Sign in with
Sign up | Sign in
Your question

Using Ethernet scans to locate WLAN APs ?

Last response: in Wireless Networking
Share
Anonymous
November 23, 2004 2:58:25 AM

Archived from groups: alt.internet.wireless (More info?)

I am working in a larger company, with quite a few branch offices, so
travelling around to scan for APs in not practical.

Is there any tools that can scan for APs using the ethernet ? I was
mostly thinking of scanning for MAC address-ranges that is known to be
used by WLAN equipment.

Other solutions:
Scan for HTTP servers - But will give many false positives, and if the
web interface is deactivated, or has been moved to another port it
will not work.

Looking for 192.168.x.y traffic would probably find WLAN bridges - but
would also give false positives.

Is there any - even half-good - solution that will work ?
Anonymous
November 23, 2004 10:47:06 AM

Archived from groups: alt.internet.wireless (More info?)

pope@my.terminal.dk (Povl H. Pedersen) wrote:
>Scan for HTTP servers - But will give many false positives, and if the
>web interface is deactivated, or has been moved to another port it
>will not work.

Even this won't help if a router is used, as the WWWeb interface shows
up on the LAN side, and you are looking at the WAN interface. In
fact, with MAC address cloning feature in nearly every cheap router
out there, even a fully locked down infrastructure won't work.

Policies, procedures, maybe a bounty on unauthorized network devices?

[Please note that if you're going to be restrictive, you also really
need to be very responsive to employees need for communications. If I
need a network widget to do my job and I'm looking at a 6-month
process and a VP signature, I'm more likely to buy a $50 router and
hide it in the ceiling. At my last full-time job the IT department
was the biggest hurdle to getting any work done... Why not set up
properly secured APs for your clients to use?]
Anonymous
November 23, 2004 1:04:54 PM

Archived from groups: alt.internet.wireless (More info?)

On 22 Nov 2004 23:58:25 -0800, pope@my.terminal.dk (Povl H. Pedersen)
wrote:

>I am working in a larger company, with quite a few branch offices, so
>travelling around to scan for APs in not practical.

Are you using any network management tools (OpenView, OpenNMS,
Unicenter TNG, Tivoli, etc). These will detect any new hardware on
the LAN through either LAN discovery or through "probes".

>Is there any tools that can scan for APs using the ethernet ? I was
>mostly thinking of scanning for MAC address-ranges that is known to be
>used by WLAN equipment.

Let's separate scanning and sniffing. I can scribble a simple scanner
script that uses arping (ping by MAC address) that scans through a
block of MAC addresses known to be used by commodity wireless
manufacturers. This has the potential of generating lots of useless
traffic, false positives, and missing a few manufacturers that don't
bother to register their MAC addresses with the IEEE. Let's just say
I'm not a big fan of scanning.
http://www.habets.pp.se/synscan/programs.php?prog=arpin...

Sniffing is done with aprwatch (or winarpwatch), which detects new MAC
addresses on the LAN.
http://www.habets.pp.se/synscan/programs.php?prog=arpin...
Most access points and wireless routers are noisy enough to belch
broadcasts that can be picked up throughout a switched LAN. Using
VLAN's may require sniffing at the switch through a monitor port.
Lots of other complications but methinks this would be a good start.

>Other solutions:
>Scan for HTTP servers - But will give many false positives, and if the
>web interface is deactivated, or has been moved to another port it
>will not work.

Scan by IP for web interfaces? If your LAN is running on 10.0.0.xxx
but your wireless access point has a management web server running on
192.168.1.1, you're not going to see the web server from the LAN. If
they're clever and use a router, but plugging the router WAN port into
your LAN, and network management from the WAN port is turned off (by
default), then you will also not see the web server. The only way it
can work is if the rogue access point or wireless router is
intentionally installed in a rather clumsy manner.

