[kismac] Solved it! (Re: Re: What in the world is going on? (Fake AP attack?))

  • From: Galen <gzink@xxxxxxxxxxxxxxxxxx>
  • To: kismac@xxxxxxxxxxxxx
  • Date: Sat, 8 May 2004 12:31:58 -0700

OK, so here's what happened. I went knocking after I zeroed in on where it might be. Second house, I was right.

Turns out it was a seriously misconfigured HP laptop that was positioned ideally for great coverage of the neighborhood!

The network said it had WEP on, but I could join it without WEP. The MAC address kept changing continually until I joined it, then it stopped. After finally just disabling Windows' configuring the wireless card, the network left, and the lady was very grateful, realizing that her computer could have been broken into by whoever wanted to!

On May 8, 2004, at 9:21 AM, Galen wrote:

On May 8, 2004, at 8:23 AM, Dan Oetting wrote:
On May 8, 2004, at 8:49 AM, Ray Dios Haque wrote:
OK, so the thought is that it's not a fake AP? Then what the heck is it?
Cisco has an office here in Ohio (United States). When I pass it on the
highway with KisMac open ... KisMac cripples under the load of access points
found. They do *not* exist. As long as you remain within a square mile of
the Access Point, you will find endless numbers of imaginary access points.
They can only be fake.
Cisco makes access points so maybe this is the lab where they send returned units for testing. Are all the BSSIDs in the ranges assigned to Cisco?
If you have a high gain directional antenna you could locate exactly where each access point is located.

Try doing this when each AP is up for, oh, 1 second. Or better yet, 0.25 seconds! Unless you're gonna have several machines and do instant triangulation, go figure as to where the AP(s) are.


It's funny that Cisco would be running fake APs. Having all those fake APs would (I can only surmise) interfere with people using it on their laptop(s) or any situation where it's not MAC-locked (like a GUI-select mode). And even if you had MAC-locked setups, all those random packets would slow things down I imagine. Unless of course they use 802.11a for the office and just have everyone pranked-out with 802.11b ;)

The hallmark (I think) of a truly prolific fake AP setup is that it comes and goes quickly. Is this the case with Cisco?

Oh, also, while visiting Southern California (I'm in SW Washington State) last summer, I drove by the Broadcom office not too far from SNA airport. Man alive, do they ever have a lot of access points! I should note that I picked up continued activity on these and it tapered off after a while, but they must have had 30-40 APs I could detect without hardly moving! All had WEP activated, of course!

So now for the question: is there any hallmark to fake APs? Could we do an "only show networks that transmit data" function in KisMAC or something? It's making wardriving pretty obnoxious in scattered places it seems.

-Galen
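
The two hallmarks raised in this thread (networks that come and go quickly, and the "only show networks that transmit data" idea) can be sketched as a filter over capture summaries. This is an added example, not part of the original posts and not KisMAC code; the record layout, the 5-second lifetime threshold, the function names and the sample BSSIDs are all constructed assumptions.

```python
from collections import defaultdict

def build_sample():
    """Constructed capture summary: (seconds, bssid, frame_type) tuples."""
    obs = [(float(t), "00:0d:93:aa:bb:01", "beacon") for t in range(0, 61, 10)]
    obs += [(12.3, "00:0d:93:aa:bb:01", "data"), (30.1, "00:0d:93:aa:bb:01", "data")]
    obs += [(float(t), "00:0d:93:aa:bb:02", "beacon") for t in (0, 30, 60)]
    for i in range(5):  # short-lived BSSIDs, each visible for 0.25 s
        bssid = f"02:00:00:00:00:{i:02x}"
        obs += [(float(i), bssid, "beacon"), (i + 0.25, bssid, "beacon")]
    return obs

def summarize(observations):
    """Per-BSSID first/last sighting and data-frame count."""
    stats = defaultdict(lambda: {"first": None, "last": None, "data": 0})
    for ts, bssid, ftype in observations:
        s = stats[bssid]
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
        if ftype == "data":
            s["data"] += 1
    return dict(stats)

def classify(observations, min_lifetime=5.0):
    """Label each BSSID 'active', 'idle' or 'suspect'."""
    labels = {}
    for bssid, s in summarize(observations).items():
        if s["data"] > 0:
            labels[bssid] = "active"      # carried traffic: a network in use
        elif s["last"] - s["first"] < min_lifetime:
            labels[bssid] = "suspect"     # beacon-only and gone almost at once
        else:
            labels[bssid] = "idle"        # persistent but silent; keep by default
    return labels

def visible_networks(observations, data_only=False, min_lifetime=5.0):
    """BSSIDs to display; data_only=True keeps only networks seen moving data."""
    keep = {"active"} if data_only else {"active", "idle"}
    labels = classify(observations, min_lifetime)
    return sorted(b for b, label in labels.items() if label in keep)

if __name__ == "__main__":
    sample = build_sample()
    print(visible_networks(sample))
    print(visible_networks(sample, data_only=True))
```

A genuine access point glimpsed only briefly while driving past also lands in the "suspect" bucket, so the lifetime threshold trades missed real networks against clutter from short-lived ones.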





