Penetration Testing mailing list archives

RE: Identify rogue adsl modems routers in the network


From: "THORNTON Simon" <Simon.THORNTON () swift com>
Date: Fri, 30 May 2008 13:56:50 +0200

Hi,

One way you can detect an ADSL modem in PPPoE mode is to use the PPPoE
discovery protocol (PPPoED); any DSL router in the broadcast domain will
respond.

The PADI query frame is as follows:

0000  ff ff ff ff ff ff mm mm  mm mm mm mm 88 63 11 09   .......P.....c..
0010  00 00 00 0c 01 01 00 00  01 03 00 04 ii ii ii ii   ................

Where:
        mm mm mm mm mm mm  is the MAC address of your machine
        ii ii ii ii        is a unique identifier (99 30 00 00 on mine)


Any DSL modem will respond with PADO (PPPoE Active Discovery Offer):

0000  mm mm mm mm mm mm ss ss  ss ss ss ss 88 63 11 07   .P......;.g..c..
0010  00 00 00 2d 01 01 00 00  01 03 00 04 ii ii ii ii   ...-............
0020  01 02 00 19 zz zz zz zz  zz zz zz zz zz zz zz zz   ....Provider DSL
0030  zz zz zz zz zz zz zz zz  zz zz zz zz zz 01 01 00   node name.......
0040  00

Where:
        ss ss ss ss ss ss  is the MAC address of the DSL modem
        mm mm mm mm mm mm  is the MAC address of your machine
        ii ii ii ii        is the unique identifier from the PADI (99 30 00 00 on mine)
        zz zz .....        is the provider name of the DSL node (variable)

You can use any packet creator/injector (e.g. nemesis) to inject the
PADI frame and then sniff the line to see who responds.

If you don't want to roll your own packets then use the PPPoE package
that comes with your distro; it doesn't matter what account details you
set. Start the sniffer and then do an adsl-start or similar; this
will generate PADI frames, and you can then sniff for the PADO replies.

The only usage issue I've seen relates to whether your switches forward
broadcast traffic. If not, this will only detect modems on the local
segment, and you have to repeat it on each segment/VLAN.

For details of the PADI/PADO format look at RFC 2516 or search on
Wikipedia.


TTFN,


Simon
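As an added example (not part of Simon's post or of any PPPoE package), the Python below builds the PADI probe with exactly the byte layout shown above and parses PADO replies, reporting the modem's MAC address and the AC-Name (provider name) only when the Host-Uniq tag matches the probe that was sent. The MAC addresses and provider string are constructed sample values; only the Host-Uniq 99 30 00 00 comes from the post, and putting the frame on the wire (raw socket) is left out so the example runs offline.

```python
import struct

# PPPoE discovery constants (RFC 2516)
ETH_P_PPPOE_DISC, PPPOE_VER_TYPE = 0x8863, 0x11      # ethertype; version 1, type 1
CODE_PADI, CODE_PADO = 0x09, 0x07
TAG_SERVICE_NAME, TAG_AC_NAME, TAG_HOST_UNIQ = 0x0101, 0x0102, 0x0103
BROADCAST = b"\xff" * 6

def _tag(ttype, value=b""):
    return struct.pack("!HH", ttype, len(value)) + value

def _frame(dst, src, code, tags):
    hdr = struct.pack("!BBHH", PPPOE_VER_TYPE, code, 0, len(tags))   # session id 0
    return dst + src + struct.pack("!H", ETH_P_PPPOE_DISC) + hdr + tags

def build_padi(src_mac, host_uniq):
    """Broadcast PADI as in the post: empty Service-Name plus a Host-Uniq tag."""
    return _frame(BROADCAST, src_mac, CODE_PADI,
                  _tag(TAG_SERVICE_NAME) + _tag(TAG_HOST_UNIQ, host_uniq))

def build_pado(modem_mac, dst_mac, host_uniq, ac_name):
    """Constructed PADO reply with the same tag layout as the post's dump."""
    tags = (_tag(TAG_SERVICE_NAME) + _tag(TAG_HOST_UNIQ, host_uniq)
            + _tag(TAG_AC_NAME, ac_name) + _tag(TAG_SERVICE_NAME))
    return _frame(dst_mac, modem_mac, CODE_PADO, tags)

def parse_pado(frame, expected_uniq):
    """Return (modem MAC, AC-Name) if frame is a PADO answering our PADI, else None."""
    if len(frame) < 20 or frame[12:14] != struct.pack("!H", ETH_P_PPPOE_DISC):
        return None
    ver_type, code, session, length = struct.unpack("!BBHH", frame[14:20])
    tags = frame[20:20 + length]
    if (ver_type, code, session) != (PPPOE_VER_TYPE, CODE_PADO, 0) or len(tags) < length:
        return None                           # not a PADO, or truncated frame
    found, off = {}, 0
    while off + 4 <= len(tags):               # walk the TLV tags
        ttype, tlen = struct.unpack("!HH", tags[off:off + 4])
        found[ttype] = tags[off + 4:off + 4 + tlen]
        if len(found[ttype]) < tlen:
            return None                       # tag overruns declared length: malformed
        off += 4 + tlen
    if found.get(TAG_HOST_UNIQ) != expected_uniq:
        return None                           # stray PADO or answer to someone else's PADI
    ac_name = found.get(TAG_AC_NAME, b"").decode("ascii", "replace")
    return frame[6:12].hex(":"), ac_name      # source MAC is the modem (ss ss ... above)

# Constructed sample values; only the Host-Uniq 99 30 00 00 comes from the post
MY_MAC, MODEM_MAC = bytes.fromhex("001122334455"), bytes.fromhex("00d0a1b2c3d4")
HOST_UNIQ = bytes.fromhex("99300000")
SAMPLE_PADO = build_pado(MODEM_MAC, MY_MAC, HOST_UNIQ, b"ExampleISP DSL node")
```

In practice `build_padi(...)` is what you would hand to a raw socket on the segment, and every frame the sniffer captures goes through `parse_pado`; a non-None result is a modem answering on that broadcast domain.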


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of t35tman
Sent: Monday, May 26, 2008 18:25
To: pen-test () securityfocus com
Subject: Identify rogue adsl modems routers in the network

Hi all,

Had a weird requirement recently.
I was wondering if there is any way to detect an ADSL modem/router
connected to a phone line.

The scenario is being able to trace the ADSL modem/router internally from
within the corporate network or externally from the ISP network.

The only option I see is to check with the ISP ... any suggestions?

Thanks and Regards