A rogue access point I missed was when a clever employee setup his
desktop XP box with a USB wireless client. The client was setup for
Ad-hoc (peer to peer) mode. XP was setup to bridge between the
ethernet port and the USB wireless card. Instant wireless bridge to
the network. He then could setup his laptop as Ad-hoc and connect.
Incidentally, this was done because he only had one wired ethernet
port in his office and IT came unglued when he dared to bring in a 4
port switch, which was designated as some kind of dangerous
unauthorized equipment. Anyway, I couldn't see the USB wireless cards
MAC address on the network, and my wireless sniffing didn't detect the
ad-hoc network. Netstumbler might have shown it, but we were using a
wireless client and Ethereal, which didn't. Neither sniffing or
scanning would have found this one.

>Looking for 192.168.x.y traffic would probably find WLAN bridges - but
>would also give false positives.
>
>Is there any - even half-good - solution that will work ?

Build a database of known devices on the LAN by MAC address. Use
arpwatch to detect new devices. Be prepared to deal with false
alarms. Use inventory control reports (Belarc Advisor) to dump
hardware and software lists to check for unauthorized software and
hardware.

--
Jeff Liebermann jeffl@comix.santa-cruz.ca.us
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 AE6KS 831-336-2558
Related resources
Anonymous
November 23, 2004 1:25:07 PM

Archived from groups: alt.internet.wireless (More info?)

Povl H. Pedersen wrote:

> I am working in a larger company, with quite a few branch offices, so
> travelling around to scan for APs in not practical.

> Is there any tools that can scan for APs using the ethernet ? I was
> mostly thinking of scanning for MAC address-ranges that is known to be
> used by WLAN equipment.

There may be some difficulties:

1. You have to be in the local collision domain to scan the MAC addresses.
2. Not all MAC address ranges for WLAN devices are published.

> Other solutions:
> Scan for HTTP servers - But will give many false positives, and if the
> web interface is deactivated, or has been moved to another port it
> will not work.

So it won't help you to be sure...

> Looking for 192.168.x.y traffic would probably find WLAN bridges - but
> would also give false positives.
>
> Is there any - even half-good - solution that will work ?

There are some ways to prevent the use of unauthorized access points:

1. Walk around and scan for them. (OK that may not be a good if the ways are
too long)

2. Use drones that cover the needed areas. You can buy some Linksys
WRT54G(S) router and place them all over the area. After installing OpenWRT
and the Kismet drone you can make them scan from a remote station.

3. Use managed switches. The administrator has to authorize every device in
the network than.

A real threat are Bluetooth bases access points. With their frequency
hopping they are very hard to find...

Thomas
Anonymous
November 23, 2004 2:58:43 PM

Archived from groups: alt.internet.wireless (More info?)

On 22 Nov 2004 23:58:25 -0800, Povl H. Pedersen spoketh

>I am working in a larger company, with quite a few branch offices, so
>travelling around to scan for APs in not practical.
>
>Is there any tools that can scan for APs using the ethernet ? I was
>mostly thinking of scanning for MAC address-ranges that is known to be
>used by WLAN equipment.
>
>Other solutions:
>Scan for HTTP servers - But will give many false positives, and if the
>web interface is deactivated, or has been moved to another port it
>will not work.
>
>Looking for 192.168.x.y traffic would probably find WLAN bridges - but
>would also give false positives.
>
>Is there any - even half-good - solution that will work ?

Well, might be able to get the MAC addresses of all the devices by doing
a "broadcast" ping on the LAN segment you're looking to investigate.
Your arp table should then list all the equipment in the office. Knowing
which is what is going to be a whole other story. You might be able to
get the manufacturer out of it, but there's still the question of what
is a NIC, what is a switch and what is a WAP... I.E. Linksys uses
00-0c-12 in the MAC addresses, and there's no way to tell which is
what...

The web-server scan would work better. The HTTP server on most cheap
WAPs can't be disabled (it's the only means of configuration), so if you
get a hit on port 80, it might be something that shouldn't be in the
office... If you can collect the IP addresses of devices from certain
manufacturers (i.e. Linksys, D-Link and Netgear), you can always
port-scan these IP addresses to see what ports are open, and then
investigate some of the more suspect ones further.

It's unlikely that someone would use a wireless router in the office, as
that would cause severe connectivity issues, but someone with the right
knowledge could still use this method, and that would be difficult for
you to spot.

