[Tfug] Fraudulent airport WiFi

Harry McGregor micros at osef.org
Mon Jul 3 13:50:01 MST 2006


Not to take away from the sinister aspects...

IIRC some versions of Windows will automatically set up an Ad-Hoc network 
with the SSID of its primary AP-based network.  I could be wrong, but I 
remember coming across it before.

Of course the MAC ranges being out of spec is a little bit of a tip-off...

For some more interesting wi-fi reading:

http://www.evilscheme.org/defcon/

                                        Harry


Adrian wrote:
> Hehehe... yep, of the 5 access points scanned, 3 are fraudulent (I was 
> actually looking for a 6th "npwireless.com", which I couldn't quite get where 
> I was sitting). The 2 cells "tmobile" are the T-Mobile hotspots (pay-per or 
> on your cell account), the other 3 came and went as I sat in the airport.
>
> Some of the clues in the data:
>           Cell 01 - Address: 02:0E:35:00:29:FB
>                     ESSID:"Free Public WiFi"
>                     Mode:Ad-Hoc
>
>           Cell 03 - Address: 2E:BD:F0:9F:A3:0B
>                     ESSID:"Verizon Wi-Fi"
>                     Mode:Ad-Hoc
>
>           Cell 05 - Address: FA:CC:1D:44:C5:1E
>                     ESSID:"Comcast Broadband"
>                     Mode:Ad-Hoc
>
> As you said, the biggest tip-offs are the Ad-Hoc mode and the MAC addresses. 
> The "Free Public WiFi" and "trusted" names also tend to scream "come abuse 
> me". First, all 3 are running Ad-Hoc mode, not something a normal access 
> point would do (the "Free Public WiFi" came up first, followed ~5min later by 
> "Verizon" and "Comcast" at about the same time). The first MAC address, 
> 02:0E:35:00:29:FB, is in fact valid, but IEEE seems not to have updated their 
> online OUI database in the last year (current assignments are in the 02:xx:xx 
> range). The OUI 02:0E:35 is, from what I can tell, assigned to DLink, mostly 
> used in their G604T DSL modem w/wireless and a few DLink 802.11G PCMCIA 
> cards.
>
> The second 2 are completely fraudulent. Cell 03 (OUI 2E:BD:F0) has not been 
> assigned and is well outside the current MAC registration range. Likewise, 
> Cell 05 is even farther outside of the registration range.
>
> In addition, all 3 were running Windows APIPA addresses, 169.254.x.x/16 (all 3 
> had the same address in fact), with the "access point" periodically spitting 
> NetBIOS announcements of itself. Unfortunately... the person running the 
> machine appeared to have screwed up their routing. I couldn't get either of 
> the "access points" to route packets properly and none were issuing DHCP 
> responses.
>
> Adrian
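
An added example, not part of either post: a short Python parser for scan output in the format quoted above that applies the two tip-offs discussed in the thread, Ad-Hoc mode and the MAC address. The MAC test used here, the IEEE locally administered bit (0x02 of the first octet), is this example's assumption about how to check an address, and the "tmobile" cell's address and mode are constructed.

```python
import re

# The three Ad-Hoc cells quoted in the thread, plus one CONSTRUCTED
# infrastructure cell (Cell 02) so the checks have a negative case.
SAMPLE_SCAN = """\
          Cell 01 - Address: 02:0E:35:00:29:FB
                    ESSID:"Free Public WiFi"
                    Mode:Ad-Hoc
          Cell 02 - Address: 00:11:22:33:44:55
                    ESSID:"tmobile"
                    Mode:Master
          Cell 03 - Address: 2E:BD:F0:9F:A3:0B
                    ESSID:"Verizon Wi-Fi"
                    Mode:Ad-Hoc
          Cell 05 - Address: FA:CC:1D:44:C5:1E
                    ESSID:"Comcast Broadband"
                    Mode:Ad-Hoc
"""
CELL_RE = re.compile(r"Cell (\d+) - Address: ((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})")
FIELD_RE = re.compile(r'^\s*(ESSID|Mode):"?([^"\n]*)"?\s*$')

def parse_cells(text):
    """Turn scan text into a list of {cell, bssid, essid, mode} dicts."""
    cells = []
    for line in text.splitlines():
        m = CELL_RE.search(line)
        if m:  # a "Cell NN - Address:" line starts a new record
            cells.append({"cell": m.group(1), "bssid": m.group(2).upper(),
                          "essid": "", "mode": ""})
            continue
        f = FIELD_RE.match(line)
        if f and cells:  # ESSID/Mode lines belong to the most recent cell
            cells[-1][f.group(1).lower()] = f.group(2).strip()
    return cells

def is_locally_administered(mac):
    """True if bit 0x02 of the first octet is set (not a vendor-assigned OUI)."""
    return bool(int(mac.split(":")[0], 16) & 0x02)

def flag_cell(cell):
    """Return the list of reasons a cell deserves a second look."""
    reasons = []
    if cell["mode"].lower() == "ad-hoc":
        reasons.append("ad-hoc mode")
    if is_locally_administered(cell["bssid"]):
        reasons.append("locally administered BSSID")
    return reasons

def suspicious(text):
    """Map ESSID -> reasons, for cells that tripped at least one check."""
    return {c["essid"]: r for c in parse_cells(text) if (r := flag_cell(c))}
```

Calling `suspicious(SAMPLE_SCAN)` returns the three Ad-Hoc ESSIDs with both reasons each and omits the constructed infrastructure cell.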