Security Basics mailing list archives
Re: Fake AP in the Vendor field of Netstumbler
From: "Michael Puchol" <mpuchol () sonar-security com>
Date: Wed, 1 Dec 2004 00:08:24 +0100
Hi,

A few months ago, someone wrote a tool to 'confuse' Netstumbler by replying to its probe requests with hundreds of 'fake' frames, containing MAC addresses and SSIDs that could be random or picked from a list. The result was the Netstumbler log file filling up with thousands of fake entries in a very short time. The reasoning behind this was that you could 'hide' a real AP behind this barrage of fake APs - it wouldn't take long to find the real AP to a trained eye, besides, you would be flooding the channel with so much bogus data that the medium would run out of space for legit data coming/going from/to legit clients.

So, in recent versions of Netstumbler, a mechanism for trying to detect these fake APs was implemented, and it can sometimes trigger, giving the 'Fake' indication. If you don't see a lot of APs appearing, then maybe Netstumbler derives this 'fake' flag by some other means I am unaware of - I don't know the intricacies of Netstumbler, but you can contact Marius Milner, the author, at http://www.stumbler.net

Interference in the RF medium would cause corrupt frames, which would have a non-matching checksum and would thus be discarded. It's very unlikely a bad frame would pass a checksum, and even then you would see a good result on a successive frame.

Find FakeAP here: http://www.blackalchemy.to/project/fakeap/

Best regards,

Mike (Mother)

----- Original Message -----
From: "Steve Fletcher" <safletcher () insightbb com>
To: "'OTTO, DOUGLAS P.'" <douglas.otto () thermo com>; <shankarnarayan.d () netsol co in>; <security-basics () securityfocus com>
Sent: Tuesday, November 30, 2004 7:52 AM
Subject: RE: Fake AP in the Vendor field of Netstumbler

I have seen this myself. My guess is that they are using the MAC address of the AP to determine the manufacturer and anything that does not match with known manufacturers is listed as a fake AP. But, if anyone can provide a definite answer on this, that would be great.

Steve Fletcher
MCSE (NT4/Win2k), MCSE: Security (Win2k), HP Master ASE, CCNA, Security+, CCA
safletcher () insightbb com

-----Original Message-----
From: OTTO, DOUGLAS P. [mailto:douglas.otto () thermo com]
Sent: Monday, November 29, 2004 1:39 PM
To: shankarnarayan.d () netsol co in; security-basics () securityfocus com
Subject: RE: Fake AP in the Vendor field of Netstumbler

It could be a result of interference with another AP on the same frequency.

--
Douglas Otto - Sr Network Engineer
Thermo Electron Corp - Madison Site
5225 Verona Rd Bldg 4
Madison, Wisconsin 53711

-----Original Message-----
From: shankarnarayan.d () netsol co in [mailto:shankarnarayan.d () netsol co in]
Sent: Saturday, November 27, 2004 6:24 AM
To: security-basics () securityfocus com
Subject: Fake AP in the Vendor field of Netstumbler

Hi,

Was working on the Vulnerability Assessment of a client network with about 100 Access Points. Began with Netstumbler and it started showing me some APs as Fake in the Vendor field. I know that they are Cisco APs, but am not too sure why they are displayed as Fake APs.

I googled around a little but did not get any satisfactory answers - one on Netstumbler.org said it was a quirk in the version 0.4.0. Others suggested that I delete the Fake entry and retry - this also did not lead me anywhere.

Anyone 'stumbled' on some other explanations?

Rgds,
Shankar
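
The two behaviours described in the reply at the top of this thread, as an added example that is not part of the original messages and not Netstumbler's code: frames whose 802.11 FCS (CRC-32) does not match are dropped, and a burst of never-before-seen BSSIDs inside a short window is flagged as a likely FakeAP-style flood. The frames, MAC addresses, window and threshold are constructed assumptions; how Netstumbler itself assigns the 'Fake' label is not stated in the thread.

```python
import struct
import zlib
from collections import deque

STATION = b"\x02\x00\x00\x00\x00\xaa"  # constructed scanner MAC (locally administered)

def make_frame(bssid: bytes, corrupt: bool = False) -> bytes:
    """Constructed 24-byte management header (probe response) followed by its FCS."""
    hdr = b"\x50\x00" + b"\x00\x00" + STATION + bssid + bssid + b"\x00\x00"
    frame = hdr + struct.pack("<I", zlib.crc32(hdr))
    if corrupt:  # flip one bit, as RF interference might
        frame = bytes([frame[0] ^ 0x01]) + frame[1:]
    return frame

def fcs_ok(frame: bytes) -> bool:
    """True when the trailing 4 bytes equal the CRC-32 of the rest of the frame."""
    return len(frame) >= 28 and struct.pack("<I", zlib.crc32(frame[:-4])) == frame[-4:]

def triage(observations, window=1.0, threshold=20):
    """observations: time-sorted (timestamp_s, frame_with_fcs) pairs.
    Returns (frames dropped for bad FCS, distinct BSSIDs, timestamps at which
    `threshold` or more first-seen BSSIDs fell within the last `window` seconds)."""
    dropped, seen, recent, floods = 0, set(), deque(), []
    for ts, frame in observations:
        if not fcs_ok(frame):
            dropped += 1          # corrupt frame: discarded, never becomes a log entry
            continue
        bssid = frame[16:22]      # address 3 of a management frame
        if bssid in seen:
            continue
        seen.add(bssid)
        recent.append(ts)
        while recent and ts - recent[0] > window:
            recent.popleft()
        if len(recent) >= threshold:
            floods.append(ts)
    return dropped, len(seen), floods

def sample():
    """Constructed data: a quiet site with 3 APs and one corrupt frame, then a flood."""
    quiet = [(float(i), make_frame(bytes([2, 0, 0, 0, 0, i % 3]))) for i in range(10)]
    quiet.append((10.0, make_frame(bytes([2, 0, 0, 0, 0, 9]), corrupt=True)))
    flood = [(20.0 + i * 0.002, make_frame(b"\x02\xfa" + struct.pack(">I", i)))
             for i in range(200)]
    return quiet, flood

if __name__ == "__main__":
    quiet, flood = sample()
    print("quiet site:", triage(quiet))
    dropped, aps, floods = triage(quiet + flood)
    print("with flood:", dropped, aps, "first alert at", floods[0])
```
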