If you got Active Directory deployed all around, and are using DHCP, you
can always check your DHCP leases and see if there's any funky devices
showing up there...

Lars M. Hansen
http://www.hansenonline.net
(replace 'badnews' with 'news' in e-mail address)
Anonymous
November 24, 2004 12:38:45 AM

Archived from groups: alt.internet.wireless (More info?)

Jeff Liebermann <jeffl@comix.santa-cruz.ca.us> wrote:
>Build a database of known devices on the LAN by MAC address.

Since most consumer grade routers have a MAC address cloning feature
specifically to get around these kinds of restrictions, you may not
catch a common workaround...
Anonymous
November 24, 2004 7:31:02 AM

Archived from groups: alt.internet.wireless (More info?)

On Tue, 23 Nov 2004 21:38:45 -0500, William P.N. Smith wrote:

>Jeff Liebermann <jeffl@comix.santa-cruz.ca.us> wrote:
>>Build a database of known devices on the LAN by MAC address.

>Since most consumer grade routers have a MAC address cloning feature
>specifically to get around these kinds of restrictions, you may not
>catch a common workaround...

Wrong. The MAC cloning feature allows cloning the MAC address of only
the WAN side port with that of the local "management" workstation.
This is primarily to circumvent authentication by MAC address as
practiced by some ISP's (i.e. Charter Cable). This cloned MAC address
does NOT appear on the LAN side traffic (because MAC address do not
propogate through routers). The MAC address of the LAN side switched
ethernet ports remain unchanged. Anyway, cloning the LAN side MAC
address with that of a workstation wouldn't work because we would end
up with two identical MAC addresses on the same LAN segment. Bad
idea.


Checking...from the status page of my office DI-614+

Device Information Firmware Version: 2.33 , 5 Jul 2004
LAN
MAC Address 00-40-05-CA-E0-42
IP Address 192.168.111.33
Subnet Mask 255.255.255.0
DHCP Server Enabled

WAN
MAC Address 00-40-05-CA-E0-43
Connection fixed IP
IP Address 63.198.98.51
Subnet Mask 255.255.255.248
Default Gateway 63.198.98.49
DNS 206.13.28.12 206.13.31.12

Wireless
MAC Address 00-40-05-C6-A0-E3
SSID LearnByDestroying
Channel 11
WEP 64 bits

In my case, the WAN side MAC address has NOT been cloned. I just did
a quick test of the cloning feature. Only the WAN side MAC address
changed.


--
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831.336.2558 voice http://www.LearnByDestroying.com
# jeffl@comix.santa-cruz.ca.us
# 831.421.6491 digital_pager jeffl@cruzio.com AE6KS
Anonymous
November 24, 2004 12:14:59 PM

Archived from groups: alt.internet.wireless (More info?)

Povl H. Pedersen wrote:

> I am working in a larger company, with quite a few branch offices, so
> travelling around to scan for APs in not practical.
>
> Is there any tools that can scan for APs using the ethernet ? I was
> mostly thinking of scanning for MAC address-ranges that is known to be
> used by WLAN equipment.
>
> Other solutions:
> Scan for HTTP servers - But will give many false positives, and if the
> web interface is deactivated, or has been moved to another port it
> will not work.
>
> Looking for 192.168.x.y traffic would probably find WLAN bridges - but
> would also give false positives.
>
> Is there any - even half-good - solution that will work ?
Have you thought of using SNMP and a network management app? Although
it is not a direct answer to the question, the results you get back for
an AP are different to those you get back for a wired connection and
so you should be able to tell the difference. You also get all the
MACs back. A good (and free) network management app is OpenNMS.

David
Anonymous
November 24, 2004 7:48:52 PM

Archived from groups: alt.internet.wireless (More info?)

Jeff Liebermann <jeffl@comix.santa-cruz.ca.us> wrote:
>William P.N. Smith wrote:
>>Jeff Liebermann <jeffl@comix.santa-cruz.ca.us> wrote:
>>>Build a database of known devices on the LAN by MAC address.

>>Since most consumer grade routers have a MAC address cloning feature
>>specifically to get around these kinds of restrictions, you may not
>>catch a common workaround...

