IDS mailing list archives
Re: Wired detection of rogue access points
From: Adam Crosby <acrosby () jlab org>
Date: Tue, 20 Mar 2007 13:54:21 -0400
Vladimir Vuksan wrote:
johnnywkm () gmail com wrote:Can anyone point me to a wired LAN scanner/sniffer that detects wireless access points connected to the LAN?I don't believe you can identify an AP just by sniffing. The problem is that AP acts as a L2 switch so there is not necessarily a signature. The only way I can think of doing something like that is polling your switches (through SNMP) for connected MAC addresses and running a wireless sniffer like Kismet and cross referencing mac addresses that Kismet sees vs. what you see on your wired switches. That has been on my to-do list and I have a project that does switch polling for MAC addresses I just haven't added the Kismet portion yet :-(. Vladimir
Depending on the AP, you might look for IAPP frames, L2 frames with OUI's corresponding to known AP vendors (linksys, dlink, etc) that you have no record of, checking the arp/cam tables of your switch ports for multiple downstream MAC's on an 'access port', and a couple of other heuristic methods (such as using vuln scanners to find management IPs, for example) of spotting stuff. None of them will really give you sure fire knowledge of the presence of an AP though (and all can be fooled/gotten around) - the only real way to do that is going to be looking at the RF with a wireless sniffer like Kismet or something of that nature. -- Adam ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more. ------------------------------------------------------------------------
Current thread:
- Wired detection of rogue access points johnnywkm (Mar 19)
- Re: Wired detection of rogue access points Ron Gula (Mar 19)
- RE: Wired detection of rogue access points Waters, Chris (Mar 19)
- Re: Wired detection of rogue access points Michał Melewski (Mar 19)
- RE: Wired detection of rogue access points Adam Graham (Mar 20)
- Re: Wired detection of rogue access points Vladimir Vuksan (Mar 19)
- Re: Wired detection of rogue access points Adam Crosby (Mar 20)
- Re: Wired detection of rogue access points Johnny Wong (Mar 20)
- Re: Wired detection of rogue access points Benjamin Hofstetter (Mar 21)
- Re: Wired detection of rogue access points tim_holman (Mar 20)
- Re: Wired detection of rogue access points Tõnu Samuel (Mar 20)
- Message not available
- Re: Wired detection of rogue access points Hari Sekhon (Mar 21)
- Re: Wired detection of rogue access points Tim Holman (Mar 21)
- Re: Wired detection of rogue access points Hari Sekhon (Mar 21)
- Re: Wired detection of rogue access points Eric Hacker (Mar 22)
- Re: Wired detection of rogue access points tim_holman (Mar 26)
- RE: Wired detection of rogue access points Bourque Daniel (Mar 26)
- Re: Wired detection of rogue access points Hari Sekhon (Mar 21)