Go Back   Wireless and Wifi Forums > News > Newsgroups > alt.internet.wireless
Register FAQ Forum Rules Members List Calendar Search Today's Posts Advertise Mark Forums Read

 
Reply
 
LinkBack Thread Tools Display Modes
  #1 (permalink)  
Old 03-31-2011, 02:59 AM
Jeff Liebermann
Guest
 
Posts: n/a
Default Re: flipping between MAC hotspots

On Thu, 31 Mar 2011 00:13:49 +0000 (UTC), Geraldeen
<Geraldeen@WATCHOUTBABE.ORG> wrote:

>What does it usually mean if I connect to one MAC unsecured AP of unknown
>origin and in the middle of browsing my connection flips to another
>unsecured MAC with same SSID name? For example, surfing
>associated/connected to xx:xx:xx:xx HOTSPOT then suddenly shifted to
>yy:yy:yy:yy HOTSPOT Is this a hacking attack?


It means that you are hearing more than one access point with the same
SSID. For example, the local hospital has something like 20 access
points, all with SSID="CHS" (Catholic Healthcare West), but each with
a different MAC address. If your computah can do seamless roaming
(802.11r or WISPr 2.0), it will constantly switch between access
points, and therefore between MAC addresses, as you move around.


--
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831-336-2558
# http://802.11junk.com jeffl@cruzio.com
# http://www.LearnByDestroying.com AE6KS

Reply With Quote
  #2 (permalink)  
Old 03-31-2011, 04:11 PM
LouB
Guest
 
Posts: n/a
Default Re: flipping between MAC hotspots

Jeff Liebermann wrote:
> On Thu, 31 Mar 2011 00:13:49 +0000 (UTC), Geraldeen
> <Geraldeen@WATCHOUTBABE.ORG> wrote:
>
>> What does it usually mean if I connect to one MAC unsecured AP of unknown
>> origin and in the middle of browsing my connection flips to another
>> unsecured MAC with same SSID name? For example, surfing
>> associated/connected to xx:xx:xx:xx HOTSPOT then suddenly shifted to
>> yy:yy:yy:yy HOTSPOT Is this a hacking attack?

>
> It means that you are hearing more than one access point with the same
> SSID. For example, the local hospital has something like 20 access
> points, all with SSID="CHS" (Catholic Healthcare West), but each with
> a different MAC address. If your computah can do seamless roaming
> (802.11r or WISPr 2.0), it will constantly switch between access
> points, and therefore between MAC addresses, as you move around.
>
>

Is that good? Does it mean the new spot has a better connection?

Reply With Quote
  #3 (permalink)  
Old 03-31-2011, 04:55 PM
Edward Theodore Gein
Guest
 
Posts: n/a
Default Re: flipping between MAC hotspots

In article <4D94A7B0.8070408@invalid.invalid>,
LouB <Lou@invalid.invalid> wrote:

> Is that good? Does it mean the new spot has a better connection?


Not _better_ necessarily, but equal.
--
one more silver dollar
weed whites and wine
there's no smokin' anywhere
You made me this way *******

Reply With Quote
  #4 (permalink)  
Old 03-31-2011, 08:58 PM
Jeff Liebermann
Guest
 
Posts: n/a
Default Re: flipping between MAC hotspots

On Thu, 31 Mar 2011 12:11:28 -0400, LouB <Lou@invalid.invalid> wrote:

>Jeff Liebermann wrote:
>> On Thu, 31 Mar 2011 00:13:49 +0000 (UTC), Geraldeen
>> <Geraldeen@WATCHOUTBABE.ORG> wrote:
>>
>>> What does it usually mean if I connect to one MAC unsecured AP of unknown
>>> origin and in the middle of browsing my connection flips to another
>>> unsecured MAC with same SSID name? For example, surfing
>>> associated/connected to xx:xx:xx:xx HOTSPOT then suddenly shifted to
>>> yy:yy:yy:yy HOTSPOT Is this a hacking attack?

>>
>> It means that you are hearing more than one access point with the same
>> SSID. For example, the local hospital has something like 20 access
>> points, all with SSID="CHS" (Catholic Healthcare West), but each with
>> a different MAC address. If your computah can do seamless roaming
>> (802.11r or WISPr 2.0), it will constantly switch between access
>> points, and therefore between MAC addresses, as you move around.


