Penetration Testing mailing list archives
RE: MORE: Tools for Detecting Wireless APs - from the wire side.
From: "Jon" <vandivee () midsouth rr com>
Date: Tue, 11 Jun 2002 23:18:16 -0500
Come come.... The cheap appliances can well indeed change their MAC... I can clone my 3Com NIC, publish it to the wire and run my AP virtually undetected. (I forgot this or else I would have included it when I proposed the MAC OUI polling from the switch, course most "users" won't know this) The only way I can see to secure your LAN from having rouge APs attached is something I have only heard of and never seen. EAP based authentication for port security.... And with that.... I can honestly say I have NO IDEA how to do it right now..... If anyone has a whitepaper for implementation EAP for port security, please post it or send it to me... Thanks, Jon -----Original Message----- From: Weaver, Woody [mailto:woody.weaver () callisma com] Sent: Monday, June 10, 2002 9:12 PM To: R. DuFresne; Isherwood Jeff C Contr AFRL/IFOSS Cc: 'Pen-Test' Subject: RE: MORE: Tools for Detecting Wireless APs - from the wire side. On Monday, June 10, 2002 3:45 PM, R. DuFresne wrote: [..]
MAC addresses can not only be spoofed and changed, but, looking at just 3Com, one gets an idea of the large number of MACs one has to keep
track
of.
Ron, I'm not sure of your point here. If we are assuming a non-compliant employee (user or administrator) then they have probably deployed a commercial access point. These are typically on appliance devices, and can't change their MAC. (Remember, the point is to find the AP, not find who is connecting on the wireless side.) Keeping track of MAC OUIs is not difficult, since http://standards.ieee.org/regauth/oui/oui.txt takes care of that for you. Essentially, the task comes down to looking at each MAC, and asking "what is this device?" This is a useful exercise, irrespective of the problem of wireless access. Once the APs have been identified, the next step is to determine the consequences of the AP -- which is where the rest of the content in your note applies. In an environment with a black hat, things are much more difficult. The AP is likely to be part of a general purpose operating system, where nmap et alia will be useless. A really stealthy box won't respond to a port scan, but can pass traffic. The advantage of the ARP cache (or better CAM tables) approach is that the box *has* to populate a cache at layer 2 to communicate. It might be spoofed, or fraudulent, but *something* has to show up. This is the same problem as a stray modem or T1 -- how do you find a modem if its on a ringback? --woody ------------------------------------------------------------------------ ---- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/ ---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
Current thread:
- MORE: Tools for Detecting Wireless APs - from the wire side. Isherwood Jeff C Contr AFRL/IFOSS (Jun 10)
- Re: MORE: Tools for Detecting Wireless APs - from the wire side. Pierre Vandevenne (Jun 10)
- Re: Tools for Detecting Wireless APs - from the wire side. Larry Youngquist (Jun 10)
- <Possible follow-ups>
- RE: MORE: Tools for Detecting Wireless APs - from the wire side. Isherwood Jeff C Contr AFRL/IFOSS (Jun 10)
- RE: MORE: Tools for Detecting Wireless APs - from the wire side. R. DuFresne (Jun 10)
- RE: MORE: Tools for Detecting Wireless APs - from the wire side. Weaver, Woody (Jun 11)
- RE: MORE: Tools for Detecting Wireless APs - from the wire side. Weaver, Woody (Jun 11)
- Re[2]: MORE: Tools for Detecting Wireless APs - from the wire side. Pierre Vandevenne (Jun 11)
- RE: Re[2]: MORE: Tools for Detecting Wireless APs - from the wire side. Woody Weaver (Jun 12)
- Re: MORE: Tools for Detecting Wireless APs - from the wire side. Bennett Todd (Jun 12)
- RE: MORE: Tools for Detecting Wireless APs - from the wire side. Jon (Jun 12)
- Re[2]: MORE: Tools for Detecting Wireless APs - from the wire side. Pierre Vandevenne (Jun 11)
- RE: MORE: Tools for Detecting Wireless APs - from the wire side. ed d (Jun 11)
- RE: MORE: Tools for Detecting Wireless APs - from the wire side. John Adams (Jun 12)
- RE: MORE: Tools for Detecting Wireless APs - from the wire side. R. DuFresne (Jun 13)
- RE: MORE: Tools for Detecting Wireless APs - from the wire side. John Adams (Jun 12)
- RE: MORE: Tools for Detecting Wireless APs - from the wire side. ed d (Jun 12)
- RE: MORE: Tools for Detecting Wireless APs - from the wire side. Andrews, Ryan (Jun 14)