RE: [Full-Disclosure] WiFi question

2004-11-23 Thread Colin . Scott
Well after running around for 2 days attempting to find the source of the
wireless points, it stopped.

We think that someone was running FakeAP, perhaps by accident (playing
around at home then forgetting to switch off), all the peer-to-peer Access
Points were of the same name and all the MACs were not corrupted. We
narrowed the signal down to a specific desk, but there were no devices in
the area (and no power leads going into drawers anywhere)... can only
assume it was a PDA or something.

One of life's mysteries.

Thanks for all the on- and off-line responses, very informative.

Colin.







   



***

This e-mail is confidential and may contain privileged information.  If you 
are not the addressee or if you have received the e-mail in error, it may
be unlawful for you to read, copy, distribute, disclose or otherwise use the 
information which it contains.  Under these circumstances, please notify us 
immediately by returning this mail to '[EMAIL PROTECTED]' and deleting this 
e-mail from your system.

Any views expressed by an individual within this e-mail do not necessarily 
reflect the views of Cadbury Schweppes Plc or its subsidiaries.  Cadbury 
Schweppes Plc will not be bound by any agreement entered into as a result of 
this email, unless its intention is clearly evidenced in the body of the email. 
 Whilst we have taken reasonable steps to ensure that this e-mail and 
attachments are free from viruses, recipients are advised to subject this mail 
to their own virus checking, in keeping with good computing practice. Please
note that email received by Cadbury Schweppes Plc or its subsidiaries may be 
monitored in accordance with the prevailing law in the United Kingdom.

***

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


RE: [Full-Disclosure] WiFi question

2004-11-22 Thread Paul Schmehl
--On Monday, November 22, 2004 02:26:35 AM +0100 Ake Nordin 
[EMAIL PROTECTED] wrote:
This (the preamble especially) is what _should_ eliminate
the motion sensors from the list. I'm out on this one (too
lazy to do the math), but is the 802.11b air interface that
resilient (does it really require that much redundancy)? It
should be, but that would also be some lost (usable)
bandwidth.
Agreed, and I'd like to see more discussion of that aspect from 
knowledgeable people.
Sorry.
1) The building will contain very much of that energy
(which never was very much on a metropolitan scale, FCC Part
15 and all that).
2) The noise characteristics as received by those services
would be intermittent, very bursty and come from many
different directions all over the city. No easy clues telling
what to complain about there.
3) I don't know about US emergency communication radios, but
typical European systems (before Terrestrial Trunked Radio)
are so bad anyway that this contributed noise hardly would
be noticed.
You may well be right, but keep in mind that the campus police would be 
operating *in and around* those buildings much of the time, so they might 
actually be affected by it, *if* that's possible.

I'm still not convinced that, more than a few feet from a device, the 
interference would even be detectable.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


RE: [Full-Disclosure] WiFi question

2004-11-22 Thread Ron DuFresne




 I'm still not convinced that, more than a few feet from a device, the
 interference would even be detectable.


Though two devices within 10 feet both set up in the same room of another
might well conflict with one another, and might be what the original
poster on device contention was running into.

Thanks,

Ron DuFresne
-- 
Sometimes you get the blues because your baby leaves you. Sometimes you get'em
'cause she comes back. --B.B. King
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.




RE: [Full-Disclosure] WiFi question

2004-11-21 Thread Ake Nordin

(with a nod to Esmond Kane)
At 17:50 2004-11-19, Paul Schmehl thusly scribed:
 --On Thursday, November 18, 2004 09:32:27 AM -0600 Paul Schmehl [EMAIL 
 PROTECTED] wrote:
 
  --On Wednesday, November 17, 2004 12:41:44 PM -0500 Lachniet, Mark
  [EMAIL PROTECTED] wrote:
  
   Could also be RF interference.  One of my coworkers tracked down a
   particularly interesting problem with motion sensor lights.  

quoted text trimmed down a bit, some lines broken in the process...

 After forwarding this to our wireless expert, he responded
 with this (which he has authorized me to forward to the
 list.)
  
 I find it hard to believe that this is possible.  2.4Ghz is
 the 9th harmonic.  By the time you get to the 4th harmonic
 of a signal, even in very very noisy radiators, the strength
 of the harmonic component of the signal is extremely minute.

Says what? Not every distortion mechanism gives monotonically
falling spectral intensity. Device resonance may tilt that
spectrum substantially. If the stuff is cheap enough, its
antenna may be a vital part of that resonator (i.e. far
better tuned at 2.4GHz than at 240MHz...)

 And, given the fact that one of those sensors (which most
 likely does *not* truly operate in the 240MHz portion of the
 spectrum) will have a very low output (Part 15 device), the
 10th harmonic of that signal will be undetectable as it will
 be at or below the level of background noise.

Low output it may be, but received power is inversely
proportional to distance squared in ideal (freefield)
conditions. The AP inside the same building (room?) is
possibly quite close to the detector. Then consider the
irregularities of radio propagation inside buildings, and
the possibilities of various structures that can act as
waveguides...

 Finally, if a device managed to get past all of the
 improbabilities above, the chances of it *accidentally*
 creating a signal that looked like an 802.11 beacon packet,
 complete with preamble, header, etc is so off the charts as
 to be laughable.

This (the preamble especially) is what _should_ eliminate
the motion sensors from the list. I'm out on this one (too
lazy to do the math), but is the 802.11b air interface that
resilient (does it really require that much redundancy)? It
should be, but that would also be some lost (usable)
bandwidth.

  One other thing...  If that device truly was operating
 at 240MHz, then the first harmonic would be 480MHz.  I'm
 pretty sure that frequency lies in the public service bands
 (ie fire/police).  If not, it's very close.  Given that and
 the fact that the first harmonic would be much stronger than
 the 9th harmonic, I'm pretty sure someone in those bands
 would have complained loudly to the FCC as they don't take
 interference issues in those bands lightly.

Sorry. 

1) The building will contain very much of that energy
(which never was very much on a metropolitan scale, FCC Part
15 and all that).

2) The noise characteristics as received by those services
would be intermittent, very bursty and come from many
different directions all over the city. No easy clues telling
what to complain about there.

3) I don't know about US emergency communication radios, but
typical European systems (before Terrestrial Trunked Radio)
are so bad anyway that this contributed noise hardly would
be noticed.


-- 
  .
 /Ake Nordin   +46704-660199   [EMAIL PROTECTED]
 Duston Sickler: There are only 10 types of people in the
 world, those who understand binary and those who don't.




RE: [Full-Disclosure] WiFi question

2004-11-19 Thread Paul Schmehl
--On Thursday, November 18, 2004 09:32:27 AM -0600 Paul Schmehl 
[EMAIL PROTECTED] wrote:

--On Wednesday, November 17, 2004 12:41:44 PM -0500 Lachniet, Mark
[EMAIL PROTECTED] wrote:
Could also be RF interference.  One of my coworkers tracked down a
particularly interesting problem with motion sensor lights.  Turns out
the motion sensors worked at the 240mhz range, which has resonance at
2.4ghz, or something like that.  Hence every time the motion sensor
worked, it would spew what the wardriving (site survey) apps thought was
a zillion different access points with widely varying MAC addresses.  I
would have thought it was a FAKEAP program also.  I would assume the same
could happen with other interference.  Having a common SSID would seem
to indicate this is not the problem, but just thought I'd mention it.
Thanks for a particularly interesting and potentially useful bit of
information, Mark.
After forwarding this to our wireless expert, he responded with this (which 
he has authorized me to forward to the list.)

I find it hard to believe that this is possible.  2.4Ghz is the 9th 
harmonic.  By the time you get to the 4th harmonic of a signal, even in 
very very noisy radiators, the strength of the harmonic component of the 
signal is extremely minute.  And, given the fact that one of those sensors 
(which most likely does *not* truly operate in the 240MHz portion of the 
spectrum) will have a very low output (Part 15 device), the 10th harmonic 
of that signal will be undetectable as it will be at or below the level of 
background noise.

Finally, if a device managed to get past all of the improbabilities above, 
the chances of it *accidentally* creating a signal that looked like an 
802.11 beacon packet, complete with preamble, header, etc is so off the 
charts as to be laughable.

One other thing...  If that device truly was operating at 240MHz, then the 
first harmonic would be 480MHz.  I'm pretty sure that frequency lies in the 
public service bands (ie fire/police).  If not, it's very close.  Given that 
and the fact that the first harmonic would be much stronger than the 9th 
harmonic, I'm pretty sure someone in those bands would have complained 
loudly to the FCC as they don't take interference issues in those bands 
lightly.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


RE: [Full-Disclosure] WiFi question

2004-11-19 Thread Todd Towles
It shouldn't take a wireless expert to tell you that...he should try it.

I pick up all types of weird stuff all the time in Kismet..and it looks
like something..but I know it isn't..the SSID is A^B^C^B^D^S^G, or in
other words, trash. 



Re: [Full-Disclosure] WiFi question

2004-11-19 Thread Esmond
On 10:50, Fri 19 Nov 04, Paul Schmehl wrote:
 --On Thursday, November 18, 2004 09:32:27 AM -0600 Paul Schmehl
 [EMAIL PROTECTED] wrote:

 --On Wednesday, November 17, 2004 12:41:44 PM -0500 Lachniet, Mark
 [EMAIL PROTECTED] wrote:
 

 I find it hard to believe that this is possible.  2.4Ghz is the 9th
 harmonic.  By the time you get to the 4th harmonic of a signal, even in
 very very noisy radiators, the strength of the harmonic component of the
 signal is extremely minute.  And, given the fact that one of those sensors
 (which most likely does *not* truly operate in the 240MHz portion of the
 spectrum) will have a very low output (Part 15 device), the 10th harmonic
 of that signal will be undetectable as it will be at or below the level of
 background noise.

Despite your disbelief, this is basic physics and a core component of
musical amplification. It may not be solely due to the device. There may
be building cavities amplifying the signal. This is a radio wave we're
talking about after all.

Sufficient Harmonic Oscillation can result in a boosted signal or
Resonance:

http://www.sasked.gov.sk.ca/docs/physics/u5c42phy.html

 Finally, if a device managed to get past all of the improbabilities above,
 the chances of it *accidentally* creating a signal that looked like an
 802.11 beacon packet, complete with preamble, header, etc is so off the
 charts as to be laughable.

It's not an accident. Cheap equipment = low quality control = no
suppression and filtering.

 One other thing...  If that device truly was operating at 240MHz, then the
 first harmonic would be 480MHz.  I'm pretty sure that frequency lies in the
 public service bands (ie fire/police).  If not, it's very close.  Given that
 and the fact that the first harmonic would be much stronger than the 9th
 harmonic, I'm pretty sure someone in those bands would have complained
 loudly to the FCC as they don't take interference issues in those bands
 lightly.

Eh, not only does this happen, here's a recent story on one instance:

http://www.technewsworld.com/story/37435.html


--
Esmond Kane
Sys Admin
HUAM DIT



RE: [Full-Disclosure] WiFi question

2004-11-18 Thread Paul Schmehl
--On Wednesday, November 17, 2004 12:41:44 PM -0500 Lachniet, Mark 
[EMAIL PROTECTED] wrote:

Could also be RF interference.  One of my coworkers tracked down a
particularly interesting problem with motion sensor lights.  Turns out
the motion sensors worked at the 240mhz range, which has resonance at
2.4ghz, or something like that.  Hence every time the motion sensor
worked, it would spew what the wardriving (site survey) apps thought was
a zillion different access points with widely varying MAC addresses.  I
would have thought it was a FAKEAP program also.  I would assume the same
could happen with other interference.  Having a common SSID would seem
to indicate this is not the problem, but just thought I'd mention it.
Thanks for a particularly interesting and potentially useful bit of 
information, Mark.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


RE: [Full-Disclosure] WiFi question

2004-11-18 Thread Lachniet, Mark
Okay, enough people commented on this that I had to dig out my
documentation.  FWIW, this is what my co-worker documented.  My previous
summary was not totally accurate.  This was discovered by one of my
co-workers, not myself.

-snip

From:  [EMAIL PROTECTED] (name withheld to protect against spam)
Subject: Some Occupancy Sensors May Cause WiFi Interference

So what interferes with 802.11b/g wireless? So far the list seems to be
short; microwaves, 2.4 GHz cordless telephones, existing WiFi or
Bluetooth equipment.. nuclear reactors!?

Now add some occupancy sensors to the list. Specifically, Hubbell MyTech
24KHz ceiling mount sensors, manufactured about ten years ago. I've
attached a picture of a newer model; the one that I had problems with is
shaped more like a square. They're used to turn lights on and off when
people enter large rooms and to regulate heating and air conditioning.

24KHz doesn't sound like WiFi right? Most wireless devices have
emissions at some multiple of their operating frequency, in this case
10x. This is called a harmonic frequency and normally these emissions
are filtered out. Ten years ago there wasn't much going on with the
unlicensed ISM band so my best guess is that the 2.4 GHz harmonic was
not filtered out to save costs. 

I first observed the interference using our Surveyor software although
Surveyor did not detect any wireless devices. Curiously, NetStumbler
detected an infinitely increasing number of wireless MAC addresses on an
invisible SSID, all operating on channel 10. If I place the NetStumbler
tool next to one of the sensors, the SNR goes off the charts every time
I wave my hand in front of the sensor. A new random MAC address often
times pops up.

The MAC addresses aren't registered with any specific manufacturer. They
start out with 02:00 and are random for the remaining characters. It
might be that NetStumbler is attempting to treat the interference as an
actual WiFi device.

Anyways, it's something to look out for!
 
-snip

Mark Lachniet



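
The forwarded note above (random addresses beginning 02:00 on a hidden SSID, one channel) and Colin's original report (one ESSID, a new MAC from a different manufacturer pool every few seconds) describe two distinguishable patterns. The Python below is an added example, not code from anyone in the thread: it applies both as triage heuristics to a constructed scan log, and the log format, thresholds and labels are assumptions made for the example.

```python
"""Triage heuristics for a burst of phantom access points in a scan log.

Added example for this thread, not code from any of the posters.  The log
format below is constructed for the example (it is not a NetStumbler or
Kismet export), and the thresholds and labels are assumptions: they encode
the two patterns reported in the thread, nothing more.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample scan log: <time> <BSSID> <SSID or <hidden>> <channel>.
# Three populations: a normal office AP with one stable BSSID; one ESSID
# announced by a new BSSID every few seconds, each with a different vendor
# prefix (Colin's report); a hidden SSID on channel 10 whose BSSIDs all
# begin 02:00 and are otherwise random (the occupancy-sensor note).
SAMPLE_LOG = """\
09:00:01 00:0c:41:12:34:56 corpnet 6
09:00:03 00:0c:41:12:34:56 corpnet 6
09:00:04 00:11:22:aa:bb:01 homelan 11
09:00:05 02:00:3f:9a:c1:77 <hidden> 10
09:00:06 02:00:d4:10:0e:29 <hidden> 10
09:00:07 02:00:81:55:ee:c3 <hidden> 10
09:00:08 02:00:07:ab:19:f0 <hidden> 10
09:00:09 00:40:96:aa:bb:02 homelan 11
09:00:14 00:02:2d:aa:bb:03 homelan 11
09:00:19 00:0c:41:aa:bb:04 homelan 11
09:00:24 00:e0:98:aa:bb:05 homelan 11
09:00:31 00:0c:41:12:34:56 corpnet 6
"""


@dataclass
class SsidStats:
    """Everything seen for one SSID across the whole log."""
    bssids: set = field(default_factory=set)
    channels: set = field(default_factory=set)
    sightings: int = 0


def parse_log(text):
    """Return {ssid: SsidStats} from the constructed log format."""
    stats = defaultdict(SsidStats)
    for line in text.splitlines():
        if not line.strip():
            continue
        _time, bssid, ssid, channel = line.split()
        entry = stats[ssid]
        entry.bssids.add(bssid.lower())
        entry.channels.add(int(channel))
        entry.sightings += 1
    return dict(stats)


def is_locally_administered(bssid):
    """True when the U/L bit (0x02 of the first octet) is set, i.e. the
    address is not one a manufacturer burned in from its registered OUI."""
    return int(bssid.split(":")[0], 16) & 0x02 != 0


def oui(bssid):
    """First three octets: the manufacturer prefix of a globally unique MAC."""
    return bssid[:8]


def classify(ssid, entry, churn_threshold=3):
    """Map one SSID's statistics to a triage label (heuristic, see above)."""
    n = len(entry.bssids)
    if n < churn_threshold:
        return "stable"            # one or two BSSIDs: ordinary AP or roaming
    local = sum(is_locally_administered(b) for b in entry.bssids)
    ouis = {oui(b) for b in entry.bssids}
    if local == n and ssid == "<hidden>":
        # Nameless, every address locally administered and random: the
        # shape of the sensor report; look for an RF source, not a host.
        return "garbage-beacons"
    if len(ouis) == n:
        # Same name, a fresh manufacturer prefix each time: the shape of
        # Colin's report, which several replies attributed to FakeAP.
        return "spoofed-churn"
    return "investigate"           # churning, but neither pattern fits cleanly


def triage(text):
    """Return {ssid: label} for a whole log."""
    return {ssid: classify(ssid, entry) for ssid, entry in parse_log(text).items()}


if __name__ == "__main__":
    for ssid, label in triage(SAMPLE_LOG).items():
        print(f"{ssid:10} {label}")
```

The labels only narrow where to look next (a radio source near the strongest reading versus a host running a beacon generator); a real scan export would need its own parser in place of `parse_log`.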


Re: [Full-Disclosure] WiFi question

2004-11-17 Thread KF_lists
fake ap
http://bsdvault.net/bsdfap.txt
http://www.blackalchemy.to/project/fakeap/
-KF
[EMAIL PROTECTED] wrote:
List,
I'm an expert in nothing so when I saw this I had to ask, as I'm sure there's
someone out there that is a WiFi expert.
Google has found no answer so here goes.
Last night we saw a new access point appear. No problems, it's an ad-hoc
network so it's someone's machine with XP on configured for their home W-LAN
probably.  Running Netstumbler shows more on it though.
You get 2 Access Points showing this ESSID for a few seconds. Then you get
a 3rd, then a 4th. Then the first two drop off, this repeats forever.
Always using a different MAC address when a new AP appears. The APs are all
WEP enabled (which I can't crack cos I don't have the savvy or the tools :) )
and this goes on forever.
The MACs are all from different pools (i.e. assigned to different
manufacturers) so the only conclusion is that they are all spoofed MACs.
I have walked around the office and as far as I can tell it's coming from
this office (the IT dept), basing that assumption on signal strength.
Anyone seen any tools that do this?   I would love a little hand-held
gadget that would help me find it (like the scanner in Alien!)
Answers on a post card :)
Colin.




Re: [Full-Disclosure] WiFi question

2004-11-17 Thread Dave King
As far as handheld devices to aid you in your quest go, there are 
several options.  If you've got a Pocket PC around you can try 
ministumbler, which is basically the Pocket PC version of netstumbler.  
It's free and would probably do most of what you want.  If you want more 
and you're willing to fork out some cash (I believe it's around $3000) 
AirMagnet can do some really cool stuff but it's probably overkill for 
you. 

If you're feeling brave and can get hold of an iPAQ you can replace 
Windows with Familiar Linux (www.handhelds.org) and then install Kismet 
(www.kismetwireless.net) which is a great free WiFi detecting/sniffing 
utility.  Kismet can even work with a GPS receiver and triangulate the 
location of the access point (although GPS systems don't tend to work 
well in buildings).  This option is what I use since I could run it on 
an iPAQ I picked up off eBay cheap and it has all the features I need, plus 
it's free.

Laters,
Dave King
http://www.thesecure.net


Re: [Full-Disclosure] WiFi question

2004-11-17 Thread GuidoZ
I'm not 100% on this, as it could be something I've never heard of (of
course). However, it sounds a lot like someone is playing with
FakeAP:
 - http://www.blackalchemy.to/project/fakeap/

It's not real difficult to set up and only requires a Prism chipset
card (one or more) and a compatible Linux distro. It's been around for
over 2 years, but hasn't been touched for about the same amount of
time. See the site for more.

--
Peace. ~G




RE: [Full-Disclosure] WiFi question

2004-11-17 Thread Lachniet, Mark
Could also be RF interference.  One of my coworkers tracked down a
particularly interesting problem with motion sensor lights.  Turns out
the motion sensors worked at the 240mhz range, which has resonance at
2.4ghz, or something like that.  Hence every time the motion sensor
worked, it would spew what the wardriving (site survey) apps thought was
a zillion different access points with widely varying MAC addresses.  I
would have thought it was a FAKEAP program also.  I would assume the same
could happen with other interference.  Having a common SSID would seem
to indicate this is not the problem, but just thought I'd mention it.

Mark Lachniet 

 -Original Message-
 From: KF_lists [mailto:[EMAIL PROTECTED] 
 Sent: Wednesday, November 17, 2004 10:21 AM
 To: [EMAIL PROTECTED]
 Cc: [EMAIL PROTECTED]
 Subject: Re: [Full-Disclosure] WiFi question
 
 fake ap
 http://bsdvault.net/bsdfap.txt
 http://www.blackalchemy.to/project/fakeap/
 -KF
 
 
 [EMAIL PROTECTED] wrote:
  List,
  
  I'm an expert in nothing so when I saw this I had to ask, as I'm sure
  there's someone out there that is a WiFi expert.
  
  Google has found no answer so here goes.
  
  Last night we saw a new access point appear. No problems, it's an ad-hoc
  network so it's someone's machine with XP on, configured for their home
  W-LAN probably.  Running Netstumbler shows more on it though.
  
  You get 2 Access Points showing this ESSID for a few seconds. Then you
  get a 3rd, then a 4th. Then the first two drop off; this repeats forever.
  Always using a different MAC address when a new AP appears. The APs
  are all WEP enabled (which I can't crack 'cos I don't have the savvy or
  the tools :) ) and this goes on forever.
  
  The MACs are all from different pools (i.e. assigned to different
  manufacturers) so the only conclusion is that they are all spoofed MACs.
  
  I have walked around the office and as far as I can tell it's coming
  from this office (the IT dept), basing that assumption on signal strength.
  
  Anyone seen any tools that do this?   I would love a little hand-held
  gadget that would help me find it (like the scanner in Alien!)
  
  Answers on a post card :)
  
  Colin.
  
  
  
  
  
  
  ___
  Full-Disclosure - We believe in it.
  Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] WiFi question

2004-11-17 Thread GuidoZ
A very good point indeed Mark; one that shouldn't be dismissed even
WITH common SSIDs. Other technology clashing with WiFi certainly isn't
new... in fact it's getting worse!

Besides motion sensors, also look for wireless phones, security
systems (like ADT's window/door systems - they use wireless to
communicate with some systems), things like that. With the amount of
wireless technology out there, it's becoming less and less common to
find unaffected WiFi.

--
Peace. ~G


On Wed, 17 Nov 2004 12:41:44 -0500, Lachniet, Mark
[EMAIL PROTECTED] wrote:
 Could also be RF interference.  One of my coworkers tracked down a
 particularly interesting problem with motion sensor lights.  Turns out
 the motion sensors worked at the 240 MHz range, which has resonance at
 2.4 GHz, or something like that.  Hence every time the motion sensor
 worked, it would spew what the wardriving (site survey) apps thought was
 a zillion different access points with widely varying MAC addresses.  I
 would have thought it was a FakeAP program also.  I would assume the same
 could happen with other interference.  Having a common SSID would seem
 to indicate this is not the problem, but just thought I'd mention it.
 
 Mark Lachniet
 


RE: [Full-Disclosure] WiFi question

2004-11-17 Thread Todd Towles
If you want to do Kismet, get a Sharp Zaurus handheld and install
OpenZaurus. Been running Dsniff, Kismet and Nmap on my handheld.

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Dave King
 Sent: Wednesday, November 17, 2004 10:52 AM
 To: [EMAIL PROTECTED]
 Cc: [EMAIL PROTECTED]
 Subject: Re: [Full-Disclosure] WiFi question
 
 As far as handheld devices to aid you in your quest go, there are several
 options.  If you've got a Pocket PC around you can try MiniStumbler, which
 is basically the Pocket PC version of NetStumbler.  It's free and would
 probably do most of what you want.  If you want more and you're willing to
 fork out some cash (I believe it's around $3000) AirMagnet can do some
 really cool stuff but it's probably overkill for you.
 
 If you're feeling brave and can get hold of an iPAQ you can replace
 Windows with Familiar Linux (www.handhelds.org) and then install Kismet
 (www.kismetwireless.net) which is a great free WiFi detecting/sniffing
 utility.  Kismet can even work with a GPS receiver and triangulate the
 location of the access point (although GPS systems don't tend to work
 well in buildings).  This option is what I use since I could run it on an
 iPAQ I picked up off eBay cheap and it has all the features I need,
 plus it's free.
 
 Laters,
 Dave King
 http://www.thesecure.net
 


RE: [Full-Disclosure] WiFi question

2004-11-17 Thread Todd Towles
I would have to agree with GuidoZ. The changing MAC would point to
something being up. An AP using different channels is pretty common in some
models, but the MAC changing and being from different vendors points to fake
AP.

I bet you 10 bucks the WEP key changes on all but one of them each time
too..lol  

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of GuidoZ
 Sent: Wednesday, November 17, 2004 12:42 PM
 To: [EMAIL PROTECTED]
 Cc: [EMAIL PROTECTED]
 Subject: Re: [Full-Disclosure] WiFi question
 
 I'm not 100% on this, as it could be something I've never heard of (of
 course). However, it sounds a lot like someone is playing with FakeAP:
  - http://www.blackalchemy.to/project/fakeap/
 
 It's not real difficult to set up and only requires a Prism chipset card
 (one or more) and a compatible Linux distro.  It's been around for over 2
 years, but hasn't been touched for about the same amount of time. See the
 site for more.
 
 --
 Peace. ~G
 
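A defender-side check for the two heuristics the thread arrives at (Mark: interference shows up as a zillion one-off "APs" with random MACs, while a common SSID argues against it; Todd: one SSID cycling through BSSIDs from different vendor pools points to FakeAP), as an added Python example that is not code from the thread or from FakeAP. The sighting list, the log layout and the thresholds are constructed and illustrative; the locally-administered (U/L) bit test is an extra hint added here, since vendor-assigned OUIs have that bit clear.

```python
from collections import defaultdict

# Constructed sightings (BSSID, SSID) as a site-survey tool might log them;
# not a real NetStumbler or Kismet capture. OUIs are illustrative only.
SIGHTINGS = [
    ("00:0C:41:1A:2B:3C", "CorpNet"), ("00:0C:41:1A:2B:3D", "CorpNet"),
    ("00:0C:41:1A:2B:3E", "CorpNet"), ("00:0C:41:1A:2B:3F", "CorpNet"),
    ("00:02:2D:AA:01:01", "homewlan"), ("00:40:96:BB:02:02", "homewlan"),
    ("00:0F:66:CC:03:03", "homewlan"), ("00:60:1D:DD:04:04", "homewlan"),
    ("00:90:4B:EE:05:05", "homewlan"),
    ("8E:11:22:33:44:55", "~9#"), ("D2:66:77:88:99:AA", "k?"),
    ("26:BB:CC:DD:EE:FF", "@@p"),
    ("00:02:2D:12:34:56", "Guest"), ("00:02:2D:12:34:56", "Guest"),
]


def oui(bssid):
    """Vendor-assigned OUI block: the first three octets of the MAC."""
    return bssid.upper()[:8]


def locally_administered(bssid):
    """True if the U/L bit of the first octet is set, i.e. the address was
    not handed out from a vendor block (typical of random/throwaway MACs)."""
    return bool(int(bssid[:2], 16) & 0x02)


def classify(sightings, min_bssids=4, min_ouis=3):
    """Group sightings by SSID and apply the thread's heuristics.

    Returns (verdicts, noise): verdicts maps SSID -> label; noise counts
    SSIDs seen exactly once on a locally-administered MAC, which is the
    interference signature (many distinct names, no common SSID).
    Thresholds are assumptions; tune them to the site.
    """
    by_ssid = defaultdict(list)
    for bssid, ssid in sightings:
        by_ssid[ssid].append(bssid)
    verdicts, noise = {}, 0
    for ssid, seen in by_ssid.items():
        uniq = set(seen)
        ouis = {oui(b) for b in uniq}
        if len(uniq) >= min_bssids and len(ouis) >= min_ouis:
            verdicts[ssid] = "beacon flood (FakeAP-like)"  # many vendors, one SSID
        elif len(uniq) >= min_bssids:
            verdicts[ssid] = "multi-radio deployment"  # one vendor, one SSID
        elif len(seen) == 1 and locally_administered(seen[0]):
            verdicts[ssid] = "interference/noise"
            noise += 1
        else:
            verdicts[ssid] = "normal"
    return verdicts, noise
```

A real multi-vendor deployment can also trip the OUI rule, so treat the "beacon flood" label as a trigger for the signal-strength walk the thread describes, not as proof.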