>Is that good?


Yes.

>Does it mean the new spot has a better connection?


Yes. There are various algorithms for selecting the "best" wireless
access point. Signal strength is unfortunately the most common, and
the least useful. The strongest signal may also have the worst SNR
(signal to noise ratio), and therefore the worst thruput. The one's
that work (per 802.11r) is the best SNR. Criteria for switching is
that that the current connection either disappears, the SNR is too
high, or the connection speed drops below a preset speed. Seamless
roaming does even better by switching access points up to several
times per second. It will also act opportunistic, and pre-connect to
several available access points just in case it has to switch rapidly.

--
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831-336-2558
# http://802.11junk.com jeffl@cruzio.com
# http://www.LearnByDestroying.com AE6KS

Reply With Quote
  #5 (permalink)  
Old 03-31-2011, 09:01 PM
Jeff Liebermann
Guest
 
Posts: n/a
Default Re: flipping between MAC hotspots

On Thu, 31 Mar 2011 13:58:34 -0700, Jeff Liebermann <jeffl@cruzio.com>
wrote:

I forgot to mumble that you can see the currently connected MAC
address in Vista and Windoze 7 with:
wlan show networks mode=bssid
BSSID is the same thing as the MAC address.

--
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831-336-2558
# http://802.11junk.com jeffl@cruzio.com
# http://www.LearnByDestroying.com AE6KS

Reply With Quote
  #6 (permalink)  
Old 04-01-2011, 02:47 AM
Jeff Liebermann
Guest
 
Posts: n/a
Default Re: flipping between MAC hotspots

On Fri, 1 Apr 2011 00:51:55 +0000 (UTC), FredFlintstone
<FredFlintstone@verizon.com> wrote:

>When mine does that some of the access points are open and allow me to
>surf, while others are blocked and do not allow any data to transfer.
>In my case one is set for WEP and the others are NONE. There's about 3-4
>of them I can surf through 2, but the others associate but won't allow
>data transfer. Is this a firewall thing or what?


Are all these assorted access points owned by one vendor or company?
In order for seamless roaming (802.11r) to work, the various access
points need to be connected on some kind of common backbone, in order
to pass the connection from one AP to another AP. It's generally
understood that they also must have the same SSID.

My guess(tm) is that your random assortment of AP's are not owned by
one vendor or company, and that what you're seeing is just the usual
assortment of AP's owned by different people. Seamless roaming won't
work for such systems. You have to manually switch connections.

However, I'll guess that your unspecified operating system is
automatically connecting to the first open access point it can find.
This is convenient for some users, but not always desireable. You can
disable this behavior somewhere in the wireless settings.

--
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831-336-2558
# http://802.11junk.com jeffl@cruzio.com
# http://www.LearnByDestroying.com AE6KS

Reply With Quote
  #7 (permalink)  
Old 04-02-2011, 02:27 AM
Jeff Liebermann
Guest
 
Posts: n/a
Default Re: flipping between MAC hotspots

On Thu, 31 Mar 2011 14:01:51 -0700, Jeff Liebermann <jeffl@cruzio.com>
wrote:

>On Thu, 31 Mar 2011 13:58:34 -0700, Jeff Liebermann <jeffl@cruzio.com>
>wrote:
>
>I forgot to mumble that you can see the currently connected MAC
>address in Vista and Windoze 7 with:
> wlan show networks mode=bssid


Oops. It should be:
netsh wlan show networks mode=bssid
Sorry(tm).

>BSSID is the same thing as the MAC address.

--
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831-336-2558
# http://802.11junk.com jeffl@cruzio.com
# http://www.LearnByDestroying.com AE6KS

Reply With Quote
  #8 (permalink)  
Old 04-02-2011, 04:16 PM
Jeff Liebermann
Guest
 
Posts: n/a
Default Re: flipping between MAC hotspots

On Fri, 1 Apr 2011 23:07:31 +0000 (UTC), FredFlintstone
<FredFlintstone@verizon.com> wrote:

>I have no idea who owns these. All I know is that they have the same
>SSID/name of AP. The switching SEEMS to follow a pattern, i.e.- xx
>switches to cc or dd, yy also switches to cc or dd.


