Penetration Testing mailing list archives
Re: Mapping wireless LANS from the wired side
From: anindya <anindya () goonda org>
Date: Mon, 20 Aug 2001 11:59:38 -0400 (EDT)
It seems most of the wireless APs I have encountered all do things differently. For example, SMC 2652W AP will respond to a UDP packet to address 255.255.255.255 port 800 -- like so (.3 is the scanning host, .128 is the SMC AP):

    11:46:20.928530 192.168.1.3.800 > 255.255.255.255.800: udp 60
    11:46:20.945761 192.168.1.128.800 > 255.255.255.255.800: udp 59

A lot of the Prism2-based APs seem to use this method. The Lucent RG-1000, on the other hand, sends a UDP packet to port 192 of the network broadcast address (.4 the scanning host and .164 being the AP):

    11:52:46.488720 192.168.1.4.2159 > 192.168.1.255.192: udp 116 (DF)
    11:52:46.489443 192.168.1.164.192 > 192.168.1.4.2159: udp 116 (DF)

You can use the CLIproxy software provided by Lucent to find Lucent APs on the local subnet: i.e. "show accesspoints". An additional note about the RG-1000 is that they are configurable through SNMP, and nmap will correctly fingerprint them (-O).

You can always craft these packets (instead of using the vendor's software) and see if any device responds after you inject them into the network.

Some other default SSIDs/login accounts can be found here:
http://www.wi2600.org/mediawhore/nf0/wireless/ssid_defaults/ssid_defaults-1.0.5.txt

thanks,
--Anindya

On Mon, 20 Aug 2001 Mike.Ruscher () CSE-CST GC CA wrote:
This issue may have been discussed earlier but my search failed to find anything definitive. When mapping a LAN topology, what are the general methods to use for discovering access points and wireless hosts from inside the wired network? This becomes important to detect rogue WLANs which are a potential threat to the enterprise as they might be behind firewalls etc. I would expect that the MAC addresses for APs would be unique to the various vendors, as would the wireless NICs on the WLAN hosts. Are there any scanning tools freely available that can do this kind of search?

Mike Ruscher, ITS Specialist I2, CSE/CST
mgruscher () cse-cst gc ca
Phone: +1 613 991-8040 ED/C200
http://www.cse-cst.gc.ca

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
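The two response patterns quoted in Anindya's reply (the Prism2/SMC answer on UDP 800 to the limited broadcast, and the Lucent RG-1000 answer from UDP 192 back to the prober) can be turned into a small inventory check over tcpdump output, which is how a network owner would spot an unlisted AP on the wired side. The following is an added example, not code from the post or from either vendor; the log lines are constructed from the excerpts above plus one ordinary UDP reply that must not be flagged, and the scanner addresses are passed in by the caller.

```python
import re

# Constructed sample: the tcpdump excerpts quoted in the post, plus a
# control line (a reply from UDP 53) that must not be reported as an AP.
SAMPLE_LOG = """\
11:46:20.928530 192.168.1.3.800 > 255.255.255.255.800: udp 60
11:46:20.945761 192.168.1.128.800 > 255.255.255.255.800: udp 59
11:52:46.488720 192.168.1.4.2159 > 192.168.1.255.192: udp 116 (DF)
11:52:46.489443 192.168.1.164.192 > 192.168.1.4.2159: udp 116 (DF)
11:53:01.000000 192.168.1.9.53 > 192.168.1.4.40000: udp 80
"""

# tcpdump's classic "src.sport > dst.dport: udp len" line format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+udp\s+(?P<len>\d+)"
)


def parse_line(line):
    """Return a dict of the UDP fields of one tcpdump line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pkt = m.groupdict()
    for key in ("sport", "dport", "len"):
        pkt[key] = int(pkt[key])
    return pkt


def find_ap_candidates(log_text, scanners):
    """Map responder IP -> matched response style for the two patterns in the post.

    `scanners` is the set of addresses that sent the probes; their own
    packets are skipped so the probe itself is never reported as an AP.
    """
    found = {}
    for line in log_text.splitlines():
        pkt = parse_line(line)
        if pkt is None or pkt["src"] in scanners:
            continue
        # SMC 2652W / Prism2 style: answer from port 800 to 255.255.255.255:800.
        if pkt["sport"] == 800 and pkt["dport"] == 800 and pkt["dst"] == "255.255.255.255":
            found[pkt["src"]] = "prism2-udp800"
        # Lucent RG-1000 style: answer from port 192 straight back to the prober.
        elif pkt["sport"] == 192 and pkt["dst"] in scanners:
            found[pkt["src"]] = "lucent-udp192"
    return found


if __name__ == "__main__":
    for ip, style in sorted(find_ap_candidates(SAMPLE_LOG, {"192.168.1.3", "192.168.1.4"}).items()):
        print(f"{ip}\t{style}")
```

Any address reported here that is not on the approved AP list is worth a walk to the switch port; the vendor OUI of its MAC (visible in the ARP table) is a quick second check.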