RE: Wireless router behaviour

["David Gillett" <gillettdavid () fhda edu>]

  The port which was connected to the wired network was one of the
LAN switch ports, and not the WAN port.  So although we saw pings
and proxy ARP replies from the router, it seems unlikely that these
were NATted on behalf of some associated client.  The client whose
footprints led us to the router was, as you'd expect in such a 
configuration, using an address from our DHCP pool and neither the
router's nor some other private address.

  The folks who have legitimate physical access originally disclaimed
knowledge, and pointed to recent thefts as evidence that unauthorized
physical access might be involved.  They seem to have since decided
that it was theirs after all, but network statistics suggest that the
keep-alive pings began about 3am, which suggests to us that they're
less the innocent victims than their trying to claim.

Dave Gillett


> -----Original Message-----
> From: Welsh, Armand [mailto:Armand.Welsh () sscims com]
> Sent: Friday, September 10, 2004 1:17 PM
> To: Mike; gillettdavid () fhda edu; incidents () securityfocus com
> Subject: RE: Wireless router behaviour
>
>
> The D-Link routers have a keep alive feature.  If the keep 
> alive feature
> is turned on, then it will periodically send ping packets out through
> it's WAN interface port.  Additionally, if any devices are associated
> with the AP at the time the ping packets are being 
> transmitted, because
> of the NATing of the AP, the ping packets would appear to be 
> coming from
> the AP rather than from the real workstation.  Remember, the 
> DI-714P+ is
> a router, not just an AP, so in router mode, you won't be able to tell
> the difference between router originated, and WiFi originated packets;
> they will all appear to be router originated.
>
> Is it possible that someone planted it?  Only if it is possible for
> unauthorized individuals to gain physical access to where it was.  It
> seems more likely to me that an internal user installed the AP in an
> attempt to utilize wireless, and that someone wardriving 
> hacked into the
> wireless connection.  Hacking the AP is very easy after all...
>
> Replacing the D-Link's firmware with linux doesn't seem very 
> practicle,
> this has been done on Linksys, but I have not seen it done on 
> Dlink yet.
> Given the amount of Brain Power required to implement linux 
> on a Dlink,
> and the small amount of brain power required to hack a 
> wireless network,
> I would suspect the wireless network's WEP (if even turned on at all)
> was hacked.  Once a system associates with an AP, the rest is easy. 
>
> Armand Welsh
>
>
> -----Original Message-----
> From: Mike [mailto:mike () superiorholidayadventures ca] 
> Sent: Friday, September 10, 2004 5:25 AM
> To: gillettdavid () fhda edu; incidents () securityfocus com
> Subject: RE: Wireless router behaviour
>
> If the attacker placed the router, s/he may have very well changed the
> OEM firmware to some custom (probably Linux) firmware.  Have you tried
> pointing a web browser at the 714P's IP address?  If you get something
> other than the default D-Link setup screen that would mean 
> that the OEM
> firmware was replaced with something else.  An NMap scan may also show
> what OS is running on it.
>
> Sincerely,
>
> Mike Fetherston
>
> > -----Original Message-----
> > From: David Gillett [mailto:gillettdavid () fhda edu]
> > Sent: Thursday, September 09, 2004 12:22 PM
> > To: incidents () securityfocus com
> > Subject: Wireless router behaviour
> >
> >   We recently suffered an intrusion attempt on our
> > internal network.  (Details aren't relevant to my
> > question....)
> >
> >   We traced the source back to an unauthorized wireless
> > router (D-Link 714P+, if it matters) plugged into a
> > live but unused network jack in a barely-accessible
> > location.
> >   Before we had found the device, or ascertained its
> > type, we were able to sniff the switch port it was on,
> > and observed that it was pinging the network gateway
> > about once per second.
> >
> >   That doesn't sound like normal router behaviour to me.
> > Has anyone else seen such a device do this?  Is this
> > something the intruder did to the router?  (We have
> > suspicion, but not actual certainty, that the router
> > was placed by the same intruder as executed the network
> > attacks.  So the attacker may have had to first compromise
> > the router to get access.)
> >
> > Dave Gillett

<<attachment: winmail.dat>>