>Wrong. The MAC cloning feature allows cloning the MAC address of only
>the WAN side port with that of the local "management" workstation.

Yeah, that's what I'm saying. If your LAN infrastructure watches for
"unauthorized" MAC addresses, I'll unplug my workstation, plug in a
router, clone the workstation's MAC address into the router, and plug
in my devices behind the router.
Anonymous
November 24, 2004 11:20:13 PM

Archived from groups: alt.internet.wireless (More info?)

In article <cc6cf183.0411222358.ad2f38@posting.google.com>, Povl H. Pedersen
wrote:

>I am working in a larger company, with quite a few branch offices, so
>travelling around to scan for APs in not practical.

As long as ALL of the users know it is forbidden to have an AP, the
sight of someone walking around the office with a laptop with WiFi
sniffer and a fighting axe generally gets their attention - the more
so if the axe has blood stains on the edge. Check with your legal
department, and see if it's OK with them.

>Is there any tools that can scan for APs using the ethernet ? I was
>mostly thinking of scanning for MAC address-ranges that is known to be
>used by WLAN equipment.

http://standards.ieee.org/regauth/oui/oui.txt

Not very practical, but possible. If you're on a switched network, putting
the sniffer ON the switch works best. If it's a managed switch, looking
at the ARP cache on the switch might provide clues.

>Other solutions:
>Scan for HTTP servers - But will give many false positives, and if the
>web interface is deactivated, or has been moved to another port it
>will not work.

[compton ~]$ whatis p0f nmap
p0f (1) - identify remote systems passively
nmap (1) - Network exploration tool and security scanner
[compton ~]$

http://lcamtuf.coredump.cx/p0f.shtml
http://www.insecure.org/nmap

Both tools are meant for a Unix environment, but both have windoze versions
if you are stuck on that platform. If you try to run nmap and don't notify
the (network) powers-that-be on the targeted network, you WILL cause some
brown stuff to hit the fan. It can be _VERY_ obvious, and might cause
firewall reactions.

>Looking for 192.168.x.y traffic would probably find WLAN bridges - but
>would also give false positives.

Depends on how clever the users are. Masquerading (NAT) can make it a bit
harder - though far from impossible to positively identify. Looking at MSS,
_source_ port numbers, window sizes, initial sequence numbers, TCP/IP flags
will very often spot the mickey. There are a number of documents that
describe how. Start with the p0f site. Or, do a google search for Xprobe
from ofir@sys-security.com (Ofir Arkin) and friends. The problem has existed
before, and has been solved many times.

Old guy
Anonymous
November 25, 2004 4:25:16 PM

Archived from groups: alt.internet.wireless (More info?)

On Wed, 24 Nov 2004 09:14:59 +0000, David Goodenough wrote:

> Povl H. Pedersen wrote:
>
>> I am working in a larger company, with quite a few branch offices, so
>> travelling around to scan for APs in not practical.
>>
>> Is there any tools that can scan for APs using the ethernet ? I was
>> mostly thinking of scanning for MAC address-ranges that is known to be
>> used by WLAN equipment.

If you have the patience (or software) to sort through MAC addresses
looking for wireless vendor IDs that could work.

We found one using "show cdp neighbors", but that only works if you're
running Cisco switches and your employees attach a Cisco AP.
Anonymous
November 25, 2004 9:53:25 PM

Archived from groups: alt.internet.wireless (More info?)

In article <m80aq0pcsnadoec06s1oa6rghuoijacd5p@4ax.com>, William P.N. Smith
wrote:

>If your LAN infrastructure watches for "unauthorized" MAC addresses,
>I'll unplug my workstation, plug in a router, clone the workstation's
>MAC address into the router, and plug in my devices behind the router.

That's pretty easy to spot. The passive fingerprinting tool I'm using
even has options of force other checks.

-M Deploy masquerade detection algorithm. The algorithm looks
over recent (cached) hits and looks for indications of mul-
tiple systems being behind a single gateway. This is useful
on routers and such to detect policy violations.

-T nn Set masquerade detection threshold at this value; only mean-
ingful with -M.

Networking was not invented yesterday, and these kind of things have been
tried over, and over, and...

