Re: Finding clandestine routers on a network
From: ParrotRob (parrotrob_at_yahoo.com)
Date: Sat, 29 May 2004 18:04:51 -0400
"Chuck" <firstname.lastname@example.org> wrote in message
> On Thu, 27 May 2004 14:36:27 GMT, LC <*email_address_deleted*> wrote:
> >Is there a way with a network port scanner (or other tools) to find
> >clandestine routers like Linksys, SMC Barricade, etc. on a network ? I
> >did a search on Internet
> >to find if these equipments are using a special TCP port or
> >configuration without any success ....
> >L. Cerantola
> >IT Security
> >Laval University
> I doubt that there's a definitive broadcast issued by a NAT router to
> itself as such. But, using my imagination, I can come up with several
> If you scan your network, ip address by ip address, and resolve each ip
> to MAC address, you can look at each MAC address. MAC addresses are
> a portion of each address is unique to a manufacturer. Another portion of
> MAC address, depending upon manufacturer, should identify product or
True, but most "personal" type routers (Linksys, DLink, etc) that I come
across nowadays let you spoof the MAC address on the WAN interface.
> A product like Softperfect Network Scanner (free) from
> <http://www.softperfect.com/> will scan your network, and display all ip
> addresses in use, and network name used by each address. A NAT router
> in the SNS display, but with no name (mine does anyway).
> Looking at the problem from another direction, if you search your network
> workstations using a default gateway that you don't know about, you will
> the ip address of the illegal router, PLUS the idiots using that illegal
Except he won't even see the workstation(s) if it's/they're behind a NAT
router, though, unless the user is forwarding traffic to a host behind it or
has it set up in a DMZ.