Security Basics mailing list archives
Re: Wireless blocking
From: "Alex S. Harasic" <alharasic () mi cl>
Date: Fri, 07 Oct 2005 12:54:39 -0400
There's a MAC database for Wireless Devices.With this list, you should just query your router or switch, if you find one, just block it, or unplug the cable if your switch gives you info on what port it is connected to. There's a tool called IPloc that will show
you the port in which a certain MAC is connected to. The MAC database is at http://www.ffrf.net/fingerprint/view.php Regards Alex S. Harasic On Fri, 7 Oct 2005 11:11:59 -0500 "Gross Barry D." <bd.gross () hosp wisc edu> wrote:
I agree with the wired guys.why walk all over the place trying to track down the signal when you should be able to track down where the AP plugs into the switch. This will then lead you to the jack number which should lead you to thephysical location of the AP.If you don't have the mac address of the AP I would first look for linksys macs on your switches. You can also look for ports that have multiple mac addresses on them since on the edge your switches should have just one client attached to them ports with multiple mac should beviewed as suspicious -Barry -----Original Message-----From: Alex S. Harasic [mailto:alharasic () mi cl] Sent: Wednesday, October 05, 2005 11:50 AMTo: Mark Owen; Daryl Davis Cc: security-basics () securityfocus com Subject: Re: Wireless blockingLike Mark said, I think the best way is to identify the Wireless AP through wire.I guess the risk is that the Wireless AP is connected to the network, therefore it's connected in a switch somewhere. You can always see what port it's connected to quering the switch of a certain mac address. Wireless AP have a generic MAC address so you can easily find it with something like:show ip arp | include 0040.96in your router, I now that 0040.96 works for cisco aironet AP.You can also check Kirby Kuehl presentation on this matter called "Detecting Rogue 802.11 Access Points within the Enterprise".Regards Alex S. Harasic On Tue, 4 Oct 2005 19:57:24 -0400 Mark Owen <mr.markowen () gmail com> wrote:On 10/4/05, Daryl Davis <daryl () ultbingo com> wrote:I believe I have an unauthorized wireless router on my network. I have been unable to physically find it as of yet. Does anyone know how to find the hidden SSID and then Jam it?Did it receive an ip address via dhcp? That might help you out in tracking at least which port it is plugged into (via mac address.) Best bet is to trace down cable and pull the plug. Block mac address from dhcp. Kick it off network by assigning another throw away device same IP as wireless (at least confuse it) All else, take $LUSER for a ride in a nice Cadillac down a bumpy road in the trunk. -- Mark Owen
Current thread:
- RE: Wireless blocking, (continued)
- RE: Wireless blocking Charles Hammett (Oct 05)
- RE: Wireless blocking Bryan McAninch (Oct 05)
- Re: Wireless blocking lists (Oct 05)
- RE: Wireless blocking Joshua Berry (Oct 06)
- FW: Wireless blocking Charles Hammett (Oct 06)
- RE: Wireless blocking Beauford, Jason (Oct 06)
- Re: Wireless blocking Steve.Cummings (Oct 06)
- RE: Wireless blocking Steve McLaughlin (Oct 11)
- RE: Wireless blocking Dean De Beer (Oct 11)
- RE: Wireless blocking Gross Barry D. (Oct 11)
- Re: Wireless blocking Alex S. Harasic (Oct 11)
- Re: Wireless blocking Dragos Ruiu (Oct 12)
- Wireless Blocking Daryl Davis (Oct 14)
- RE: Wireless Blocking Alex S. Harasic (Oct 17)
- Wireless blocking Daryl Davis (Oct 24)