Weird Network Setup ?

[G-Stress]

Hey guys, I'm a little confused here... I just got back from this chocolate shop which provided wifi access @ a cost per usage rate. I decide to fire up Cain just to see what I could find on the network.

One thing weird is when I scan for hosts it gave me about 254 hosts, but they all had the same exact MAC Address and the same exact vendor :?

their network was setup as a class A 10.59.1.1/254 giving me the ip 10.59.1.4 and apparently I was the only real user connected, because using cain I saw no traffic on the network and the rest of the hosts had the same mac and vendor.

I was just curious what could have possibly been going on with that setup? I can only think that it was a roaming AP, with cloned mac possibly, but all the vendor names comming up the same confused me. Unless Cain still reads the vendor on a spoofed or cloned mac.

[Sparda]

It could be how the device prevents people from using there wifi with out paying.

[G-Stress]

hmmm... yea I guess I can see that, because when using Cain and scanning for hosts, usually the IP of the adapter configured to use with cain is not displayed. So when scanning for hosts it did not show my machine and I didn't look to hard but it looked like the rest of the 253 hosts were the same mac and vendor.

[Sparda]

I can't say exactly how it is working, but I can take a stab at guessing by saying that is has two networks, one of which is virtual. When you initially connect you are on the non-virtual LAN (as far as you can be that is). So when you 'login' (you didn't mention how or what you do for this to happen, so i'll just leave it at that) your computers MAC address is remembered as been valid. Your laptop is then authenticated as part of the VLAN which has normal access to the Internet like a normal LAN. I would guess it spoofs that all other IP's are in use in it's ARP tables as a way to check that the correct number of users are using the services that have paid for it.

This is just a stab in the dark based on what you said, so it's probably not even close :P

[G-Stress]

Actually no your probably right. It's one of them wifi networks where you connect to the network and then you gotta signup for an account with that wifi service provider and you pay per use. Like 6 bucks an hour or something like that. What's weird is I was able to access the gateway's gui @ 10.59.1.1 but of course needed a username and pass to access it.

Also with an nmap scan the gateway shows ports 80 and 443 open. I use http://10.59.1.1 and something different came up then when using https://

I forget now though I believe it was the gateway gui when using http and https I think was the authentication page to access the internet I meant to take notes for when I posted this but forgot that part :D