Re: Wired detection of rogue access points
- From: Adam Crosby <acrosby@xxxxxxxx>
- Date: Tue, 20 Mar 2007 13:54:21 -0400
Vladimir Vuksan wrote:
> johnnywkm@xxxxxxxxx wrote:
>> Can anyone point me to a wired LAN scanner/sniffer that detects
>> wireless access points connected to the LAN?
>
> I don't believe you can identify an AP just by sniffing. The problem is
> that an AP acts as an L2 switch so there is not necessarily a signature.
> The only way I can think of doing something like that is polling your
> switches (through SNMP) for connected MAC addresses and running a
> wireless sniffer like Kismet and cross-referencing MAC addresses that
> Kismet sees vs. what you see on your wired switches. That has been on my
> to-do list and I have a project that does switch polling for MAC
> addresses; I just haven't added the Kismet portion yet :-(.
>
> Vladimir

Depending on the AP, you might look for IAPP frames, L2 frames with
OUIs corresponding to known AP vendors (Linksys, D-Link, etc.) that you
have no record of, checking the ARP/CAM tables of your switch ports for
multiple downstream MACs on an 'access port', and a couple of other
heuristic methods (such as using vuln scanners to find management IPs,
for example) of spotting stuff. None of them will really give you
sure-fire knowledge of the presence of an AP though (and all can be
fooled/gotten around) - the only real way to do that is going to be
looking at the RF with a wireless sniffer like Kismet or something of
that nature.
--
Adam
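
The wired-side heuristics discussed in this thread (several MACs behind one access port, an AP-vendor OUI with no inventory record, and a MAC that a wireless sniffer also saw), as an added example that is not code from either poster. Every table, port name, MAC and OUI below is constructed sample data, and the function names are hypothetical.

```python
from collections import defaultdict

# All data below is constructed for illustration; the OUI is a placeholder.
CAM_TABLE = [  # (switch port, learned MAC), e.g. collected by SNMP polling
    ("Gi0/1", "02:00:00:00:00:01"),
    ("Gi0/2", "02:AA:01:10:20:30"),
    ("Gi0/2", "02:00:00:00:00:02"),
    ("Gi0/3", "02-00-00-00-00-03"),
    ("Gi0/24", "02:00:00:00:00:04"),
    ("Gi0/24", "02:00:00:00:00:05"),
]
UPLINK_PORTS = {"Gi0/24"}        # trunks legitimately carry many MACs
AP_VENDOR_OUIS = {"02:aa:01"}    # stands in for known AP vendor prefixes
INVENTORY = {"02:00:00:00:00:0%d" % n for n in (1, 3, 4, 5)}
WIRELESS_SEEN = {"02:00:00:00:00:02"}  # MACs reported by a wireless sniffer


def norm(mac):
    """Lower-case, colon-separated form so all sources compare equal."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def audit_ports(cam, uplinks, ap_ouis, inventory, wireless_seen):
    """Return {port: [reasons]} for access ports matching any heuristic."""
    by_port = defaultdict(set)
    for port, mac in cam:
        by_port[port].add(norm(mac))
    inventory = {norm(m) for m in inventory}
    wireless_seen = {norm(m) for m in wireless_seen}
    findings = {}
    for port, macs in sorted(by_port.items()):
        if port in uplinks:
            continue
        reasons = []
        if len(macs) > 1:
            reasons.append(f"{len(macs)} MACs on access port")
        for mac in sorted(macs):
            if mac[:8] in ap_ouis and mac not in inventory:
                reasons.append(f"unrecorded AP-vendor OUI {mac}")
            if mac in wireless_seen:
                reasons.append(f"also seen over the air {mac}")
        if reasons:
            findings[port] = reasons
    return findings


if __name__ == "__main__":
    for port, why in audit_ports(CAM_TABLE, UPLINK_PORTS, AP_VENDOR_OUIS,
                                 INVENTORY, WIRELESS_SEEN).items():
        print(port, "->", "; ".join(why))
```

A hit is a lead for someone to go and look at the port, not proof of an AP; unmanaged desktop switches and hosts running virtual machines also put several MACs behind one access port.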