No clue what's happening. I've never seen a system like that, nor can
imagine any reason why someone would do that. Since you didn't
specify what you're doing, it's also possibly that you might be
misinterpreting your software. AP is normally used to describe the
type of device, not the SSID. The other options are client and
bridge.

>> My guess(tm) is that your random assortment of AP's are not owned by
>> one vendor or company, and that what you're seeing is just the usual
>> assortment of AP's owned by different people. Seamless roaming won't
>> work for such systems. You have to manually switch connections.

>
>Nope it's happening on the fly without any input. I wonder if someone is
>injecting packets to try to capture my data stream by changing the
>associated MAC?


I've seen some rather bizarre junk being sent via wi-fi. However,
these tend to be experimenters and hackers playing around. The
weirdness lasts for a few hours, perhaps a day, but not much longer.
If this is going on day after day, I would try sniffing with a
different machine and see if it persists.

>I recently found a trojan on my machine and am pretty
>sure this came from the wifi since I always check any software and am
>careful not to open attachments and some email.


It's unlikely that it arrived via email. The current malware seems to
arrive via hijacked web sites, usually with Javascript code attached
to buttons. You can can get infected by simply clicking on anything
on a hijacked web site. For prime target machines (such as
non-updated Windoze running unpatched browsers), it is possible to get
infected by simply visiting the web site and not clicking on anything.

>Could possibly have come
>from a web page maybe, but I don't use Internet Explorer and usually
>have javascript off.


That will certainly minimize the opportunities. However, there are
other ways to get infected via the browser. Try Firefox with
Noscript.
<https://addons.mozilla.org/en-US/firefox/addon/noscript/>

>Also I notice that frequently I can associate
>with good signal strength (if you can believe those adapter card client
>software readouts) but my data slows to a crawl. When I change my MAC
>and other config settings, I am back up again with good data speeds.
>I am thinking this could possibly be a honeypot, but I have all file
>transfer protocols deleted and am running pretty restrictive software
>firewall settings. I frequently get "destination unreachable" alerts on
>chat connections, but the login goes through and I am able to chat.


Some fancy routers have bandwidth managers that are capable of
imposing a download cap on high traffic connections. You should be
able to identify the manufacturer of the access points by the MAC
address.
<http://www.coffer.com/mac_find/>
It might be a honey pot, but that's not the way they are normally
configured.
<http://labrea.sourceforge.net/Intro-History.html>

>Using the manager that came with the adapter card REALTEK under XPsp2.


Hint: XP SP3 has been out for quite some time. You might want to
upgrade your XP installation so that perhaps you won't be susceptible
to known vulnerabilities.

>It's kind of annoying because the other MAC it keeps switching to often
>break my data connections and I have to manually try to reestablish
>connection with the MAC that works.


Again, this is not normal behavior. I can't determine what's
happening partly because your description is completely devoid of any
specifics such as numbers, actual MAC addresses, equipment used,
software used, results, etc. You'll get more specific answers if you
supply specific information.

>Is there a third party program I can
>use that will disallow association from certain MACs?


It's built into literally every wireless router. You can filter by IP
or MAC address and create a black list and a white list.
<http://www.tech-faq.com/mac-address-filtering.html>
However, it's a miserable way to impliment security and is only done
by admins that believe in the obstacle course theory of security. More
commonly, the MAC address is used to control some sort of download or
connect time quota, as is common in coffee shop hotspots.


--
Jeff Liebermann jeffl@cruzio.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558

Reply With Quote
  #9 (permalink)  
Old 04-05-2011, 01:52 AM
Jeff Liebermann
Guest
 
Posts: n/a
Default Re: flipping between MAC hotspots

On Mon, 4 Apr 2011 22:33:10 +0000 (UTC), FredFlintstone
<FredFlintstone@verizon.com> wrote:

>ok, does this help? 4 MAC addresses call them a,b,c,d
>
>According to the link you gave me, they are all Cisco-Linksys.


That makes them Linksys only. Cisco access points have their own set
of OUI's.

>I can get
>data through c,d although with problems I have already descibed. When I
>associate and try to connect to c or d, they keep flipping back to a or
>b and then my data stream is interrupted and ceases and I can get
>nothing.


