Using Ethernet scans to locate WLAN APs?

I am working in a larger company, with quite a few branch offices, so travelling around to scan for APs is not practical.

Are there any tools that can scan for APs over the Ethernet? I was mostly thinking of scanning for MAC address ranges that are known to be used by WLAN equipment.

Other solutions: scan for HTTP servers, but that will give many false positives, and if the web interface is deactivated or has been moved to another port it will not work.

Looking for 192.168.x.y traffic would probably find WLAN bridges - but would also give false positives.

Is there any, even half-good, solution that will work?

Reply to
Povl H. Pedersen

Even this won't help if a router is used, as the web interface shows up on the LAN side, and you are looking at the WAN interface. In fact, with the MAC address cloning feature in nearly every cheap router out there, even a fully locked down infrastructure won't work.

Policies, procedures, maybe a bounty on unauthorized network devices?

[Please note that if you're going to be restrictive, you also really need to be very responsive to employees' need for communications. If I need a network widget to do my job and I'm looking at a 6-month process and a VP signature, I'm more likely to buy a $50 router and hide it in the ceiling. At my last full-time job the IT department was the biggest hurdle to getting any work done... Why not set up properly secured APs for your clients to use?]
Reply to
William P.N. Smith

Are you using any network management tools (OpenView, OpenNMS, Unicenter TNG, Tivoli, etc.)? These will detect any new hardware on the LAN through either LAN discovery or through "probes".

Let's separate scanning and sniffing. I can scribble a simple scanner script that uses arping (ping by MAC address) that scans through a block of MAC addresses known to be used by commodity wireless manufacturers. This has the potential of generating lots of useless traffic, false positives, and missing a few manufacturers that don't bother to register their MAC addresses with the IEEE. Let's just say I'm not a big fan of scanning.

Sniffing is done with arpwatch (or winarpwatch), which detects new MAC addresses on the LAN.
Access points and wireless routers are noisy enough to belch broadcasts that can be picked up throughout a switched LAN. Using VLANs may require sniffing at the switch through a monitor port. Lots of other complications but methinks this would be a good start.

Scan by IP for web interfaces? If your LAN is running on 10.0.0.xxx but your wireless access point has a management web server running on 192.168.1.1, you're not going to see the web server from the LAN. If they're clever and use a router, plugging the router WAN port into your LAN, and network management from the WAN port is turned off (by default), then you will also not see the web server. The only way it can work is if the rogue access point or wireless router is intentionally installed in a rather clumsy manner.

A rogue access point I missed was when a clever employee set up his desktop XP box with a USB wireless client. The client was set up for Ad-hoc (peer to peer) mode. XP was set up to bridge between the ethernet port and the USB wireless card. Instant wireless bridge to the network. He then could set up his laptop as Ad-hoc and connect. Incidentally, this was done because he only had one wired ethernet port in his office and IT came unglued when he dared to bring in a 4 port switch, which was designated as some kind of dangerous unauthorized equipment. Anyway, I couldn't see the USB wireless card's MAC address on the network, and my wireless sniffing didn't detect the ad-hoc network. Netstumbler might have shown it, but we were using a wireless client and Ethereal, which didn't. Neither sniffing nor scanning would have found this one.

Build a database of known devices on the LAN by MAC address. Use arpwatch to detect new devices. Be prepared to deal with false alarms. Use inventory control reports (Belarc Advisor) to dump hardware and software lists to check for unauthorized software and hardware.

Reply to
Jeff Liebermann

There may be some difficulties:

  1. You have to be in the local collision domain to scan the MAC addresses.
  2. Not all MAC address ranges for WLAN devices are published.

So it won't help you to be sure...

There are some ways to prevent the use of unauthorized access points:

  1. Walk around and scan for them. (OK, that may not be good if the distances are too long.)
  2. Use drones that cover the needed areas. You can buy some Linksys WRT54G(S) routers and place them all over the area. After installing OpenWRT and the Kismet drone you can make them scan from a remote station.
  3. Use managed switches. The administrator then has to authorize every device in the network.

A real threat are Bluetooth-based access points. With their frequency hopping they are very hard to find...

Thomas

Reply to
Thomas Krüger

On 22 Nov 2004 23:58:25 -0800, Povl H. Pedersen spoketh

Well, you might be able to get the MAC addresses of all the devices by doing a "broadcast" ping on the LAN segment you're looking to investigate. Your ARP table should then list all the equipment in the office. Knowing which is what is going to be a whole other story. You might be able to get the manufacturer out of it, but there's still the question of what is a NIC, what is a switch and what is a WAP... I.E. Linksys uses 00-0c-12 in the MAC addresses, and there's no way to tell which is what...

The web-server scan would work better. The HTTP server on most cheap WAPs can't be disabled (it's the only means of configuration), so if you get a hit on port 80, it might be something that shouldn't be in the office... If you can collect the IP addresses of devices from certain manufacturers (i.e. Linksys, D-Link and Netgear), you can always port-scan these IP addresses to see what ports are open, and then investigate some of the more suspect ones further.

It's unlikely that someone would use a wireless router in the office, as that would cause severe connectivity issues, but someone with the right knowledge could still use this method, and that would be difficult for you to spot.

If you've got Active Directory deployed all around, and are using DHCP, you can always check your DHCP leases and see if there are any funky devices showing up there...

Lars M. Hansen


Reply to
Lars M. Hansen
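As an added example (not code from any poster in this thread), the following Python script applies the approach Jeff and Lars both describe: force the segment to populate the ARP table (a broadcast ping or arping sweep), dump it, compare every MAC against an inventory baseline the way arpwatch reports a "new station", and annotate the unknown ones with a vendor lookup on the OUI. The ARP dump, the baseline and the two-entry OUI table are constructed for the example; the 00-0c-12 (Linksys) and 00-40-05 (D-Link DI-614+) prefixes are the ones that appear in the thread, and a real run would load the IEEE OUI registry instead. As Jeff notes, this only catches APs and bridges that put their own MAC on the wire, not a router whose WAN MAC has been cloned.

```python
"""Baseline + OUI check over an ARP table dump (added example, not from the thread).

The dump below is constructed in the style of Windows `arp -a` after a
broadcast ping; the OUI table is an assumption for illustration.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: ARP cache after pinging the segment's broadcast address.
ARP_DUMP = """\
Interface: 10.0.0.5 --- 0x2
  Internet Address      Physical Address      Type
  10.0.0.1              00-11-22-33-44-01     dynamic
  10.0.0.17             00-0c-12-aa-bb-cc     dynamic
  10.0.0.23             00-40-05-ca-e0-42     dynamic
  10.0.0.42             00-11-22-33-44-42     dynamic
  10.0.0.255            ff-ff-ff-ff-ff-ff     static
"""

# Assumed vendor prefixes for the example; in practice load the IEEE OUI registry.
# Note that some manufacturers never register, so absence here proves nothing.
WLAN_VENDOR_OUIS: Dict[str, str] = {
    "00:0c:12": "Linksys",
    "00:40:05": "D-Link",
}

# Constructed inventory baseline: MACs IT already knows about.
KNOWN_MACS: Set[str] = {"00:11:22:33:44:01", "00:11:22:33:44:42"}

ARP_LINE = re.compile(
    r"(\d+\.\d+\.\d+\.\d+)\s+([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})"
)


def normalize_mac(mac: str) -> str:
    """Lower-case, colon-separated form so OUI slicing and set lookups agree."""
    return mac.lower().replace("-", ":")


def parse_arp(dump: str) -> List[Tuple[str, str]]:
    """Extract (ip, mac) pairs, dropping broadcast and IPv4 multicast entries."""
    entries = []
    for line in dump.splitlines():
        m = ARP_LINE.search(line)
        if not m:
            continue
        mac = normalize_mac(m.group(2))
        if mac == "ff:ff:ff:ff:ff:ff" or mac.startswith("01:00:5e"):
            continue
        entries.append((m.group(1), mac))
    return entries


def classify(entries: List[Tuple[str, str]], known: Set[str],
             ouis: Dict[str, str]) -> List[dict]:
    """Report MACs not in the baseline (arpwatch-style 'new station'), and any
    MAC, known or not, whose OUI belongs to a consumer WLAN vendor."""
    findings = []
    for ip, mac in entries:
        vendor = ouis.get(mac[:8])          # first three octets = OUI
        if mac in known and vendor is None:
            continue                        # inventoried and not a WLAN vendor
        findings.append({"ip": ip, "mac": mac, "new": mac not in known,
                         "vendor": vendor})
    return findings


if __name__ == "__main__":
    for f in classify(parse_arp(ARP_DUMP), KNOWN_MACS, WLAN_VENDOR_OUIS):
        status = "NEW" if f["new"] else "known"
        print(f"{f['ip']:<12} {f['mac']}  {status:<6} {f['vendor'] or 'unknown vendor'}")
```

Run it after a broadcast ping (or an arping sweep) on the segment you are auditing and feed it the real `arp -a` output; anything flagged NEW with a WLAN vendor OUI is the first thing to walk over and look at.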

Since most consumer grade routers have a MAC address cloning feature specifically to get around these kinds of restrictions, you may not catch a common workaround...

Reply to
William P.N. Smith

Wrong. The MAC cloning feature allows cloning the MAC address of only the WAN side port with that of the local "management" workstation. This is primarily to circumvent authentication by MAC address as practiced by some ISPs (i.e. Charter Cable). This cloned MAC address does NOT appear on the LAN side traffic (because MAC addresses do not propagate through routers). The MAC addresses of the LAN side switched ethernet ports remain unchanged. Anyway, cloning the LAN side MAC address with that of a workstation wouldn't work because we would end up with two identical MAC addresses on the same LAN segment. Bad idea.

Checking...from the status page of my office DI-614+

Device Information
Firmware Version: 2.33 , 5 Jul 2004

LAN
MAC Address 00-40-05-CA-E0-42
IP Address 192.168.111.33
Subnet Mask 255.255.255.0
DHCP Server Enabled

WAN
MAC Address 00-40-05-CA-E0-43
Connection fixed IP
IP Address 63.198.98.51
Subnet Mask 255.255.255.248
Default Gateway 63.198.98.49
DNS 206.13.28.12 206.13.31.12

Wireless
MAC Address 00-40-05-C6-A0-E3
SSID LearnByDestroying
Channel 11
WEP 64 bits

In my case, the WAN side MAC address has NOT been cloned. I just did a quick test of the cloning feature. Only the WAN side MAC address changed.

Reply to
Jeff Liebermann

Have you thought of using SNMP and a network management app? Although it is not a direct answer to the question, the results you get back for an AP are different to those you get back for a wired connection and so you should be able to tell the difference. You also get all the MACs back. A good (and free) network management app is OpenNMS.

David

Reply to
David Goodenough

Yeah, that's what I'm saying. If your LAN infrastructure watches for "unauthorized" MAC addresses, I'll unplug my workstation, plug in a router, clone the workstation's MAC address into the router, and plug in my devices behind the router.

Reply to
William P.N. Smith

Please re-read my posting. It doesn't work that way.

  1. When one "clones" the MAC address in the routers configuration, it's the WAN side MAC address that gets tweaked, not the LAN side. The LAN side, which is what thou art sniffing, is very different than the WAN side MAC address, and still has the original MAC address. Note my dump of the DI-614+ status page which clearly shows that the MAC addresses of the WAN and LAN sides of the router are different.
  2. If it worked the way you describe (LAN side MAC address changes by cloning the workstation MAC address), then you would end up with an unworkable situation, where both the workstation and the router would have identical MAC addresses, and therefore could not be distinguished by any known protocol.
Reply to
Jeff Liebermann

I suspect we're in violent agreement.

My scenario was to plug the WAN port of the router into the corporate LAN, clone the authorized MAC address from the workstation into the WAN MAC address on the router, and plug in my own devices to the LAN ports on the router.

From the corporate LAN, you can't tell by {scanning, watching, capturing} MAC addresses that I've got my own private LAN hiding behind the one true authorized MAC address, though you may be able to do traffic analysis to guess that there's something going on.

[OTOH, if I'm doing that, your IT department hasn't satisfied an IT need, and if your IT department is clever enough to do traffic analysis, why can't they satisfy my IT need? 8*]
Reply to
William P.N. Smith

I just hate it when this happens (when I agree with someone).

OK. I concede. Y'er right. If you do it that way, cloning the MAC address of the workstation will only show the MAC address of the workstation. However, there will be plenty of packets spewing from behind this router that have the MAC addresses of other devices that are attached. If one only uses the existing authorized corporate workstation via wireless, then such an arrangement is undetectable. However, hang additional devices on the LAN side, and they can usually be detected.

Many years ago, one of the cable companies was trying to extort extra revenue from users that hid multiple computers behind a NAT firewall. Their forward thinking Terms of Servitude insisted on one machine per cable modem and prohibited private networks. So, they turned over the job to a telemarketing pool, who used some analysis tools to look at sequence numbers and traffic patterns to determine how many machines were hidden behind NAT. It turned out to be trivially easy and fairly accurate. I don't have access to the tools, but I know the people that wrote them. It's exactly the same problem as sniffing (or log grovelling) the LAN for extra machines hidden behind wireless.

Drivel: I have some weird stories about the history of "counting eyeballs" as it was called in the movie industry, where the equivalent of service providers were historically charging by the number of people watching. I personally participated in a useless exercise to restrict the number of viewers and views of early VCRs.

Well the usual method is signature analysis (Nessus and Nmap):

There was quite a bit of discussion on detecting computers behind NAT firewalls in various mailing lists in about 1999. I'll do some digging and see if I can find some specifics. I'm not too good on the protocols and will probably screw something up if I core dump from memory.

I don't know any IT department that has the time to look at log files in depth or do proactive monitoring. They hire "security experts" to do it for them. It's kinda like home termite exterminators. Every time there's evidence of a problem, they call in the exterminators, clean up the mess, repair the damage, and leave. A short time later, it's back, so they call the exterminators again.

Incidentally, I've only been involved in about 5 "sweeps" for rogue access points and wireless routers on corporate LANs. In *ALL* 5 cases, the biggest offenders were found around mahogany row, where IT doth tread lightly. I was hired by IT because I was essentially fire-proof and have no fear of (or respect for) the corporate hierarchy. However, only 1 of these 5 companies has asked me to return or do other work, so I suspect my non-diplomatic style of playing "security expert" is not a viable continuing business model.

Incidentally, one clown decided to use my method of getting what he wanted from IT. If the problem is invisible, make it obvious. If the problem isn't a crisis, create one. He installed a 300ft roll of CAT5 in his office on a plastic garden hose spool. Whenever he went into the cube farm (office partition forest), he would drag the length of wire behind his laptop. Needless to say, IT eventually delivered a properly secured access point immediately after everyone, except this clown, complained about tripping over the cable and management complained about the disruption it was causing.

Reply to
Jeff Liebermann

Your company checks that the doors are locked every night and the cash drawers are secure; why not the same for your network? Have on-site scans planned periodically with unannounced clandestine spot checks. Assuming you have a written policy on such devices, gate any employee that violates the rules.

There are ways to set up automated site scans but these are usually only half way effective.

Reply to
Not Me

Not exactly.

While a router is a router and a bridge is a bridge, a collision domain is a collision domain...

We are talking layer two here, not layer three. Unless a device is actually a layer two switch (and a low end router is not a layer two switch, it is a layer three switch) it will use the same MAC address for all traffic passing through it.

That is exactly why it is impossible for your cable company to know for sure you have cloned the address of your PC, when you are sharing your connection with multiple systems on the local LAN.

Reply to
Michael Erskine

Ah, I didn't understand that the MAC addresses of the devices behind a NAT router showed up on the WAN port. I need to do some more research, thanks!

Reply to
William P.N. Smith

  1. If you have some good ethernet switches then you can catch APs, but not routers.

Set the switch to only allow a single MAC address per port, but set it to allow any address.

Now if they attach an AP, it works in the LAN, the AP MAC address is bound to the port (since the AP will generate some traffic), but no-one who connects to the AP gets their traffic onto the network, since that needs the extra MAC address to also get bound to the same switch port.

  2. Set up the network to use authentication - 802.1x? Then each device gets logged into a central authentication system and you have an audit trail - but you will need to have enough info on what should be there to catch the unauthorised stuff. The big drawback here is all those devices that don't understand 802.1x....
Reply to
stephen

Absolutely correct. The source MAC address for everything coming from the router has the MAC address of the routers WAN port in the header. Notice I said the ethernet header. I think (as in I'm not quite sure) that some layer 3 packets contain various MAC addresses in the payload, not the header. I was thinking specifically of ARP requests (broadcasts) that end up going through the router. I just read RFC826 and my head hurts. These certainly have MAC addresses in the payload, but I'm no longer so sure that they will go through the router. Time to do some sniffing on my LAN and check my guesswork (and sanity). I may be totally wrong (not unusual).

My foggy brain also recalled the way one vendor (Comcast) was counting computers behind NAT firewalls.

I'm not familiar with sFlow so please don't ask me how it works. However, at first glance, it appears to be useful for detecting machines behind NAT firewalls by tracking TCP ID numbers and measuring variations in packet arrival times. Also, to the best of my limited knowledge, Comcast is NOT the cable company that was counting users.

It turns out that such passive methods were not commonly used by the cable broadband telemarketing pools of 6 years ago. They had a much simpler scheme. Their main web site had some Java applet or Active-X control that when run, would send them your local IP address. Javascript and CGI will detect the WAN IP address. They also used MAC address authentication. So every time someone connected to their web site, they had a table of registered MAC address, WAN IP, and LAN IP. No sniffing or log grovelling required. This is quite sufficient to build a table of computers behind a NAT firewall per customer.

I recall (but can't find the articles) demonstrating some of the screwups, such as when vendors delivered routers where client IP's started at 192.168.1.100. People were soon accused of having 100 machines behind their NAT firewall.

Anyway, the same technique can be used to "trap" users of hidden routers on corporate LAN's. Hit the corporate main web page, web mail, whatever, and Java or Active-X sends the local IP address or something. It's a fairly good assumption that corporate users will use their hidden machines for corporate business, and will regularly hit a particular page. However, I don't know any corporation that's admitted to doing this.

Reply to
Jeff Liebermann

Seems like it looks at TTL values, and notices that they are one less than they "ought" to be, hence they passed through a router...

Reply to
William P.N. Smith
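As an added example (not code from any poster in this thread), here is the TTL and IP ID analysis that Jeff and William arrive at, run over a constructed capture. Each record is (source MAC, source IP, TTL, IP ID) as a sniffer on the segment would see it. Two tells are checked per source MAC: a TTL one below a standard initial value (64 or 128) means the frame already crossed a router, which on a local segment means the MAC belongs to a hidden router rather than an end host; and several interleaved IP ID counters, or several distinct initial TTLs, behind one MAC and one IP suggest several hosts behind NAT. The MAC and IP values are made up, and the scenario is William's: the authorized workstation MAC cloned onto a consumer router's WAN port, so a MAC whitelist passes it. The stream-counting heuristic follows Bellovin's 2002 "A Technique for Counting NATted Hosts"; stacks that randomize IP ID, or send ID 0 with DF set, will inflate or escape the count, so treat the host estimate as a lead, not a number.

```python
"""Passive detection of hidden routers / NAT boxes from a LAN capture.

Added example, not code from the thread. The capture below is constructed:
MAC 00:11:22:33:44:01 is an honest workstation; MAC 00:11:22:33:44:42 is the
authorized workstation's MAC cloned onto a cheap router's WAN port, with two
Windows boxes and one Linux box living behind it.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Initial TTLs used by common stacks: Windows 128, Linux/macOS 64,
# some Unix and network gear 255, a few old systems 32.
INITIAL_TTLS = (32, 64, 128, 255)


@dataclass(frozen=True)
class Pkt:
    src_mac: str
    src_ip: str
    ttl: int
    ip_id: int


HONEST = "00:11:22:33:44:01"
CLONED = "00:11:22:33:44:42"   # authorized MAC, cloned onto the router's WAN port

# Constructed capture, in arrival order.
CAPTURE: List[Pkt] = [
    Pkt(HONEST, "10.0.0.1", 128, 1000),
    Pkt(CLONED, "10.0.0.42", 127, 500),     # Windows host behind router: 128 - 1 hop
    Pkt(HONEST, "10.0.0.1", 128, 1001),
    Pkt(CLONED, "10.0.0.42", 63, 20000),    # Linux host behind router: 64 - 1 hop
    Pkt(CLONED, "10.0.0.42", 127, 501),
    Pkt(CLONED, "10.0.0.42", 127, 800),     # second Windows host, its own ID counter
    Pkt(CLONED, "10.0.0.42", 63, 20001),
    Pkt(HONEST, "10.0.0.1", 128, 1002),
    Pkt(CLONED, "10.0.0.42", 127, 801),
    Pkt(CLONED, "10.0.0.42", 63, 20002),
]


def initial_ttl(ttl: int) -> int:
    """Smallest standard initial TTL that is not below the observed one."""
    return next(t for t in INITIAL_TTLS if t >= ttl)


def count_id_streams(ids: List[int], max_gap: int = 50) -> int:
    """Greedy count of monotonically increasing IP ID sequences.

    Each ID is attached to the first stream whose last ID it closely follows;
    otherwise it starts a new stream. ID 0 (DF packets on some stacks) is skipped.
    """
    last_seen: List[int] = []
    for i in ids:
        if i == 0:
            continue
        for k, last in enumerate(last_seen):
            if last < i <= last + max_gap:
                last_seen[k] = i
                break
        else:
            last_seen.append(i)
    return len(last_seen)


def analyze(capture: List[Pkt]) -> Dict[str, dict]:
    """Per source MAC: was the TTL already decremented, how many distinct
    initial TTLs (OS stacks) appear, and how many hosts the ID streams suggest."""
    by_mac: Dict[str, List[Pkt]] = defaultdict(list)
    for p in capture:
        by_mac[p.src_mac].append(p)
    report = {}
    for mac, pkts in by_mac.items():
        stacks = sorted({initial_ttl(p.ttl) for p in pkts})
        hops = {initial_ttl(p.ttl) - p.ttl for p in pkts}
        streams = count_id_streams([p.ip_id for p in pkts])
        report[mac] = {
            "ips": sorted({p.src_ip for p in pkts}),
            "routed": any(h > 0 for h in hops),   # decremented TTL on a local segment
            "initial_ttls": stacks,
            "estimated_hosts": max(streams, len(stacks)),
        }
    return report


if __name__ == "__main__":
    for mac, r in analyze(CAPTURE).items():
        flag = "SUSPECT" if r["routed"] or r["estimated_hosts"] > 1 else "ok"
        print(f"{mac} {r['ips']} routed={r['routed']} "
              f"stacks={r['initial_ttls']} hosts~{r['estimated_hosts']} {flag}")
```

Against a real capture, feed it frames taken from a switch monitor port (per VLAN, as Jeff notes) and look at anything marked SUSPECT whose MAC is on the authorized list: that is the "one true authorized MAC" with a private LAN hiding behind it.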

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.