Penetration Testing mailing list archives

Re: Mapping wireless LANS from the wired side


From: anindya <anindya () goonda org>
Date: Mon, 20 Aug 2001 11:59:38 -0400 (EDT)

It seems most of the wireless APs I have encountered all
do things differently. For example, SMC 2652W AP will respond
to a UDP packet to address 255.255.255.255 port 800 --
like so (.3 is the scanning host, .128 is the SMC AP):

11:46:20.928530 192.168.1.3.800 > 255.255.255.255.800:  udp 60
11:46:20.945761 192.168.1.128.800 > 255.255.255.255.800:  udp 59

A lot of the Prism2-based APs seem to use this method.

The Lucent RG-1000, on the other hand, sends a UDP packet
to port 192 of the network broadcast address (.4 being
the scanning host and .164 being the AP):

11:52:46.488720 192.168.1.4.2159 > 192.168.1.255.192:  udp 116 (DF)
11:52:46.489443 192.168.1.164.192 > 192.168.1.4.2159:  udp 116 (DF)

You can use the CLIproxy software provided by Lucent to find
Lucent APs on the local subnet: i.e. "show accesspoints".
An additional note about the RG-1000 is that they are
configurable through SNMP, and nmap will correctly
fingerprint them (-O).

You can always craft these packets (instead of using the
vendor's software) and see if any device
responds after you inject them into the network.

Some other default SSIDs/login accounts can be found here:

http://www.wi2600.org/mediawhore/nf0/wireless/ssid_defaults/ssid_defaults-1.0.5.txt

thanks,
--Anindya
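An added example (not code from the post or from either poster): a small passive check in Python that parses tcpdump lines like the ones quoted above and flags hosts whose replies match the two probe/response signatures Anindya describes, which is the evidence a defender would look for on a wired-side capture when hunting rogue APs. The capture lines and the scanner addresses are constructed, not taken from a real network.

```python
import re
from collections import namedtuple

# Constructed tcpdump-style lines modelled on the two exchanges quoted in the post
# (not a real capture); the last line is unrelated DNS traffic that must not match.
SAMPLE_CAPTURE = """\
11:46:20.928530 192.168.1.3.800 > 255.255.255.255.800:  udp 60
11:46:20.945761 192.168.1.128.800 > 255.255.255.255.800:  udp 59
11:52:46.488720 192.168.1.4.2159 > 192.168.1.255.192:  udp 116 (DF)
11:52:46.489443 192.168.1.164.192 > 192.168.1.4.2159:  udp 116 (DF)
11:53:01.104411 192.168.1.50.53 > 192.168.1.4.33000:  udp 80
"""
# Hosts known to be our own scanners (assumed; the operator supplies these).
SCANNERS = {"192.168.1.3", "192.168.1.4"}

Packet = namedtuple("Packet", "ts src sport dst dport length")
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>[\d.]+)\.(?P<sport>\d+) > "
                     r"(?P<dst>[\d.]+)\.(?P<dport>\d+):\s+udp (?P<length>\d+)")

def parse_capture(text):
    """Parse tcpdump UDP summary lines; lines that do not match the format are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            packets.append(Packet(m["ts"], m["src"], int(m["sport"]),
                                  m["dst"], int(m["dport"]), int(m["length"])))
    return packets

def find_ap_responders(packets, scanners):
    """Map responder IP -> signature name for hosts answering either discovery probe."""
    probes_192 = set()   # (scanner_ip, ephemeral_port) pairs that sent UDP/192 to a broadcast
    responders = {}
    for p in packets:
        if p.src in scanners:
            if p.dport == 192 and p.dst.endswith(".255"):   # directed or limited broadcast
                probes_192.add((p.src, p.sport))
            continue
        # SMC/Prism2 style: the AP echoes a UDP/800 datagram to the limited broadcast address
        if p.sport == 800 and p.dport == 800 and p.dst == "255.255.255.255":
            responders[p.src] = "udp/800 broadcast echo (SMC/Prism2-style)"
        # Lucent RG-1000 style: the AP answers from UDP/192 straight back to the prober's port
        elif p.sport == 192 and (p.dst, p.dport) in probes_192:
            responders[p.src] = "udp/192 unicast reply (Lucent RG-1000-style)"
    return responders
```

Any responder that is not on the inventory of sanctioned access points is a candidate rogue and worth tracing to its switch port.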

On Mon, 20 Aug 2001 Mike.Ruscher () CSE-CST GC CA wrote:

This issue may have been discussed earlier but my search failed to find
anything definitive.

When mapping a LAN topology, what are the general methods to use for
discovering access points and wireless hosts from inside the wired network?
This becomes important to detect rogue WLANS which are a potential threat to
the enterprise as they might be behind firewalls etc.

I would expect that the MAC addresses for APs would be unique to the various
vendors, as would the wireless NICs on the WLAN hosts. Are there any
scanning tools freely available that can do this kind of search?

Mike Ruscher, ITS Specialist I2, CSE/CST
mgruscher () cse-cst gc ca
Phone: +1 613 991-8040
ED/C200
http://www.cse-cst.gc.ca

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
