Re: Finding clandestine routers on a network

From: ParrotRob (parrotrob_at_yahoo.com)
Date: 05/30/04


Date: Sat, 29 May 2004 18:04:51 -0400


"Chuck" <none@example.net> wrote in message
news:tk6db0d3c0e3lg7fkp56e0vdjo4plutj7j@4ax.com...
> On Thu, 27 May 2004 14:36:27 GMT, LC <*email_address_deleted*> wrote:
>
> >Hi!
> >
> >Is there a way with a network port scanner (or other tools) to find
> >clandestine routers like Linksys, SMC Barricade, etc. on a network? I
> >did a search on the Internet to find if this equipment is using a
> >special TCP port or configuration without any success ....
> >
> >Regards!
> >
> >L. Cerantola
> >IT Security
> >Laval University
>
> I doubt that there's a definitive broadcast issued by a NAT router to identify
> itself as such. But, using my imagination, I can come up with several ways to
> start.
>
> If you scan your network, IP address by IP address, and resolve each IP address
> to MAC address, you can look at each MAC address. MAC addresses are unique, and
> a portion of each address is unique to a manufacturer. Another portion of the
> MAC address, depending upon manufacturer, should identify product or model.

True, but most "personal" type routers (Linksys, DLink, etc) that I come
across nowadays let you spoof the MAC address on the WAN interface.

>
> A product like Softperfect Network Scanner (free) from
> <http://www.softperfect.com/> will scan your network, and display all IP
> addresses in use, and network name used by each address. A NAT router will show
> in the SNS display, but with no name (mine does anyway).
>
> Looking at the problem from another direction, if you search your network for
> workstations using a default gateway that you don't know about, you will have
> the IP address of the illegal router, PLUS the idiots using that illegal router.

Except he won't even see the workstation(s) if it's/they're behind a NAT
router, though, unless the user is forwarding traffic to a host behind it or
has it set up in a DMZ.
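
The MAC-vendor and "no name" checks discussed in this thread, as an added example that is not part of the original posts: it parses Linux net-tools `arp -a` output and flags addresses whose vendor prefix belongs to a consumer-router maker or whose MAC is locally administered. The prefix table is a small sample assumed for illustration (verify entries against the IEEE OUI registry), and the ARP lines are constructed.

```python
import re

# Assumption: short sample of consumer-router vendor prefixes; in practice
# load the full IEEE OUI registry instead of this hand-picked subset.
ROUTER_OUIS = {
    "00:06:25": "Linksys",
    "00:04:5a": "Linksys",
    "00:50:ba": "D-Link",
    "00:04:e2": "SMC Networks",
}

# Linux net-tools format: "<name|?> (<ip>) at <mac|<incomplete>> [ether] on <if>"
ARP_LINE = re.compile(
    r"^(?P<name>\S+) \((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-fA-F:]{17}|<incomplete>)"
)

# Constructed sample input (hostnames, IPs and MACs are made up).
SAMPLE = """\
ws-042.example.net (10.1.4.42) at 00:0d:56:12:34:56 [ether] on eth0
? (10.1.4.77) at 00:06:25:ab:cd:ef [ether] on eth0
? (10.1.4.80) at <incomplete> on eth0
? (10.1.4.91) at 02:11:22:33:44:55 [ether] on eth0
lab-pc.example.net (10.1.4.95) at 00:0d:56:77:88:99 [ether] on eth0
"""

def parse_arp(text):
    """Yield (name, ip, mac); entries that never answered ARP are skipped."""
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if not m or m["mac"] == "<incomplete>":
            continue
        yield (None if m["name"] == "?" else m["name"]), m["ip"], m["mac"].lower()

def find_suspects(text):
    """Map IP -> list of reasons the address deserves a closer look."""
    suspects = {}
    for name, ip, mac in parse_arp(text):
        reasons = []
        vendor = ROUTER_OUIS.get(mac[:8])
        if vendor:
            reasons.append(f"OUI registered to {vendor}")
        # Bit 0x02 of the first octet marks a manually assigned address.
        if int(mac[:2], 16) & 0x02:
            reasons.append("locally administered MAC")
        # A missing name alone is too weak; report it only as supporting evidence.
        if reasons and name is None:
            reasons.append("no hostname resolved")
        if reasons:
            suspects[ip] = reasons
    return suspects

if __name__ == "__main__":
    for ip, why in find_suspects(SAMPLE).items():
        print(ip, "->", "; ".join(why))
```

A router whose WAN port clones a workstation's factory MAC, as described in the reply above, passes both MAC checks, so a clean result here does not rule one out.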