Please make up your mind. If you can "get data through c,d" whatever
that means, it should not "flip" you back to a or b. It would appear
that you're not getting data through c,d".

Hint: The more detail you supply, the less vague I need to be. Try:
arp -a
route -print
and see if it offers any clues, especially if it changes.

>I am still associated and UDP DNS lookups go out, but cannot
>come in on my static self chosen IP.


Perhaps this strange system doesn't appreciate your selection of IP's?
Perhaps a duplication or it's in the wireless router black list?

>The c and d will occasionally hand
>out a DHCP IP when I am in auto assign mode but rarely,


Would that IP perhaps be 169.254.xxx.xxx? If so, it's not a valid IP
but the default that your Windoze XP machine assigns if DHCP fails.

Is it my imagination, or did you previously mention that these access
point are encrypted with a mix of WEP and WPA? How are you getting
past the encryption?

>so I usually
>have to choose my own IP.


What are you using for the default gateway IP?

>I frequently get socket not connected errors
>but if I associate to the two MACs that work I get data transfer
>regardless, usually at pretty slow speeds and page delivery often
>stalls.


If c and d "flip" you back to a or b, it's not working.

>They do seem to have control over when the let me through and bears no
>relationship to signal strength or link quality. I frequently have no
>problems late at night when everyone is sleeping. The quality of
>throughput seems unrelated or only marginally related to signal strength
>and quality.


Well, it could be excessive traffic. Have you sniffed for wireless
traffic using Kismet or WireShark?

>&>Hint: XP SP3 has been out for quite some time. You might want to
>&>upgrade your XP installation so that perhaps you won't be susceptible
>&>to known vulnerabilities.
>
>You mean trade XP vulnerabilitys for Win 7 vulnerabilitys? Seems ever
>version of Windoze has it's own problems.


Sorry, I wasn't clear enough. Please upgrade your XP SP2 machine to
SP3 by installing XP Service Pack 3.
<http://www.microsoft.com/downloads/en/details.aspx?FamilyID=5b33b5a8-5e76-401f-be08-1e1555d4f3d4>

As for vulnerabilities, see:
<http://secunia.com/advisories/product/27467/> (Win 7)
59 Secunia advisories
96 Vulnerabilities
Unpatched: 10% (6 of 59 Secunia advisories)

<http://secunia.com/advisories/product/16/> (XP Home)
320 Secunia advisories
399 Vulnerabilities
Unpatched: 13% (40 of 320 Secunia advisories)

>Already said I have a Realtek 8187 with it's consumer config software
>and the APs are all Cisco-Linksys. What other info do you need?


Realtek 8187 is a chip. What's the product?
Consumer software isn't a great description. Perhaps the name and
version number? Some vendors run ship of date software with known
bugs. Without a name, I can't search for these.
Running out of date software, such as your XP SP2 system is an open
invitation to bugs and oddities.
Perhaps it would be helpful if you disclosed whether you have
permission to use the target system? Indications seem to be that
you're trying to hack into someone else's network. If you don't mind,
I'm not interested in helping you do that.

While we're on the topic of sufficient information, please ask
yourself what response you would receive if you went to an auto parts
store and asked for a spark plug for a Ford? The mostly likely reply
would be what model, what year, what engine, etc. It's the same with
wireless. If you have a problem, be prepared to supply numbers with
your description. I can be very helpful, but only if you supply
numbers.

>&>>Is there a third party program I can
>&>>use that will disallow association from certain MACs?
>&>
>&>It's built into literally every wireless router. You can filter by IP
>&>or MAC address and create a black list and a white list.
>&><http://www.tech-faq.com/mac-address-filtering.html>
>&>However, it's a miserable way to impliment security and is only done
>&>by admins that believe in the obstacle course theory of security. More
>&>commonly, the MAC address is used to control some sort of download or
>&>connect time quota, as is common in coffee shop hotspots.


>Not using a router only a software firewall. Is there a software app
>that will do this?


