Netstumbler "Vendor: Fake"

  1. #1
    Junior Member
    Join Date
    May 2005
    Posts
    11

    Netstumbler "Vendor: Fake"

    As the title states, I'm connecting to an AP that reads "fake" as the vendor in Netstumbler. The even more interesting thing is that I decided to do a tracert to google.com and I saw this:

    Tracing route to google.com [216.239.37.99]
    over a maximum of 30 hops:

    1 3 ms 3 ms 3 ms 192.168.1.1
    2 9 ms 9 ms 9 ms 10.102.96.1
    3 220 ms 10 ms 11 ms atm3 *
    4 11 ms 13 ms 19 ms *
    5 10 ms 8 ms 9 ms *
    6 15 ms 11 ms 11 ms *
    7 32 ms 27 ms 35 ms *
    8 41 ms 28 ms 27 ms * "These other IPs did show up i jus marked them out"
    9 28 ms 27 ms 28 ms *
    10 27 ms 27 ms 29 ms *
    11 55 ms 48 ms 40 ms *
    12 42 ms 45 ms 51 ms *
    13 54 ms 43 ms 49 ms *
    14 244 ms 42 ms 43 ms *
    15 44 ms 43 ms 42 ms 216.239.37.99

    The line of interest to me is of course the second one... a private IP address "after" the packet leaves the AP. Some people have said that the fake vendor is nothing really, but maybe a glitch in Netstumbler or the way an AP might present itself, but in this case it seems to be more... So does this mean that this AP is forwarding everything to a private network and then to the internet from there?

  2. #2
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,324
    Netstumbler might not have an updated mac/vendor list.
    I see this often with the newer westel dsl modem/wireless access point combos.

    You can manually look them up.
    http://www.cavebear.com/CaveBear/Ethernet/vendor.html

    There are several sites out there that have the mac/vendor list. I'm not sure which are kept up to date.

    As far as your trace route... your ISP (or whoever set up that AP) could be NATing out your "WAN" IP address. This is done for a variety of reasons... they are short on IP addresses and NAT can solve that problem. They can filter the services you are allowed using NAT.

    I do that on my home network.

    WAN (public IP) <--> WAN port (Wired Router) LAN port <--> Private LAN Subnet 1
    LAN (private IP) <--> WAN port (W/less Router) LAN port <--> Private LAN Subnet 2

    I have the WAN port of the wireless router hooked into a switch port on the Private LAN that gets assigned a private IP address.

    So, my wired and wireless clients are separated via router/firewall on different subnets. I can limit what services the wireless hosts can use.

    In your traceroute from the AP, the first public IP address should be your "true gateway" address if you are being NAT'd.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.
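
An added example (not part of any post in this thread): a small Python parser that reads `tracert` output, tags each hop against the three RFC 1918 blocks discussed in the thread, and reports the first public hop, which post #2 describes as the "true gateway" when NAT is in use. The sample trace is constructed: hops 1 and 2 and the destination come from the original post, and 203.0.113.1 is a documentation address standing in for a hop the poster masked.

```python
import ipaddress
import re

# The three RFC 1918 private blocks.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")           # "<hop number> <rest>"
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample (see lead-in); hop 4 shows a timed-out probe.
SAMPLE = """\
Tracing route to google.com [216.239.37.99]
over a maximum of 30 hops:

  1     3 ms     3 ms     3 ms  192.168.1.1
  2     9 ms     9 ms     9 ms  10.102.96.1
  3   220 ms    10 ms    11 ms  203.0.113.1
  4     *        *        *     Request timed out.
  5    44 ms    43 ms    42 ms  216.239.37.99
"""

def rfc1918_block(ip):
    """Return the RFC 1918 block containing ip (as a string), or None."""
    for net in RFC1918:
        if ip in net:
            return str(net)
    return None

def parse_hops(text):
    """Yield (hop_number, IPv4Address or None) for each hop line."""
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue                      # header or blank line
        found = IPV4_RE.findall(m.group(2))
        try:
            ip = ipaddress.ip_address(found[-1]) if found else None
        except ValueError:                # e.g. an octet above 255
            ip = None
        yield int(m.group(1)), ip

def analyse(text):
    """Collect the leading private hops and the first non-RFC 1918 hop."""
    private, first_public = [], None
    for n, ip in parse_hops(text):
        if ip is None:
            continue                      # timed-out or masked hop
        block = rfc1918_block(ip)
        if block is None:
            first_public = (n, str(ip))
            break
        private.append((n, str(ip), block))
    return {"private": private, "first_public": first_public}
```

Addresses outside the three RFC 1918 blocks are treated as public here, so other special-use ranges would need their own entries in the list.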

  3. #3
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,192
    A "whois" suggests the address belongs to IANA:

    OrgName: Internet Assigned Numbers Authority
    OrgID: IANA
    Address: 4676 Admiralty Way, Suite 330
    City: Marina del Rey
    StateProv: CA
    PostalCode: 90292-6695
    Country: US

    NetRange: 10.0.0.0 - 10.255.255.255
    CIDR: 10.0.0.0/8
    NetName: RESERVED-10
    NetHandle: NET-10-0-0-0-1
    Parent:
    NetType: IANA Special Use
    NameServer: BLACKHOLE-1.IANA.ORG
    NameServer: BLACKHOLE-2.IANA.ORG
    Comment: This block is reserved for special purposes.
    Comment: Please see RFC 1918 for additional information.
    Comment:
    RegDate:
    Updated: 2002-09-12

    OrgAbuseHandle: IANA-IP-ARIN
    OrgAbuseName: Internet Corporation for Assigned Names and Number
    OrgAbusePhone: +1-310-301-5820
    OrgAbuseEmail: abuse@iana.org

    OrgTechHandle: IANA-IP-ARIN
    OrgTechName: Internet Corporation for Assigned Names and Number
    OrgTechPhone: +1-310-301-5820
    OrgTechEmail: abuse@iana.org

    # ARIN WHOIS database, last updated 2005-07-05 19:10
    # Enter ? for additional hints on searching ARIN's WHOIS database.
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  4. #4
    Banned
    Join Date
    Apr 2003
    Posts
    1,147
    If you are connecting from your workstation to the AP, that first IP is the internal address of the AP (the one you see from your system). The AP has an external IP that is probably assigned by the ISP (whoever that may be). The next IP is the internal IP of the next system downstream from you. That is the gateway provided by your ISP. Probably a firewall and you are seeing the internal IP. The next IP, 3, is the IP of the next router downstream from there, etc., etc.

    Nothing weird or mysterious here.

  5. #5
    Senior Member
    Join Date
    Jun 2003
    Posts
    236
    It's not really possible for you to go from #1 your internal network of 192.168.x.x to #2 10.x.x.x unless you have some routing configured. I mean, once it left your network how could a 10.x.x.x be handled on the internet? But it is very possible to have any internal network routed out through another internal network (i.e. the 10.x.x.x network).
    That which does not kill me makes me stronger -- Friedrich Nietzsche

  6. #6
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,324
    But it is very possible to have any internal network routed out through another internal network (ie the 10.x.x.x network).
    That's what I think is happening... but that's just by looking at part of a traceroute.

    It could be the ISP that NAT'd out their addresses (happens quite often), or they could be using someone else's AP and don't know how it is set up.

    Nihil: aren't all ip addresses "owned" by IANA? customers just "rent" them?

    Any IP in these ranges should show up with the same "whois".

    10.0.0.0 - 10.255.255.255
    172.16.0.0 - 172.31.255.255
    192.168.0.0 - 192.168.255.255

    Those IP addresses are the IPs that ANYONE can "own".
    They can't be routed over the internet and are only for use on private networks.

    Only one person can have any one public IP address... but anyone can have the private addresses that are listed above.

  7. #7
    Senior Member
    Join Date
    Jul 2004
    Posts
    469
    Do you know who/what the AP really is? My gut feeling is honeypot.

  8. #8
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,192
    Phish~

    Nihil: aren't all ip addresses "owned" by IANA? customers just "rent" them?
    Not exactly. IANA manage and allocate the addresses but they don't own them (I recall the UN were trying to take over a little while back?)

    The blocks you refer to are reserved for special purposes, which makes it look odd to me, given where it shows up in traceroute?


  9. #9
    Junior Member
    Join Date
    May 2005
    Posts
    11
    Originally posted here by zENGER
    Do you know who/what the AP really is? My gut feeling is honeypot.
    I was thinking the same thing... this is just an AP in the neighborhood I just moved to and I don't have internet just yet... I guess it couldn't hurt to do a little investigating on my own... I'll get to practice using a few network tools and theories that we all read about.

  10. #10
    Senior Member Maestr0's Avatar
    Join Date
    May 2003
    Posts
    604
    Erm, are you kidding me? Try a whois on 127.0.0.1. OMFG IANA owns my localhost!! lol, seriously they are RFC 1918, of course they are reserved. Does 192.168.x.x ring a bell? And of course the second hop is also an RFC 1918 like the first, they are both internal networks. The 10.x.x.x (also RFC 1918) is probably the wired network which gets NATed to the internet. On that wired network is a wireless AP, the wireless AP gets its addy from 10.x.x.x DHCP and then runs its own DHCP on 192.168.x.x, this way the WLAN and LAN are separate. It's not a honeypot, it's some dude with a Linksys AP plugged into his Linksys router.



    -Maestr0
    "If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software." -Jaron Lanier
