Over the past month or so, my monitoring of the air with AirMagnet has detected an SSID of SST-PR-1 being broadcast by ad-hoc stations that are Aironet cards. When I try to physically track it down, I never get enough signal strength to locate the stations. The number has grown from 1 station to currently 4 stations broadcasting that SSID. I spoke with an engineer from another company at a seminar a couple of weeks ago and discovered that he has been seeing the exact same thing. Is this some sort of default setting in newer cards brought up in ad-hoc mode? There is a need to locate these users due to possible security vulnerabilities. Thanks for any suggestions.
The default SSID in all Cisco Aironet products is tsunami, and the default mode for client cards is infrastructure.
You can check this yourself: create a new profile and simply press the default button on every tab of the profile configuration.
I'm very familiar with the default settings of "tsunami" (on the access points) and client adapters being in infrastructure mode. Client adapters actually have no default SSID when the ACU is installed. My question relates only to the SSID of SST-PR-1 and why this has been seen on my campus and also has been seen at other companies... always in ad-hoc mode and with Aironet cards. While at an AirMagnet seminar in Texas, the remote engineer performing a live demo located in California also had this SSID showing up. It is highly unlikely that this is a random SSID that is just showing up not only at different companies, but also in different states. Hopefully someone can shed some light on what this might be.
I have searched all of the cases ever raised on Aironet and all of the software and hardware functional specs for you. There is no mention of "SST-PR-1".
Do you see this SSID if you use NetStumbler or even Windows XP?
The reason I ask this is that in both cases where this has been observed, it was using AirMagnet; maybe there is an instance where the program will show this SSID, for instance if it sees an AP with broadcast SSID off?
It's not an AP that's broadcasting this SSID, rather client stations in ad-hoc mode. All of my APs have broadcast SSID disabled. NetStumbler won't help in that regard. The signal is only brief in nature when it is detected, so my XP isn't helping either. The MAC addresses of the stations are also not in my database for either APs or client adapters, so I know it's not a device allowed on our network.
This is very interesting.
Do you have one of the offending MAC addresses there? Could you please post it up here?
Given that it is so brief, it still makes me wonder if it is really there or maybe a reporting problem on the AirMagnet? Too hard to tell either way.
I think the best way forward to track this down is to get a WLAN sniffer like AiroPeek or NAI Sniffer Pro and try to capture these offending NIC cards.
Here are two of them:
AirMagnet is our licensed wireless sniffer. When monitoring the air on a daily basis, these Aironet stations are not always present. There are some days when they don't appear, and when they do appear, it's at random times of the day during regular business hours. Given this, it doesn't seem there is an issue with false reporting by AirMagnet. I am still awaiting word back from their support group regarding this as well.
Both of those MAC addresses are LMC cards and were sold as part of a bulk pack, so there is a good chance that they are integrated into another device such as a bar code scanner etc. Typically, when they are integrated into such devices, they do not use Cisco software, and as such the default SSID may be anything that the system integrator wants to use.
Looking on the AirMagnet site, it appears that in the laptop version they may also use the LMC card, so it might be worth asking them also.
I hope this helps with what sort of device you are looking for to track these cards down.
Also getting some different batches of MAC addresses:
Very strange stuff here. It seems as though every day brings totally new MACs, and I can't verify that one is ever repeated more than once. As for being bought for other devices, there are no other devices besides laptops on campus using wireless. Still no word from AirMagnet as well.
The word from AirMagnet is that they are validating this as a true SSID, not an anomaly in their software. They suggest that it might be from airplanes or military vehicles, since the signals are only brief in nature. I tend to disagree; however, I am very close to a major airport.
I was able to search an online database of roughly 260,000 known SSIDs, and this one came up 43 times in various locations across the U.S. An interesting thing here is that 2 were valid MACs (Aironet, 3Com) and the rest were invalid MACs. All the MACs I see are Aironet.
So far I've seen about 30 different MACs on my campus with this SSID, all while monitoring right from my desk. The likelihood of this being random users all with Aironet cards with the same SSID is very low. Something somewhere is generating this mysterious SSID.
I have spoken with the local AirMagnet sales team about this issue.
How long do these signals stay? Do you have time to use the find tool to get a better lock on these devices?
There is a new distributed version that is about to be released; this may be very helpful in this problem, as you can deploy your probes around your campus and then monitor from a central location. This will mean that you can monitor 24 hrs a day, and using this you should be able to build up a better picture of where these devices are and their movements. You can filter on just the SSID and watch for all detections of it over multiple locations throughout the day.
If you are close to an airport, then I would suspect that these devices are in fact in a bar code scanner or similar device and this is the default SSID for these devices (whichever manufacturer of the bar code scanner they are), and you are seeing the logistics guys driving near the boundary of your campus with these devices turned on.
The other thing to be careful of is, if you are using the handheld version and you just turn the Pocket PC off without shutting down the application first, the application will be in suspend mode and you will have old data showing in your traces, along with the new data.
If you would like to take this issue offline, let me know and I will send you an email with my contact details.
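The triage the thread converges on (checking station MACs against the site's AP/client inventory, sorting "valid" vendor-burned addresses from invalid ones, filtering one SSID across several probes, and measuring how briefly each station is seen) is easy to script against a sniffer export. The following is an added example, not code from the thread, from AirMagnet or from Cisco. The log format, the sensor names, the station MACs and the allowlist are all constructed for the example; 00:40:96 is assumed here to be the Aironet OUI, and a real run would load the full IEEE OUI registry instead of the one-entry table.

```python
"""Triage ad-hoc (IBSS) detections of one SSID from a multi-probe sniffer export."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime

# Constructed sample export (not real capture data, not from the thread).
# Columns: ISO timestamp, sensor name, station MAC, SSID, operating mode.
SAMPLE_LOG = """\
2004-03-01T09:12:04 bldgA-probe 00:40:96:aa:bb:01 SST-PR-1 adhoc
2004-03-01T09:12:31 bldgA-probe 00:40:96:aa:bb:01 SST-PR-1 adhoc
2004-03-01T09:13:10 bldgB-probe 00:40:96:aa:bb:01 SST-PR-1 adhoc
2004-03-01T09:40:00 bldgA-probe 00:40:96:aa:bb:02 SST-PR-1 adhoc
2004-03-01T10:05:00 bldgA-probe 00:40:96:11:22:33 corp-wlan infrastructure
2004-03-01T10:06:00 bldgC-probe 12:34:56:78:9a:bc SST-PR-1 adhoc
"""

# Assumed vendor prefix for the example; use the IEEE OUI list in practice.
VENDOR_OUIS = {"00:40:96": "Aironet"}
# Constructed allowlist standing in for the site's AP and client-adapter inventory.
KNOWN_MACS = {"00:40:96:11:22:33"}


@dataclass(frozen=True)
class Detection:
    when: datetime
    sensor: str
    mac: str
    ssid: str
    mode: str


def parse_log(text: str) -> list[Detection]:
    """Parse the whitespace-separated export; malformed lines are skipped."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, sensor, mac, ssid, mode = parts
        out.append(Detection(datetime.fromisoformat(ts), sensor, mac.lower(), ssid, mode))
    return out


def is_locally_administered(mac: str) -> bool:
    """U/L bit (bit 1 of the first octet) set means the address is not vendor-burned."""
    return bool(int(mac[:2], 16) & 0x02)


def classify_mac(mac: str) -> str:
    """Locally administered, a known vendor OUI, or an OUI we cannot attribute."""
    if is_locally_administered(mac):
        return "locally-administered"
    return VENDOR_OUIS.get(mac[:8], "unknown-oui")


def summarize(detections: list[Detection], ssid: str, mode: str = "adhoc") -> dict:
    """Per-station dwell time, sensors that saw it, vendor and inventory status."""
    by_mac: dict[str, dict] = {}
    for d in detections:
        if d.ssid != ssid or d.mode != mode:
            continue
        rec = by_mac.setdefault(d.mac, {"first": d.when, "last": d.when, "sensors": set()})
        rec["first"] = min(rec["first"], d.when)
        rec["last"] = max(rec["last"], d.when)
        rec["sensors"].add(d.sensor)
    for mac, rec in by_mac.items():
        rec["dwell_s"] = int((rec["last"] - rec["first"]).total_seconds())
        rec["vendor"] = classify_mac(mac)
        rec["in_inventory"] = mac in KNOWN_MACS
    return by_mac


def report(summary: dict) -> list[str]:
    """One line per station, sorted by MAC, ready for a daily review."""
    lines = []
    for mac, r in sorted(summary.items()):
        sensors = ",".join(sorted(r["sensors"]))
        lines.append(f"{mac} {r['vendor']:<20} dwell={r['dwell_s']:>4}s "
                     f"sensors={sensors} known={r['in_inventory']}")
    return lines


if __name__ == "__main__":
    for line in report(summarize(parse_log(SAMPLE_LOG), "SST-PR-1")):
        print(line)
```

Two of the sample stations carry the assumed Aironet OUI and one has the locally-administered bit set, which is the distinction behind the "valid" and "invalid" MACs in the online database; a station seen by more than one sensor within a short window (here bldgA and bldgB inside 66 seconds) is the kind of movement trace the distributed probes are meant to reveal, and nothing on the corporate SSID or in the inventory appears in the output at all.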
The signals are only seen for 10-90 seconds tops. That does not allow for any sort of physical survey. I always make a point of starting a fresh capture daily, as I am aware of the application not actually shutting down. Please send me your contact info and we'll go from there. Thanks for the response.
That would be a perfect explanation for the transient nature of this signal.
I would guess that they have a handheld scanner for parts they take out of stock, or a PDA-type device for bookings etc.