Spooky and PS_POLL incident

Just placed a new Spooky at my apartment on the balcony.
Btw, every time the blue internal LED blinks, it means Spooky has parsed a packet.

And guess what next?


After a couple of hours of running, I got a notification of a PS_POLL travelling from unknown to unknown.

[Screenshot 2016-08-04 at 20.22.17]

A PS_POLL frame indicates (in short) that a device went to sleep and, at some point, checks whether there is any packet queued for it on the AP.

To assist stations with power saving, Access Points (APs) are designed to buffer frames for a station when that station is in power save mode and to transmit them later to the station when the AP knows the station will listen. When a station is in power save mode, it turns off its transmitter and receiver to preserve energy. It takes less power for a station to turn its receiver on to listen to frames than to turn its transmitter on to transmit frames. For this reason, it’s more power-efficient for an AP to inform a station if it has buffered frames present on the AP than to have the station poll the AP querying if frames are present.

…if it sees that the AP has buffered frames for it, it must send a Power Save Poll (PS-Poll) control frame to retrieve each buffered frame on the AP

So far so good, but I don’t recognize the source and destination here.
First, let’s find out if there is any packet flying over WiFi with these MAC addresses.

root@kali:~# airodump-ng wlan0mon

Comes back with:
[Screenshot 2016-08-04 at 20.47.07]

It doesn’t ring a bell; this is not my AP. Spooky is monitoring A4:2B:8C:18:59:BA.
So it looks like a station (18:E2:C2:21:BE:68) is sending PS_POLL to the AP (DC:53:7C:99:E8:97) and has my BSSID (A4:2B:8C:18:59:BA).
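To make the addresses in a PS_POLL concrete, here is an added Python example; it is not from the original post and not part of the Spooky project. It assumes the PS-Poll layout of the 802.11 standard, in which the frame carries only two addresses: Address 1 is the BSSID being polled and Address 2 is the transmitting station (TA), with the station's AID in the Duration/ID field. The sample frame is constructed inline from the MAC addresses in the screenshots above rather than read from a live capture, and the known-station list is a placeholder.

```python
import struct
import zlib

# 802.11 Frame Control: type 1 = control frame, subtype 10 = PS-Poll.
FC_TYPE_CONTROL = 1
FC_SUBTYPE_PS_POLL = 10
PS_POLL_LEN = 20  # 2 FC + 2 Duration/ID + 6 BSSID + 6 TA + 4 FCS


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02X}" for b in raw)


def fcs(body: bytes) -> bytes:
    # The 802.11 FCS is CRC-32 (same polynomial as Ethernet), sent least-significant byte first.
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def build_ps_poll(bssid: str, ta: str, aid: int) -> bytes:
    """Constructed sample frame (not a capture): PS-Poll from station `ta` to AP `bssid`."""
    frame_control = bytes([(FC_SUBTYPE_PS_POLL << 4) | (FC_TYPE_CONTROL << 2), 0x00])
    # In a PS-Poll the Duration/ID field carries the AID with its two top bits set.
    duration_id = struct.pack("<H", 0xC000 | (aid & 0x3FFF))
    body = frame_control + duration_id + mac_to_bytes(bssid) + mac_to_bytes(ta)
    return body + fcs(body)


def parse_ps_poll(frame: bytes) -> dict:
    """Decode a raw PS-Poll control frame; raises ValueError for anything that is not one."""
    if len(frame) != PS_POLL_LEN:
        raise ValueError(f"unexpected length {len(frame)}, a PS-Poll is {PS_POLL_LEN} bytes")
    body, trailer = frame[:-4], frame[-4:]
    if trailer != fcs(body):
        raise ValueError("FCS mismatch (corrupted frame)")
    fc0 = body[0]
    frame_type = (fc0 >> 2) & 0x3
    subtype = (fc0 >> 4) & 0xF
    if frame_type != FC_TYPE_CONTROL or subtype != FC_SUBTYPE_PS_POLL:
        raise ValueError(f"not a PS-Poll: type={frame_type} subtype={subtype}")
    duration_id = struct.unpack("<H", body[2:4])[0]
    return {
        "aid": duration_id & 0x3FFF,
        "bssid": bytes_to_mac(body[4:10]),  # Address 1: the AP being polled
        "ta": bytes_to_mac(body[10:16]),    # Address 2: the polling station
    }


def classify_ps_poll(frame: bytes, monitored_bssid: str, known_stations) -> tuple:
    """Return (verdict, fields): 'ignore' for other BSSIDs, 'expected' for a known
    station, 'alert' for an unknown station polling the monitored AP."""
    fields = parse_ps_poll(frame)
    known = {s.upper() for s in known_stations}
    if fields["bssid"].upper() != monitored_bssid.upper():
        return "ignore", fields
    if fields["ta"].upper() in known:
        return "expected", fields
    return "alert", fields


if __name__ == "__main__":
    MY_BSSID = "A4:2B:8C:18:59:BA"
    MY_STATIONS = ["00:11:22:33:44:55"]  # placeholder: stations known to be yours
    sample = build_ps_poll(MY_BSSID, "18:E2:C2:21:BE:68", aid=1)
    print(classify_ps_poll(sample, MY_BSSID, MY_STATIONS))
```

Because a PS-Poll never carries a third address, a monitor should match Address 1 against its own BSSID and treat Address 2 as the station to look up; an unknown TA polling your BSSID is the case worth logging next to the airodump-ng station list, so you can see whether that MAC ever associated with your AP or only with another one.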

Let’s find out if I can sniff 18:E2 in the air…

[Screenshot 2016-08-04 at 21.08.40]

And this station is certainly associated with the strange AP.

[Screenshot 2016-08-04 at 21.09.10]

A quick MAC vendor check returns:
[Screenshot 2016-08-04 at 21.09.58]

So most probably this is a phone.
Still, I don’t understand why it is trying to push PS_POLL to my BSSID?

Let’s mark this as “Investigation in progress”.
