Penetration Testing mailing list archives
Re: Re: Identification of non Cisco AP's
From: <mox11 () charter net>
Date: Wed, 27 Jul 2005 17:37:15 -0400
Here's a poor man's fix.

Ping the broadcast address of your network. Most machines should reply.
arp -an to determine MAC addresses, or run a PERL script (let me know if you need the code).
The first 3 bits of the MAC will tell you the vendor.
http://standards.ieee.org/regauth/oui/index.shtml has most vendors available (OUI DB).

I'd throw what you get into a database and filter everything but Cisco. Then run queries on the rest.

There is a PERL script to automate some of this process; if you like, I'll post it.

micro.
From: Ian Gorrie <iag () locked net>
Date: 2005/07/27 Wed AM 03:39:41 EDT
To: Jonathan Gauntt <jon0966 () yahoo com>
CC: security-management () securityfocus com, pen-test () securityfocus com
Subject: Re: Identification of non Cisco AP's

On the wire detection is shoddy at best. Usually commercial scanners will only detect default configurations.

That being said, most products that I've looked at (such as Lumeta IPSonar for instance) work by scanning for banners on webservers that are running on the APs.

If you use a product that scans 80 and 443 for banners that match an AP's, you might get somewhere.

Not running an obvious banner, disabled, or not matching a signature? You'll be out of luck unless you are tricky and can somehow determine that it is a packet forwarding device.

802.11x on the network doesn't sound like such a bad idea now, does it? :)

-i

Jonathan Gauntt wrote:

Hi,

I have been tasked with the project of scanning and identifying all non Cisco wireless access points within the company's network. We have about 800 /22 and /24 subnets, and because of the IP addressing scheme in place, might just be easier for me to scan the whole class A range of IP's.

I have access to Nessus and GFI Security Scanner. Since we have over 8000 IP's in place, does anyone have any advice on the best way to identify these non Cisco AP's such as Linksys and Netgear, etc. I wouldn't want to have a report produced that is two miles long unless absolutely necessary.

Thanks,
Jonathan
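
The ARP-and-OUI inventory suggested in the reply above, sketched in Python as an added example; it is not the Perl script the poster mentions and not code from the thread. The vendor table is a small hand-made excerpt of the IEEE OUI registry keyed on the first three octets of the MAC, and the `arp -an` output and function names are constructed for illustration.

```python
import re

# Constructed excerpt of the IEEE OUI registry; load the full registry file in real use.
OUI_VENDORS = {
    "00000C": "Cisco Systems",
    "004096": "Cisco Systems (Aironet)",
    "000625": "Linksys",
    "00095B": "Netgear",
}

# Constructed `arp -an` output; BSD-style arp drops leading zeros in each octet.
SAMPLE_ARP = """\
? (10.1.4.1) at 00:00:0c:07:ac:01 [ether] on eth0
? (10.1.4.20) at 00:40:96:a1:b2:c3 [ether] on eth0
? (10.1.4.57) at 00:06:25:3e:11:9a [ether] on eth0
? (10.1.4.88) at 0:9:5b:aa:bb:cc [ether] on eth0
? (10.1.4.90) at <incomplete> on eth0
? (10.1.4.91) at 02:1a:2b:3c:4d:5e [ether] on eth0
"""

ARP_LINE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\) at ([0-9A-Fa-f:]+)")

def normalize_mac(raw):
    """Return the MAC as 12 upper-case hex digits, or None if malformed."""
    parts = raw.split(":")
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9A-Fa-f]{1,2}", p) for p in parts):
        return None
    return "".join(p.zfill(2) for p in parts).upper()

def vendor_of(mac):
    """Map a normalized MAC to a vendor name using its first three octets."""
    if int(mac[:2], 16) & 0x02:  # locally administered bit: not a registry-assigned OUI
        return "locally administered"
    return OUI_VENDORS.get(mac[:6], "unknown OUI")

def non_cisco(arp_text):
    """Return (ip, mac, vendor) for every resolved ARP entry whose vendor is not Cisco."""
    hits = []
    for line in arp_text.splitlines():
        m = ARP_LINE.search(line)
        mac = normalize_mac(m.group(2)) if m else None
        if mac is None:
            continue  # unresolved (<incomplete>) or malformed entry
        vendor = vendor_of(mac)
        if not vendor.startswith("Cisco"):
            hits.append((m.group(1), mac, vendor))
    return hits

if __name__ == "__main__":
    for ip, mac, vendor in non_cisco(SAMPLE_ARP):
        print(f"{ip:15} {mac} {vendor}")
```

An ARP table only covers the local broadcast domain, so the output has to be collected per subnet, and a device with a cloned or locally administered MAC will not show its real vendor.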