Firewall Wizards mailing list archives

Re: Re: Wireless


From: Adam Shostack <adam () homeport org>
Date: Sun, 11 Aug 2002 23:23:43 -0400

On Fri, Aug 09, 2002 at 04:10:30PM -0500, Dennis.Archambault () stpaul com wrote:
| 
| Paul,
| I have struggled with these questions for a while now.  Have looked at the
| NetStumbler/Kismet side of the solution. But still find that solution set
| somewhat limited when it comes to a national or international network.  I
| started toying with the 'wired' side looking at the WAP MAC addresses.

I think you can probably detect that a client is on the far side of a
WAP by seeing different TCP minutiae with a network sniffer.

The TCP rtt will be slightly higher if the packet has to go over an
extra ethernet decoding and then over the air at 10 mb.

You might see that a machine is using two ranges of source ports; one
for its own connections, the other for the nat'd connections.

etc.

So, you should be able to "see" that an accidental or unauthorized WAP
is on the net, even if it's behind Windows connection sharing or
somesuch.  (I haven't tested this, it's something I was thinking of
playing with, but don't have the large test network to play on right
now...)


Adam

| Most of the WAP manufacturers out there are using their own MAC (OUI)
| ranges.  I think there are like 15-20 OUIs right now that pick up the
| majority of the WAP products, I started with a list from a thread on BAWUG.
| So the plan is write a simple script that will go out to all the routers
| and grep the OUI list against the router ARP table, alert on any hits.
| Still have to do a little leg work in weeding out the false positives, but
| if you run something like the 3-4 times a day you should pick up at least
| some of the rogue AP's


-- 
"It is seldom that liberty of any kind is lost all at once."
                                                       -Hume


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
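
The OUI check against router ARP tables described in the quoted message, sketched as an added example (not code from either poster). The OUI watchlist, router names and ARP output are constructed samples, and collecting the tables from the routers is left out.

```python
import re

# Constructed sample OUI watchlist (first three octets of the MAC); a real
# run would load the access-point vendor prefixes it cares about.
AP_OUIS = {"00:40:96": "sample AP vendor A", "00:02:2d": "sample AP vendor B"}

# Constructed ARP tables in "show ip arp" style layout, keyed by router name.
SAMPLE_ARP = {
    "rtr-east": """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.1.10              12   0010.a4c3.11f0  ARPA   FastEthernet0/0
Internet  10.1.1.57               3   0040.96a1.7b02  ARPA   FastEthernet0/0
Internet  10.1.1.99               0   Incomplete      ARPA
""",
    "rtr-west": """\
Internet  10.2.4.20               -   00:02:2D:1c:9e:44  ARPA   Ethernet1
Internet  10.2.4.21              45   00-b0-d0-12-34-56  ARPA   Ethernet1
""",
}

MAC_RE = re.compile(
    r"\b(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}\b|"        # aaaa.bbbb.cccc
    r"\b(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}\b", re.I)  # aa:bb:.. or aa-bb-..
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def normalize(mac):
    """Convert any common MAC notation to lower-case aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9a-f]", "", mac.lower())
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def find_ap_candidates(arp_tables, watchlist, known_aps=frozenset()):
    """Return (router, ip, mac, vendor) for ARP entries with a watched OUI.
    known_aps: normalized MACs of sanctioned APs, to weed out false positives."""
    hits = []
    for router, text in arp_tables.items():
        for line in text.splitlines():
            mac, ip = MAC_RE.search(line), IP_RE.search(line)
            if not (mac and ip):
                continue  # header line or Incomplete entry
            norm = normalize(mac.group())
            vendor = watchlist.get(norm[:8])  # first 8 chars = aa:bb:cc
            if vendor and norm not in known_aps:
                hits.append((router, ip.group(), norm, vendor))
    return hits

if __name__ == "__main__":
    for hit in find_ap_candidates(SAMPLE_ARP, AP_OUIS):
        print("possible AP: router=%s ip=%s mac=%s (%s)" % hit)
```

An OUI hit only says the vendor prefix matches; an AP behind a NAT host or with a changed MAC will not show up this way, which is where the sniffer-based ideas in the reply come in.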

