Re: Detecting WAP's

From: Mike Craik (bovine@btinternet.com)
Date: 01/04/02


Date: Fri, 04 Jan 2002 03:00:13 +0000
From: Mike Craik <bovine@btinternet.com>
To: security-basics@securityfocus.com

sim wrote:
>
> My question is how does one proactively monitor for a WAP in a standard
> routed/switched environment. Is there any intelligent way to accomplish
> this? I would be interested in ideas/solutions for LANs and WANs. Is
> there something I can look for within each packet or perhaps specific
> types of traffic (broadcast?) created by the WAP?

Hi,
  Assuming you have an appropriate 802.11b adapter you could try using
Netstumbler[1]. This is specifically designed to scan for wireless
access points within your (not-so) immediate area. You may very well
be surprised by what you find in or around your organization.
Netstumbler will display the IP & MAC address (and therefore the vendor)
of any "stumbled" access points, as well as some other interesting
things.

As this software will provide you with the MAC/IP address of an AP, you
should be able to isolate devices to a given switchport quite easily by
examining the ARP tables on your layer 2 switch(es). Certainly quicker
than walking from floor to floor :-).

Other "stumbling" solutions exist for *nix platforms, a quick search on
google.com for "wardriving" will no doubt reveal most of what you need.

A tool such as ARPwatch (*nix based) could be used to keep track of
MAC/IP pairings of devices on your network. It can also be configured to
alert when new devices are detected on the network. Useful if you run a
tight[2] ship, but otherwise may lead to some wild goose chases. The
first 3 bytes of a MAC address identify the vendor of the device
(ARPwatch will convert this to something meaningful AFAIK), so if you
spot a device made by vendor Y on your otherwise vendor Z network it
could possibly be considered "hostile" :-).

Cisco APs use CDP to discover their local Cisco brethren; assuming
you're a Cisco based shop then this could be another method of looking
for rogue devices (assuming your fellow employees have expensive Cisco
tastes!). If you're not using Cisco kit, then sniffing for CDP traffic
could be one way of looking for Cisco APs. A bit of a shot in the dark
though.

Most/all APs act as bridges; I'm not sure if there is any easy way of
looking for this type of device on a network. Perhaps looking for STP
broadcasts from unknown devices may be an option (probably a Cisco bias
towards this one again though)?

The majority of these devices are SNMP capable. A lot of vendors still
ship devices with SNMP enabled and use weak[3] ro/rw community strings
such as 'public', 'private' or 'secret'. You may already have network
management products that can be used to discover SNMP capable devices.
If not, then google.com will point you in the right direction. Walking
the system (.1.3.6.1.2.1.1) OID should provide a means of identifying a
device (if the software you use doesn't do this).

As an act of desperation, you may consider active TCP/IP stack
fingerprinting. Tools such as NMAP[4], Xprobe[5] and others can be used
to "guess" the operating system a remote host is running by examining
the characteristics of TCP/UDP/ICMP/IP packets. This would however
depend on the state of these tools' fingerprint databases with regard to
APs, and it's probably not feasible/desirable on a medium/large network
in any case.

Hope this helps.

Cheers,
Mike.

[1] http://www.netstumbler.com.
[2] tight as in "My wiring closet is also my gun cabinet".
[3] utter wank[6] is the preferred term here.
[4] http://www.insecure.org/nmap/index.html.
[5] http://www.sys-security.com/html/projects/X.html.
[6] http://www.dictionary.com/cgi-bin/dict.pl?term=wank
    (For those who are not from the UK)
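The MAC/IP tracking and OUI-vendor heuristic Mike describes (the ARPwatch paragraph) can be sketched in a few dozen lines. The following is an added example, not part of the post and not ARPwatch's own code: it compares a current MAC/IP listing against a baseline and reports new stations, changed MAC-for-IP pairings (ARPwatch's "changed ethernet address" case) and stations whose OUI maps to a vendor outside an approved set. The OUI table is an illustrative excerpt that should be regenerated from the IEEE registry for real use, the `mac ip` input format is a constructed one (adapt `parse_pairs` to whatever your arp.dat or switch export looks like), and every address in the sample data is made up.

```python
"""Wired-side rogue access point heuristics (added example).

Given a current MAC/IP listing and a baseline of previously seen pairings,
flag (a) stations never seen before, (b) stations whose MAC OUI maps to a
vendor not on the approved list, and (c) IPs whose MAC changed since the
baseline, the case ARPwatch reports as "changed ethernet address".
"""
from dataclasses import dataclass
import re

# Illustrative OUI-to-vendor excerpt (assumption). A production table should be
# generated from the IEEE registry (oui.txt); do not rely on this hand-written one.
OUI_TABLE = {
    "00:00:0c": "Cisco",
    "00:40:96": "Cisco/Aironet",
    "00:02:2d": "Agere (Orinoco)",
    "00:04:5a": "Linksys",
    "00:50:56": "VMware",
}

_NON_HEX = re.compile(r"[^0-9a-f]")


def normalize_mac(mac: str) -> str:
    """Accept 00:40:96:AA:BB:CC, 00-40-96-aa-bb-cc or Cisco-style 0040.96aa.bbcc."""
    digits = _NON_HEX.sub("", mac.lower())
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def oui(mac: str) -> str:
    """First three octets identify the vendor (the IEEE-assigned OUI)."""
    return normalize_mac(mac)[:8]


def vendor(mac: str, table=OUI_TABLE) -> str:
    return table.get(oui(mac), "unknown")


@dataclass(frozen=True)
class Finding:
    kind: str    # "new-station", "changed-mac" or "unapproved-vendor"
    ip: str
    mac: str
    detail: str


def parse_pairs(text: str) -> dict:
    """Parse constructed 'mac ip' lines ('#' starts a comment) into {ip: mac}."""
    pairs = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        mac, ip = line.split()[:2]
        pairs[ip] = normalize_mac(mac)
    return pairs


def audit(current: dict, baseline: dict, approved: set, table=OUI_TABLE) -> list:
    """Return findings for the current listing relative to the baseline.

    Vendor checks run on every station, not only new ones, so a rogue that
    slipped into the baseline is still reported on the next pass.
    """
    findings = []
    for ip, mac in sorted(current.items()):
        ven = vendor(mac, table)
        if ip not in baseline:
            findings.append(Finding("new-station", ip, mac, ven))
        elif baseline[ip] != mac:
            findings.append(Finding("changed-mac", ip, mac, f"was {baseline[ip]}"))
        if ven not in approved:
            findings.append(Finding("unapproved-vendor", ip, mac, ven))
    return findings


# Constructed sample data: a baseline taken last week and today's listing.
BASELINE_TEXT = """
0000.0c12.3456      10.0.1.1    # core switch (Cisco dotted notation)
00:50:56:01:02:03   10.0.1.20   # VM
00:50:56:04:05:06   10.0.1.21   # VM
"""

CURRENT_TEXT = """
0000.0c12.3456      10.0.1.1
00:50:56:01:02:03   10.0.1.20
00:50:56:99:99:99   10.0.1.21   # same IP, different MAC
00-04-5A-11-22-33   10.0.1.77   # never seen before, Linksys OUI
00:40:96:ab:cd:ef   10.0.1.78   # never seen before, Aironet OUI (not plain "Cisco")
"""

APPROVED_VENDORS = {"Cisco", "VMware"}


def run_example() -> list:
    return audit(parse_pairs(CURRENT_TEXT), parse_pairs(BASELINE_TEXT), APPROVED_VENDORS)


if __name__ == "__main__":
    for f in run_example():
        print(f"{f.kind:18} {f.ip:12} {f.mac}  {f.detail}")
```

Note that the Aironet station is flagged even in an otherwise all-Cisco shop, because Cisco's wireless gear carried OUIs of its own; an approved-vendor list built only from the OUIs seen on your switches and routers will therefore not whitelist APs by accident, which is exactly what you want here.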


