Penetration Testing mailing list archives
RE: Re[2]: MORE: Tools for Detecting Wireless APs - from the wire side.
From: "Woody Weaver" <woody.weaver () callisma com>
Date: Tue, 11 Jun 2002 19:39:36 -0400
On Tuesday, June 11, 2002 4:07 PM, Pierre Vandevenne [mailto:pierre () datarescue com] wrote:

PV> Hello Woody,

Greets, Pierre,

WW> commercial access point. These are typically on appliance devices, and can't
WW> change their MAC.

PV> Ahem. Have you ever physically opened these devices ? [...]

No, but that isn't the point I was trying to make. Jeffrey.Isherwood () rl af mil, who started this thread, classified three threat agents:

Malicious         Those that do NOT want to be found or secured
Well intentioned  Those that don't understand the need to be secured
Clueless          You can find these and secure them?

I submit that if we are talking about someone who opens up their AP to fiddle with its guts, it clearly falls into the first category. As I think I observed, if you are dealing with this threat model, then basically you are screwed. If I were that guy, I wouldn't be fiddling with the guts of an AP, I'd build a linux box, put its inbound IP stack on a ringback, and while you might see it at layer 2, you would see the MAC address of one of the same kind of cards you have on the net (assuming I didn't want to just crash an existing box and then take over its MAC); you aren't going to get anything useful out of a port scan or sneaky TCP options or funky ICMP or any of that junk.

As for those in the other two categories, hopefully with tools you can address these. I'm speaking to you now over two wireless links: a linksys WPC11 card to a linksys WAP11 in the basement, and a BreezeCOM - BreezeACCESS 2.4 (thank you, Frederick Wireless -- very robust, efficient, and friendly last-mile provider in north central Maryland) from my house to downtown.

You could find the BreezeCOM pretty easily: the unit has an SNMP agent that talks to the world. I probably don't have the latest nmap-os-fingerprints, but it doesn't recognize it. (xprobe thinks it's FINAL:[ Windows Based. Open/Net/FreeBSD/DG-UX/HP-UX 10.x etc ]. giggle.) Anyway, it would gladly give up enterprises.710.10.2.1.1, so that isn't really an issue. Piece of cake. Guess this comes under the "clueless" category.

The linksys is going to be a bit more of a trick to identify. It's got a web server and a tftp server, sure, but I took the defaults. My home network is 192.168.0/24. The defaults put the wired side at 192.168.1/24. So unless I get a strange urge to monitor the AP, it's invisible at layer 3. But traffic is flowing... and the only way, from the wired side, I know of to detect this is to find one of the bridged hosts:

? (192.168.0.2) at 00:06:25:A6:35:F5 [ether] on eth0

go to the tables at http://standards.ieee.org/regauth/oui/oui.txt and you get

00-06-25   (hex)        The Linksys Group, Inc.
000625     (base 16)    The Linksys Group, Inc.
                        17401 Armstrong Ave.
                        Irvine CA 92614
                        UNITED STATES

Doing the usual host identification would tell you that this is a user class machine, so either you've purchased some linksys 10/100 cards, or there is an issue. (Maybe the fact that Linksys has 00-04-5A as well means you could distinguish the wired from the wireless, dunno.) From there, I guess you trace it via the switch port the MAC address is on, and then trace cabling. Guess this one comes under the "well intentioned" category. And it's a hard problem, particularly if you are dealing with a lot of remote units. It's the old "unknown unmanaged hub" problem. (Sidebar: Loran's old Kinetics box would provide you with the existence of the unmanaged hubs. Perhaps other network management devices would as well. That might be a useful tool for a site survey.)

KEY POINT: THIS WAS A DEFAULT INSTALLATION. No magic AP hardening. The box is stealthy from the wired side just because I didn't bother to change the defaults.

But if I put this into a "real world" context, I've done surveys from the wired side several times. Always, if the enterprise has more than 5,000 responding IPs or so, you will find wireless hosts; and generally they fall into the latter two categories, so layer 2 approaches will find them.

Well, this is getting rather long, but Jeffrey, good luck with your paper.

--woody

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
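The layer-2 approach Woody describes (walk the ARP table, resolve each MAC's OUI against the IEEE oui.txt registry, and flag vendors that make wireless gear) can be scripted so it scales to the thousands of hosts he mentions. The following is an added example, not code from the original post or the list. The ARP/neighbour lines and the oui.txt excerpt are constructed for the example (the two Linksys prefixes are the ones named in the thread; the "Example Wired NIC Co." entry is hypothetical), and the watch list of vendor names is an assumption you would tune for your site. As the post notes, a vendor match is only a lead: a Linksys OUI may be a wired NIC, so the output says "flagged", not "wireless", and the switch-port trace still has to follow.

```python
#!/usr/bin/env python3
"""Wired-side rogue-AP hunting by OUI lookup (added example, not from the post).

Reads neighbour-table output in either `arp -a` or `ip neigh` form, resolves
each MAC's 24-bit OUI against entries in the IEEE oui.txt "(hex)" line format,
and flags hosts whose vendor string matches a watch list of wireless makers.
All sample data below is constructed; the oui.txt excerpt is hypothetical
apart from the two Linksys prefixes mentioned in the thread.
"""
import re
from typing import Dict, List, Tuple

# Constructed excerpt in the layout of http://standards.ieee.org/regauth/oui/oui.txt
OUI_TXT = """\
00-06-25   (hex)\t\tThe Linksys Group, Inc.
000625     (base 16)\t\tThe Linksys Group, Inc.
\t\t\t\t17401 Armstrong Ave.
\t\t\t\tIrvine CA 92614
\t\t\t\tUNITED STATES

00-04-5A   (hex)\t\tThe Linksys Group, Inc.
00045A     (base 16)\t\tThe Linksys Group, Inc.

AA-BB-CC   (hex)\t\tExample Wired NIC Co. (hypothetical)
AABBCC     (base 16)\t\tExample Wired NIC Co. (hypothetical)
"""

# Constructed neighbour table: two `arp -a` lines and two `ip neigh` lines.
NEIGHBOR_TABLE = """\
? (192.168.0.2) at 00:06:25:A6:35:F5 [ether] on eth0
? (192.168.0.5) at aa:bb:cc:00:00:01 [ether] on eth0
192.168.0.9 dev eth0 lladdr 00:04:5a:12:34:56 REACHABLE
192.168.0.1 dev eth0 lladdr 00:11:22:33:44:55 STALE
"""

# Only the "(hex)" lines carry the prefix->vendor mapping; address lines are skipped.
_OUI_LINE = re.compile(r"^([0-9A-F]{2})-([0-9A-F]{2})-([0-9A-F]{2})\s+\(hex\)\s+(.+?)\s*$")
_MAC = re.compile(r"\b([0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})\b")
_IP = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_oui_table(text: str) -> Dict[str, str]:
    """Map 6-hex-digit OUI (e.g. '000625') to vendor name from oui.txt text."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        m = _OUI_LINE.match(line)
        if m:
            table["".join(m.group(1, 2, 3))] = m.group(4)
    return table


def oui_of(mac: str) -> str:
    """Normalise a MAC in any common notation and return its upper-case OUI."""
    return re.sub(r"[:-]", "", mac).upper()[:6]


def parse_neighbor_table(text: str) -> List[Tuple[str, str]]:
    """Extract (ip, mac) pairs from `arp -a` or `ip neigh` style lines."""
    hosts: List[Tuple[str, str]] = []
    for line in text.splitlines():
        ip, mac = _IP.search(line), _MAC.search(line)
        if ip and mac:
            hosts.append((ip.group(1), mac.group(1)))
    return hosts


def classify_hosts(neigh_text: str, oui_text: str,
                   watch_vendors: Tuple[str, ...] = ("linksys",)) -> List[dict]:
    """Resolve each host's vendor and flag those matching the watch list.

    A flag is a lead, not a verdict: the same OUI may sit on a wired NIC,
    so the next step is tracing the MAC to a switch port.
    """
    oui = parse_oui_table(oui_text)
    results = []
    for ip, mac in parse_neighbor_table(neigh_text):
        vendor = oui.get(oui_of(mac), "unknown OUI")
        flagged = any(w in vendor.lower() for w in watch_vendors)
        results.append({"ip": ip, "mac": mac, "vendor": vendor, "flagged": flagged})
    return results


if __name__ == "__main__":
    for h in classify_hosts(NEIGHBOR_TABLE, OUI_TXT):
        tag = "FLAGGED " if h["flagged"] else "        "
        print(f"{tag}{h['ip']:<15} {h['mac']:<17} {h['vendor']}")
```

In practice you would feed it the real `arp -a` output from each router or the switch's MAC table, and the full oui.txt, and treat a flagged MAC on a user-class host as a starting point for the switch-port and cabling trace the post describes.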
Current thread:
- MORE: Tools for Detecting Wireless APs - from the wire side. Isherwood Jeff C Contr AFRL/IFOSS (Jun 10)
- Re: MORE: Tools for Detecting Wireless APs - from the wire side. Pierre Vandevenne (Jun 10)
- Re: Tools for Detecting Wireless APs - from the wire side. Larry Youngquist (Jun 10)
- <Possible follow-ups>
- RE: MORE: Tools for Detecting Wireless APs - from the wire side. Isherwood Jeff C Contr AFRL/IFOSS (Jun 10)
- RE: MORE: Tools for Detecting Wireless APs - from the wire side. R. DuFresne (Jun 10)
- RE: MORE: Tools for Detecting Wireless APs - from the wire side. Weaver, Woody (Jun 11)
- RE: MORE: Tools for Detecting Wireless APs - from the wire side. Weaver, Woody (Jun 11)
- Re[2]: MORE: Tools for Detecting Wireless APs - from the wire side. Pierre Vandevenne (Jun 11)
- RE: Re[2]: MORE: Tools for Detecting Wireless APs - from the wire side. Woody Weaver (Jun 12)
- Re: MORE: Tools for Detecting Wireless APs - from the wire side. Bennett Todd (Jun 12)
- RE: MORE: Tools for Detecting Wireless APs - from the wire side. Jon (Jun 12)
- Re[2]: MORE: Tools for Detecting Wireless APs - from the wire side. Pierre Vandevenne (Jun 11)
- RE: MORE: Tools for Detecting Wireless APs - from the wire side. ed d (Jun 11)
- RE: MORE: Tools for Detecting Wireless APs - from the wire side. John Adams (Jun 12)
- RE: MORE: Tools for Detecting Wireless APs - from the wire side. R. DuFresne (Jun 13)
- RE: MORE: Tools for Detecting Wireless APs - from the wire side. John Adams (Jun 12)
- RE: MORE: Tools for Detecting Wireless APs - from the wire side. ed d (Jun 12)
- RE: MORE: Tools for Detecting Wireless APs - from the wire side. Andrews, Ryan (Jun 14)