flipping between MAC hotspots

What does it usually mean if I connect to one MAC unsecured AP of unknown origin and in the middle of browsing my connection flips to another unsecured MAC with the same SSID name? For example, surfing associated/connected to xx:xx:xx:xx HOTSPOT, then suddenly shifted to yy:yy:yy:yy HOTSPOT. Is this a hacking attack?

-- Geraldeen

It means that you are hearing more than one access point with the same SSID. For example, the local hospital has something like 20 access points, all with SSID="CHS" (Catholic Healthcare West), but each with a different MAC address. If your computah can do seamless roaming (802.11r or WISPr 2.0), it will constantly switch between access points, and therefore between MAC addresses, as you move around.

-- Jeff Liebermann

Is that good? Does it mean the new spot has a better connection?

-- LouB

Not _better_ necessarily, but equal.

-- Edward Theodore Gein

Yes.

Yes. There are various algorithms for selecting the "best" wireless access point. Signal strength is unfortunately the most common, and the least useful. The strongest signal may also have the worst SNR (signal to noise ratio), and therefore the worst throughput. The ones that work (per 802.11r) use the best SNR. The criteria for switching are that the current connection either disappears, the SNR is too high, or the connection speed drops below a preset speed. Seamless roaming does even better by switching access points up to several times per second. It will also act opportunistically, and pre-connect to several available access points just in case it has to switch rapidly.

-- Jeff Liebermann
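An added illustration of the selection rule described in the post above (pick by SNR rather than by raw signal strength, and only switch when the current AP disappears, its SNR crosses a threshold, or its rate drops). This is example code written for this page, not code from the thread or from any driver; the BSSIDs, RSSI, noise and rate figures are constructed, the fixed thresholds are an assumption, and the SNR trigger is modelled as "SNR fell below the threshold".

```python
"""AP selection by SNR with switch hysteresis (added example, not from the thread).

Models the roaming criteria described in the post: the loudest AP is not the
best one if it sits on a noisy channel; a client should stay put until the
current AP is gone, its SNR drops below a floor, or its rate drops below a
floor, and then move to the best-SNR candidate.  All numbers are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Candidate:
    bssid: str       # AP MAC address (constructed for the example)
    rssi_dbm: int    # received signal strength
    noise_dbm: int   # noise floor measured on that AP's channel
    link_mbps: int   # rate the client would get / currently gets

    @property
    def snr_db(self) -> int:
        # SNR is what actually predicts throughput, not RSSI alone.
        return self.rssi_dbm - self.noise_dbm


def best_by_rssi(cands: List[Candidate]) -> Candidate:
    """The naive rule: loudest AP wins."""
    return max(cands, key=lambda c: c.rssi_dbm)


def best_by_snr(cands: List[Candidate]) -> Candidate:
    """The rule the post recommends: cleanest link wins."""
    return max(cands, key=lambda c: c.snr_db)


def should_roam(current: str, cands: List[Candidate],
                min_snr_db: int = 15, min_rate_mbps: int = 11) -> Optional[str]:
    """Return the BSSID to roam to, or None to stay associated.

    Thresholds are assumed values for the example; real drivers use their
    own heuristics.  Staying put unless a trigger fires is the hysteresis
    that stops a client flapping between two equally good APs.
    """
    cur = next((c for c in cands if c.bssid == current), None)
    still_ok = (cur is not None
                and cur.snr_db >= min_snr_db
                and cur.link_mbps >= min_rate_mbps)
    if still_ok or not cands:
        return None
    target = best_by_snr(cands)
    return None if target.bssid == current else target.bssid


# Constructed scan: the loudest AP (…:01) is on a noisy channel and has
# already fallen back to 2 Mbps; a quieter AP (…:02) has a far better SNR.
SCAN = [
    Candidate("00:14:bf:aa:bb:01", rssi_dbm=-45, noise_dbm=-60, link_mbps=2),
    Candidate("00:14:bf:aa:bb:02", rssi_dbm=-62, noise_dbm=-95, link_mbps=54),
    Candidate("00:14:bf:aa:bb:03", rssi_dbm=-80, noise_dbm=-94, link_mbps=6),
]

if __name__ == "__main__":
    print("strongest signal :", best_by_rssi(SCAN).bssid)
    print("best SNR         :", best_by_snr(SCAN).bssid)
    print("roam from ...:01 :", should_roam("00:14:bf:aa:bb:01", SCAN))
    print("roam from ...:02 :", should_roam("00:14:bf:aa:bb:02", SCAN))
```

Run it and the two selectors disagree: RSSI picks the loud, noisy AP, SNR picks the clean one, and the client on the loud AP is told to move only because its rate collapsed, not because something louder appeared.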

I forgot to mumble that you can see the currently connected MAC address in Vista and Windoze 7 with: wlan show networks mode=bssid. BSSID is the same thing as the MAC address.

-- Jeff Liebermann

Jeff Liebermann wrote:

When mine does that, some of the access points are open and allow me to surf, while others are blocked and do not allow any data to transfer. In my case one is set for WEP and the others are NONE. There's about 3-4 of them; I can surf through 2, but the others associate but won't allow data transfer. Is this a firewall thing or what?

-- FredFlintstone

Are all these assorted access points owned by one vendor or company? In order for seamless roaming (802.11r) to work, the various access points need to be connected on some kind of common backbone, in order to pass the connection from one AP to another AP. It's generally understood that they also must have the same SSID.

My guess(tm) is that your random assortment of AP's are not owned by one vendor or company, and that what you're seeing is just the usual assortment of AP's owned by different people. Seamless roaming won't work for such systems. You have to manually switch connections.

However, I'll guess that your unspecified operating system is automatically connecting to the first open access point it can find. This is convenient for some users, but not always desirable. You can disable this behavior somewhere in the wireless settings.

-- Jeff Liebermann

Jeff Liebermann wrote:

Thanks much for your good replies. I have no idea who owns these. All I know is that they have the same SSID/name of AP. The switching SEEMS to follow a pattern, i.e. xx switches to cc or dd, and yy also switches to cc or dd.

Nope, it's happening on the fly without any input. I wonder if someone is injecting packets to try to capture my data stream by changing the associated MAC? I recently found a trojan on my machine and am pretty sure this came from the wifi, since I always check any software and am careful not to open attachments and some email. Could possibly have come from a web page maybe, but I don't use Internet Explorer and usually have javascript off. Also I notice that frequently I can associate with good signal strength (if you can believe those adapter card client software readouts) but my data slows to a crawl. When I change my MAC and other config settings, I am back up again with good data speeds. I am thinking this could possibly be a honeypot, but I have all file transfer protocols deleted and am running pretty restrictive software firewall settings. I frequently get "destination unreachable" alerts on chat connections, but the login goes through and I am able to chat.

Using the manager that came with the adapter card REALTEK under XP SP2. It's kind of annoying because the other MAC it keeps switching to often breaks my data connections and I have to manually try to reestablish connection with the MAC that works. Is there a third party program I can use that will disallow association from certain MACs?

-- FredFlintstone

Oops. It should be: netsh wlan show networks mode=bssid. Sorry(tm).

-- Jeff Liebermann
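The corrected netsh command above is the right place to start, but its output is easier to reason about once it is parsed. The following is an added Python example written for this page, not code from the thread or from Microsoft: it parses `netsh wlan show networks mode=bssid` output, groups BSSIDs by SSID, and flags the two signs that a set of same-SSID BSSIDs is not one managed roaming set: mixed security settings and BSSIDs from different vendor OUIs. The sample output (four "linksys" BSSIDs, one WEP and three open, mirroring the thread) and the two-entry OUI table are constructed for illustration; a real check should look prefixes up in the IEEE OUI registry.

```python
"""Audit `netsh wlan show networks mode=bssid` output (added example, not from the thread).

Same SSID + many BSSIDs is normal for a managed campus network and also
normal for a street full of routers left on the default SSID.  Two cheap
tells separate the cases: one roaming set has uniform security and usually
uniform vendor OUIs; a random assortment does not.
"""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample output in the netsh format (Vista/7); not a real capture.
SAMPLE_NETSH = """\
Interface name : Wireless Network Connection
There are 2 networks currently visible.

SSID 1 : linksys
    Network type            : Infrastructure
    Authentication          : Open
    Encryption              : None
    BSSID 1                 : 00:14:bf:11:22:aa
         Signal             : 72%
         Radio type         : 802.11g
         Channel            : 6
    BSSID 2                 : 00:14:bf:33:44:bb
         Signal             : 40%
         Radio type         : 802.11g
         Channel            : 6
    BSSID 3                 : 00:0c:42:55:66:cc
         Signal             : 88%
         Radio type         : 802.11g
         Channel            : 11

SSID 2 : linksys
    Network type            : Infrastructure
    Authentication          : Open
    Encryption              : WEP
    BSSID 1                 : 00:14:bf:77:88:dd
         Signal             : 64%
         Radio type         : 802.11g
         Channel            : 6
"""

# Illustrative subset only; resolve prefixes against the IEEE OUI registry.
OUI_TABLE = {
    "00:14:bf": "Cisco-Linksys",
    "00:0c:42": "Routerboard.com",
}

_NAMED = re.compile(r"^\s*(SSID|BSSID)\s+\d+\s*:\s*(.*?)\s*$")
_FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(.*?)\s*$")


def parse_netsh(text: str) -> List[Dict]:
    """One record per BSSID, carrying the SSID block's auth/encryption."""
    nets: List[Dict] = []
    ssid = auth = enc = None
    for line in text.splitlines():
        m = _NAMED.match(line)
        if m:
            if m.group(1) == "SSID":
                ssid, auth, enc = m.group(2), None, None   # new SSID block
            else:
                nets.append({"ssid": ssid, "bssid": m.group(2).lower(),
                             "auth": auth, "enc": enc,
                             "signal": None, "channel": None})
            continue
        m = _FIELD.match(line)
        if not m:
            continue
        key, val = m.group(1), m.group(2)
        if key == "Authentication":
            auth = val
        elif key == "Encryption":
            enc = val
        elif key == "Signal" and nets:
            nets[-1]["signal"] = int(val.rstrip("%"))
        elif key == "Channel" and nets:
            nets[-1]["channel"] = int(val)
    return nets


def vendor(bssid: str) -> str:
    return OUI_TABLE.get(bssid[:8], "unknown")


def audit(nets: List[Dict]) -> List[str]:
    """Findings for every SSID served by more than one BSSID."""
    by_ssid: Dict[str, List[Dict]] = defaultdict(list)
    for n in nets:
        by_ssid[n["ssid"]].append(n)
    findings = []
    for ssid, group in by_ssid.items():
        if len(group) < 2:
            continue
        secs = {(n["auth"], n["enc"]) for n in group}
        vendors = {vendor(n["bssid"]) for n in group}
        if len(secs) > 1:
            findings.append(f"{ssid}: {len(group)} BSSIDs with mixed security {sorted(secs)}; "
                            "not one managed roaming set")
        if len(vendors) > 1:
            findings.append(f"{ssid}: BSSIDs from different vendors {sorted(vendors)}; "
                            "likely unrelated APs sharing a default SSID")
        if len(secs) == 1 and len(vendors) == 1:
            findings.append(f"{ssid}: {len(group)} consistent BSSIDs; could be one roaming set, "
                            "confirm the default gateway stays the same after a switch")
    return findings


if __name__ == "__main__":
    for f in audit(parse_netsh(SAMPLE_NETSH)):
        print(f)
```

On the constructed sample the audit reports both tells for "linksys". The third finding (consistent set) is deliberately not a clean bill of health: an attacker cloning one AP would match its vendor and security too, which is why the gateway check is the next step.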

No clue what's happening. I've never seen a system like that, nor can imagine any reason why someone would do that. Since you didn't specify what you're doing, it's also possible that you might be misinterpreting your software. AP is normally used to describe the type of device, not the SSID. The other options are client and bridge.

I've seen some rather bizarre junk being sent via wi-fi. However, these tend to be experimenters and hackers playing around. The weirdness lasts for a few hours, perhaps a day, but not much longer. If this is going on day after day, I would try sniffing with a different machine and see if it persists.

It's unlikely that it arrived via email. The current malware seems to arrive via hijacked web sites, usually with Javascript code attached to buttons. You can get infected by simply clicking on anything on a hijacked web site. For prime target machines (such as non-updated Windoze running unpatched browsers), it is possible to get infected by simply visiting the web site and not clicking on anything.

That will certainly minimize the opportunities. However, there are other ways to get infected via the browser. Try Firefox with Noscript.

Some fancy routers have bandwidth managers that are capable of imposing a download cap on high traffic connections. You should be able to identify the manufacturer of the access points by the MAC address.

It might be a honey pot, but that's not the way they are normally configured.

Hint: XP SP3 has been out for quite some time. You might want to upgrade your XP installation so that perhaps you won't be susceptible to known vulnerabilities.

Again, this is not normal behavior. I can't determine what's happening partly because your description is completely devoid of any specifics such as numbers, actual MAC addresses, equipment used, software used, results, etc. You'll get more specific answers if you supply specific information.

It's built into literally every wireless router. You can filter by IP or MAC address and create a black list and a white list.

However, it's a miserable way to implement security and is only done by admins that believe in the obstacle course theory of security. More commonly, the MAC address is used to control some sort of download or connect time quota, as is common in coffee shop hotspots.

-- Jeff Liebermann


Jeff Liebermann wrote:

> Subject: Re: flipping between MAC hotspots
> On Fri, 1 Apr 2011 23:07:31 +0000 (UTC), FredFlintstone wrote:
>
>> I have no idea who owns these. All I know is that they have the same
>> SSID/name of AP. The switching SEEMS to follow a pattern, i.e. xx
>> switches to cc or dd, yy also switches to cc or dd.
>
> No clue what's happening. I've never seen a system like that, nor can
> imagine any reason why someone would do that. Since you didn't
> specify what you're doing, it's also possible that you might be
> misinterpreting your software. AP is normally used to describe the
> type of device, not the SSID. The other options are client and
> bridge.

OK, does this help? 4 MAC addresses, call them a, b, c, d.

According to the link you gave me, they are all Cisco-Linksys. I can get data through c, d although with problems I have already described. When I associate and try to connect to c or d, they keep flipping back to a or b and then my data stream is interrupted and ceases and I can get nothing. I am still associated and UDP DNS lookups go out, but cannot come in on my static self-chosen IP. The c and d will occasionally hand out a DHCP IP when I am in auto assign mode but rarely, so I usually have to choose my own IP. I frequently get socket not connected errors, but if I associate to the two MACs that work I get data transfer regardless, usually at pretty slow speeds, and page delivery often stalls.

>> Also I notice that frequently I can associate with good signal strength
>> (if you can believe those adapter card client software readouts) but my
>> data slows to a crawl. When I change my MAC and other config settings, I
>> am back up again with good data speeds. I am thinking this could possibly
>> be a honeypot, but I have all file transfer protocols deleted and am
>> running pretty restrictive software firewall settings. I frequently get
>> "destination unreachable" alerts on chat connections, but the login goes
>> through and I am able to chat.
>
> Some fancy routers have bandwidth managers that are capable of imposing a
> download cap on high traffic connections. You should be able to identify
> the manufacturer of the access points by the MAC address.
>
> It might be a honey pot, but that's not the way they are normally
> configured.

They do seem to have control over when they let me through, and it bears no relationship to signal strength or link quality. I frequently have no problems late at night when everyone is sleeping. The quality of throughput seems unrelated or only marginally related to signal strength and quality.

>> Using the manager that came with the adapter card REALTEK under XP SP2.
>
> Hint: XP SP3 has been out for quite some time. You might want to upgrade
> your XP installation so that perhaps you won't be susceptible to known
> vulnerabilities.

You mean trade XP vulnerabilities for Win 7 vulnerabilities? Seems every version of Windoze has its own problems.

>> It's kind of annoying because the other MAC it keeps switching to often
>> breaks my data connections and I have to manually try to reestablish
>> connection with the MAC that works.
>
> Again, this is not normal behavior. I can't determine what's happening
> partly because your description is completely devoid of any specifics
> such as numbers, actual MAC addresses, equipment used, software used,
> results, etc. You'll get more specific answers if you supply specific
> information.

Already said I have a Realtek 8187 with its consumer config software and the APs are all Cisco-Linksys. What other info do you need?

>> Is there a third party program I can use that will disallow association
>> from certain MACs?
>
> It's built into literally every wireless router. You can filter by IP or
> MAC address and create a black list and a white list.
>
> However, it's a miserable way to implement security and is only done by
> admins that believe in the obstacle course theory of security. More
> commonly, the MAC address is used to control some sort of download or
> connect time quota, as is common in coffee shop hotspots.

Not using a router only a software firewall. Is there a software app that will do this?

-- FredFlintstone

That makes them Linksys only. Cisco access points have their own set of OUIs.

Please make up your mind. If you can "get data through c, d", whatever that means, it should not "flip" you back to a or b. It would appear that you're not getting data through c, d.

Hint: The more detail you supply, the less vague I need to be. Try:

arp -a
route -print

and see if it offers any clues, especially if it changes.

Perhaps this strange system doesn't appreciate your selection of IP's? Perhaps a duplication or it's in the wireless router black list?

Would that IP perhaps be 169.254.xxx.xxx? If so, it's not a valid IP but the default that your Windoze XP machine assigns if DHCP fails.

Is it my imagination, or did you previously mention that these access point are encrypted with a mix of WEP and WPA? How are you getting past the encryption?

What are you using for the default gateway IP?

If c and d "flip" you back to a or b, it's not working.

Well, it could be excessive traffic. Have you sniffed for wireless traffic using Kismet or WireShark?

Sorry, I wasn't clear enough. Please upgrade your XP SP2 machine to SP3 by installing XP Service Pack 3.

As for vulnerabilities, see:

(Win 7) 59 Secunia advisories, 96 vulnerabilities, unpatched: 10% (6 of 59 Secunia advisories)

(XP Home) 320 Secunia advisories, 399 vulnerabilities, unpatched: 13% (40 of 320 Secunia advisories)

Realtek 8187 is a chip. What's the product? Consumer software isn't a great description. Perhaps the name and version number? Some vendors ship out of date software with known bugs. Without a name, I can't search for these. Running out of date software, such as your XP SP2 system, is an open invitation to bugs and oddities. Perhaps it would be helpful if you disclosed whether you have permission to use the target system? Indications seem to be that you're trying to hack into someone else's network. If you don't mind, I'm not interested in helping you do that.

While we're on the topic of sufficient information, please ask yourself what response you would receive if you went to an auto parts store and asked for a spark plug for a Ford. The most likely reply would be what model, what year, what engine, etc. It's the same with wireless. If you have a problem, be prepared to supply numbers with your description. I can be very helpful, but only if you supply numbers.

I guess you mean do this on a PC running some software that emulates a wireless router. Sure.... I was running numerous single floppy disk routers (i.e. FreeSCO) for many years until the dedicated variety became sufficiently powerful. Try:

There are plenty others.

There are also some Windoze software routers, but since you think Windoze XP and Win 7 are vulnerable, you probably shouldn't try those.

However, although that's what you apparently ask for, it's probably not what you want. If you're at the client end of the wireless link, the only thing you need a software firewall to do is block entry to your machine from the internet. ZoneAlarm and other such "personal firewall" products will do that. You could use one of the software firewall products I mentioned, but you'll probably find yourself disabling or not using most of the features, that are really designed to manage incoming connections, not outgoing.

-- Jeff Liebermann
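The suggestion in the post above to watch arp -a and route print across a flip is the check that separates roaming within one network from landing on a different network behind the same SSID. Here is an added Python example (not code from the thread) that parses two constructed snapshots in the Windows XP output format, one taken before and one after a BSSID flip, and reports whether the default gateway IP changed, whether a different MAC now answers for the same gateway IP, whether the gateway has no ARP entry at all, or whether the adapter fell back to a 169.254.x.x address. The 192.168.1.1 gateway (the Linksys default mentioned later in the thread) and every MAC are made up.

```python
"""Diff `arp -a` / `route print` snapshots across a BSSID flip (added example, not from the thread).

Seamless roaming inside one network keeps the same default gateway answered
by the same router.  If the gateway IP changes you are on another network.
If the IP stays the same but the MAC behind it changes, a different box is
answering for that IP: typically another household's router on the factory
default address, but the same symptom an ARP spoof would produce.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed XP-style snapshots; not real captures.
BEFORE_ARP = """\
Interface: 192.168.1.105 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-14-bf-11-22-aa     dynamic
  192.168.1.50          00-0c-42-aa-bb-cc     dynamic
"""
BEFORE_ROUTE = """\
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1   192.168.1.105       25
      192.168.1.0    255.255.255.0    192.168.1.105   192.168.1.105       25
Default Gateway:       192.168.1.1
===========================================================================
"""
# After the flip: same gateway IP in the route table, different MAC in ARP.
AFTER_ARP = """\
Interface: 192.168.1.105 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-14-bf-77-88-dd     dynamic
"""
AFTER_ROUTE = BEFORE_ROUTE
# DHCP failed: APIPA address and no default route at all.
APIPA_ARP = "Interface: 169.254.12.34 --- 0x2\n"
APIPA_ROUTE = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
      169.254.0.0      255.255.0.0    169.254.12.34   169.254.12.34       20
"""

_IP = r"\d+\.\d+\.\d+\.\d+"
_MAC = r"[0-9a-fA-F]{2}(?:-[0-9a-fA-F]{2}){5}"


def parse_arp(text: str) -> Tuple[Optional[str], Dict[str, str]]:
    """Return (interface IP, {ip: mac}); MACs normalised to colon form."""
    m = re.search(rf"Interface:\s*({_IP})", text)
    iface = m.group(1) if m else None
    table = {ip: mac.lower().replace("-", ":")
             for ip, mac in re.findall(rf"({_IP})\s+({_MAC})", text)}
    return iface, table


def parse_route(text: str) -> Optional[str]:
    """Default gateway from the 0.0.0.0 route, else the summary line, else None."""
    m = re.search(rf"^\s*0\.0\.0\.0\s+0\.0\.0\.0\s+({_IP})", text, re.M)
    if m:
        return m.group(1)
    m = re.search(rf"Default Gateway:\s*({_IP})", text)
    return m.group(1) if m else None


def snapshot(arp_text: str, route_text: str) -> Dict[str, Optional[str]]:
    iface, table = parse_arp(arp_text)
    gw = parse_route(route_text)
    return {"iface": iface, "gateway": gw, "gateway_mac": table.get(gw) if gw else None}


def compare(before: Dict, after: Dict) -> List[str]:
    """Findings after the flip; an empty list means nothing changed at layer 3."""
    findings = []
    if after["iface"] and after["iface"].startswith("169.254."):
        findings.append(f"interface has APIPA address {after['iface']}: DHCP failed")
    if after["gateway"] is None:
        findings.append("no default route after the flip: associated, but nothing routes for you")
    elif before["gateway"] != after["gateway"]:
        findings.append(f"default gateway changed {before['gateway']} -> {after['gateway']}: "
                        "different network, not seamless roaming")
    elif before["gateway_mac"] != after["gateway_mac"]:
        findings.append(f"gateway {after['gateway']} now answers from {after['gateway_mac']} "
                        f"(was {before['gateway_mac']}): a different box is answering for the same IP")
    if after["gateway"] and after["gateway_mac"] is None:
        findings.append(f"no ARP entry for gateway {after['gateway']}: traffic cannot leave the link")
    return findings


if __name__ == "__main__":
    before = snapshot(BEFORE_ARP, BEFORE_ROUTE)
    for name, after in (("flip", snapshot(AFTER_ARP, AFTER_ROUTE)),
                        ("apipa", snapshot(APIPA_ARP, APIPA_ROUTE))):
        print(name, compare(before, after))
```

Take the first snapshot while the link works and the second the moment throughput dies; the MAC-behind-the-gateway finding is the one that explains the thread's symptom of "still associated, DNS goes out, nothing comes back".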

Jeff Liebermann wrote:

Means exactly what I said. I can load a webpage (not from cache). I can login to chat. But the connection is not stable and will "flip" to one of the other MAC addresses in the list of four which then interrupts and blocks any throughput of data, including DNS lookups.

No, has nothing to do with it, no pattern there. Could be the blocking MACs are firewalling my browsers whereas the other two are not.

No, it's not that. When they do hand out an IP it's a valid one, but that rarely happens. And it doesn't matter which IP I choose if I set to static, same problems.

ONE of the MACs broadcasts WEP (the one that my client radio often flips to, which gives no connection of course); the others are OPEN.

The default for Linksys routers.

Last time I checked one cannot use either on an XP system. You have to have nix. Yes, could be because the connection improves at night.

I am in the process of doing just that, but all of the insecure services in XP SP2 have been disabled and/or removed, including any file share protocols.

I am not trying to hack anyone, just availing myself of free, albeit very slow, browsing on a MAC that is broadcasting as OPEN, which as far as I am concerned means "help yourself" (at least as far as simple net browsing goes). If I was so interested in hacking them, I'd be spending my time on installing backtrack and going after their WEP or more. My post is simply trying to learn more about how wifi works, mostly. I will try to upgrade the drivers for my radio and see if that helps. I still don't understand, and maybe you can explain, why it is my client radio software cannot be set to only associate with the MAC I choose and why it flips all over the place. I guess they are telling me I have to buy a router.

Why, so someone can accuse me of robbing the bank and then try to use that information to further block/sniff/hack me, when they are the ones who could be running a honeypot or more likely are just too lame not to run an open AP? The owners of the MACs in question could very well be reading this group.

I guess you did not understand me correctly. I already have a good software firewall and usually know how to use it. The problem I am thinking is that these are probably all MACs from the same "target" and maybe some are firewalled and some are not. Either that or they are using some type of sophisticated router that limits or on the fly corrects for unauthorized rogue clients or blocks out of LAN requests. But I don't think they are that smart as they have not kept me out thus far and I am not sure that is even their intention, since why would they have one MAC broadcasting a weak WEP and the others open? As an aside question, when you see a MAC broadcasting, how do YOU determine who owns it and how to contact them. If they are using a major COMM provider all their trace information is just general to that provider, does not identify them specifically? Thanks for your replies.

-- FredFlintstone

We are. You have been found out.

-- Warren Oates
[lots snipped. way too much verbiage]

Sounds like there are a half dozen access points in range of your system, all of which (for this purpose) are left to their default SSID of "linksys" (and probably the default channel, 6).

And it also sounds like some of them are hooked into an "open" internet connection, while _others_ are either going through some validation/verification checking before letting you get through, and quite possibly one or two of them are just sitting on a desk, sending out their WiFi signal, but have no internet connection on the other side.

So... when you hook up to (for illustration) any of the three that are "open", you do ok. But you're sometimes grabbing onto the Linksys that has no internet beyond it, or to the one where the owner hasn't paid his ISP bill.

I've seen this behaviour in legitimately public facilities with multiple access points, such as a library, where there's a unit sitting on top of a filing cabinet which was moved there by someone in that section hoping for better connectivity. They plugged in the power, but didn't have an e-net jack. So anyone in that side of the building was screwed.

Is there a way to make sure you only latch onto Linksys "a" or Linksys "c", but not onto "b"? Unfortunately, not with the built in Windows WiFi connection programs.

Now since each Linksys also has its very own MAC (the loose equivalent of an electronic serial number) there are ways to preferentially go to one or the other, but I have no idea what Windows programs will let you do that. Perhaps someone else can advise.

-- danny burstein

FredFlintstone wrote in news:ine6d2$q9b$1@speranza.aioe.org:

Ok thanks for the reply. I see the idiots running the honeypot I am connecting to finally got smart enough to change their router's default password :-(. Jeff musta thought I am an evil hacker, haha.

-- FredFlintstone

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.