Re: Finding clandestine routers on a network
From: Chuck (none_at_example.net)
Date: 05/30/04
- Previous message: cquirke (MVP Win9x): "Re: How secure is your Windows Computer?"
- In reply to: ParrotRob: "Re: Finding clandestine routers on a network"
- Next in thread: QL=2EC=2E?=: "Re: Finding clandestine routers on a network"
- Reply: QL=2EC=2E?=: "Re: Finding clandestine routers on a network"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 30 May 2004 09:43:21 -0500
On Sat, 29 May 2004 18:04:51 -0400, "ParrotRob" <parrotrob@yahoo.com> wrote:
>"Chuck" <none@example.net> wrote in message
>news:tk6db0d3c0e3lg7fkp56e0vdjo4plutj7j@4ax.com...
>> On Thu, 27 May 2004 14:36:27 GMT, LC <*email_address_deleted*> wrote:
>>
>> >Hi!
>> >
>> >Is there a way with a network port scanner (or other tools) to find
>> >clandestine routers like Linksys, SMC Barricade, etc. on a network ? I
>> >did a search on Internet
>> >to find if these equipments are using a special TCP port or
>> >configuration without any success ....
>> >
>> >Regards!
>> >
>> >L. Cerantola
>> >IT Security
>> >Laval University
>>
>> I doubt that there's a definitive broadcast issued by a NAT router to
>identify
>> itself as such. But, using my imagination, I can come up with several
>ways to
>> start.
>>
>> If you scan your network, ip address by ip address, and resolve each ip
>address
>> to MAC address, you can look at each MAC address. MAC addresses are
>unique, and
>> a portion of each address is unique to a manufacturer. Another portion of
>the
>> MAC address, depending upon manufacturer, should identify product or
>model.
>
>True, but most "personal" type routers (Linksys, DLink, etc) that I come
>across nowadays let you spoof the MAC address on the WAN interface.
>
>>
>> A product like Softperfect Network Scanner (free) from
>> <http://www.softperfect.com/> will scan your network, and display all ip
>> addresses in use, and network name used by each address. A NAT router
>will show
>> in the SNS display, but with no name (mine does anyway).
>>
>> Looking at the problem from another direction, if you search your network
>for
>> workstations using a default gateway that you don't know about, you will
>have
>> the ip address of the illegal router, PLUS the idiots using that illegal
>router.
>
>Except he won't even see the workstation(s) if it's/they're behind a NAT
>router, though, unless the user is forwarding traffic to a host behind it or
>has it set up in a DMZ.
OK, you're talking about something I wasn't even considering - a bunch of
workstations setting up their own subnet, and hiding under a NAT router. I
guess we should ask the OP what he's worrying about.
I was thinking somebody secretly setting up a NAT router as a gateway to the
internet, and connecting it to their LAN, with workstations bypassing the
official proxy server / firewall. You're talking about something totally
different.
You're right - a MAC address spoof will hide the router if you're searching by
MAC address parsing. And if the miscreants know what they're doing, they can
block ICMP probes (pings) from the WAN port on the router. So no detecting by a
netscan either. :(
LC, can you describe your concern in a bit more detail please?
Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.
- Previous message: cquirke (MVP Win9x): "Re: How secure is your Windows Computer?"
- In reply to: ParrotRob: "Re: Finding clandestine routers on a network"
- Next in thread: QL=2EC=2E?=: "Re: Finding clandestine routers on a network"
- Reply: QL=2EC=2E?=: "Re: Finding clandestine routers on a network"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
