Penetration Testing mailing list archives
RE: Identification of non Cisco AP's
From: "Jonathan Gauntt" <jon0966 () yahoo com>
Date: Thu, 28 Jul 2005 00:43:25 -0500
Unfortunately our network is in 46 states so the easiest I think from this point on is to scan the network. I have nessus at home and will probably fire that up on a vpn connection soon after the SuperScan results. Our users are not extremely IT oriented so they have basically gone out from time to time and purchased a non Cisco AP and plugged into the local LAN grabbing an IP from DHCP. I was required to deploy the Cisco Wireless Lan Solution Engine last month and part of our HIPAA audit requires security measures. So far I found an open AP in one of the practices so it's looking good. Thank you, Jonathan -----Original Message----- From: Chuck [mailto:chuck.lists () gmail com] Sent: Wednesday, July 27, 2005 9:04 AM To: security-management () securityfocus com; pen-test () securityfocus com Subject: Re: Identification of non Cisco AP's I would guess that most of these access points would have ports 80 and/or 443 open for management. So you could get down to a short list by scanning for those ports (assuming your network doesn't have a whole bunch of other web servers). You could do this with nmap, if that takes too long, with scanrand. Nmap can use a file full of networks to scan with the -iL switch, so you don't have to scan the whole Class A. Then, when you have a list of systems with those ports open, you run a little banner grabber script to do a HEAD or GET on each server and you should be able to identify what they are from the Server: header. If this doesn't give enough info, just pull up the page in a browser. If they don't have a web interface available to your side of the network (which would be the case if they are a home router/firewall/ap type of device) you could try OS fingerprinting the network with nmap or xprobe, but that will take a while and these devices probably won't respond so that may not be easy. You may be able to identify these devices by the fact that they don't respond, but you would have to know the IP is in use from DHCP logs or traffic analysis. If there are large enough broadcast domains or if you have IDSs deployed or are using DHCP, you may be able to identify these devices by MAC addresses, but again, most of these devices can spoof their MAC. In short, it may be easier to wardrive/walk around your area if the network is in one physical location. Good luck. Chuck On 7/26/05, Jonathan Gauntt <jon0966 () yahoo com> wrote:
Hi, I have been tasked with the project of scanning and identifying all non Cisco wireless access points within the company's network. We have about 800 /22 and /24 subnets, and because of the IP addressing scheme in place, might just be easier for me to scan the whole class A
range
of IP's. I have access to Nessus and GFI Security Scanner. Since we over 8000 IP's in place, does anyone have any advice on the best way to identify these
non
Cisco AP's such as Linksys and Netgear, etc.
Current thread:
- Identification of non Cisco AP's Jonathan Gauntt (Jul 26)
- Re: Identification of non Cisco AP's Peter Wood (Jul 27)
- RE: Identification of non Cisco AP's Jonathan Gauntt (Jul 28)
- Re: Identification of non Cisco AP's Chuck (Jul 27)
- RE: Identification of non Cisco AP's Jonathan Gauntt (Jul 28)
- Re: Identification of non Cisco AP's Ian Gorrie (Jul 27)
- Re: Identification of non Cisco AP's ben creitz (Jul 27)
- RE: Identification of non Cisco AP's Jonathan Gauntt (Jul 28)
- Re: Identification of non Cisco AP's hfortier (Jul 27)
- Re: Identification of non Cisco AP's Sherwood R. Probeck (Jul 28)
- RE: Identification of non Cisco AP's Jonathan Gauntt (Jul 29)
- <Possible follow-ups>
- Re: Re: Identification of non Cisco AP's mox11 (Jul 27)
- RE: Identification of non Cisco AP's Todd Towles (Jul 28)
- RE: Identification of non Cisco AP's Jonathan Gauntt (Jul 28)
- Re: Re: Re: Identification of non Cisco AP's seventil (Jul 28)
- Re: Identification of non Cisco AP's Peter Wood (Jul 27)