Thread: Kismet Status Alert "Suspicious client %s - probing ..." Clarification

  1. #1
    Just burned his ISO
    Join Date
    Mar 2008
    Posts
    5

    Kismet Status Alert "Suspicious client %s - probing ..." Clarification

    Hello!

    I have been running Kismet and have been noticing an ongoing number of status alerts with the following message:
    "Suspicious client %s - probing networks but never participating.",

    Is this message indicative that there are one or more other machines running Kismet or some other wifi exploit software? The MAC address seems to be changing frequently, so I can’t tell if it is one machine spoofing or multiple machines.
    I am hoping to get some clarification on what this alert means and am curious if there is some sort of ongoing hack attempt/wifi monitoring in the area.

    Thanks~!

  2. #2
    Member
    Join Date
    Jun 2007
    Posts
    218

    http://kismetwireless.net/documentation.shtml

    It's explained here:
    15. Alerts and Intrusion Detection

  3. #3
    Just burned his ISO
    Join Date
    Mar 2008
    Posts
    5

    Thank you for the link level-

    Any idea why the MACs would be different? Is this alert usually a false positive or indicative of multiple scanners? Thanks~!

  4. #4
    Member
    Join Date
    Jun 2007
    Posts
    218

    It's probably a wireless card in ad-hoc mode, probing.

  5. #5
    Just burned his ISO
    Join Date
    Mar 2008
    Posts
    5

    So this would obviously be a security risk to a WLAN; any suggestions on protocol on how to deal with this type of probing???

    Thanks~!

  6. #6
    Member
    Join Date
    Jun 2007
    Posts
    218

    I didn't mean to imply it was probing your WLAN. It's just the way ad-hoc works; it's harmless. Probing, in this instance, refers to sending probe request and probe response frames.

  7. #7
    Just burned his ISO
    Join Date
    Mar 2008
    Posts
    5

    It seems innocuous enough, but I would like to know the location of the probes. I could see that in a corporate LAN setting this could be a rogue access point/workstation, as I don't think most network cards run in ad-hoc mode normally. I guess I will have to run gpsdrive or something similar to get the plotting; may be a subject for a later post.

    Thanks!
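
The alert discussed in this thread concerns clients that send probe requests but never authenticate, associate or pass data. The sketch below is an added example, not Kismet's code and not from any poster: it applies that idea to constructed frame records, and also reports whether each flagged MAC has the locally administered bit set, which hints at a software-assigned address. The record format, the frame-type labels and the thresholds `min_probes` and `min_span` are assumptions.

```python
from collections import defaultdict

# Constructed sample records: (seconds, transmitter MAC, frame type). Not real traffic.
FRAMES = [
    (0, "00:11:22:aa:bb:01", "probe_req"), (5, "00:11:22:aa:bb:02", "probe_req"),
    (6, "00:11:22:aa:bb:02", "auth"), (7, "00:11:22:aa:bb:02", "assoc_req"),
    (8, "00:11:22:aa:bb:02", "data"), (10, "02:5e:10:00:00:01", "probe_req"),
    (12, "00:11:22:aa:bb:04", "probe_req"), (13, "00:11:22:aa:bb:04", "probe_req"),
    (20, "00:11:22:aa:bb:01", "probe_req"), (30, "02:5e:10:00:00:01", "probe_req"),
    (45, "00:11:22:aa:bb:01", "probe_req"), (50, "02:5e:10:00:00:01", "probe_req"),
    (70, "00:11:22:aa:bb:01", "probe_req"),
]

# Frame types that count as taking part in a network (assumed labels).
PARTICIPATION = {"auth", "assoc_req", "data"}


def is_locally_administered(mac):
    """True when the U/L bit (0x02 of the first octet) is set, i.e. the address
    was assigned in software rather than burned in by the vendor."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def probe_only_clients(frames, min_probes=3, min_span=30):
    """Return clients that probed at least min_probes times over at least
    min_span seconds without ever authenticating, associating or sending data."""
    stats = defaultdict(lambda: {"probes": 0, "first": None, "last": None, "joined": False})
    for ts, mac, kind in frames:
        s = stats[mac]
        if kind == "probe_req":
            s["probes"] += 1
            s["first"] = ts if s["first"] is None else s["first"]
            s["last"] = ts
        elif kind in PARTICIPATION:
            s["joined"] = True
    flagged = {}
    for mac, s in stats.items():
        if s["joined"] or s["probes"] < min_probes:
            continue  # joined a network, or too few probes to judge
        if s["last"] - s["first"] < min_span:
            continue  # a short burst is normal scanning before a join
        flagged[mac] = {"probes": s["probes"], "software_mac": is_locally_administered(mac)}
    return flagged


if __name__ == "__main__":
    for mac, info in probe_only_clients(FRAMES).items():
        print(mac, info)
```

A flagged address with `software_mac` set is only a hint that the MAC was set in software; it does not by itself show whether one device or several are behind the changing addresses.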
