Re: Finding clandestine routers on a network
From: L.C. (fifo11000_at_moncanoe.com)
Date: 05/31/04
Date: Mon, 31 May 2004 14:15:16 GMT
Hi!
My concern is that people are installing these kinds of devices on our network to
permit more than one computer per network access (e.g. many computers sharing a
single wired (RJ45) or Wireless access point).
Regards!
Chuck wrote:
> On Sat, 29 May 2004 18:04:51 -0400, "ParrotRob" <parrotrob@yahoo.com> wrote:
>
> >"Chuck" <none@example.net> wrote in message
> >news:tk6db0d3c0e3lg7fkp56e0vdjo4plutj7j@4ax.com...
> >> On Thu, 27 May 2004 14:36:27 GMT, LC <*email_address_deleted*> wrote:
> >>
> >> >Hi!
> >> >
> >> >Is there a way with a network port scanner (or other tools) to find
> >> >clandestine routers like Linksys, SMC Barricade, etc. on a network ? I
> >> >did a search on Internet
> >> >to find if these equipments are using a special TCP port or
> >> >configuration without any success ....
> >> >
> >> >Regards!
> >> >
> >> >L. Cerantola
> >> >IT Security
> >> >Laval University
> >>
> >> I doubt that there's a definitive broadcast issued by a NAT router to identify
> >> itself as such. But, using my imagination, I can come up with several ways to
> >> start.
> >>
> >> If you scan your network, ip address by ip address, and resolve each ip address
> >> to MAC address, you can look at each MAC address. MAC addresses are unique, and
> >> a portion of each address is unique to a manufacturer. Another portion of the
> >> MAC address, depending upon manufacturer, should identify product or model.
> >
> >True, but most "personal" type routers (Linksys, DLink, etc) that I come
> >across nowadays let you spoof the MAC address on the WAN interface.
> >
> >>
> >> A product like Softperfect Network Scanner (free) from
> >> <http://www.softperfect.com/> will scan your network, and display all ip
> >> addresses in use, and network name used by each address. A NAT router will show
> >> in the SNS display, but with no name (mine does anyway).
> >>
> >> Looking at the problem from another direction, if you search your network for
> >> workstations using a default gateway that you don't know about, you will have
> >> the ip address of the illegal router, PLUS the idiots using that illegal router.
> >
> >Except he won't even see the workstation(s) if it's/they're behind a NAT
> >router, though, unless the user is forwarding traffic to a host behind it or
> >has it set up in a DMZ.
>
> OK, you're talking about something I wasn't even considering - a bunch of
> workstations setting up their own subnet, and hiding under a NAT router. I
> guess we should ask the OP what he's worrying about.
>
> I was thinking somebody secretly setting up a NAT router as a gateway to the
> internet, and connecting it to their LAN, with workstations bypassing the
> official proxy server / firewall. You're talking about something totally
> different.
>
> You're right - a MAC address spoof will hide the router if you're searching by
> MAC address parsing. And if the miscreants know what they're doing, they can
> block ICMP probes (pings) from the WAN port on the router. So no detecting by a
> netscan either. :(
>
> LC, can you describe your concern in a bit more detail please?
>
> Cheers,
> Chuck
> Paranoia comes from experience - and is not necessarily a bad thing.
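
The MAC-address approach discussed in this thread, as an added example that is not part of any poster's message: it parses an ARP table, matches each address's manufacturer prefix (OUI) against a watch list, and also flags addresses with the locally administered bit set, which indicates a software-assigned MAC. The ARP listing is constructed sample data, and the two OUI entries are assumptions to be checked against the IEEE registry.

```python
import re

# Assumed OUI prefixes for consumer-router vendors named in the thread;
# verify against the IEEE OUI registry before relying on them.
ROUTER_OUIS = {
    "000625": "Linksys",
    "0004E2": "SMC Networks",
}

# Constructed sample, in the layout printed by `arp -a` on Windows.
SAMPLE_ARP = """\
Interface: 10.0.0.5 --- 0x2
  Internet Address      Physical Address      Type
  10.0.0.1              00-0b-5f-12-34-56     dynamic
  10.0.0.23             00-06-25-aa-bb-cc     dynamic
  10.0.0.41             00-04-e2-01-02-03     dynamic
  10.0.0.57             02-11-22-33-44-55     dynamic
"""

ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9a-f]{2}[-:]){5}[0-9a-f]{2})\b",
    re.I | re.M,
)

def parse_arp(text):
    """Yield (ip, mac) pairs, with the MAC as 12 upper-case hex digits."""
    for ip, mac in ROW.findall(text):
        yield ip, re.sub(r"[-:]", "", mac).upper()

def classify(mac):
    """Return a finding string, or None when nothing stands out."""
    if int(mac[:2], 16) & 0x02:
        # Locally administered bit: the address was assigned in software,
        # not taken from a manufacturer's OUI block.
        return "locally administered MAC (set in software)"
    vendor = ROUTER_OUIS.get(mac[:6])
    return f"OUI registered to {vendor}" if vendor else None

def find_suspects(text):
    """Map each IP whose MAC stands out to the reason it was flagged."""
    findings = {}
    for ip, mac in parse_arp(text):
        reason = classify(mac)
        if reason:
            findings[ip] = reason
    return findings

if __name__ == "__main__":
    for ip, reason in find_suspects(SAMPLE_ARP).items():
        print(f"{ip}: {reason}")
```

A router whose WAN MAC was cloned from a PC's network card carries that card's OUI and passes this check, which is the limitation raised in the quoted replies.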