[Battlemesh] Extremely odd wireless network in the air causing problems

Ben West ben at gowasabi.net
Wed Nov 27 18:37:08 CET 2013


If there is any remote chance the party operating these radios is using
atheros chipsets with the ath9k_htc driver, then it may be possible to
spoof them into revealing their actual MAC addresses.

http://www.mathyvanhoef.com/2013/11/unmasking-spoofed-mac-address.html


On Wed, Nov 27, 2013 at 3:19 AM, Musti <musti at wlan-si.net> wrote:

> Hi folks,
>
> I am writing to you all with a description of a problem I am facing at the
> moment here in Slovenia, where a very odd wireless network is causing
> problems in existing networks. Any thoughts and ideas would be welcome.
>
> Location: Maribor, Slovenia
>
> A few days ago a network appeared in the air, that uses 802.11 but is not
> a conventional AP or mesh, transmitting at a rather high power in several
> directions, possibly omni at 5680MHz (ch 136). Triangulation of the signal
> thus-far has been a failure, not being able to find any consistent
> direction of the origin and perform triangulation. But looking at the
> traffic generated by this “thing” is where it gets weird.
>
> All the packets transmitted have a common BSSID: DE:6C:11:9E:DE:6C and
> originate from the following devices:
>
> 10:0E:DE:6C:11:9E
> E8:00:DE:6C:11:9E
> 28:00:DE:6C:11:9E
> 3E:00:DE:6C:11:9E
> 64:00:DE:6C:11:9E
> 30:00:DE:6C:11:9E
>
> As well as
> 10:0E:00:00:00:00
> E8:00:00:00:00:00
> 28:00:00:00:00:00
> 3E:00:00:00:00:00
> 64:00:00:00:00:00
> 30:00:00:00:00:00
>
> The MAC addresses do not appear to be from a valid vendor, first to
> sections changing make no sense really.
>
> Now things get even more strange, the traffic is of 6M bitrate, consisting
> only of DeAutehntication packets, utilising the maximum throughput of the
> channel, mostly originating from 28:00:DE:6C:11:9E. Example from tcpdump
> verbose output:
>
> 01:54:32.120993 30290112us tsft 6.0 Mb/s 5680 MHz 11a -87dB signal antenna
> 1 DeAuthentication (28:00:de:6c:11:9e (oui Unknown)): Reserved
>
> Some other packets of type ACK and RTS have been seen, but absolutely no
> data of any form.
>
> The measurements and observations were made using Ubiquiti Nanostation
> Loco M5, Nanobridge M5 25dB running openwrt AA, using Horst and tcpdump.
> Btw, on these devices the only way how to make horst listen on a specific
> channel appears to be by creating an ap on that channel and then adding a
> mon0 interface. Any ideas how to use it more conveniently or use automatic
> channel hopping. Manual setting of the channel allows only the first two
> digits to be entered.
>
>
> Any ideas on what other experiments to do and how to go about finding the
> source of this “noise” would be appreciated.
>
> Kind regards,
> Musti
> wlan slovenija
>
>
>
> _______________________________________________
> Battlemesh mailing list
> Battlemesh at ml.ninux.org
> http://ml.ninux.org/mailman/listinfo/battlemesh
>



-- 
Ben West
http://gowasabi.net
ben at gowasabi.net
314-246-9434
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://ml.ninux.org/pipermail/battlemesh/attachments/20131127/936ba8ef/attachment-0001.html>


More information about the Battlemesh mailing list