Penetration Testing mailing list archives

RE: Identify rogue adsl modems routers in the network


From: "Sam Stern" <samstern () samstern net>
Date: Mon, 26 May 2008 22:04:32 -0400



-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of kevin horvath
Sent: Monday, May 26, 2008 3:41 PM
To: t35tman () gmail com
Cc: pen-test () securityfocus com
Subject: Re: Identify rogue adsl modems routers in the network

Use a wardialer such as PhoneSweep.  Sweep the phone numbers that are
allocated to you and if you get a carrier signal then you need to check
it out.  Good luck.

Kevin

On Mon, May 26, 2008 at 12:25 PM, t35tman <t35tman () gmail com> wrote:
Hi all,

Had a weird requirement recently.
I was wondering if there is any way to detect an adsl modem/router connected
to a phone line.

The scenario being able to trace the adsl modem/router internally from
within the corporate network or externally from the ISP network.

The only option I see is to check with the ISP ... any suggestions ?

Thanks and Regards



It's an interesting question I'll investigate (I have a number of adsl modems ...)

From the network side, I'd say to:

Step A: Least intensive, most likely to be definitive, more work as it's a special step in auditing

- after gathering a set of IPs on your network (after a regular scan), dump the IPs to a file (you only need the 
first 24 bits), de-dupe, and then finally resolve their MAC addresses. Then resolve the MAC addresses to manufacturers 
and look for Westell, Linksys, or other manufacturers that seem odd or unusual (e.g. 00:14:BF is Cisco-Linksys) ;>

Step B: More network intensive, less likely to be definitive, less work as it leverages regular auditing

After a network scan, check for systems that have one or more of: 
- udp and / or tcp (yes BOTH) port 67 (bootps) to find the rogue DHCP server the vast majority of adsl modems create.
- udp and / or tcp port 1900, and filter out any hosts that have port 1025 (MS RPC endpoint), port 135 or port 445 (NetBIOS) to 
detect rogue UPnP devices
- tcp port 80 - adsl modems will usually have this port open (default) or closed (if the user disabled the internal web 
server)

Start ruling out known systems and do more thorough OS and non-IP scans on the rest.

FWIW, here is the output of a quick scan of my Linksys that has DHCP turned off (I'm running a scan with -p 1-65535 
that will take some time to complete):

nmap -v -sU -sS $host
PORT     STATE         SERVICE
80/tcp   open          http
443/tcp  open          https
53/udp   open|filtered domain
69/udp   open|filtered tftp
2048/udp open|filtered dls-monitor
MAC Address: 00:14:BF: (Cisco-Linksys) 

HTH

Sam S.
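The two steps above, turned into a small triage script. This is an added example, not code from the thread: it takes a host inventory (IP, MAC, open TCP/UDP ports) as a scan plus ARP resolution would give you, applies the OUI check from Step A and the port heuristics from Step B, and reports why each host was flagged. The inventory and the 02:00:00 "corporate PC" prefix are constructed; only 00:14:BF (Cisco-Linksys) comes from the post.

```python
from collections import namedtuple

Host = namedtuple("Host", "ip mac tcp udp")  # tcp/udp are sets of open ports

# Vendor prefixes (first 24 bits of the MAC). 00:14:BF = Cisco-Linksys is from
# the post; 02:00:00 is a constructed placeholder for the corporate PC fleet.
OUI_VENDORS = {"00:14:BF": "Cisco-Linksys", "02:00:00": "Corp-PC-Vendor (constructed)"}
SUSPECT_VENDORS = {"Cisco-Linksys", "Westell"}   # named in the post as out of place on a corporate LAN
WINDOWS_PORTS = {135, 445, 1025}                  # RPC endpoint / NetBIOS-SMB, per the post

def vendor(mac):
    """Map a MAC to its manufacturer via the OUI (first three octets)."""
    return OUI_VENDORS.get(mac.upper()[:8], "unknown")

def step_a(host):
    """Step A: consumer gateway vendors do not belong on a corporate LAN."""
    v = vendor(host.mac)
    return [f"OUI {host.mac[:8].upper()} is {v}"] if v in SUSPECT_VENDORS else []

def step_b(host):
    """Step B: DHCP server, UPnP on a non-Windows box, web UI as corroboration."""
    reasons = []
    if 67 in host.tcp or 67 in host.udp:
        reasons.append("bootps/67 open: possible rogue DHCP server")
    if 1900 in host.udp and not (host.tcp & WINDOWS_PORTS):
        reasons.append("udp/1900 UPnP without Windows RPC/SMB ports")
    if 80 in host.tcp and reasons:   # weak on its own, so only counted alongside another hit
        reasons.append("tcp/80 web UI (corroborating)")
    return reasons

def find_candidates(hosts):
    """Return {ip: [reasons]} for every host that trips Step A or Step B."""
    out = {}
    for h in hosts:
        reasons = step_a(h) + step_b(h)
        if reasons:
            out[h.ip] = reasons
    return out

# Constructed inventory: a Linksys like the one scanned above, a Windows PC
# with UPnP, an unknown box serving DHCP, and a plain corporate host.
SAMPLE = [
    Host("192.168.1.1", "00:14:bf:11:22:33", {80, 443}, {53, 69, 2048}),
    Host("192.168.1.50", "02:00:00:aa:bb:cc", {135, 445, 1025, 3389}, {1900}),
    Host("192.168.1.77", "02:00:01:de:ad:01", {80}, {67, 1900}),
    Host("192.168.1.10", "02:00:00:01:02:03", {22}, set()),
]

if __name__ == "__main__":
    for ip, why in find_candidates(SAMPLE).items():
        print(ip, "->", "; ".join(why))
```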




