Re: Wireless blocking

["Alex S. Harasic" <alharasic () mi cl>]

There's a MAC database for Wireless Devices.

With this list, you should just query your router or 
switch,
if you find one, just block it, or unplug the cable if 
your switch
gives you info on what port it is connected to. There's a 
tool called IPloc that will show
you the port in which a certain MAC is connected to.

The MAC database is at

http://www.ffrf.net/fingerprint/view.php


Regards

Alex S. Harasic




On Fri, 7 Oct 2005 11:11:59 -0500
 "Gross Barry D." <bd.gross () hosp wisc edu> wrote:
> I agree with the wired guys.
>
> why walk all over the place trying to track down the 
> signal when you
> should be able to track down where the AP plugs into the 
> switch.  This
> will then lead you to the jack number which should lead 
> you to the
> physical location of the AP.
> If you don't have the mac address of the AP I would 
> first look for
> linksys macs on your switches.  You can also look for 
> ports that have
> multiple mac addresses on them since on the edge your 
> switches should
> have just one client attached to them ports with 
> multiple mac should be
> viewed as suspicious
>
>
> -Barry
>
> -----Original Message-----
> From: Alex S. Harasic [mailto:alharasic () mi cl] 
> Sent: Wednesday, October 05, 2005 11:50 AM
> To: Mark Owen; Daryl Davis
> Cc: security-basics () securityfocus com
> Subject: Re: Wireless blocking
>
>
> Like Mark said, I think the best way is to identify the 
> Wireless AP through wire.
>
> I guess the risk is that the Wireless AP is connected to 
> the network, therefore it's connected in a switch 
> somewhere. You can always see what port it's connected 
> to 
> quering the switch of a certain mac address. Wireless AP 
> have a generic MAC address so you can easily find it 
> with 
> something like:
>
> show ip arp | include 0040.96
>
> in your router, I now that 0040.96 works for cisco 
> aironet 
> AP.
>
> You can also check Kirby Kuehl presentation on this 
> matter 
> called "Detecting Rogue 802.11 Access Points within the 
> Enterprise".
>
> Regards
>
> Alex S. Harasic
>
>
>
> On Tue, 4 Oct 2005 19:57:24 -0400
>  Mark Owen <mr.markowen () gmail com> wrote:
> > On 10/4/05, Daryl Davis <daryl () ultbingo com> wrote:
> > > I believe I have an unauthorized wireless router on my
> > > network.  I have been
> > > unable to physically find it as of yet.
> > >
> > > Does anyone know how to find the hidden SSID and then
> > > Jam it?
> >
> > Did it receive an ip address via dhcp?
> > That might help you out in tracking at least which port
> > it is plugged
> > into (via mac address.)
> >
> > Best bet is to trace down cable and pull the plug.
> > Block mac address from dhcp.
> > Kick it off network by assigning another throw away
> > device same IP as
> > wireless (at least confuse it)
> >
> > All else, take $LUSER for a ride in a nice Cadillac down
> > a bumpy road
> > in the trunk.
> >
> > --
> > Mark Owen