
Weird WiFi AP?


kmcferrin

MIS
Jul 14, 2003
2,938
US
I had an interesting situation come up this morning while at work. I was trying to get a laptop's wireless connection working when I noticed a new SSID being broadcast in my area. The SSID was "Free Public WiFi". Now we have 15 APs at my company, and all of them were broadcasting the correct SSID. So I figured that someone had installed a rogue access point. It was then that I noticed that the AP for the "Free Public WiFi" SSID was actually showing up in Windows as a Peer-to-Peer wireless network, rather than a true AP. This obviously concerned me.

So I loaded NetStumbler onto my laptop and did a brief tour of the campus to see where the signal was strongest, and I traced it to the laptop of a user that isn't in the office today, though the laptop was running and the user was logged in. NetStumbler showed that the MAC associated with the "AP" began with the "02-15-00" sequence, which according to the IEEE is not an assigned sequence. NetStumbler identifies the manufacturer as "user-defined". Apparently this "AP" is being generated in software, and it seems like it is trying to hide details of its existence.

I wanted to make sure that I did have the correct culprit, so I hit the button to disable the WiFi card on that user's laptop. NetStumbler showed the AP disappearing. When I re-enabled the WiFi card it immediately showed up again, only the MAC address had changed (though it still started with the "02-15-00" manufacturer code). So I definitely know what device is responsible.

I was able to unlock the user's PC without logging them out, and I didn't see anything out of the ordinary. The only programs that were installed that aren't part of our standard were MSN and Windows Desktop Search. I couldn't see anything fishy about the way that WiFi was configured (no connection bridging, etc). So I decided to reboot and log in as admin to see if I could find anything else. However, when I rebooted the "AP" disappeared, and didn't come back when I logged in. So I logged out and logged in as the user who the laptop belongs to, and it still didn't show up. I tried enabling/disabling WiFi several times but it didn't show back up again.

I have two working theories. The first is that the user (or some piece of malware unknowingly installed by the user) has created this peer-to-peer wireless hotspot and is allowing anyone who stops by unsecured wireless access to my LAN and/or the Internet. The second theory is that the user (or the malware) has created a fake hotspot, possibly proxying true web requests, in order to capture passwords, credit card numbers, etc. Either way, it's bad. I just can't find any details about what it might actually be, and how to remove it. Googling "Free Public WiFi" results in thousands of hits pointing to articles about cities that are implementing Free Public WiFi. McAfee and Symantec don't have anything referring to that phrase in their databases. Does anyone have any idea what it is that I am seeing?
 
<quote>So I definitely know what device is responsible.</quote>

Don't kill the rabbit too fast.... MAC spoofing is very easy....

Which security are you using on your network?
 
In fact, HP network cards do a form of spoofing when they set up network teams on servers.

Only the truly stupid believe they know everything.
Stu.. 2004
 
<quote>Don't kill the rabbit too fast.... MAC spoofing is very easy....

Which security are you using on your network?</quote>

Right, I was basing my belief that I had located the correct device on three pieces of information:

1. By measuring the strength of the radio signal coming from the AP that advertised itself as "Free Public WiFi" using NetStumbler and another wireless device. The signal was strongest directly next to the laptop in question, and moving any distance away from that laptop in any direction resulted in a reduced signal.

2. HP laptops have a wireless enable/disable button on the case. They also have an indicator light on the case that flashes while the adapter is being enabled or disabled, remains lit when the adapter is on, and goes out when the adapter is turned off. When I turned off the wireless adapter using this button on the suspect laptop I was able to see a reduction in signal strength (again using NetStumbler) that corresponded to the wireless adapter light's flashing, and then the signal went completely dead when the wireless adapter on the suspect device was completely shut down (light off). When I hit the button to re-enable the wireless connection, the "AP" came back up.

I am aware that MAC address spoofing is easily done. In fact, I pointed out in my first post that when the AP came back online after re-enabling the wireless adapter on the suspect laptop, that it actually had a different MAC address than it had previously. I also noted that in both cases the MAC address began with a bogus manufacturer's sequence, and that it shows up as a "user-defined" manufacturer. All of this clearly indicates that the MAC address isn't an actual hardware address. At no point did I indicate that I believed that this "suspect laptop" was responsible based on the MAC address, so I'm not even sure why anyone thinks that it is particularly relevant, especially given that it is a bogus address.

Rest assured, I am 100% confident that the laptop that I identified is the culprit. What I was hoping is that someone had seen a similar problem in the past and knew what the cause was (presumably some form of malware, so I have posted in that forum as well).

Regarding which security I use on my network, what piece of security are you referring to? All of my legitimate APs are Cisco Aironet 1100s, and we use Cisco ACS to restrict access to them to only authenticated RADIUS users. I'm more concerned about this laptop being used to proxy a wireless connection through our wired LAN for snooping purposes.

What I discovered after my first post was that when I rebooted the laptop, the rogue AP didn't show back up, even after the user logged in. However, I had the user launch IE and the AP immediately showed up. Apparently it is at least smart enough to only advertise itself if it detects an Internet connection (which is more backing to the proxying concerns I have).
 
Our wireless console saw the same ad-hoc "Free Public WiFi" SSID today for several MACs over a couple of hours. We had several visitors in and I am assuming it was one of them, as the console is no longer reporting their presence. Were you able to locate any malware or configuration problems on your user's laptop?

Tim
 
I sent the IT director to have a word with their boss about the situation, and it turned out that it was something that the user had installed themselves so that they could supposedly get free WiFi wherever they went. They obviously didn't realize that they were also opening up our systems in the process. Once this was pointed out, they uninstalled it.

I heard all of that from the IT director, and nobody has been able to tell me what the program was called. I haven't seen the AP ever since. I'm thinking that it was "FON" or something similar.
 
Yes, me too, I saw this damn thing 2 months ago!!!!! EURO wireless I think it was called. As soon as I did the above-mentioned it also disappeared. I got out my PDA and did a quick search with WIFIFOFUM but found nothing very interesting. I'll keep this in mind for a search of the boss's laptop lol

thanks

Stand up wherever you are, go to the nearest window and yell as loud as you can, 'I'm mad as hell, and I'm not going to take it anymore.'
 

So the "infected" computer isn't the one which finds the "free public wifi" after scanning, but rather another computer which broadcasts the network, is it?

Has someone however solved the problem?
 
Correct. The "infected" computer advertises itself as "free public wifi", and other wireless devices (in theory) are able to use it to connect into our network (which is usually secured). Basically it is sharing our network via unsecured wireless.

As I stated previously, it was a program that the user had installed on the laptop to allow them to access WiFi for free. Apparently it shares itself out as part of the deal. Once they removed the software the problem was resolved.
 
Sorry for misreading your post, I read it pretty fast, but I am glad you had the problem fixed.

I am now just wondering, the users were using a program that gave out the network through their computers, as a proxy like you thought, which seemed to be the only possible thing... but it got me wondering...

how did your network allow a passthrough, and could it be controlled... I can see you have pretty high security in your network...

What about the strength of that unsecured door that opened itself.... and finally, I am not familiar with those APs, what kind of encryption do they use? I'll do a quick search on that at the most...

thanks

 
Hmmmm,

In regards to the network allowing passthrough, the logged on user already has rights to the network.

I imagine the program made its own DHCP or the like and passed off the traffic as if it was from the local machine.

It's doable, we use a similar method when "auditing" a network.

Cya.

Brett

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
NSW, Australia
(Unless you want to pay for our trip?)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
I have just seen this (found this forum while searching to see if anyone else had seen this). I was in a government-run conference center last week and pulled my laptop out to see if there was any free wireless. Lo and behold, there was an SSID listed as "Free Public WiFi". Without thinking (dumb) I clicked on it; it said 'connecting', then it was connected and of course, no real connection. Then I noticed it was peer to peer. The signal was very good, yet there were no other laptops in the room (there were a few Blackberries). Didn't think much of it. Came home... and this weekend, my girlfriend and I are sitting on the couch, both with our laptops going, and my own Linksys router dropped the signal for both of us. We were both trying to connect again, and we both saw a "Free Public WiFi" SSID on our available networks (again, perfect signal). It was again peer-to-peer. Very, very odd. As soon as I got my router rebooted, it was gone. Anyone figured this out? My laptop is an HP V4000 and my GF's is an HP DV1000. I'm somewhat worried about this, especially in light of the news article that came out this week regarding the possibility of a WiFi virus.
 
Hi all,

Not to dismiss that it is something more malicious, but I believe that it is most likely someone who connected to a peer-to-peer network named "free public wifi" at one point.

If you have ever connected to a peer-to-peer network, your machine will continue to advertise that network pretty much forever if you don't specifically turn off the ad hoc connection capability.

So spimby when you got home, you had connected to the Ad-Hoc and now are advertising it.

That's what I think anyway,

Cya,

Brett


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
NSW, Australia
(Unless you want to pay for our trip?)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
I've seen this twice at two different locations, one just today. I used MiniStumbler but didn't have time to locate the machine broadcasting the ID. The MACs identified by MiniStumbler were different (and bogus, with prefixes of 2A:9E:1F and FA:AD:4D).

I was able to connect to the one I found today. I considered doing a ping sweep of 169.254.0.0/16 to see if I could locate its IP and then other identifying information, but I'm way out of my league already.

Any other thoughts on this? It's a bit disturbing?

Thanks,

kensec
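The thread keys on two observations to tell a software-generated peer-to-peer "AP" from a real one: Windows/NetStumbler reports it as ad-hoc, and its MAC prefix (02-15-00 in the first post, 2A:9E:1F and FA:AD:4D in the post above) resolves to no manufacturer. The second observation is a property of the address itself: the second-lowest bit of the first octet is the IEEE "locally administered" flag, and it is set in all three prefixes. The script below is an added example, not code from this thread or from NetStumbler; it parses a constructed scan listing shaped like the text printed by `netsh wlan show networks mode=bssid` (the field names and regexes are an assumption and may need adjusting for your Windows version), flags ad-hoc BSSIDs, locally administered BSSIDs, and unknown BSSIDs advertising a corporate SSID (the rogue-AP case kmcferrin first suspected), and picks the survey point where a signal peaked, which is the walk-around method used in the thread. The inventory values are constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample, shaped like `netsh wlan show networks mode=bssid`
# output (assumption: field names and layout as below).
SAMPLE_SCAN = """\
SSID 1 : CorpWLAN
    Network type            : Infrastructure
    Authentication          : WPA2-Enterprise
    Encryption              : CCMP
    BSSID 1                 : 00:1a:2b:3c:4d:5e
         Signal             : 80%
         Channel            : 6
    BSSID 2                 : 00:26:ab:cd:ef:01
         Signal             : 45%
         Channel            : 1

SSID 2 : Free Public WiFi
    Network type            : Adhoc
    Authentication          : Open
    Encryption              : None
    BSSID 1                 : 02:15:00:11:22:33
         Signal             : 96%
         Channel            : 11
"""

# Inventory of the company's own SSIDs and AP radios (constructed values).
CORPORATE_SSIDS = {"CorpWLAN"}
AUTHORIZED_BSSIDS = {"00:1a:2b:3c:4d:5e"}


@dataclass
class Bss:
    ssid: str
    mode: str      # "Infrastructure" or "Adhoc"
    bssid: str     # lower-case, colon separated
    signal: int    # percent


def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit (bit 1 of the first octet) is set.

    Vendor-burned addresses have it clear; addresses invented in software
    usually set it, which is why 02-15-00, 2A:9E:1F and FA:AD:4D all show
    up as "user-defined" with no manufacturer."""
    first_octet = int(re.split(r"[:-]", mac.strip())[0], 16)
    return bool(first_octet & 0x02)


def parse_scan(text: str) -> list[Bss]:
    """Turn netsh-style scan text into one Bss record per BSSID."""
    records, ssid, mode, bssid = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"SSID \d+\s*:\s*(.*)", line):
            ssid, mode, bssid = m.group(1).strip(), None, None
        elif m := re.match(r"Network type\s*:\s*(\w+)", line):
            mode = m.group(1)
        elif m := re.match(r"BSSID \d+\s*:\s*([0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})", line):
            bssid = m.group(1).lower().replace("-", ":")
        elif (m := re.match(r"Signal\s*:\s*(\d+)%", line)) and bssid:
            records.append(Bss(ssid, mode or "", bssid, int(m.group(1))))
            bssid = None  # one Signal line closes each BSSID block
    return records


def classify(entry: Bss, corporate_ssids=CORPORATE_SSIDS,
             authorized_bssids=AUTHORIZED_BSSIDS) -> list[str]:
    """Reasons this BSSID looks rogue; an empty list means it looks legitimate."""
    reasons = []
    if entry.mode.lower() == "adhoc":
        reasons.append("ad-hoc (peer-to-peer) network, not an access point")
    if is_locally_administered(entry.bssid):
        reasons.append("locally administered BSSID, no vendor OUI (software-generated)")
    if entry.ssid in corporate_ssids and entry.bssid not in authorized_bssids:
        reasons.append("advertises a corporate SSID from a BSSID not in the AP inventory")
    return reasons


def find_rogues(text: str) -> dict[str, list[str]]:
    """Map each suspicious BSSID in a scan to the reasons it was flagged."""
    return {e.bssid: r for e in parse_scan(text) if (r := classify(e))}


def strongest_location(readings: dict[str, int]) -> str:
    """Survey point where a BSSID's signal peaked.

    `readings` maps a location label to the signal percentage seen there,
    i.e. the NetStumbler walk-around described in the first post."""
    return max(readings, key=readings.get)


if __name__ == "__main__":
    for bssid, reasons in find_rogues(SAMPLE_SCAN).items():
        print(bssid)
        for reason in reasons:
            print("  -", reason)
    print("peak:", strongest_location({"lobby": 40, "desk 12": 95, "hallway": 70}))
```

Feeding the script a real listing means redirecting the `netsh` output to a file and passing its contents to `find_rogues`; the U/L-bit test on its own is also a cheap filter for a wireless console's alert list, since almost every ad-hoc or soft-AP implementation that makes up its own BSSID sets that bit.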
 
If you look at what kmcferrin did you might find your solution
kmcferrin said:
I was basing my belief that I had located the correct device on three pieces of information

Signal strength is the best indicator you have...
 
I need to know how to tell if my roommate is getting access to my computer. We share a wireless at the house, and the other day I logged in to my computer, launched iTunes (music program), and in my music list his music folder was there. That night I told my friend to shut down my laptop when they were finished using it because I didn't want anyone accessing it, and my roommate said "oh no, will do that". And the next day I logged back on and his music folder was gone. So what utility or what settings should I check out to see if he is listening in on my laptop? Thanks in advance
 
I would suggest making a new post in this forum, since it would probably get more attention than posting in a thread that is a couple of months old.

The only thing that immediately comes to mind is that iTunes has the capability to remotely connect to other music libraries that are on the same network. It's possible that you are configured to do this automatically.
 
Hey,

Just to clarify feelinfroggy,

Are you worried that they are using the music by being at your pc, or over the network?

Thanks,

Brett

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
NSW, Australia
(Unless you want to pay for our trip?)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
<quote>If you have ever connected to a peer-to-peer network, your machine will continue to advertise that network pretty much forever if you don't specifically turn off the ad hoc connection capability.</quote>


Is everyone happy with this explanation? I noticed it earlier this year, but this week I had 9 such connections show up when we had guests. The names of the connections varied and sure seemed to be with the intent of getting people to connect. One was HotelWifi and variations of the free wifi mentioned by the original poster. I frequently see HOYAs show up, and Google shows that name in use by a couple of colleges (Not Georgetown :) )

 