Security Incidents mailing list archives
RE: Wireless router behaviour
From: "Welsh, Armand" <Armand.Welsh () SSCIMS com>
Date: Fri, 10 Sep 2004 13:17:12 -0700
The D-Link routers have a keep alive feature. If the keep alive feature is turned on, then it will periodically send ping packets out through its WAN interface port. Additionally, if any devices are associated with the AP at the time the ping packets are being transmitted, because of the NATing of the AP, the ping packets would appear to be coming from the AP rather than from the real workstation. Remember, the DI-714P+ is a router, not just an AP, so in router mode, you won't be able to tell the difference between router originated, and WiFi originated packets; they will all appear to be router originated.

Is it possible that someone planted it? Only if it is possible for unauthorized individuals to gain physical access to where it was. It seems more likely to me that an internal user installed the AP in an attempt to utilize wireless, and that someone wardriving hacked into the wireless connection. Hacking the AP is very easy after all...

Replacing the D-Link's firmware with Linux doesn't seem very practical; this has been done on Linksys, but I have not seen it done on D-Link yet. Given the amount of Brain Power required to implement Linux on a D-Link, and the small amount of brain power required to hack a wireless network, I would suspect the wireless network's WEP (if even turned on at all) was hacked. Once a system associates with an AP, the rest is easy.

Armand Welsh

-----Original Message-----
From: Mike [mailto:mike () superiorholidayadventures ca]
Sent: Friday, September 10, 2004 5:25 AM
To: gillettdavid () fhda edu; incidents () securityfocus com
Subject: RE: Wireless router behaviour

If the attacker placed the router, s/he may have very well changed the OEM firmware to some custom (probably Linux) firmware. Have you tried pointing a web browser at the 714P's IP address? If you get something other than the default D-Link setup screen, that would mean that the OEM firmware was replaced with something else. An Nmap scan may also show what OS is running on it.

Sincerely,
Mike Fetherston

-----Original Message-----
From: David Gillett [mailto:gillettdavid () fhda edu]
Sent: Thursday, September 09, 2004 12:22 PM
To: incidents () securityfocus com
Subject: Wireless router behaviour

We recently suffered an intrusion attempt on our internal network. (Details aren't relevant to my question....) We traced the source back to an unauthorized wireless router (D-Link 714P+, if it matters) plugged into a live but unused network jack in a barely-accessible location.

Before we had found the device, or ascertained its type, we were able to sniff the switch port it was on, and observed that it was pinging the network gateway about once per second. That doesn't sound like normal router behaviour to me. Has anyone else seen such a device do this? Is this something the intruder did to the router?

(We have suspicion, but not actual certainty, that the router was placed by the same intruder as executed the network attacks. So the attacker may have had to first compromise the router to get access.)

Dave Gillett
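
Added example, not part of any poster's message: one way to spot the behaviour the thread describes (a device sending echo requests to the gateway at a steady interval) in a text capture. The capture lines are constructed in the style of `tcpdump -tt -n` output, and the addresses, function name and thresholds are assumptions.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# ICMP echo requests as printed by `tcpdump -tt -n` (text output).
ECHO_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo request\b")

def find_beacons(lines, gateway, min_pings=5, max_jitter=0.1):
    """Return {src: mean gap in seconds} for hosts pinging `gateway` steadily.

    min_pings and max_jitter (stdev of gaps / mean gap) are assumed thresholds.
    """
    times = defaultdict(list)
    for line in lines:
        m = ECHO_RE.match(line.strip())
        if m and m["dst"] == gateway:
            times[m["src"]].append(float(m["ts"]))
    flagged = {}
    for src, ts in times.items():
        if len(ts) < min_pings:
            continue  # too few samples to call it periodic
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            flagged[src] = round(avg, 2)
    return flagged

# Constructed sample: 10.1.1.57 pings the gateway about once per second;
# 10.1.1.20 is a user running a few irregular manual pings.
SAMPLE = """\
1094760000.010000 IP 10.1.1.57 > 10.1.1.1: ICMP echo request, id 512, seq 1, length 40
1094760000.010400 IP 10.1.1.1 > 10.1.1.57: ICMP echo reply, id 512, seq 1, length 40
1094760000.500000 IP 10.1.1.20 > 10.1.1.1: ICMP echo request, id 7, seq 1, length 40
1094760000.900000 IP 10.1.1.20 > 10.1.1.1: ICMP echo request, id 7, seq 2, length 40
1094760001.020000 IP 10.1.1.57 > 10.1.1.1: ICMP echo request, id 512, seq 2, length 40
1094760002.010000 IP 10.1.1.57 > 10.1.1.1: ICMP echo request, id 512, seq 3, length 40
1094760003.030000 IP 10.1.1.57 > 10.1.1.1: ICMP echo request, id 512, seq 4, length 40
1094760004.020000 IP 10.1.1.57 > 10.1.1.1: ICMP echo request, id 512, seq 5, length 40
1094760005.010000 IP 10.1.1.57 > 10.1.1.1: ICMP echo request, id 512, seq 6, length 40
1094760007.300000 IP 10.1.1.20 > 10.1.1.1: ICMP echo request, id 8, seq 1, length 40
1094760007.900000 IP 10.1.1.20 > 10.1.1.1: ICMP echo request, id 8, seq 2, length 40
1094760030.200000 IP 10.1.1.20 > 10.1.1.1: ICMP echo request, id 9, seq 1, length 40
""".splitlines()

if __name__ == "__main__":
    for src, gap in find_beacons(SAMPLE, "10.1.1.1").items():
        print(f"{src}: steady echo requests to gateway every ~{gap}s")
```

As the first reply notes, a NATing router makes its own pings and those of its wireless clients look identical, so a flagged address identifies the switch port to investigate, not who is behind it.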