Old guy
Anonymous
November 26, 2004 2:47:04 AM

Archived from groups: alt.internet.wireless (More info?)

On Wed, 24 Nov 2004 16:48:52 -0500, William P.N. Smith wrote:

>Jeff Liebermann <jeffl@comix.santa-cruz.ca.us> wrote:
>>William P.N. Smith wrote:
>>>Jeff Liebermann <jeffl@comix.santa-cruz.ca.us> wrote:
>>>>Build a database of known devices on the LAN by MAC address.
>
>>>Since most consumer grade routers have a MAC address cloning feature
>>>specifically to get around these kinds of restrictions, you may not
>>>catch a common workaround...
>
>>Wrong. The MAC cloning feature allows cloning the MAC address of only
>>the WAN side port with that of the local "management" workstation.

>Yeah, that's what I'm saying. If your LAN infrastructure watches for
>"unauthorized" MAC addresses, I'll unplug my workstation, plug in a
>router, clone the workstation's MAC address into the router, and plug
>in my devices behind the router.

Please re-read my posting. It doesn't work that way.

1. When one "clones" the MAC address in the routers configuration,
it's the WAN side MAC address that gets tweaked, not the LAN side.
The LAN side, which is what thou art sniffing, is very different than
the WAN side MAC address, and still has the original MAC address.
Note my dump of the DI-614+ status page which clearly shows that the
MAC addresses of the WAN and LAN sides of the router are different.

2. If it worked the way you describe (LAN side MAC address changes by
cloning the workstation MAC address), then you would end up with an
unworkable situation, where both the workstation and the router would
have identical MAC addresses, and therefore could not be distinguished
buy any known protocol.


--
Jeff Liebermann jeffl@comix.santa-cruz.ca.us
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 AE6KS 831-336-2558
Anonymous
November 26, 2004 12:24:06 PM

Archived from groups: alt.internet.wireless (More info?)

Jeff Liebermann <jeffl@comix.santa-cruz.ca.us> wrote:
>1. When one "clones" the MAC address in the routers configuration,
>it's the WAN side MAC address that gets tweaked

I suspect we're in violent agreement.

My scenario was to plug the WAN port of the router into the corporate
LAN, clone the authorized MAC address from the workstation into the
WAN MAC address on the router, and plug in my own devices to the LAN
ports on the router.

From the corporate LAN, you can't tell by {scanning, watching,
capturing} MAC addresses that I've got my own private LAN hiding
behind the one true authorized MAC address, though you may be able to
do traffic analysis to guess that there's something going on.

[OTOH, if I'm doing that, your IT department hasn't satisfied an IT
need, and if your IT department is clever enough to do traffic
analysis, why can't they satisfy my IT need? 8*]
Anonymous
November 26, 2004 2:33:12 PM

Archived from groups: alt.internet.wireless (More info?)

On Fri, 26 Nov 2004 09:24:06 -0500, William P.N. Smith wrote:

>Jeff Liebermann <jeffl@comix.santa-cruz.ca.us> wrote:
>>1. When one "clones" the MAC address in the routers configuration,
>>it's the WAN side MAC address that gets tweaked

>I suspect we're in violent agreement.

I just hate it what happens (when I agree with someone).

>My scenario was to plug the WAN port of the router into the corporate
>LAN, clone the authorized MAC address from the workstation into the
>WAN MAC address on the router, and plug in my own devices to the LAN
>ports on the router.

OK. I concede. Y'er right. If you do it that way, cloning the MAC
address of the workstation will only show the MAC address of the
workstation. However, there will be plenty of packets spewing from
behind this router that have the MAC addresses of other devices that
are attached. If one only uses the existing authorized corporate
workstation via wireless, then such an arrangement is undetectable.
However, hang additional devices on the LAN side, and they can usually
be detected.

Many years ago, one of the cable companies was trying to extort extra
revenue from users that hid multiple computers behind an NAT firewall.
Their forward thinking Terms of Servitude insisted on one machine per
cable modem and prohibited private networks. So, they turned over the
job to a telemarketting pool, who used some analysis tools to look at
sequence numbers and traffic patterns to determine how many machines
were hidden behind NAT. It turned out to be trivally easy and fairly
accurate. I don't have access to the tools, but I know the people
that wrote them. It's exactly the same problem as sniffing (or log
grovelling) the LAN for extra machines hiddent behind wireless.