I guess you mean do this on a PC running some software that emulates a
wireless router. Sure.... I was running numerous single floppy disk
routers (i.e. FreeSCO) for many years until the dedicated variety
became sufficiently powerful. Try:
<http://www.pfsense.org>
There are plenty others.
<http://en.wikipedia.org/wiki/Comparison_of_firewalls>
<http://www.bsdrouter.org>
There are also some Windoze software routers, but since you thing
Windoze XP and Win 7 are vulnerable, you probably shouldn't try those.

However, although that's what you apparently ask for, it's probably
not what you want. If you're at the client end of the wireless link,
the only thing you need a software firewall to do is block entry to
your machine from the internet. ZoneAlarm and other such "personal
firewall" products will do that. You could use one of the software
firewall products I mentioned, but you'll probably find yourself
disabling or not using most of the features, that are really designed
to manage incoming connections, not outgoing.

--
Jeff Liebermann jeffl@cruzio.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558

Reply With Quote
  #10 (permalink)  
Old 04-05-2011, 12:30 PM
Warren Oates
Guest
 
Posts: n/a
Default Re: flipping between MAC hotspots

In article <ine6d2$q9b$1@speranza.aioe.org>,
FredFlintstone <FredFlintstone@verizon.com> wrote:

> Why so someone can accuse me of robbing the bank and then try to use
> that information to further block/sniff/hack me when they are the ones
> who could be running a honeypot or more likey are just too lame not to
> run an open AP? The owners of the MACs in question could very well be
> reading this group.


We are. You have been found out.
--
If you could teach a cat to dance,
you'd never have to leave the house.
-- Pat Sajak

Reply With Quote
  #11 (permalink)  
Old 04-05-2011, 01:43 PM
danny burstein
Guest
 
Posts: n/a
Default Re: flipping between MAC hotspots

In <ine6d2$q9b$1@speranza.aioe.org> FredFlintstone <FredFlintstone@verizon.com> writes:

[lots snipped. way too much verbiage]

>The default for Linksys routers.


Sounds like there are a half dozen access points in range
of your system, all of which (for this purpose) are left
to their default SSID of "linksys" (and probably the
default channel, 6).

And it also sounds like some of them are hooked into
an "open" internet connection, while _others_ are
either going through some validation/verification checking
before letting you get through, and quite possibly one
or two of them are just sitting on a desk, sending
out their WiFi signal, but have no internet connection
on the other side.

So... when you hook up to (for illustration) any of the
three that are "open", you do ok. But you're sometimes
grabbing onto the Linksys that has no internet beyond it,
or to the one where the owner hasn't paid his ISP bill.

I've seen this behaviour in legitimately public facilities
with multiple access points, such as a library, where
there's a unit sitting on top of a filing cabinet which
was moved there by someone in that section hoping for
better connectivity. They plugged in the power, but didn't
have an e-net jack. So anyone in that side of the building
was screwed.

Is there a way to make sure you only latch onto Linksys "a"
or Liknksys "c", but not onto "b"? Unfortunately, not
with the built in Windows WiFi connection programs.

Now since each Linksys also has its very own MAC (the
loose equivalent of an electronic serial number) there
are ways to preferentially go to one or the other, but
I have no idea what Windows programs will let you
do that. Perhaps someone else can advise.


--
__________________________________________________ ___
Knowledge may be power, but communications is the key
dannyb@panix.com
[to foil spammers, my address has been double rot-13 encoded]

Reply With Quote
Reply


« Basic Understanding | I give up. I am just going to block gmail »
Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are Off
[IMG] code is Off
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On


Similar Threads
Thread Thread Starter Forum Replies Last Post
Linux software to randomize PC hostname & wireless MAC for privacyat hotspots Y Knot alt.computer.security 14 10-01-2010 08:44 PM
New World Wi-Fi Hotspots Directory unwired Interesting Links 9 07-20-2010 06:50 AM
iPhone:AT&T will now offer free Wi-Fi @ 10.000 Hotspots 4phun alt.cellular.attws 3 01-24-2008 03:17 PM
From Internet to Wireless Fidelity (Wi-Fi): A Study of Wi-Fi Public Hotspots Users. EsPUdeh@gmail.com alt.internet.wireless 1 07-31-2006 08:26 PM


All times are GMT. The time now is 06:00 PM.



Powered by vBulletin® Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO 3.6.0 PL2

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45