Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

RE: WiFi question
From: "Todd Towles" <toddtowles () brookshires com>
Date: Wed, 17 Nov 2004 15:15:37 -0600

I would have to agree with GuidoZ. The changing MAC would point to
something being up. AP using different channels is pretty common in some
models but the MAC changing and being different vendors points to fake
AP.

I bet you 10 bucks the WEP key changes on all but one of them each time
too..lol  

-----Original Message-----
From: full-disclosure-admin () lists netsys com 
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of GuidoZ
Sent: Wednesday, November 17, 2004 12:42 PM
To: colin.scott () csplc com
Cc: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] WiFi question

I'm not 100% on this, as it could be something I've never 
heard of (of course). However, it sounds a lot like someone 
is playing with
"FakeAP":
 - http://www.blackalchemy.to/project/fakeap/

It's not real difficult to setup and only requires a Prisim 
chipset card (one or more) and a compatible Linux distro. 
It's been around for over 2 years, but hasn't been touched 
for about the same amount of time. See the site for more.

--
Peace. ~G


On Wed, 17 Nov 2004 13:53:07 +0000, colin.scott () csplc com 
<colin.scott () csplc com> wrote:
List,

I'm an expert in nothing so when I saw this I had to ask, 
as Im sure 
theres someone out there that is a WiFi expert.

Google has found no answer so here goes.

Last night we saw a new access point appear. No problems 
its an ad-hoc 
network so its someone's machine with XP on configured for 
their home 
W-LAN probably.  Running Netstumbler shows more on it though.

You get 2 Access Points showing this ESSID for a few 
seconds. Then you 
get a 3rd, then a 4rth. Then the first two drop off, this 
repeats forever.
Always using a different MAC address when a new AP appears. The APs 
are all WEP enabled (which I cant crack cos I dont have the 
savvy or 
the tools :) ) and this goes on forever.

The MACs are all from different pools (i.e. assigned to different
manufacturers) so the only conclusion is that they are all 
spoofed MACs.

I have walked around the office and as far as I can tell its coming 
from this office (the IT dept), basing that assumption on 
signal strength.

Anyone seen any tools that do this?   I would love a little 
hand-held
gadget that would help me find it (like the scanner in Alien!)

Answers on a post card :)

Colin.


**********************************************************************
****************

This e-mail is confidential and may contain privileged 
information.  
If you are not the addressee or if you have received the e-mail in 
error, it may be unlawful for you to read, copy, 
distribute, disclose 
or otherwise use the information which it contains.  Under these 
circumstances, please notify us immediately by returning 
this mail to 
'mailerror () csplc com' and deleting this e-mail from your system.

Any views expressed by an individual within this e-mail do not 
necessarily reflect the views of Cadbury Schweppes Plc or its 
subsidiaries.  Cadbury Schweppes Plc will not be bound by any 
agreement entered into as a result of this email, unless 
its intention is clearly evidenced in the body of the email.
Whilst we have taken reasonable steps to ensure that this 
e-mail and 
attachments are free from viruses, recipients are advised 
to subject 
this mail to their own virus checking, in keeping with good 
computing 
practice. Please note that email received by Cadbury 
Schweppes Plc or 
its subsidiaries may be monitored in accordance with the 
prevailing law in the United Kingdom.


**********************************************************************
****************

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]