same account can share the WiFi network login info among themselves (Android/Chromebook). Maybe Apple devices?
  • How do you set up your guest network? Is it a normal WiFi AP, or is there a login page or a welcome page with a countdown? Some smart devices will try to auto-open the welcome page in the background.
  • Have you tried doing OUI lookup on that **:**:**:**:**:A3 device?
My housemate used to have a smart weighing scale, and it made me anxious for a while.

markLopez9
DD-WRT Novice


Joined: 30 Apr 2020
Posts: 15

PostPosted: Fri Aug 12, 2022 12:30    Post subject: Re: strange authentication attempt logged after key handshake
IONK wrote:
markLopez9 wrote:
Has anyone encountered something like this before? Please advise. Thanks in advance.
I can't say I have encountered this before, but here are my thoughts:
  • Is that new smartphone linked to any other smart devices?
    Some devices under the same account can share the WiFi network login info among themselves (Android/Chromebook). Maybe Apple devices?
  • How do you set up your guest network? Is it a normal WiFi AP, or is there a login page or a welcome page with a countdown? Some smart devices will try to auto-open the welcome page in the background.
  • Have you tried doing OUI lookup on that **:**:**:**:**:A3 device?
My housemate used to have a smart weighing scale, and it made me anxious for a while.


Hi there,

I haven't checked my post in a while, so I missed your response.
  • Is that new smartphone linked to any other smart devices? > No, it's not.
  • How do you set up your guest network? Is it a normal WiFi AP, or is there a login page or a welcome page with a countdown? > It's just a normal AP using a pre-shared key.
    Some smart devices will try to auto-open the welcome page in the background. > This might make sense, but I'm not sure how to determine this. Would you know how?
  • Have you tried doing OUI lookup on that **:**:**:**:**:A3 device? > I haven't tried this, and I'm not sure if I should use ouilookup.com or the lookup tool in wireshark.org. Can you share what that lookup can tell me?
IONK
DD-WRT Guru


Joined: 19 Aug 2011
Posts: 951

PostPosted: Fri Aug 12, 2022 13:06    Post subject: Re: strange authentication attempt logged after key handshake
markLopez9 wrote:
  • Have you tried doing OUI lookup on that **:**:**:**:**:A3 device?
> I haven't tried this, and I'm not sure if I should use ouilookup.com or the lookup tool in wireshark.org. Can you share what that lookup can tell me?
I have no good suggestion; I usually google for "oui lookup" and try a few (Wireshark is one of them). The reason is that some websites have an old database and can't look up new devices. Also, some devices use a random MAC, so there's a chance there's no result anywhere.

EDIT: after re-reading your problem, I realize that OUI lookup has no use here. Sorry for the wrong suggestion.



Last edited by IONK on Fri Aug 12, 2022 13:57; edited 4 times in total
dale_gribble39
DD-WRT Guru


Joined: 11 Jun 2022
Posts: 1899

PostPosted: Fri Aug 12, 2022 13:20    Post subject:
On current releases, you should be able to use the MAC filter on this wireless interface and keep only known devices whitelisted and block access to devices not in the whitelist.