Drivel: I have some weird stories about the history of "counting
eyeballs" as it was called in the movie industry, where the equivalent
of service providers were historically charging by the number of
people watching. I personally participated in a useless exercise to
restrict the number of viewers and views of early VCR's.

>From the corporate LAN, you can't tell by {scanning, watching,
>capturing} MAC addresses that I've got my own private LAN hiding
>behind the one true authorized MAC address, though you may be able to
>do traffic analysis to guess that there's something going on.

Well the usual method is signature analysis (Nessus and Nmap):
http://www.tenablesecurity.com/white_papers/wap-id-ness...

There was quite a bit of discussion on detecting computers behind NAT
firewalls in various mailing lists in about 1999. I'll do some
digging and see if I can find some specifics. I'm not too good on the
protocols and will probably screw something up if I core dump from
memory.

>[OTOH, if I'm doing that, your IT department hasn't satisfied an IT
>need, and if your IT department is clever enough to do traffic
>analysis, why can't they satisfy my IT need? 8*]

I don't know any IT department that has the time to look at log files
in depth or do proactive monitoring. They hire "security experts" to
do it for them. It's kinda like home termite exterminators. Every
time there's evidence of a problem, they call in the exterminators,
clean up the mess, repair the damage, and leave. A short time later,
it's back, so they call the exterminators again.

Incidentally, I've only been involved in about 5 "sweeps" for rogue
access points and wireless routers on corporate LAN's. In *ALL* 5
cases, the biggest offenders were found around mohogany row, where IT
doth tread lightly. I was hired by IT because I was essentially
fire-proof and have no fear of (or respect for) the corporate
hierarchy. However, only 1 of these 5 companies have asked me to
return or do other work, so I suspect my non-diplomatic style of
playing "security expert" is not a viable continuing business model.

Incidentally, one clown decided to use my method of getting what he
wanted from IT. If the problem is invisible, make it obvious. If the
problem isn't a crisis, create one. He installed a 300ft roll of CAT5
in his office on a plastic garden hose spool. Whenever he went into
the cube farm (office partition forest), he would drag the length of
wire behind his laptop. Needless to say, IT eventually delivered a
properly secured access point immediately after everyone, exept this
clown, complained about tripping over the cable and management
complained about the disruption it was causing.


--
Jeff Liebermann jeffl@comix.santa-cruz.ca.us
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 AE6KS 831-336-2558
Anonymous
November 26, 2004 4:03:38 PM

Archived from groups: alt.internet.wireless (More info?)

"Povl H. Pedersen" <pope@my.terminal.dk> wrote in message
news:cc6cf183.0411222358.ad2f38@posting.google.com...
| I am working in a larger company, with quite a few branch offices, so
| traveling around to scan for APs in not practical.
|
| Is there any tools that can scan for APs using the ethernet ? I was
| mostly thinking of scanning for MAC address-ranges that is known to be
| used by WLAN equipment.
|
| Other solutions:
| Scan for HTTP servers - But will give many false positives, and if the
| web interface is deactivated, or has been moved to another port it
| will not work.
|
| Looking for 192.168.x.y traffic would probably find WLAN bridges - but
| would also give false positives.
|
| Is there any - even half-good - solution that will work ?

Your company checks that the doors are locked every night and the cash
drawers are secure why not the same for your network. Have on site scans
planed periodically with unannounced clandestine spot checks. Assuming you
have a written policy on such devices gate any employee that violates the
rules.

There are ways to set up automated site scans but these are usually only
half way effective.
Anonymous
November 26, 2004 8:31:18 PM

Archived from groups: alt.internet.wireless (More info?)

Jeff Liebermann <jeffl@comix.santa-cruz.ca.us> wrote in message news:<3jteq0d7gaoboboriqgigrhn68ir05ph80@4ax.com>...

