check ?

imagine a company network with a few hundred computers connected. is it possible to check if somewhere someone connected an AP to this network ??

many thanks

martin

Reply to
Martin!

I don't know if this is applicable, but AirSnare might be worth a try.

It looks for new MAC addresses on the network. Methinks it will work through your VPN, but I'm not sure.

Reply to
Jeff Liebermann

You could periodically wander around running something like NetStumbler and see what it finds. (Although it won't show anything with the SSID Broadcast disabled, I believe Kismet under Linux or OS X will)

Reply to
chris

i was actually looking for some kind of network probe. not that i am too lazy to get out of my chair, but the network may contain several VPNs and thus some computers may be on the other side of the planet.

Reply to
Martin!

Depends on the skills of the antagonist.

The FIRST step is to see that the _published_ company policy says that adding such stuff is a no-no (see your legal advisor). Next, you make sure that everyone is aware of the policy (ideally, they sign a copy of the policy and return that to HR), and you have prominent signs at all entries reminding people of this. Then do the walk-through, carrying an appropriate sniffer and a two handed broad sword. Putting severed heads on pikes at the entrance to the facility usually acts to reinforce the message, especially if an explanatory sign is attached ("I ran an unauthorized access point", along with the more common "I got caught surfing pr0n sites", "I clicked on a virus link" or "I forgot my password" - you get the idea).

Much harder to do (though still possible). Best solution is to have dedicated PCs set up as "Big Brother" monitors, sniffing traffic on the local wires (use the 'monitor port' on switches). The two tools you need are a hardware address monitor (such as 'arpwatch') to notice unknown systems. Monitor the hardware addresses against a list of known authorized systems, and look for the MAC addresses of wireless gear. The second tool is a passive fingerprinting tool (such as p0f) used in the masquerade detection mode (watch packets out of each host for consistency and indications of more than one real host behind a single MAC address).

Didn't this get discussed recently? Yeah, look in this newsgroup (alt.internet.wireless) for a thread "Using Ethernet scans to locate WLAN APs ?" back in late November 2004.

Old guy

Reply to
Moe Trin

it looks interesting ! i will check it for sure thanks

Reply to
Martin!

ROAD TRIP!!!

What, your boss won't approve periodic travel to check for rogue WAPs?!?

:-)

-chris

Reply to
chris

Probably the zeroth question is "Do you have a canonical list of (MAC addresses of) authorized equipment, and do you keep it up to date?". If you don't know what's (supposed to be) on your network, you're never going to detect unauthorized equipment of any kind, much less rogue APs.

It might be better for everyone involved if you made it easy for people to request authorized, properly secured APs from the IT department. Then they wouldn't be tempted to go behind your back and set up rogue ones just to get their jobs done.

Sure, you can look for MAC addresses, compare them against a list of (supposed) AP vendors, and maybe detect some potential APs, but with every SOHO router on the planet supporting MAC address cloning, you really aren't going to get very far.

Reply to
William P. N. Smith
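The inventory comparison discussed in the posts above (unknown hardware addresses, wireless-vendor prefixes, and the limits that address cloning puts on both), as an added example that is not code from any poster or from arpwatch. The inventory, the vendor prefix and the ARP lines are constructed; the input is assumed to look like Linux `arp -an` output.

```python
import re

# Constructed inventory of authorized hardware addresses (normalized form).
AUTHORIZED = {"00:11:22:33:44:55", "00:11:22:33:44:66"}
# Placeholder prefix; a real list would be built from the IEEE OUI registry.
WIRELESS_OUIS = {"00:AA:BB": "ExampleWiFi (placeholder vendor)"}
# Constructed observations in the style of Linux `arp -an` output.
ARP_LINES = """\
? (10.1.0.5) at 00:11:22:33:44:55 [ether] on eth0
? (10.1.0.9) at 0:aa:bb:1:2:3 [ether] on eth0
? (10.3.7.20) at 06-de-ad-be-ef-01 [ether] on eth0
? (10.1.0.6) at 00:11:22:33:44:66 [ether] on eth0
? (10.1.0.7) at <incomplete> on eth0
? (10.1.0.8) at 00:11:22:33:44:99 [ether] on eth0
"""
LINE_RE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9A-Fa-f:-]+) ")

def normalize_mac(raw):
    """Canonical AA:BB:CC:DD:EE:FF; accepts '-' separators and octets
    printed without their leading zero."""
    parts = re.split(r"[:-]", raw.strip())
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9A-Fa-f]{1,2}", p) for p in parts):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(p.zfill(2).upper() for p in parts)

def classify(mac):
    if mac in AUTHORIZED:
        return "authorized"
    if int(mac[:2], 16) & 0x02:  # locally administered bit: not a factory address
        return "unknown-locally-administered"
    if mac[:8] in WIRELESS_OUIS:
        return "unknown-wireless-oui"
    return "unknown"

def audit(text):
    """Return (ip, mac, verdict) for every observed station not in the inventory."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unresolved entries such as <incomplete> carry no MAC
        mac = normalize_mac(m.group("mac"))
        verdict = classify(mac)
        if verdict != "authorized":
            findings.append((m.group("ip"), mac, verdict))
    return findings

if __name__ == "__main__":
    print(*audit(ARP_LINES), sep="\n")
```

A station that clones an authorized address passes this check unchanged, which is why the inventory comparison is only the first of the two tools suggested earlier in the thread.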

i like that ! you mind if i use you as a qualified reference to reinforce my request to travel scan the planet in 8888 days ?

lol :)

Reply to
Martin!

maybe i should advise my boss to hire less clever people.

i like that too, problem is that my boss has reserved the role of god for himself in this company and hired me to be one of his angels.

i'll check that !

i'll check that too !

if i could i would help you out here, but aging problems are not my expertise. sorry.

thanks!

Reply to
Martin!

I'm sure he'd be thrilled with that suggestion. No, what I was referring to is if you are dealing with the average computer user, it's going to be easier to find. An experienced guy will be masquerading the access point, and the hosts behind that will be using the same O/S as the masquerading box, turned on at the same time, and not being promiscuous (windoze boxes trying to share as one example), and may tweak the masquerading program such that packets from the hidden systems are using "normal" port numbers, rather than a block starting at 32800 or 60000 (some version of UNIX) or 30000 (not sure what O/S that was). This would muddy the signals that a fingerprinting tool would be looking at. Read the documentation that comes with your tool (as mentioned, I like p0f for this) for more insight.

[putting severed heads on pikes as a warning]

Seems to me there was at least one angel charged with lopping heads, or casting into the firey furness or sumthin.

Damn. Ah, well... I'll just keep trying I suppose.

Old guy

Reply to
Moe Trin
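The per-MAC consistency checks discussed in this post and in the earlier suggestion to use a passive fingerprinting tool, as an added example that is not p0f's own logic or code from any poster. The packet tuples, the router allowlist and the 4096-port block width are assumptions; the block starts are the ones quoted in the post.

```python
from collections import defaultdict

COMMON_INITIAL_TTLS = {64, 128, 255}  # usual OS defaults
# Block starts quoted in the post; the 4096-port width is an assumption.
MASQ_PORT_BLOCKS = [(30000, 4096), (32800, 4096), (60000, 4096)]
KNOWN_ROUTERS = {"00:11:22:33:44:01"}  # forwarded traffic is expected here

# Constructed observations (source MAC, IP TTL, TCP source port), captured on
# the senders' own segment, so a genuine end host shows its initial TTL.
PACKETS = [
    ("00:11:22:33:44:01", 57, 443),
    ("00:11:22:33:44:55", 128, 1045),
    ("00:11:22:33:44:55", 128, 1046),
    ("00:11:22:33:44:77", 64, 60012),
    ("00:11:22:33:44:77", 127, 60013),
    ("00:11:22:33:44:77", 63, 60020),
    ("00:11:22:33:44:88", 64, 1030),
    ("00:11:22:33:44:88", 127, 1031),
]

def in_masq_block(port):
    return any(start <= port < start + width for start, width in MASQ_PORT_BLOCKS)

def masquerade_indicators(packets):
    """Map each suspicious MAC to the set of indicators it triggered."""
    ttls, ports = defaultdict(set), defaultdict(list)
    for mac, ttl, port in packets:
        if mac not in KNOWN_ROUTERS:
            ttls[mac].add(ttl)
            ports[mac].append(port)
    report = {}
    for mac, seen in ttls.items():
        hits = set()
        if seen - COMMON_INITIAL_TTLS:
            hits.add("forwarded-ttl")    # TTL already decremented by a hop
        if len(seen) > 1:
            hits.add("mixed-ttl")        # more than one IP stack behind the MAC
        if sum(map(in_masq_block, ports[mac])) * 2 >= len(ports[mac]):
            hits.add("masq-port-block")  # weak: overlaps ordinary ephemeral ranges
        if hits:
            report[mac] = hits
    return report

if __name__ == "__main__":
    for mac, hits in masquerade_indicators(PACKETS).items():
        print(mac, sorted(hits))
```

In the constructed data the last MAC uses "normal" port numbers and is flagged on TTL alone; none of these signals is conclusive on its own, so a clean result does not clear a host.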

That may actually be a good idea. I have a theory about excessive security being self defeating. This is only a theory and has not been tested adequately or proven.

I consider security to be an exercise in psychology. Being a keen observer of people, I find that my experiences with security have been the opposite of conventional wisdom and common sense. For example, I can leave an expensive computah in the back of my pickup truck, and nobody will steal it. I've done this several times without any problems. However, when I locked the cab and put a cheap junk cell phone on the seat, some wino broke the window and stole the worthless phone. I can also leave my house unlocked for 25 years and not have anyone break in. Yet, when advised that this was a bad idea and I started locking the house, that's when someone broke in and stole some really stupid junk. My office wireless network has a really trivial WEP key that can be recovered by any WEP cracker program in a few seconds. It's not totally open because I had a herd of camper people use it for VoIP, but it's so easy, that it might as well be open. No attacks or abuse. However, the wireless network in the office next door is nailed down with a cryptic WEP key, and that's the one that the hackers seem to pound on.

In theory, hackers and crackers should concentrate on breaking into the easy wireless networks because the properly protected ones are too much trouble. Yet, the psychology seems to demonstrate that easy break-ins offer very little challenge, and that properly secured houses, cars, and wireless networks are the real challenge for aspiring criminals. Therefore, I suggest you disassemble all your security, remove all your encryption, run your network wide open, and nobody will bother you.

Reply to
Jeff Liebermann

Jeff, you're 30 days late.

Don't forget to put the chest of (unmarked) tens and twenties in the back of that pickup. ;-)

Can I have my leg back now?

[I'll agree that requiring a 16 character "password" that is not in any dictionary, has an even mix of upper/lower case letters, numbers and punctuation, and allowing it to be used for a week and then never used again is actually bad security, but the company and the stockholders really expect something better than "".]

Old guy

Reply to
Moe Trin

That reminds me. I gotta crank out some invoices tonight.

Nope. I'm quite serious. I'm also convinced that safety features cause more accidents because people tend to "feel safe" and therefore do stupid things. I won't go into physician induced maladies and repairmen that break things instead of fixing them. Lots of things don't work the way we expect. Good ideas, dragged to their extreme, become bad ideas.

Can you tell that to Wells Fargo Bank and Verizon Wireless that still use 4 digit numeric "PIN" numbers as passwords?

Non-memorable passwords are another invitation to having things work backwards. One company I deal with insisted that cryptic passwords should be issued to users as the ultimate improvement in security. Near as I can tell, that was all their overpriced security consultant ever accomplished. Anyway, within a week, every desk had yellow post-it notes with the passwords inscribed under the mouse pad or keyboard. Some didn't even bother to hide it and just stuck it on the monitor. That was immediately listed as a capital offense and new cryptic passwords were issued via email. My home made outgoing security sniffer caught the email with the plain text passwords, so I presented a printed copy to the security consultant. Meanwhile, many users had figured out how to change their own passwords to something they could remember. A day of grinding with a password cracker running a dictionary attack recovered about 1/3 of the new passwords. Secure passwords cause users to adopt insecure practices.

Anyways, as I was mumbling.... Security is a good thing to have. Too much security is an abomination.

Reply to
Jeff Liebermann
