Security Basics mailing list archives

Re: Fake AP in the Vendor field of Netstumbler


From: "Michael Puchol" <mpuchol () sonar-security com>
Date: Wed, 1 Dec 2004 00:08:24 +0100

Hi,

A few months ago, someone wrote a tool to 'confuse' Netstumbler by replying
to its probe requests with hundreds of 'fake' frames, containing MAC addresses
and SSIDs that could be random or picked from a list. The result was the
Netstumbler log file filling up with thousands of fake entries in a very
short time.

The reasoning behind this was that you could 'hide' a real AP behind this
barrage of fake APs - it wouldn't take long to find the real AP to a trained
eye, besides, you would be flooding the channel with so much bogus data that
the medium would run out of space for legit data coming/going from/to legit
clients.

So, in recent versions of Netstumbler, a mechanism for trying to detect
these fake APs was implemented, and it can sometimes trigger, giving the
'Fake' indication. If you don't see a lot of APs appearing, then maybe
Netstumbler derives this 'fake' flag by some other means I am unaware of - I
don't know the intricacies of Netstumbler, but you can contact Marius
Milner, the author, at http://www.stumbler.net

Interference in the RF medium would cause corrupt frames, which would have a
non-matching checksum and would thus be discarded. It's very unlikely a bad
frame would pass a checksum, and even then you would see a good result on a
successive frame.

Find FakeAP here:

http://www.blackalchemy.to/project/fakeap/

Best regards,

Mike
(Mother)
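
As an added illustration (not code from this thread, from Netstumbler or from FakeAP): a small Python heuristic that classifies a constructed scan log the way a defender might spot the flood Mike describes and the vendor-OUI check Steve guesses at in his reply below. The OUI table and the scan records are constructed placeholders; the third "real" AP shows how a bare OUI check mislabels a legitimate AP whose prefix is missing from the table, which is the symptom Shankar reports.

```python
from collections import deque

# Constructed vendor table (placeholder OUIs, not the IEEE registry).
KNOWN_OUIS = {"02:11:22": "ExampleVendor-A", "02:33:44": "ExampleVendor-B"}

def oui(bssid):
    """First three octets of a MAC, upper-cased for table lookup."""
    return bssid.upper()[:8]

def parse_scan_line(line):
    """'<seconds> <BSSID> <SSID>' -> (float, str, str); SSID may contain spaces."""
    ts, bssid, ssid = line.split(" ", 2)
    return float(ts), bssid, ssid

def classify(lines, window_s=5.0, max_new=10, known_ouis=KNOWN_OUIS):
    """Return {bssid: verdict} for every BSSID on its first sighting.

    'burst'        more than max_new never-seen BSSIDs inside window_s seconds
                   (the FakeAP signature: hundreds of forged replies at once)
    'unknown-oui'  OUI absent from the vendor table (the guess in the thread;
                   it also fires on a real AP whose OUI is simply not listed)
    'ok'           otherwise
    """
    verdicts, first_seen = {}, deque()          # first_seen: (ts, bssid) in window
    for ts, bssid, ssid in sorted(map(parse_scan_line, lines)):
        if bssid in verdicts:
            continue                             # only first sightings count
        first_seen.append((ts, bssid))
        while ts - first_seen[0][0] > window_s:
            first_seen.popleft()                 # slide the time window
        if len(first_seen) > max_new:
            # Relabel everything in the window: the first forged replies looked
            # like ordinary new APs until the burst grew past the threshold.
            for _, b in first_seen:
                verdicts[b] = "burst"
        elif oui(bssid) not in known_ouis:
            verdicts[bssid] = "unknown-oui"
        else:
            verdicts[bssid] = "ok"
    return verdicts

# Constructed scan log: two real APs, one real AP whose OUI is missing from
# the table, then 30 forged BSSIDs arriving within a third of a second.
SAMPLE = [
    "0.0 02:11:22:00:00:01 corp-wifi",
    "1.0 02:33:44:00:00:02 corp-wifi",
    "2.0 02:55:66:00:00:03 corp-wifi",
] + ["20.%02d 02:de:ad:%02x:%02x:%02x bogus-%d" % (i, i, i, i, i) for i in range(30)]

if __name__ == "__main__":
    for bssid, verdict in classify(SAMPLE).items():
        print(bssid, verdict)
```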


----- Original Message ----- 
From: "Steve Fletcher" <safletcher () insightbb com>
To: "'OTTO, DOUGLAS P.'" <douglas.otto () thermo com>;
<shankarnarayan.d () netsol co in>; <security-basics () securityfocus com>
Sent: Tuesday, November 30, 2004 7:52 AM
Subject: RE: Fake AP in the Vendor field of Netstumbler


I have seen this myself.  My guess is that they are using the MAC address of
the AP to determine the manufacturer and anything that does not match with
known manufacturers is listed as a fake AP.  But, if anyone can provide a
definite answer on this, that would be great.

Steve Fletcher
MCSE (NT4/Win2k), MCSE: Security (Win2k), HP Master ASE, CCNA, Security+,
CCA
safletcher () insightbb com

-----Original Message-----
From: OTTO, DOUGLAS P. [mailto:douglas.otto () thermo com]
Sent: Monday, November 29, 2004 1:39 PM
To: shankarnarayan.d () netsol co in; security-basics () securityfocus com
Subject: RE: Fake AP in the Vendor field of Netstumbler

It could be a result of interference with another AP on the same
frequency.

--
Douglas Otto - Sr Network Engineer
Thermo Electron Corp - Madison Site
5225 Verona Rd Bldg 4
Madison, Wisconsin 53711


-----Original Message-----
From: shankarnarayan.d () netsol co in
[mailto:shankarnarayan.d () netsol co in]
Sent: Saturday, November 27, 2004 6:24 AM
To: security-basics () securityfocus com
Subject: Fake AP in the Vendor field of Netstumbler


Hi,

  Was working on the Vulnerability Assessment of a client
network with about 100 Access Points. Began with Netstumbler
and it started showing me some APs as Fake in the Vendor
field. I know that they are Cisco APs, but am not too sure
why they are displayed as Fake APs.

I googled around a little but did not get any satisfactory
answers - one on Netstumbler.org said it was a quirk in the
version 0.4.0. Others suggested that I delete the Fake entry
and retry - this also did not lead me anywhere.

Anyone 'stumbled' on some other explanations?

Rgds,

Shankar