>
> OK. I concede. Y'er right. If you do it that way, cloning the MAC
> address of the workstation will only show the MAC address of the
> workstation. However, there will be plenty of packets spewing from
> behind this router that have the MAC addresses of other devices that
> are attached. If one only uses the existing authorized corporate
> workstation via wireless, then such an arrangement is undetectable.
> However, hang additional devices on the LAN side, and they can usually
> be detected.
>

Not exactly.

While a router is a router and a bridge is a bridge, a collision
domain is a collision domain...

We are talking layer two here, not layer three. Unless a device is
actually a layer two switch (and a low end router is not a layer two
switch it is a layer three switch) it will use the same MAC address
for all traffic passing thru it.

That is exactly why it is impossible for your cable company to know
for sure you have cloned the address of your PC, when you are sharing
your connection with multiple systems on the local LAN.
Anonymous
November 26, 2004 9:23:54 PM

Archived from groups: alt.internet.wireless (More info?)

Jeff Liebermann <jeffl@comix.santa-cruz.ca.us> wrote:
>William P.N. Smith wrote:
>>My scenario was to plug the WAN port of the router into the corporate
>>LAN, clone the authorized MAC address from the workstation into the
>>WAN MAC address on the router, and plug in my own devices to the LAN
>>ports on the router.
>
>OK. I concede. Y'er right. If you do it that way, cloning the MAC
>address of the workstation will only show the MAC address of the
>workstation. However, there will be plenty of packets spewing from
>behind this router that have the MAC addresses of other devices that
>are attached.

Ah, I didn't understand that the MAC addresses of the devices behind a
NAT router showed up on the WAN port. I need to do some more
research, thanks!
November 26, 2004 9:57:11 PM

Archived from groups: alt.internet.wireless (More info?)

"Povl H. Pedersen" <pope@my.terminal.dk> wrote in message
news:cc6cf183.0411222358.ad2f38@posting.google.com...
> I am working in a larger company, with quite a few branch offices, so
> travelling around to scan for APs in not practical.
>
> Is there any tools that can scan for APs using the ethernet ? I was
> mostly thinking of scanning for MAC address-ranges that is known to be
> used by WLAN equipment.
>
> Other solutions:
> Scan for HTTP servers - But will give many false positives, and if the
> web interface is deactivated, or has been moved to another port it
> will not work.
>
> Looking for 192.168.x.y traffic would probably find WLAN bridges - but
> would also give false positives.
>
> Is there any - even half-good - solution that will work ?

1. if you have some good ethernet switches then you can catch APs, but not
routers.

Set the switch to only allow a single MAC addess per port, but set it to
allow any address.

Now if they attach an AP, it works in the LAN, the AP MAC address is bound
to the port (since the AP will generate some traffic)- but no-one who
connects to the AP gets their traffic onto the network, since that needs the
extra MAC address to also get bound to the same switch port.

2. set up the network to use authentication - 802.1x? Then each device gets
logged into a central authentication system and you have an audit trail -
but you will need to have enough info on what shouldbe there to catch the
unauthorised stuff. The big drawback here is all those devices that dont
understand 802.1x....
--
Regards

Stephen Hope - return address needs fewer xxs
Anonymous
November 27, 2004 1:01:28 PM

Archived from groups: alt.internet.wireless (More info?)

On 26 Nov 2004 17:31:18 -0800, osiris@deltaville.net (Michael Erskine)
wrote:

>Jeff Liebermann <jeffl@comix.santa-cruz.ca.us> wrote in message news:<3jteq0d7gaoboboriqgigrhn68ir05ph80@4ax.com>...
>
>>
>> OK. I concede. Y'er right. If you do it that way, cloning the MAC
>> address of the workstation will only show the MAC address of the
>> workstation. However, there will be plenty of packets spewing from
>> behind this router that have the MAC addresses of other devices that
>> are attached. If one only uses the existing authorized corporate
>> workstation via wireless, then such an arrangement is undetectable.
>> However, hang additional devices on the LAN side, and they can usually
>> be detected.

