Hey everyone, yesterday I was at a grocery store and I noticed suspicious WiFi networks and Bluetooth networks. I am quite tech savvy so I decided to investigate, thinking it was probably just some skid. But when I opened Wireshark I saw the MAC addresses for Cisco Merkari (a relatively advanced DPI program), along with multiple other enterprise-grade tools such as Fortinet and VMware. I have collected pcaps for both my Bluetooth and WiFi interfaces with Wireshark (available upon request). Does anyone have any idea whether this could be a government contractor? Or could it just be spoofed, cause it's relatively easy to spoof MAC addresses?

  • golden_zealot@lemmy.ml
    3 days ago

    Meraki devices are super common - tonnes of small businesses use it for the management of their networks and WAPs.

      • golden_zealot@lemmy.ml
        3 days ago

        Cisco makes the devices and the network management software Meraki. If you have service from Spectrum, you could probably run the service through to those devices, and then, to keep track of what they are for, an administrator probably altered the ESSIDs via Meraki to reflect it, and this is why they are named as such.

        It is a bit strange there are that many if they are serving some service from Spectrum, but this warrants further investigation of the immediate physical area. Does the grocery store or a nearby business have a lot of TVs or some such? It’s hard to say what the devices actually are for, but my best guess as to where I might see something like this is a place like a sports bar where there are multiple TVs with their own boxes so that they can show multiple sports broadcasts simultaneously.

      • Bldck@beehaw.org
        3 days ago

        Sagemcom produces white label networking equipment for Spectrum. I used to work in the industry and Spectrum was a customer, so I worked with Sagemcom directly.

        This looks like a business setting up new networking equipment. Either as a complement to the existing network (extending) or replacing what’s there.

  • WxFisch@lemmy.world
    3 days ago

    It’s likely just the network within the store. Meraki (which I’m assuming is what you meant by Merkari, since AFAIK that isn’t a name for any Cisco gear) is more than just DPI, it’s a full SDN platform that Cisco purchased around 10 years ago. It’s pretty common in branch networks like stores or networks maintained by an MSP. Without doing any digging I’d guess the Bluetooth devices are handheld barcode scanners used within the store, or perhaps scales/printers used in various departments.

    • localhostnotfound@lemm.ee (OP)
      3 days ago

      Would an enterprise-grade environment use VMware for routing? Wouldn’t they want to use actual hardware for better hardware acceleration on their network? And what would be the purpose of having the Bluetooth devices advertised if they can control the name of said devices? It could be, but some of the networks are in a way corrupted. Could it just be data corruption caused by interference?

      • WxFisch@lemmy.world
        3 days ago

        Yeah, VMware is an enterprise platform, so I’d be pretty surprised if they weren’t using it. It’s a grocery store so I can’t imagine they have huge throughput needs in the first place, but even then VMware networking appliances are super common. We use them where I work to support thousands of users in office environments. As for the Bluetooth, again just guessing, but they either don’t support broadcast being turned off, or more likely the MSP/central IT just didn’t disable it because they didn’t care/don’t know how. I think you’re vastly overestimating how much effort went into the network setup for a grocery store.

        • localhostnotfound@lemm.ee (OP)
          3 days ago

          Definitely a good point, and I could be overthinking it. Personally I’m a hobbyist who is not yet complete with the education to enter the industry, so you definitely know more than me. Do Cisco routers ever randomize their BSSID? Cause looking at the pcap files, the MAC addresses of completely different vendors, even competitors like Ubiquiti, are all using Spectrum network handles. Could this be a clusterfuck of different routers or just a Cisco cluster randomizing their BSSID?
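The vendor-from-MAC reading in the opening post and the BSSID question above both depend on one bit of the address. The sketch below is an added example, not part of any post in this thread; it runs over constructed BSSID/SSID pairs, and the shared-tail grouping is a labelled heuristic rather than a rule.

```python
from collections import defaultdict

# Constructed sample of (BSSID, SSID) pairs; addresses and names are made up.
SAMPLE_BEACONS = [
    ("00:11:22:aa:bb:01", "StoreNet"),
    ("02:11:22:aa:bb:01", "StoreGuest"),
    ("06:11:22:aa:bb:01", "StorePOS"),
    ("00:33:44:10:20:30", "StoreNet"),
    ("da:a1:19:5c:7e:42", "Phone-Hotspot"),
]


def parse_mac(mac):
    """Return the six octets of a MAC written with ':' or '-' separators."""
    parts = mac.replace("-", ":").split(":")
    if len(parts) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes(int(p, 16) for p in parts)


def is_locally_administered(mac):
    """True when the U/L bit (0x02 of the first octet) is set.

    Such an address was assigned by software (randomised, virtual or
    spoofed), so its first three octets do not identify a manufacturer.
    """
    return bool(parse_mac(mac)[0] & 0x02)


def split_by_lookup(beacons):
    """Return ({oui: ssids} for burned-in BSSIDs, [locally administered BSSIDs])."""
    by_oui, no_vendor = defaultdict(set), []
    for bssid, ssid in beacons:
        if is_locally_administered(bssid):
            no_vendor.append(bssid)
        else:
            by_oui[parse_mac(bssid)[:3].hex(":")].add(ssid)
    return dict(by_oui), no_vendor


def shared_tail_groups(beacons):
    """Heuristic (assumption): BSSIDs equal in their last five octets are
    probably virtual BSSIDs derived from one radio's base address."""
    groups = defaultdict(list)
    for bssid, _ in beacons:
        groups[parse_mac(bssid)[1:].hex(":")].append(bssid)
    return [g for g in groups.values() if len(g) > 1]
```

A cleared U/L bit only shows that the address has the form of a vendor-assigned one; a copied address keeps the original's prefix, so an OUI match is a hint about the hardware, not proof.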

      • ferric_carcinization@lemmy.ml
        3 days ago

        I see that you’re investigating this on Parrot. It has a lot of tools, so be careful not to do anything illegal by accident. Some places have really strict laws about that.

        • localhostnotfound@lemm.ee (OP)
          1 day ago

          Will do. The reason I happened to have Parrot is I was fixing a family member’s WordPress site, considering they haven’t updated their site in 601 days. I checked the phpMyAdmin portal and it is a nightmare. I am currently working on making a test VM (libvirt) with a custom .tst top-level domain (for test environments) based on Fedora Server 41 with customized SELinux policy, and attempting to create an immutable-style filesystem, probably f2fs eventually (kinda like ChromeOS, with a/b partitions; I might use particle os). In the future I want to add dm-verity and find a provider that accepts custom Secure Boot certificates. I can assure you that, to my knowledge, any tool on Parrot has been used on localhost or authorized domains with consent of the owner. I’m currently using Parrot to learn how to securely set up a server. I’ve recently taken lots of inspiration from the GrapheneOS project, especially with their hardening by zeroing kernel and user space memory, and hardware MTE. This is just so I can be the best I possibly can at defensive security; while I’m interested in offensive security, I prefer to study defensive security.

          • ferric_carcinization@lemmy.ml
            1 day ago

            Just be careful not to do anything to computers you don’t control or have permission to access. An underage person here port scanned a bank, which then got pretty expensive. (12 000€)

            As far as I understand, a/b partitions are pretty common for immutable systems, like Android & immutable Linux distributions. Why did you choose f2fs instead of something like ext4 or zfs? It’s Flash Friendly FileSystem, right, or does it mean something else too?

    • localhostnotfound@lemm.ee (OP)
      3 days ago

      I’m fully aware Spectrum is an actual company, but due to the spammy nature of these networks, I’m not sure these are legitimately Spectrum. Especially with the Bluetooth packets and Cisco Merkari MAC addresses.

      • xyro@lemmy.ca
        3 days ago

        I don’t see anything spammy or suspicious. To provide WiFi you need network equipment, and some of the equipment offered on Spectrum’s website is Cisco network equipment. Seems more like a misconfiguration than malicious intent.

  • AbidingOhmsLaw@lemmy.ml
    3 days ago

    Does the store have dynamic pricing with digital price tags? That kind of setup takes a lot of APs.