Re: Finding clandestine routers on a network

From: ParrotRob
Date: 05/30/04

Date: Sat, 29 May 2004 18:04:51 -0400

"Chuck" <> wrote in message
> On Thu, 27 May 2004 14:36:27 GMT, LC <*email_address_deleted*> wrote:
> >Hi!
> >
> >Is there a way with a network port scanner (or other tools) to find
> >clandestine routers like Linksys, SMC Barricade, etc. on a network ? I
> >did a search on Internet
> >to find if these equipments are using a special TCP port or
> >configuration without any success ....
> >
> >Regards!
> >
> >L. Cerantola
> >IT Security
> >Laval University
> I doubt that there's a definitive broadcast issued by a NAT router to
> itself as such. But, using my imagination, I can come up with several
> ways to start.
> If you scan your network, ip address by ip address, and resolve each ip
> to MAC address, you can look at each MAC address. MAC addresses are
> unique, and a portion of each address is unique to a manufacturer.
> Another portion of
> MAC address, depending upon manufacturer, should identify product or

True, but most "personal" type routers (Linksys, DLink, etc) that I come
across nowadays let you spoof the MAC address on the WAN interface.

> A product like Softperfect Network Scanner (free) from
> <> will scan your network, and display all ip
> addresses in use, and network name used by each address. A NAT router
> will show in the SNS display, but with no name (mine does anyway).
> Looking at the problem from another direction, if you search your network
> workstations using a default gateway that you don't know about, you will
> the ip address of the illegal router, PLUS the idiots using that illegal

Except he won't even see the workstation(s) if it's/they're behind a NAT
router, though, unless the user is forwarding traffic to a host behind it or
has it set up in a DMZ.
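
The MAC-vendor check and the "shows up with no name" check discussed in this thread, as an added example that is not part of the original posts. The scan lines are constructed, the small OUI table is a sample assumed for the example (check it against the IEEE OUI registry), and the function names are hypothetical.

```python
import re

# Sample OUI -> vendor entries, assumed for this example; in practice load
# the full IEEE OUI registry instead of a hand-typed list.
ROUTER_OUIS = {
    "00:06:25": "Linksys",
    "00:04:E2": "SMC Networks",
    "00:05:5D": "D-Link",
}

# Constructed scan results: "ip mac name"; "-" means no name was resolved.
SAMPLE_SCAN = """\
192.0.2.10 00:06:25:aa:bb:01 -
192.0.2.11 00-0B-DB-12-34-56 LAB-PC-11
192.0.2.12 0004.e2aa.bb02 printroom
192.0.2.13 00:0b:db:65:43:21 -
192.0.2.14 not-a-mac LAB-PC-14
"""

def normalize_mac(raw):
    """Return AA:BB:CC:DD:EE:FF, or None if raw is not a 48-bit MAC."""
    digits = re.sub(r"[:.\-]", "", raw).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def triage(scan_text, ouis=ROUTER_OUIS):
    """Return (ip, mac, reasons) for hosts worth a physical check."""
    findings = []
    for line in scan_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue
        ip, raw_mac, name = fields
        mac = normalize_mac(raw_mac)
        if mac is None:
            continue  # unparseable entry: skip rather than guess
        reasons = []
        vendor = ouis.get(mac[:8])
        if vendor:
            reasons.append("oui:" + vendor)
        # A router with a cloned WAN MAC carries a PC vendor's OUI, so the
        # "answers but has no name" signal is kept as a separate reason.
        if name == "-":
            reasons.append("no-name")
        if reasons:
            findings.append((ip, mac, reasons))
    return findings
```

A host flagged only as `no-name` is the case ParrotRob's spoofing caveat points at: the OUI match misses it, so it needs checking by other means.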