Bugtraq mailing list archives
Re: Tool for Identifying Rogue Linksys Routers
From: Volker Tanger <vtlists () wyae de>
Date: Sat, 27 Aug 2005 10:26:30 +0200
Hi Group! On Fri, 26 Aug 2005 09:32:31 -0500 Graham Wilson <graham () mknod org> wrote:
Is there a scanning tool out there that can determine if there are unauthorized Linksys (type) routers in a specific VLAN?
I assume you have not port-locked your switches? Many managed Layer-2 switches can do that. Only allow 1-2 IP addresses per port and auto-shutdown those exceeding this limit. This way you have an automatic, continuously running monitoring (and self-punishment) of people connecting rogue switches/routers. Plus you know where (on which plug) to search for the system. Won't detect NAT-masquerading routers that have their external interface connected to LAN, though. A purely passive approach would be to use ARPWATCH and filter out all known MAC address headers. Easy if you have a homogenous network (e.g. all PCs are Dell), a PITB of you are a wild mishmash (open pool at university or LAN party). You even can run this from a CRON job. And if you're really, really thorough you could inventarize all your PCs (semi-automatically) and have an alert for each new MAC address that pop up. For a scan you could run arpwatch and then ping all hosts using nmap (assuming that your network is 192.168.1.*/24 in this example): # nmap -sP 192.168.1.0/24 Depending on your network architecture you might want to slow that down with # nmap -T polite -sP 192.168.1.0/24 Arpwatch will do the job of collecting all ARP addresses for you. Bye Volker -- Volker Tanger http://www.wyae.de/volker.tanger/ -------------------------------------------------- vtlists () wyae de PGP Fingerprint 378A 7DA7 4F20 C2F3 5BCC 8340 7424 6122 BB83 B8CB
Current thread:
- Tool for Identifying Rogue Linksys Routers Martin Mkrtchian (Aug 25)
- Re: Tool for Identifying Rogue Linksys Routers Mike Frantzen (Aug 26)
- Re: Tool for Identifying Rogue Linksys Routers Joshua Wright (Aug 26)
- Re: Tool for Identifying Rogue Linksys Routers Graham Wilson (Aug 26)
- Re: Tool for Identifying Rogue Linksys Routers Volker Tanger (Aug 27)
- Re: Tool for Identifying Rogue Linksys Routers Mike Kershaw (Aug 27)
- Re: Tool for Identifying Rogue Linksys Routers Dave Hull (Aug 26)
- Re: Tool for Identifying Rogue Linksys Routers Tony Rall (Aug 27)
- <Possible follow-ups>
- RE: Tool for Identifying Rogue Linksys Routers Thomas Guyot-Sionnest (Aug 26)
- RE: Tool for Identifying Rogue Linksys Routers Matt Mercer (Aug 26)
- Re: Tool for Identifying Rogue Linksys Routers Paul Halliday (Aug 27)