Unknown Interfaces in Monitor Mode

This isn’t really a parrot specific problem but I need advice from someone better with computers than me and I’m kind of creeped out by this.

When I put my interface in monitor mode with airmon-ng (can be internal or external card) I let it run for a bit and at the top it will list access points. But at the bottom where it lists devices it will always list random mac addresses (up to 6) associated with nearby routers I’ve never connected to with the power or signal reading -1 (meaning it’s the interface itself) It does it quicker if I pick a specific access point and channel to monitor.

I’ve switched out motherboards (it’s done it with 2) wifi cards, keyboards, disabled ports in bios etc. I have a computer with Ubuntu that doesn’t do this. I tried kali and it still does it. The rate is usually 1e- 0 but has been different. What could this be and what would be the purpose? It does it in different places but one place I use it at the person was the victim of an evil twin attack but they got a new router.

Don’t worry about it, being associated isn’t the same as authenticated.

2 Likes

You sure? Have you seen it before? And what causes it? I’m paranoid but if I told you everything I would sound crazy. But local police could have had access to two of the motherboards and I feel like it was some task force type of thing that had me under surveillance earlier this year. But I used my parrot hard drive in a computer that I kind of trust and it still did it. And that one has a core 2 duo with an older bios so I doubt it would be any new spying technology or anything. People say only a router has your mac address but I still wonder if government agencies couldn’t track you like that. And I didn’t know if it was possible to get information off of my computer by somehow changing my mac address to one the same as a device connected to someone elses router.

It’s still just weird though because I don’t see how I only have one wifi card but it’s listing it with 6 different mac addresses and associated with a nearby router. I can deauthenticate one and then stop it and it stops for a while. You’ve made me feel a little better though. Is there anything else I can do to check things out a little more? Thanks.

And I don’t get any weird RF signals from any of the ones I’m talking about.

I’m going to change the addresses and names of routers and interfaces but I’m just going to give you an example of what it’s doing when I put it monitor mode:

CH 6 ][ Elapsed: 48 s ][ 2018-06-24 16:04

BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH E9

(B2:09:B1:FD:57:02) -85 100 507 1333 0 10 195 WPA2 CCMP PSK A

BSSID STATION PWR Rate Lost Frames Probe

(B2:09:B1:FD:57:02) ( 76:b2:1b:06:09:0f) (-1) (1e- 0) (0) (1)
(B2:09:B1:FD:57:02) (42:4f:c3:ca:20:af) (-1) (1e- 0) (0) (2)
(B2:09:B1:FD:57:02) (c6:c3:1a:38:8c:93) (-1) (0e- 0) (0) (4)
(B2:09:B1:FD:57:02) ( 26:89:3C:A2:13:75) (-88) (1e- 1) (68) (1243)

(And in this case 26:89:3C:A2:13:75 went from -1 to 88 right before I stopped it. Sorry about this if it’s normal but I appreciate the help. I would just like some kind of explanation as to what it’s doing)

Ok I tried this today with an Ubuntu hard drive in one of the computers I suspected had a bad motherboard and didn’t get any of this but when I started scanning B2:09:B1:FD:57:02 specifically nothing came up. It was blank. Parrot, Kali and Blackarch all give me these -1 clients and I never remembered it doing it before all of that happened and I went back and watched youtube videos of people using aircrack and it didn’t do it with theirs either. I verify all of these downloads. Is it possible something weird is going on with the motherboards and Ubuntu is uneffected or did something change in these operating systems since (January) that causes them to do this?

I will explain further later.

Associating with a device happens before authentication. So, like through Network Manager, if you connect to any network, before it prompts you for authentication, you’re associated with it. It doesn’t mean you’re on the network.

Many of the wireless tools will bring the interface down, randomize the MAC and bring it back up, before doing whatever that particular tool does (not all of them but many of them), so you’re likely to see a bunch of random stuff if you’re playing with the 802.11 tools.

You may not be the only person using tools, depending on your location (apartment complex? college?)

Hi, I am trying multiple times to connect my wifi router to my system but an “Unknown Interfaces in Monitor Mode” issue is generating I don’t know why this issue I am getting. Once, my one of a friend didn’t reset Linksys Router then he contacts with Linksys Customer Support and easily reset his router.

Please create a separate issue thread with a link to this in the related problems section rather than hijack it.

I would encourage you to learn more about anonymity if and MAC address tracing and communications in order to calm your nerves. If the equipment is suspect then don’t use it (been used in a crime that you know of) otherwise I would argue parrot is the safest OS there is right now because of its intrinsic anonymity. Use this as an opportunity to change how you operate on even basic security levels and most will see a positive carry over into their non parrot life (is there really such a thing? Lol) also I know my awus 1900 tends to show the huge fluctuations with signal strength when using airodump-ng

Also this reads very very heavily of an admission of pentesting networks you do not have permission to test, I would be more worried about that than anything…