IDS mailing list archives
Re: Wired detection of rogue access points
From: "Chris Waters" <chris.waters () networkchemistry com>
Date: Tue, 20 Mar 2007 13:58:05 -0700
Hi,

Every network device has some fingerprint in the way that it interacts with the network. This includes things like the open ports, the responses to probes on those ports, the operating system it is running, the broadcast protocols it uses (DHCP, UPnP, CDP, IAPP, etc), its MAC address, etc. This fingerprint information can be used to uniquely identify virtually every type of network device, assuming of course that you have a database of the fingerprints for all the devices that might exist on the network.

This is exactly how RogueScanner (roguescanner.networkchemistry.net) works. It probes devices to determine their fingerprints as well as looking at the packets that they broadcast onto the network. By using lots of techniques together it is possible to accurately find and classify all sorts of devices, including wifi routers which may be using firewalling and MAC address cloning to hide themselves.

Regards,
Chris Waters
CTO, PhD
Network Chemistry, Inc
cwaters () networkchemistry com

On Mon, 2007-03-19 at 10:20 +0000, johnnywkm () gmail com wrote:
Hello there, Can anyone point me to a wired LAN scanner/sniffer that detects wireless access points connected to the LAN?
Doesn't look possible to me. You can detect wireless stuff but not from cable side. There are endless ways to hide it but you cannot hide radio waves so easily.

Tõnu

------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more.
------------------------------------------------------------------------
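The multi-trait matching described in the message above, as an added example that is not part of the original post and is not RogueScanner's code. It scores each observed host against a fingerprint database and flags hosts whose MAC prefix disagrees with their behaviour; the trait names, weights, threshold, OUI prefixes and sample hosts are all constructed assumptions.

```python
# Constructed fingerprint database; OUIs, ports and weights are placeholders,
# not real vendor data.
FINGERPRINTS = {
    "wifi-router":   {"oui": {"00:AA:01"}, "ports": {53, 80},
                      "protocols": {"UPnP", "DHCP-server"}, "os": {"embedded-linux"}},
    "enterprise-ap": {"oui": {"00:AA:02"}, "ports": {22, 443},
                      "protocols": {"CDP", "IAPP"}, "os": {"vendor-rtos"}},
    "workstation":   {"oui": {"00:AA:03"}, "ports": {135, 445},
                      "protocols": {"DHCP-client", "NetBIOS"}, "os": {"windows"}},
}
# Behavioural traits outweigh the MAC prefix, the easiest trait to clone.
WEIGHTS = {"oui": 1.0, "ports": 2.0, "protocols": 3.0, "os": 2.0}

def score(obs, fp):
    """Weighted fraction of the fingerprint's traits that the host exhibits."""
    return sum(w * len(fp[t] & obs.get(t, set())) / len(fp[t])
               for t, w in WEIGHTS.items())

def classify(obs, threshold=3.0):
    """Return (device_class, mac_mismatch); class is 'unknown' below threshold."""
    best = max(FINGERPRINTS, key=lambda name: score(obs, FINGERPRINTS[name]))
    if score(obs, FINGERPRINTS[best]) < threshold:
        return "unknown", False
    # OUI belongs to a different class than the behaviour indicates:
    # consistent with a cloned MAC address.
    oui_classes = {n for n, fp in FINGERPRINTS.items()
                   if fp["oui"] & obs.get("oui", set())}
    return best, bool(oui_classes) and best not in oui_classes

# Constructed observations, as a combined probe and broadcast capture might yield.
OBSERVATIONS = {
    # Firewalled (no open ports) with a workstation OUI, but router broadcasts.
    "192.0.2.23": {"oui": {"00:AA:03"}, "ports": set(),
                   "protocols": {"UPnP", "DHCP-server"}, "os": {"embedded-linux"}},
    "192.0.2.40": {"oui": {"00:AA:03"}, "ports": {135, 445},
                   "protocols": {"DHCP-client", "NetBIOS"}, "os": {"windows"}},
    # Silent host with an OUI that is not in the database.
    "192.0.2.77": {"oui": {"00:AA:09"}},
}

if __name__ == "__main__":
    for ip, obs in OBSERVATIONS.items():
        device, mismatch = classify(obs)
        note = " (MAC prefix disagrees with behaviour)" if mismatch else ""
        print(f"{ip}: {device}{note}")
```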