>Not exactly.
>
>While a router is a router and a bridge is a bridge, a collision
>domain is a collision domain...
>
>We are talking layer two here, not layer three. Unless a device is
>actually a layer two switch (and a low end router is not a layer two
>switch it is a layer three switch) it will use the same MAC address
>for all traffic passing thru it.
>
>That is exactly why it is impossible for your cable company to know
>for sure you have cloned the address of your PC, when you are sharing
>your connection with multiple systems on the local LAN.

Absolutely correct. The source MAC address for everything coming from
the router has the MAC address of the routers WAN port in the header.
Notice I said the ethernet header. I think (as in I'm not quite sure)
that some layer 3 packets contain various MAC addresses in the
payload, not the header. I was thinking specifically of ARP requests
(broadcasts) that end up going through the router. I just read RFC826
and my head hurts. These certainly have MAC addresses in the payload,
but I'm no longer so sure that they will go through the router. Time
to do some sniffing on my LAN and check my guesswork (and sanity). I
may be totally wrong (not unusual).

My foggy brain also recalled the way one vendor (Comcast) was counting
computers behind NAT firewalls.
http://www.research.att.com/~smb/papers/fnat.pdf
http://www.sflow.org/detectNAT/
http://www.dslreports.com/shownews/27754
I'm not familiar with Sflow so please don't ask me how it works.
However, at first glance, it appears to be useful for detecting
machines behind NAT firewalls by tracking TCP ID numbers and measuring
variations in packet arrival times. Also, to the best of my limited
knowledge, Comcast is NOT the cable company that was counting users.

It turns out that such passive methods were not commonly used by the
cable broadband telemarketting pools of 6 years ago. They had a much
simpler scheme. Their main web site had some Java applet or Active-X
control that when run, would send them your local IP address.
Javascript and CGI will detect the WAN IP address. They also used MAC
address authentication. So every time someone connected to their web
site, they had a table of registered MAC address, WAN IP, and LAN IP.
No sniffing or log grovelling required. This is quite sufficient to
build table of computers behind an NAT firewall per customer.

I recall (but can't find the articles) demonstrating some of the
screwups, such as when vendors delivered routers where client IP's
started at 192.168.1.100. People were soon accused of having 100
machines behind their NAT firewall.

Anyway, the same technique can be used to "trap" users of hidden
routers on corporate LAN's. Hit the corporate main web page, web
mail, whatever, and Java or Active-X sends the local IP address or
something. It's a fairly good assumption that corporate users will
use their hidden machines for corporate business, and will regularly
hit a particular page. However, I don't know any corporation that's
admitted to doing this.


--
Jeff Liebermann jeffl@comix.santa-cruz.ca.us
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 AE6KS 831-336-2558
Anonymous
November 27, 2004 10:08:08 PM

Archived from groups: alt.internet.wireless (More info?)

In article <e59f93b2.0411261731.4d2c25d9@posting.google.com>,
Michael Erskine wrote:

>That is exactly why it is impossible for your cable company to know
>for sure you have cloned the address of your PC, when you are sharing
>your connection with multiple systems on the local LAN.

To say for sure - no, they have to come into your house and trace the
wires. To say beyond a reasonable doubt - piece of cake, and I am
surprised you think otherwise. Maybe you ought to dig up Fyodor's paper
on Remote OS detection via TCP/IP Stack FingerPrinting. It's a bit old,
and you can do a lot more passively now. Or look at the XProbe stuff
from Ofir Arkin. Remember, there is a lot more information in those
TCP, UDP, and IP headers that can be checked.

<Sat Nov 27 17:58:15 2004> 152.2.210.80:20 - Linux 2.4 in cluster ->
162.42.86.65:14364 (distance 21, link: ethernet/modem)

or can't you imagine how the tool identified that the remote host
is a cluster - while not even talking to a DNS server, never mind
being in a collision domain?.

Old guy
Anonymous
November 28, 2004 8:01:36 PM

Archived from groups: alt.internet.wireless (More info?)

Jeff Liebermann <jeffl@comix.santa-cruz.ca.us> wrote:
> http://www.sflow.org/detectNAT/

>I'm not familiar with Sflow so please don't ask me how it works.

Seems like it looks at TTL values, and notices that they are one less
than they "ought" to be, hence they passed thru a router...
!