RE: Identify rogue adsl modems routers in the network



Hi,

One way you can detect an ADSL modem in PPPoE mode is to use the PPPoE
discovery protocol (PPPoED); any DSL router in the broadcast domain will
respond.

The PADI query frame is as follows:

0000 ff ff ff ff ff ff mm mm mm mm mm mm 88 63 11 09 .......P.....c..
0010 00 00 00 0c 01 01 00 00 01 03 00 04 ii ii ii ii ................

Where:
mm mm mm mm mm mm is the MAC address of your machine
ii ii ii ii is a unique identifier (99 30 00 00 on mine)


Any DSL modem will respond with PADO (PPPoE Active Discovery Offer):

0000 mm mm mm mm mm mm ss ss ss ss ss ss 88 63 11 07 .P......;.g..c..
0010 00 00 00 2d 01 01 00 00 01 03 00 04 ii ii ii ii ...-............
0020 01 02 00 19 zz zz zz zz zz zz zz zz zz zz zz zz ....Provider DSL
0030 zz zz zz zz zz zz zz zz zz zz zz zz zz 01 01 00 node name........
0040 00

Where:
ss ss ss ss ss ss is the MAC address of the DSL modem
mm mm mm mm mm mm is the MAC address of your machine
ii ii ii ii is the unique identifier from the PADI (99 30 00 00 on mine)
zz zz ..... is the provider name of the DSL node (variable)

You can use whatever packet creator/injector (nemesis) to inject the
PADI frame and then sniff the line to see who responds.

If you don't want to roll your own packets then use the PPPoE package
that comes with your distro; it doesn't matter what account details you
set. Start the sniffer and then do an adsl-start or similar; this
will generate PADI frames, and you can then sniff for the PADO replies.

The only usage issue I've seen relates to whether your switches forward
broadcast traffic. If not, then this will only detect modems on the local
segment, and you have to repeat this on each segment/VLAN.

For details of the PADI/PADO format, look at RFC 2516 or search on
Wikipedia.


TTFN,


Simon
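
The PADI/PADO exchange described in the reply above, as an added Python example (not part of the original message): it builds the PADI frame shown in the hex dump and parses a reply for the responder's MAC address and AC-Name. The MAC addresses and the sample PADO are constructed for illustration; the Host-Uniq value is the one quoted in the post.

```python
import struct

ETH_PPPOED = 0x8863                      # PPPoE discovery EtherType
PADI, PADO = 0x09, 0x07                  # RFC 2516 discovery codes
SERVICE_NAME, AC_NAME, HOST_UNIQ = 0x0101, 0x0102, 0x0103

def tag(tag_type, value=b""):
    """Encode one PPPoE tag: 2-byte type, 2-byte length, value."""
    return struct.pack("!HH", tag_type, len(value)) + value

def build_padi(src_mac, host_uniq):
    """Broadcast PADI: empty Service-Name tag plus our Host-Uniq tag."""
    payload = tag(SERVICE_NAME) + tag(HOST_UNIQ, host_uniq)
    eth = b"\xff" * 6 + src_mac + struct.pack("!H", ETH_PPPOED)
    return eth + struct.pack("!BBHH", 0x11, PADI, 0, len(payload)) + payload

def parse_pado(frame, host_uniq):
    """Return (responder_mac, ac_name) for a PADO echoing host_uniq, else None."""
    if len(frame) < 20:
        return None
    ethertype, vertype, code, _sid, length = struct.unpack("!HBBHH", frame[12:20])
    payload = frame[20:20 + length]      # slicing by length drops Ethernet padding
    if (ethertype, vertype, code) != (ETH_PPPOED, 0x11, PADO) or len(payload) < length:
        return None                      # not a PADO, or truncated
    tags, off = {}, 0
    while off + 4 <= len(payload):
        t, n = struct.unpack("!HH", payload[off:off + 4])
        if off + 4 + n > len(payload):
            return None                  # tag overruns the payload: malformed
        tags.setdefault(t, payload[off + 4:off + 4 + n])
        off += 4 + n
    if tags.get(HOST_UNIQ) != host_uniq:
        return None                      # answer to someone else's PADI
    mac = ":".join(f"{b:02x}" for b in frame[6:12])
    return mac, tags.get(AC_NAME, b"").decode("ascii", "replace")

# Constructed sample reply (not a capture); both MACs are made-up
# locally administered addresses.
MY_MAC, MODEM_MAC = bytes.fromhex("020000000001"), bytes.fromhex("0200000000aa")
UNIQ = bytes.fromhex("99300000")         # Host-Uniq value quoted in the post
_body = tag(SERVICE_NAME) + tag(HOST_UNIQ, UNIQ) + tag(AC_NAME, b"Provider DSL node name")
SAMPLE_PADO = MY_MAC + MODEM_MAC + struct.pack("!HBBHH", ETH_PPPOED, 0x11, PADO, 0, len(_body)) + _body

if __name__ == "__main__":
    print(build_padi(MY_MAC, UNIQ).hex(" "))
    print(parse_pado(SAMPLE_PADO, UNIQ))
```

Matching on the echoed Host-Uniq keeps the result limited to devices answering your own PADI, so PPPoE traffic from other hosts on the segment is not reported as a responder.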


-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of t35tman
Sent: Monday, May 26, 2008 18:25
To: pen-test@xxxxxxxxxxxxxxxxx
Subject: Identify rogue adsl modems routers in the network

Hi all,

Had a weird requirement recently.
I was wondering if there is any way to detect an adsl modem/router
connected to a phone line.

The scenario being able to trace the adsl modem/router internally from
within the corporate network or externally from the ISP network.

The only option I see is to check with the ISP ... any suggestions ?

Thanks and Regards


