Re: Finding clandestine routers on a network

From: ParrotRob (parrotrob_at_yahoo.com)
Date: 05/30/04


Date: Sat, 29 May 2004 18:04:51 -0400


"Chuck" <none@example.net> wrote in message
news:tk6db0d3c0e3lg7fkp56e0vdjo4plutj7j@4ax.com...
> On Thu, 27 May 2004 14:36:27 GMT, LC <*email_address_deleted*> wrote:
>
> >Hi!
> >
> >Is there a way with a network port scanner (or other tools) to find
> >clandestine routers like Linksys, SMC Barricade, etc. on a network ? I
> >did a search on Internet
> >to find if these equipments are using a special TCP port or
> >configuration without any success ....
> >
> >Regards!
> >
> >L. Cerantola
> >IT Security
> >Laval University
>
> I doubt that there's a definitive broadcast issued by a NAT router to
identify
> itself as such. But, using my imagination, I can come up with several
ways to
> start.
>
> If you scan your network, ip address by ip address, and resolve each ip
address
> to MAC address, you can look at each MAC address. MAC addresses are
unique, and
> a portion of each address is unique to a manufacturer. Another portion of
the
> MAC address, depending upon manufacturer, should identify product or
model.

True, but most "personal" type routers (Linksys, DLink, etc) that I come
across nowadays let you spoof the MAC address on the WAN interface.

>
> A product like Softperfect Network Scanner (free) from
> <http://www.softperfect.com/> will scan your network, and display all ip
> addresses in use, and network name used by each address. A NAT router
will show
> in the SNS display, but with no name (mine does anyway).
>
> Looking at the problem from another direction, if you search your network
for
> workstations using a default gateway that you don't know about, you will
have
> the ip address of the illegal router, PLUS the idiots using that illegal
router.

Except he won't even see the workstation(s) if it's/they're behind a NAT
router, though, unless the user is forwarding traffic to a host behind it or
has it set up in a DMZ.



Relevant Pages

  • Re: Setting up Airport Express
    ... It is usually referred to as a "MAC Address", ... on their network. ... always the hardware address assigned to the computer sending the packet. ... When your router receives a packet destined for a computer on your LAN, ...
    (uk.comp.sys.mac)
  • Re: Freebsd 5.1 <-> Win XP Networking problems
    ... Danny MacMillan wrote: ... >> from any ip number forming part of that network and from the netmask. ... > located external to my network it should send the packet to the router ... > (using the router's MAC address) instead of arp-ing for the MAC address ...
    (freebsd-questions)
  • Re: Ethernet network wiring ?s
    ... >>> the planned network is designed correctly and for my own education on ... Since you already have a router, ... Apple calls this protocol Bonjour. ... And because Mac 1 and Mac 2 have private network addresses, ...
    (comp.sys.mac.hardware.misc)
  • Re: Ethernet printer
    ... In Network Preferences, I’ve set ... It should therefore be connected to the LAN - at the router or network switch - wherever is physically convenient. ... Some routers do this automagically - but in others there is a "Bind IP address to MAC address" option that you can set up. ... The only purpose I can see in the Mac having two Ethernet interfaces is so you can run routing software on it, to allow traffic on one Ethernet port to be "routed" to the other port. ...
    (uk.comp.sys.mac)
  • Re: re-setting router--MORE QUESTIONS...SIGH
    ... Unless your connection device is also a router, ... A MAC address is the ... "permanent" address that is 'burned' into any network device when it is ... enable some kind of wireless security. ...
    (alt.sys.pc-clone.dell)