Penetration Testing mailing list archives
RE: MORE: Tools for Detecting Wireless APs - from the wire side.
From: "Weaver, Woody" <woody.weaver () callisma com>
Date: Mon, 10 Jun 2002 14:49:02 -0700
I find it amazing -- the question CLEARLY states "from the wire side", yet you keep getting site survey answers. If you can show me how a wardrive will tell me about the unknown APs at a satellite office in Cleveland when I'm in corporate headquarters in Irvine, particularly when I've got to survey 50 remote offices, some international, I'd be very interested...

The TCP fingerprinting approach is helpful (I'd use nmap + xprobe, actually) but is frustrating because of false positives and negatives, in addition to requiring probing from each security domain (you *do* have internal firewalls segregating key assets, right?). You are much *less* likely to suffer false negatives from MAC OUI investigation, and may well find some interesting other devices as well. Using both approaches requires little overhead. I've got some perl scripts that feed all that info to a MySQL store, handy for queries...

--woody

-----Original Message-----
From: Isherwood Jeff C Contr AFRL/IFOSS [mailto:Jeffrey.Isherwood () rl af mil]
Sent: Monday, June 10, 2002 1:55 PM
To: 'Pierre Vandevenne'
Cc: 'Pen-Test'
Subject: RE: MORE: Tools for Detecting Wireless APs - from the wire side.

I mis-typed myself. I called Netstumbler a "wrong answer" not because it is bad, or doesn't do the job, just NOT the job I'm looking for.

Mainly, I'm trying to figure out a companion for wardriving with a Stumbler. Anyone who relies on only one method of scanning is leaving themselves open to potential gaps in the scanner's ability to cover. A NETWORK - WIRED scan, detect method to complement the wardriving Stumbler is helpful as a corroborative tool to help get a "second opinion" of sorts...

The two prevailing methods seem to be using the ARP cached MAC addresses to ID potential APs, and NMAP'd fingerprints of nodes compared to a list of AP Fingerprints...
-----Original Message-----
From: Pierre Vandevenne [mailto:pierre () datarescue com]
Sent: Monday, June 10, 2002 1:42 PM
To: Isherwood Jeff C Contr AFRL/IFOSS
Cc: 'Pen-Test'
Subject: Re: MORE: Tools for Detecting Wireless APs - from the wire side.

Hello Isherwood,

IJCCAI> MOST received wrong answer ??
IJCCAI> Netstumbler: Wardrive your own campus before they do.
IJCCAI> This is not always a practical, or failsafe method. You
IJCCAI> might miss an area, or your campus might be too big to
IJCCAI> realistically do this (imagine a corporation or Edu that is
IJCCAI> spread out over a mile or more, and your manpower is limited?)

I don't think it is a "wrong" method. As a matter of fact, each time I have tried it in a favourable environment, it has found many more APs than other methods combined. If there is one thing that you can't hide it is the radio traffic. It's true that SNMP can, in some cases, be disabled. But MAC addresses can be changed as well.

Large campuses are the easiest to scan. Get a high gain antenna and a golf cart and explore the area boustrophedonically. The most difficult places to scan are actually medium sized organizations in a "downtown-like" environment, where you pick up a lot of stuff that doesn't belong to you or where APs will remain hidden because of the Faraday cage properties of some areas.

Interestingly, leaving aside the issue of regulations and power of emission, it is often much easier to stumble in the US than in Europe because of the wooden structure of many US buildings.

--
Best regards,
Pierre
mailto:pierre () datarescue com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service.
For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
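
The wire-side MAC OUI check discussed in this message (ARP-cached MAC addresses matched against wireless vendor prefixes), as an added example that is not code from any poster in the thread. The ARP output, IP addresses and the three-entry OUI table are constructed samples; `scan` and `classify` are hypothetical names, and the table is an assumption to be replaced by the full IEEE OUI registry. It also flags locally administered MACs, since the thread notes that MAC addresses can be changed.

```python
import re

# Assumption: small illustrative subset of wireless-vendor OUIs; verify and
# extend from the IEEE OUI registry before relying on it.
WIRELESS_OUIS = {
    "004096": "Cisco (Aironet)",
    "00022D": "Agere Systems",
    "00601D": "Lucent Technologies",
}

# MAC in colon/dash notation (Linux, Windows) or dotted notation (Cisco IOS).
MAC_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b"
                    r"|\b(?:[0-9A-Fa-f]{4}\.){2}[0-9A-Fa-f]{4}\b")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def classify(mac_hex):
    """Return (verdict, vendor) for a 12-hex-digit MAC."""
    first_octet = int(mac_hex[:2], 16)
    if first_octet & 0x01:                 # group bit: broadcast/multicast
        return "multicast", None
    if first_octet & 0x02:                 # locally administered: OUI is
        return "locally-administered", None  # meaningless, MAC may be altered
    vendor = WIRELESS_OUIS.get(mac_hex[:6])
    return ("wireless-oui", vendor) if vendor else ("other", None)

def scan(arp_text):
    """Extract (ip, mac, verdict, vendor) rows worth a closer look."""
    findings = []
    for line in arp_text.splitlines():
        ip, mac = IP_RE.search(line), MAC_RE.search(line)
        if not (ip and mac):               # headers, incomplete entries
            continue
        mac_hex = re.sub(r"[^0-9A-Fa-f]", "", mac.group()).upper()
        verdict, vendor = classify(mac_hex)
        if verdict in ("wireless-oui", "locally-administered"):
            findings.append((ip.group(), mac_hex, verdict, vendor))
    return findings

# Constructed ARP cache dump mixing Windows, Linux and Cisco IOS formats.
SAMPLE = """\
Interface: 10.1.4.1 --- 0x2
  Internet Address      Physical Address      Type
  10.1.4.23             00-40-96-a1-b2-c3     dynamic
  10.1.4.255            ff-ff-ff-ff-ff-ff     static
? (10.1.4.31) at 02:11:22:33:44:55 [ether] on eth0
? (10.1.4.40) at 00:50:56:aa:bb:cc [ether] on eth0
Internet  10.1.4.57   12   0002.2d0a.0b0c  ARPA   FastEthernet0/0
"""

if __name__ == "__main__":
    for row in scan(SAMPLE):
        print(row)
```

An OUI hit only says the interface was made by a vendor that ships wireless gear, so each finding is a lead to confirm by fingerprinting or a site visit, not proof of an access point.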