Penetration Testing mailing list archives
RE: Identify rogue adsl modems routers in the network
From: "Sam Stern" <samstern () samstern net>
Date: Mon, 26 May 2008 22:04:32 -0400
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of kevin horvath
Sent: Monday, May 26, 2008 3:41 PM
To: t35tman () gmail com
Cc: pen-test () securityfocus com
Subject: Re: Identify rogue adsl modems routers in the network

use a wardialer such as phonesweep. Sweep the phone numbers that are allocated to you and if you get a carrier signal then you need to check it out. Good luck.

Kevin

On Mon, May 26, 2008 at 12:25 PM, t35tman <t35tman () gmail com> wrote:

Hi all,

Had a weird requirement recently. I was wondering if there is any way to detect an adsl modem/router connected to a phone line. The scenario being able to trace the adsl modem/router internally from within the corporate network or externally from the ISP network. The only option I see is to check with the ISP ... any suggestions ?

Thanks and Regards
It's an interesting question I'll investigate (I have a number of adsl modems ...)
From the network side, I'd say to:
Step A: Least intensive, most likely to be definitive, more work as it's a special step in auditing - after gathering a set of ip's on your network (after a regular scan), dump the ip's to a file, (you only need the first 24 bits) and de-dupe and then finally resolve their mac address. Then resolve the mac address to manufacturers and look for Westell, Linksys, or other manufacturers that seem odd or unusual (e.g. 00:14:BF is Cisco-Linksys) ;>

Step B: More network intensive, less likely to be definitive, less work as it leverages regular auditing

After a network scan, check for systems that have one or more of:
- udp and / or tcp (yes BOTH) port 67 (bootps) to find the rogue DHCP server the vast majority of adsl modems create.
- udp and / or 1900 and filter out any hosts that have port 1025 (ms rpc end point), port 135 or port 445 (NetBIOS) to detect rogue upnp devices
- tcp port 80 - adsl modems will usually have this port open (default) or closed (if the user disabled the internal web server)

Start ruling out known systems and do more thorough os and non ip scans on the rest.

Fwiw here is the output of a quick scan of my Linksys that has dhcp turned off (I'm running a scan with -p 1-65535 that will take some time to complete):

nmap -v -sU -sS $host

PORT      STATE          SERVICE
80/tcp    open           http
443/tcp   open           https
53/udp    open|filtered  domain
69/udp    open|filtered  tftp
2048/udp  open|filtered  dls-monitor
MAC Address: 00:14:BF: (Cisco-Linksys)

HTH
Sam S.
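Added example, not part of the original post: one way to automate the Step A vendor check and the Step B port 67 and port 1900 checks over saved scan output. It assumes nmap's current normal output format ("Nmap scan report for ..." followed by port lines and a "MAC Address:" line); the function names, the watchlist contents beyond Westell and Linksys, and the sample scan text are constructed for illustration.

```python
import re

# Vendor substrings to flag; Westell and Linksys are the names given in the post.
WATCHLIST = ("westell", "linksys")
WINDOWS_PORTS = {135, 445, 1025}  # hosts with any of these are left out of the UPnP check
HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(?:tcp|udp)\s+open\s")  # "open|filtered" is not counted
MAC_RE = re.compile(r"^MAC Address: \S+ \((.*)\)")

def parse_scan(text):
    """Return {ip: {"open": {port, ...}, "vendor": str}} from nmap normal output."""
    hosts, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := HOST_RE.match(line):
            cur = hosts.setdefault(m.group(1), {"open": set(), "vendor": ""})
        elif cur is not None and (m := PORT_RE.match(line)):
            cur["open"].add(int(m.group(1)))
        elif cur is not None and (m := MAC_RE.match(line)):
            cur["vendor"] = m.group(1)
    return hosts

def reasons_for(host):
    """Step A vendor check plus the Step B port 67 and port 1900 checks."""
    ports = host["open"]
    checks = [
        (any(v in host["vendor"].lower() for v in WATCHLIST), "vendor:" + host["vendor"]),
        (67 in ports, "dhcp-server"),
        (1900 in ports and not ports & WINDOWS_PORTS, "upnp"),
    ]
    return [label for hit, label in checks if hit]

def flag_hosts(hosts):
    return {ip: r for ip, h in hosts.items() if (r := reasons_for(h))}

# Constructed sample scan output (documentation addresses, made-up MAC suffix).
SAMPLE = """\
Nmap scan report for 192.0.2.10
80/tcp   open          http
67/udp   open          dhcps
53/udp   open|filtered domain
MAC Address: 00:14:BF:00:00:01 (Cisco-Linksys)
Nmap scan report for 192.0.2.20
135/tcp  open  msrpc
1900/udp open  upnp
Nmap scan report for 192.0.2.30
1900/udp open  upnp
"""

if __name__ == "__main__":
    print(flag_hosts(parse_scan(SAMPLE)))
```

Flagged hosts are candidates for the follow-up the post describes (ruling out known systems, then deeper scans), not confirmed rogue devices.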
Current thread:
- Identify rogue adsl modems routers in the network t35tman (May 26)
- Re: Identify rogue adsl modems routers in the network kevin horvath (May 26)
- Re: Identify rogue adsl modems routers in the network Steve Friedl (May 28)
- RE: Identify rogue adsl modems routers in the network Sam Stern (May 28)
- Re: Identify rogue adsl modems routers in the network Peter Van Epp (May 28)
- Re: Identify rogue adsl modems routers in the network Dave McCormick (May 28)
- Re: Identify rogue adsl modems routers in the network Michael Painter (May 28)
- Re: Identify rogue adsl modems routers in the network Mario Spinthiras (May 29)
- Re: Identify rogue adsl modems routers in the network kevin horvath (May 26)
- Re: Identify rogue adsl modems routers in the network Volker Tanger (May 28)
- Re: Identify rogue adsl modems routers in the network pinowudi (May 28)
- RE: Identify rogue adsl modems routers in the network Shenk, Jerry A (May 28)
- Re: Identify rogue adsl modems routers in the network Nikhil Wagholikar (May 28)
- RE: Identify rogue adsl modems routers in the network THORNTON Simon (May 30)