H@L0_F00 Posted October 30, 2008

Alright so I haven't fired up the ol' Airodump in a while so I figured might as well see if anybody got any new APs! But what I found was just the normal... Until! I found 3 clients connected to an AP with the mac of 00:00:00:00:00:00!!! lol

The clients had abnormal macs too. Something like 52:a5:b3:16:e8:03, which is REALLY odd cuz from what I know, that could only mean a spoofed mac, right? I was just wondering if you guys wud have any thoughts on this???

--Thanks in advance!

ne3jedi Posted October 31, 2008

Don't exactly know the answer but that is weird. You think maybe you were just out of range of that AP but they were in range? Unless you like live on Spoofing Lane, or it might be a bug that is still not known.

H@L0_F00 Posted October 31, 2008 (Author)

No, it couldn't have been that I was out of range cuz I was collecting about 5-10 packets per second for a while. So I figured they were downloading something, started up Wireshark, and found nothing but broadcast.

ne3jedi Posted October 31, 2008

Wow that is strange lol, well it's got me puzzled 2.

H@L0_F00 Posted October 31, 2008 (Author)

<_< k thanks anyways lol

digip Posted October 31, 2008

It's pretty common these days for people to spoof their wireless mac address. Broadcast mac addresses I think are all f's (ex: ff:ff:ff:ff:ff:ff). Someone is most definitely spoofing a mac address though.

You can look up the vendor portion for mac addresses: http://www.coffer.com/mac_find/

No vendor for the one mac address 52:a5:b3:16:e8:03, so it is most likely spoofed: http://www.coffer.com/mac_find/?string=52%3Aa5%3Ab3

Xerox uses 00-00-00 for its first six hex code identification, but there should be some trailing hex values for the last six, which means it's most definitely spoofed. (A real Xerox device would look something like 00:00:00:FA:05:0D)

There is also a quick lookup table if you want to save it to your pc for offline lookup after a night of wardriving: http://standards.ieee.org/regauth/oui/oui.txt

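The offline vendor-prefix lookup described in the post above, as an added example that is not part of the original thread. Besides the prefix lookup it reads the two flag bits in the first octet, which show whether an address is locally administered and therefore will never appear in a vendor list. The names `load_oui` and `classify_mac` and the one-line sample table are constructed for illustration.

```python
import re

# Constructed sample in the "(hex)" line style of the IEEE oui.txt file;
# a real lookup would read the downloaded file instead.
SAMPLE_OUI_TXT = """\
00-00-00   (hex)\t\tXEROX CORPORATION
"""

OUI_LINE = re.compile(
    r"^\s*([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){2})\s+\(hex\)\s+(.+?)\s*$"
)


def load_oui(text):
    """Map 'XX-XX-XX' prefixes to vendor names from oui.txt-style text."""
    table = {}
    for line in text.splitlines():
        m = OUI_LINE.match(line)
        if m:
            table[m.group(1).upper()] = m.group(2)
    return table


def classify_mac(mac, oui_table):
    """Return a dict describing what the address bits say about a MAC."""
    octets = [int(part, 16) for part in re.split(r"[:-]", mac.strip())]
    if len(octets) != 6 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    prefix = "-".join(f"{o:02X}" for o in octets[:3])
    first = octets[0]
    return {
        "all_zero": all(o == 0 for o in octets),
        "broadcast": all(o == 0xFF for o in octets),
        # I/G bit (0x01 of the first octet): set means group/multicast.
        "multicast": bool(first & 0x01),
        # U/L bit (0x02): set means locally administered, so the first
        # three octets are not an IEEE-assigned vendor prefix at all.
        "locally_administered": bool(first & 0x02),
        "vendor": oui_table.get(prefix),
    }
```

For 52:a5:b3:16:e8:03 the first octet 0x52 has the 0x02 bit set, so the address is locally administered, which is why no vendor lookup returns a match for it.
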
H@L0_F00 Posted November 1, 2008 (Author)

Hmm, this is really weird, the AP hasn't shown up again. I would have really liked to look into that <_<

And as for the broadcasts being all f's: it wasn't the target mac that was all 0's, it was the AP's mac.

Tcstool Posted November 1, 2008

I've seen that with some thin access points and Airodump-ng before. Not sure what exactly it is. I'll look into it and let you know what I figure out.

digip Posted November 1, 2008

The access point with all 0's might not be a real router, but possibly someone with multiple cards and setting up a fake access point to sniff traffic.