Security Basics mailing list archives

RE: Wireless blocking


From: "Gross Barry D." <bd.gross () hosp wisc edu>
Date: Fri, 7 Oct 2005 11:11:59 -0500

I agree with the wired guys.

Why walk all over the place trying to track down the signal when you
should be able to track down where the AP plugs into the switch?  This
will then lead you to the jack number, which should lead you to the
physical location of the AP.
If you don't have the MAC address of the AP, I would first look for
Linksys MACs on your switches.  You can also look for ports that have
multiple MAC addresses on them, since on the edge your switches should
have just one client attached to them; ports with multiple MACs should
be viewed as suspicious.


-Barry

-----Original Message-----
From: Alex S. Harasic [mailto:alharasic () mi cl] 
Sent: Wednesday, October 05, 2005 11:50 AM
To: Mark Owen; Daryl Davis
Cc: security-basics () securityfocus com
Subject: Re: Wireless blocking


Like Mark said, I think the best way is to identify the 
Wireless AP through wire.

I guess the risk is that the Wireless AP is connected to 
the network, therefore it's connected to a switch 
somewhere. You can always see what port it's connected to 
by querying the switch for a certain MAC address. Wireless APs 
have a generic MAC address so you can easily find it with 
something like:

show ip arp | include 0040.96

in your router. I know that 0040.96 works for Cisco Aironet 
APs.

You can also check Kirby Kuehl's presentation on this matter, 
called "Detecting Rogue 802.11 Access Points within the 
Enterprise".

Regards

Alex S. Harasic



On Tue, 4 Oct 2005 19:57:24 -0400 Mark Owen <mr.markowen () gmail com> wrote:
On 10/4/05, Daryl Davis <daryl () ultbingo com> wrote:
I believe I have an unauthorized wireless router on my network.  I have been
unable to physically find it as of yet.

Does anyone know how to find the hidden SSID and then Jam it?

Did it receive an ip address via dhcp?
That might help you out in tracking at least which port it is plugged
into (via mac address.)

Best bet is to trace down cable and pull the plug.
Block mac address from dhcp.
Kick it off network by assigning another throw away device same IP as
wireless (at least confuse it)

All else, take $LUSER for a ride in a nice Cadillac down a bumpy road
in the trunk.

--
Mark Owen

