IDS mailing list archives

Re: Wired detection of rogue access points


From: Adam Crosby <acrosby () jlab org>
Date: Tue, 20 Mar 2007 13:54:21 -0400

Vladimir Vuksan wrote:
johnnywkm () gmail com wrote:
Can anyone point me to a wired LAN scanner/sniffer that detects
wireless access points connected to the LAN?

I don't believe you can identify an AP just by sniffing. The problem is
that the AP acts as an L2 switch, so there is not necessarily a signature.

The only way I can think of doing something like that is polling your
switches (through SNMP) for connected MAC addresses and running a
wireless sniffer like Kismet and cross-referencing the MAC addresses that
Kismet sees vs. what you see on your wired switches. That has been on my
to-do list, and I have a project that does switch polling for MAC
addresses; I just haven't added the Kismet portion yet :-(.

Vladimir


Depending on the AP, you might look for IAPP frames, L2 frames with
OUIs corresponding to known AP vendors (Linksys, D-Link, etc.) that you
have no record of, checking the ARP/CAM tables of your switch ports for
multiple downstream MACs on an 'access port', and a couple of other
heuristic methods (such as using vuln scanners to find management IPs,
for example) of spotting stuff. None of them will really give you
surefire knowledge of the presence of an AP though (and all can be
fooled/gotten around) - the only real way to do that is going to be
looking at the RF with a wireless sniffer like Kismet or something of
that nature.

--
Adam
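One way to implement the cross-referencing both replies describe (SNMP-polled CAM table vs. Kismet-seen BSSIDs, plus the OUI and multiple-MACs-per-access-port heuristics), as an added example that is not code from either poster. The CAM table, Kismet BSSID list, OUI list and port names below are constructed sample data; a real deployment would fill them from an SNMP walk of the switch and Kismet's output.

```python
"""Flag switch ports that look like they have a wireless AP behind them.
Added example; the SNMP poll and Kismet run are replaced by constructed data."""
from collections import defaultdict

# Constructed sample of (port, learned MAC) pairs, as a BRIDGE-MIB
# forwarding-table walk of one switch might return.
CAM_TABLE = [
    ("Gi1/0/1", "00:1b:21:aa:bb:01"),
    ("Gi1/0/2", "00:14:bf:11:22:33"),   # sample AP-vendor OUI
    ("Gi1/0/2", "00:1b:21:aa:bb:02"),   # wireless clients bridged through it
    ("Gi1/0/2", "00:1b:21:aa:bb:03"),
    ("Gi1/0/3", "00:1b:21:aa:bb:04"),
    ("Gi1/0/24", "00:1b:21:aa:bb:05"),  # uplink: many MACs are expected here
    ("Gi1/0/24", "00:1b:21:aa:bb:06"),
]
UPLINK_PORTS = {"Gi1/0/24"}            # everything else is treated as an access port

# Constructed sample OUI list; in practice derive it from the IEEE OUI registry.
AP_VENDOR_OUIS = {"00:14:bf": "sample AP vendor"}

# Constructed sample of BSSIDs a Kismet run reported in RF range.
KISMET_BSSIDS = {"00:14:bf:11:22:33"}


def find_suspect_ports(cam, kismet_bssids, ap_ouis, uplinks):
    """Return {port: [reasons]} for ports matching any of the heuristics.
    Each reason is an independent, fallible signal (as Adam notes), so the
    caller decides how many it wants before walking over to the port."""
    by_port = defaultdict(list)
    for port, mac in cam:
        by_port[port].append(mac.lower())

    findings = {}
    for port, macs in by_port.items():
        reasons = []
        # Heuristic 1: more than one MAC learned on an access port.
        if port not in uplinks and len(macs) > 1:
            reasons.append(f"{len(macs)} MACs learned on access port")
        for mac in macs:
            # Heuristic 2: OUI belongs to a known AP vendor.
            vendor = ap_ouis.get(mac[:8])
            if vendor:
                reasons.append(f"{mac} has {vendor} OUI")
            # Heuristic 3: same MAC seen as a BSSID by the wireless sniffer.
            if mac in kismet_bssids:
                reasons.append(f"{mac} also seen by Kismet as a BSSID")
        if reasons:
            findings[port] = reasons
    return findings


if __name__ == "__main__":
    for port, why in find_suspect_ports(CAM_TABLE, KISMET_BSSIDS,
                                        AP_VENDOR_OUIS, UPLINK_PORTS).items():
        print(port, "->", "; ".join(why))
```

Note that an AP's wired-side MAC is not always identical to its BSSID, so an exact-match join against Kismet's list can miss; the OUI and multi-MAC checks are the fallback, and only the RF survey settles it.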
