Using Ethernet scans to locate WLAN APs ?

Archived from groups: alt.internet.wireless

I am working in a larger company, with quite a few branch offices, so
travelling around to scan for APs is not practical.

Are there any tools that can scan for APs using the ethernet? I was
mostly thinking of scanning for MAC address ranges that are known to be
used by WLAN equipment.

Other solutions:
Scan for HTTP servers - but this will give many false positives, and if the
web interface is deactivated or has been moved to another port it
will not work.

Looking for 192.168.x.y traffic would probably find WLAN bridges - but
would also give false positives.

Is there any - even half-good - solution that will work?
  1.

    pope@my.terminal.dk (Povl H. Pedersen) wrote:
    >Scan for HTTP servers - But will give many false positives, and if the
    >web interface is deactivated, or has been moved to another port it
    >will not work.

    Even this won't help if a router is used, as the WWWeb interface shows
    up on the LAN side, and you are looking at the WAN interface. In
    fact, with MAC address cloning feature in nearly every cheap router
    out there, even a fully locked down infrastructure won't work.

    Policies, procedures, maybe a bounty on unauthorized network devices?

    [Please note that if you're going to be restrictive, you also really
    need to be very responsive to employees' need for communications. If I
    need a network widget to do my job and I'm looking at a 6-month
    process and a VP signature, I'm more likely to buy a $50 router and
    hide it in the ceiling. At my last full-time job the IT department
    was the biggest hurdle to getting any work done... Why not set up
    properly secured APs for your clients to use?]
  2.

    On 22 Nov 2004 23:58:25 -0800, pope@my.terminal.dk (Povl H. Pedersen)
    wrote:

    >I am working in a larger company, with quite a few branch offices, so
    >travelling around to scan for APs is not practical.

    Are you using any network management tools (OpenView, OpenNMS,
    Unicenter TNG, Tivoli, etc). These will detect any new hardware on
    the LAN through either LAN discovery or through "probes".

    >Are there any tools that can scan for APs using the ethernet? I was
    >mostly thinking of scanning for MAC address ranges that are known to be
    >used by WLAN equipment.

    Let's separate scanning and sniffing. I can scribble a simple scanner
    script that uses arping (ping by MAC address) that scans through a
    block of MAC addresses known to be used by commodity wireless
    manufacturers. This has the potential of generating lots of useless
    traffic, false positives, and missing a few manufacturers that don't
    bother to register their MAC addresses with the IEEE. Let's just say
    I'm not a big fan of scanning.
    http://www.habets.pp.se/synscan/programs.php?prog=arping

    Sniffing is done with arpwatch (or winarpwatch), which detects new MAC
    addresses on the LAN.
    http://www.habets.pp.se/synscan/programs.php?prog=arping
    Most access points and wireless routers are noisy enough to belch
    broadcasts that can be picked up throughout a switched LAN. Using
    VLANs may require sniffing at the switch through a monitor port.
    Lots of other complications but methinks this would be a good start.

    >Other solutions:
    >Scan for HTTP servers - But will give many false positives, and if the
    >web interface is deactivated, or has been moved to another port it
    >will not work.

    Scan by IP for web interfaces? If your LAN is running on 10.0.0.xxx
    but your wireless access point has a management web server running on
    192.168.1.1, you're not going to see the web server from the LAN. If
    they're clever and use a router, but plugging the router WAN port into
    your LAN, and network management from the WAN port is turned off (by
    default), then you will also not see the web server. The only way it
    can work is if the rogue access point or wireless router is
    intentionally installed in a rather clumsy manner.

    A rogue access point I missed was when a clever employee set up his
    desktop XP box with a USB wireless client. The client was set up for
    Ad-hoc (peer to peer) mode. XP was set up to bridge between the
    ethernet port and the USB wireless card. Instant wireless bridge to
    the network. He then could set up his laptop as Ad-hoc and connect.
    Incidentally, this was done because he only had one wired ethernet
    port in his office and IT came unglued when he dared to bring in a 4
    port switch, which was designated as some kind of dangerous
    unauthorized equipment. Anyway, I couldn't see the USB wireless card's
    MAC address on the network, and my wireless sniffing didn't detect the
    ad-hoc network. Netstumbler might have shown it, but we were using a
    wireless client and Ethereal, which didn't. Neither sniffing nor
    scanning would have found this one.

    >Looking for 192.168.x.y traffic would probably find WLAN bridges - but
    >would also give false positives.
    >
    >Is there any - even half-good - solution that will work ?

    Build a database of known devices on the LAN by MAC address. Use
    arpwatch to detect new devices. Be prepared to deal with false
    alarms. Use inventory control reports (Belarc Advisor) to dump
    hardware and software lists to check for unauthorized software and
    hardware.

    --
    Jeff Liebermann jeffl@comix.santa-cruz.ca.us
    150 Felker St #D http://www.LearnByDestroying.com
    Santa Cruz CA 95060 AE6KS 831-336-2558
  3.

    Povl H. Pedersen wrote:

    > I am working in a larger company, with quite a few branch offices, so
    > travelling around to scan for APs is not practical.

    > Are there any tools that can scan for APs using the ethernet? I was
    > mostly thinking of scanning for MAC address ranges that are known to be
    > used by WLAN equipment.

    There may be some difficulties:

    1. You have to be in the local collision domain to scan the MAC addresses.
    2. Not all MAC address ranges for WLAN devices are published.

    > Other solutions:
    > Scan for HTTP servers - But will give many false positives, and if the
    > web interface is deactivated, or has been moved to another port it
    > will not work.

    So it won't help you to be sure...

    > Looking for 192.168.x.y traffic would probably find WLAN bridges - but
    > would also give false positives.
    >
    > Is there any - even half-good - solution that will work ?

    There are some ways to prevent the use of unauthorized access points:

    1. Walk around and scan for them. (OK, that may not be good if the ways are
    too long)

    2. Use drones that cover the needed areas. You can buy some Linksys
    WRT54G(S) routers and place them all over the area. After installing OpenWRT
    and the Kismet drone you can make them scan from a remote station.

    3. Use managed switches. The administrator has to authorize every device in
    the network then.

    A real threat is Bluetooth-based access points. With their frequency
    hopping they are very hard to find...

    Thomas
  4.

    On 22 Nov 2004 23:58:25 -0800, Povl H. Pedersen spoketh

    >I am working in a larger company, with quite a few branch offices, so
    >travelling around to scan for APs is not practical.
    >
    >Are there any tools that can scan for APs using the ethernet? I was
    >mostly thinking of scanning for MAC address ranges that are known to be
    >used by WLAN equipment.
    >
    >Other solutions:
    >Scan for HTTP servers - But will give many false positives, and if the
    >web interface is deactivated, or has been moved to another port it
    >will not work.
    >
    >Looking for 192.168.x.y traffic would probably find WLAN bridges - but
    >would also give false positives.
    >
    >Is there any - even half-good - solution that will work ?

    Well, might be able to get the MAC addresses of all the devices by doing
    a "broadcast" ping on the LAN segment you're looking to investigate.
    Your arp table should then list all the equipment in the office. Knowing
    which is what is going to be a whole other story. You might be able to
    get the manufacturer out of it, but there's still the question of what
    is a NIC, what is a switch and what is a WAP... E.g. Linksys uses
    00-0c-12 in the MAC addresses, and there's no way to tell which is
    what...

    The web-server scan would work better. The HTTP server on most cheap
    WAPs can't be disabled (it's the only means of configuration), so if you
    get a hit on port 80, it might be something that shouldn't be in the
    office... If you can collect the IP addresses of devices from certain
    manufacturers (e.g. Linksys, D-Link and Netgear), you can always
    port-scan these IP addresses to see what ports are open, and then
    investigate some of the more suspect ones further.

    It's unlikely that someone would use a wireless router in the office, as
    that would cause severe connectivity issues, but someone with the right
    knowledge could still use this method, and that would be difficult for
    you to spot.

    If you've got Active Directory deployed all around, and are using DHCP, you
    can always check your DHCP leases and see if there's any funky devices
    showing up there...

    Lars M. Hansen
    http://www.hansenonline.net
    (replace 'badnews' with 'news' in e-mail address)
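The inventory approach in Jeff Liebermann's and Lars M. Hansen's replies (broadcast ping, read the ARP table, diff it against a list of known devices, look up the OUI) can be scripted in a few dozen lines. The block below is an added example, not code from the thread, from arpwatch or from arping. The ARP dump, the baseline and the OUI table are constructed sample data; the two OUI prefixes are the ones that appear in the thread, and a real table would be parsed from the IEEE oui.txt file.

```python
"""Baseline-and-diff of LAN MAC addresses with OUI tagging.

Added example, not code from the thread or from arpwatch/arping. It takes an
`arp -an` dump (as produced after a broadcast ping), compares every resolved
MAC with a baseline of known devices, and tags newcomers whose OUI belongs to
a vendor that ships wireless gear. As the thread warns, a vendor OUI only says
who made the interface, not whether it sits in a WAP, a switch or a laptop, so
the result is a work list, not a verdict.
"""
import re

# Constructed OUI table. The two prefixes are the ones that appear in the
# thread (00-0c-12 quoted for Linksys, 00-40-05 from the DI-614+ status page).
WLAN_VENDOR_OUIS = {
    "00:0c:12": "Linksys",
    "00:40:05": "D-Link",
}

# Constructed baseline: the "database of known devices on the LAN by MAC
# address". Mixed notation on purpose, to show the normalization step.
BASELINE = {
    "00:11:22:33:44:55": "fileserver",
    "00-0C-12-AA-BB-01": "approved-linksys-wap",
}

# Constructed `arp -an` output; the <incomplete> entry never answered.
ARP_DUMP = """\
? (10.0.0.1) at 00:11:22:33:44:55 [ether] on eth0
? (10.0.0.7) at 00:0c:12:aa:bb:01 [ether] on eth0
? (10.0.0.42) at 00:40:05:ca:e0:43 [ether] on eth0
? (10.0.0.43) at 00:1b:21:00:00:09 [ether] on eth0
? (10.0.0.99) at <incomplete> on eth0
"""

ARP_LINE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]{17})", re.I)


def normalize_mac(mac):
    """Accept 00-0C-12-..., 00:0c:12:... or 000c12... and return lower-case colon form."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError("not a 48-bit MAC: %r" % mac)
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def oui_of(mac):
    """First three octets (the IEEE-assigned vendor prefix)."""
    return normalize_mac(mac)[:8]


def parse_arp_dump(text):
    """Return {mac: ip} for resolved entries; incomplete entries are skipped."""
    seen = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            seen[normalize_mac(m.group("mac"))] = m.group("ip")
    return seen


def classify_new_devices(arp_text, baseline=BASELINE, vendors=WLAN_VENDOR_OUIS):
    """Diff the ARP snapshot against the baseline.

    Returns a sorted list of (mac, ip, vendor_or_None) for MACs not in the
    baseline. vendor is set when the OUI is a known wireless-gear vendor; None
    means an OUI not in the table, which is still worth a look (unregistered
    or uncommon vendor) but carries a much higher false-positive rate.
    """
    baseline_macs = {normalize_mac(m) for m in baseline}
    findings = []
    for mac, ip in sorted(parse_arp_dump(arp_text).items()):
        if mac in baseline_macs:
            continue
        findings.append((mac, ip, vendors.get(oui_of(mac))))
    return findings


if __name__ == "__main__":
    for mac, ip, vendor in classify_new_devices(ARP_DUMP):
        tag = "WLAN vendor %s" % vendor if vendor else "OUI not in table"
        print("new device %s at %s: %s" % (mac, ip, tag))
```

Run it on a fresh dump after each broadcast ping and feed the findings into whatever ticketing the site uses; the baseline itself should be regenerated from approved inventory, not from the previous scan, or a rogue that sat still for one cycle becomes "known".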
  5.

    Jeff Liebermann <jeffl@comix.santa-cruz.ca.us> wrote:
    >Build a database of known devices on the LAN by MAC address.

    Since most consumer grade routers have a MAC address cloning feature
    specifically to get around these kinds of restrictions, you may not
    catch a common workaround...
  6.

    On Tue, 23 Nov 2004 21:38:45 -0500, William P.N. Smith wrote:

    >Jeff Liebermann <jeffl@comix.santa-cruz.ca.us> wrote:
    >>Build a database of known devices on the LAN by MAC address.

    >Since most consumer grade routers have a MAC address cloning feature
    >specifically to get around these kinds of restrictions, you may not
    >catch a common workaround...

    Wrong. The MAC cloning feature allows cloning the MAC address of only
    the WAN side port with that of the local "management" workstation.
    This is primarily to circumvent authentication by MAC address as
    practiced by some ISPs (e.g. Charter Cable). This cloned MAC address
    does NOT appear on the LAN side traffic (because MAC addresses do not
    propagate through routers). The MAC address of the LAN side switched
    ethernet ports remains unchanged. Anyway, cloning the LAN side MAC
    address with that of a workstation wouldn't work because we would end
    up with two identical MAC addresses on the same LAN segment. Bad
    idea.


    Checking...from the status page of my office DI-614+

    Device Information Firmware Version: 2.33 , 5 Jul 2004
    LAN
    MAC Address 00-40-05-CA-E0-42
    IP Address 192.168.111.33
    Subnet Mask 255.255.255.0
    DHCP Server Enabled

    WAN
    MAC Address 00-40-05-CA-E0-43
    Connection fixed IP
    IP Address 63.198.98.51
    Subnet Mask 255.255.255.248
    Default Gateway 63.198.98.49
    DNS 206.13.28.12 206.13.31.12

    Wireless
    MAC Address 00-40-05-C6-A0-E3
    SSID LearnByDestroying
    Channel 11
    WEP 64 bits

    In my case, the WAN side MAC address has NOT been cloned. I just did
    a quick test of the cloning feature. Only the WAN side MAC address
    changed.


    --
    # Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
    # 831.336.2558 voice http://www.LearnByDestroying.com
    # jeffl@comix.santa-cruz.ca.us
    # 831.421.6491 digital_pager jeffl@cruzio.com AE6KS
  7.

    Povl H. Pedersen wrote:

    > I am working in a larger company, with quite a few branch offices, so
    > travelling around to scan for APs is not practical.
    >
    > Are there any tools that can scan for APs using the ethernet? I was
    > mostly thinking of scanning for MAC address ranges that are known to be
    > used by WLAN equipment.
    >
    > Other solutions:
    > Scan for HTTP servers - But will give many false positives, and if the
    > web interface is deactivated, or has been moved to another port it
    > will not work.
    >
    > Looking for 192.168.x.y traffic would probably find WLAN bridges - but
    > would also give false positives.
    >
    > Is there any - even half-good - solution that will work ?
    Have you thought of using SNMP and a network management app? Although
    it is not a direct answer to the question, the results you get back for
    an AP are different to those you get back for a wired connection and
    so you should be able to tell the difference. You also get all the
    MACs back. A good (and free) network management app is OpenNMS.

    David
  8.

    Jeff Liebermann <jeffl@comix.santa-cruz.ca.us> wrote:
    >William P.N. Smith wrote:
    >>Jeff Liebermann <jeffl@comix.santa-cruz.ca.us> wrote:
    >>>Build a database of known devices on the LAN by MAC address.

    >>Since most consumer grade routers have a MAC address cloning feature
    >>specifically to get around these kinds of restrictions, you may not
    >>catch a common workaround...

    >Wrong. The MAC cloning feature allows cloning the MAC address of only
    >the WAN side port with that of the local "management" workstation.

    Yeah, that's what I'm saying. If your LAN infrastructure watches for
    "unauthorized" MAC addresses, I'll unplug my workstation, plug in a
    router, clone the workstation's MAC address into the router, and plug
    in my devices behind the router.
  9.

    In article <cc6cf183.0411222358.ad2f38@posting.google.com>, Povl H. Pedersen
    wrote:

    >I am working in a larger company, with quite a few branch offices, so
    >travelling around to scan for APs is not practical.

    As long as ALL of the users know it is forbidden to have an AP, the
    sight of someone walking around the office with a laptop with WiFi
    sniffer and a fighting axe generally gets their attention - the more
    so if the axe has blood stains on the edge. Check with your legal
    department, and see if it's OK with them.

    >Are there any tools that can scan for APs using the ethernet? I was
    >mostly thinking of scanning for MAC address ranges that are known to be
    >used by WLAN equipment.

    http://standards.ieee.org/regauth/oui/oui.txt

    Not very practical, but possible. If you're on a switched network, putting
    the sniffer ON the switch works best. If it's a managed switch, looking
    at the ARP cache on the switch might provide clues.

    >Other solutions:
    >Scan for HTTP servers - But will give many false positives, and if the
    >web interface is deactivated, or has been moved to another port it
    >will not work.

    [compton ~]$ whatis p0f nmap
    p0f (1) - identify remote systems passively
    nmap (1) - Network exploration tool and security scanner
    [compton ~]$

    http://lcamtuf.coredump.cx/p0f.shtml
    http://www.insecure.org/nmap

    Both tools are meant for a Unix environment, but both have windoze versions
    if you are stuck on that platform. If you try to run nmap and don't notify
    the (network) powers-that-be on the targeted network, you WILL cause some
    brown stuff to hit the fan. It can be _VERY_ obvious, and might cause
    firewall reactions.

    >Looking for 192.168.x.y traffic would probably find WLAN bridges - but
    >would also give false positives.

    Depends on how clever the users are. Masquerading (NAT) can make it a bit
    harder - though far from impossible to positively identify. Looking at MSS,
    _source_ port numbers, window sizes, initial sequence numbers, TCP/IP flags
    will very often spot the mickey. There are a number of documents that
    describe how. Start with the p0f site. Or, do a google search for Xprobe
    from ofir@sys-security.com (Ofir Arkin) and friends. The problem has existed
    before, and has been solved many times.

    Old guy
  10.

    On Wed, 24 Nov 2004 09:14:59 +0000, David Goodenough wrote:

    > Povl H. Pedersen wrote:
    >
    >> I am working in a larger company, with quite a few branch offices, so
    >> travelling around to scan for APs is not practical.
    >>
    >> Are there any tools that can scan for APs using the ethernet? I was
    >> mostly thinking of scanning for MAC address ranges that are known to be
    >> used by WLAN equipment.

    If you have the patience (or software) to sort through MAC addresses
    looking for wireless vendor IDs that could work.

    We found one using "show cdp neighbors", but that only works if you're
    running Cisco switches and your employees attach a Cisco AP.
  11.

    In article <m80aq0pcsnadoec06s1oa6rghuoijacd5p@4ax.com>, William P.N. Smith
    wrote:

    >If your LAN infrastructure watches for "unauthorized" MAC addresses,
    >I'll unplug my workstation, plug in a router, clone the workstation's
    >MAC address into the router, and plug in my devices behind the router.

    That's pretty easy to spot. The passive fingerprinting tool I'm using
    even has options to force other checks.

    -M Deploy masquerade detection algorithm. The algorithm looks
    over recent (cached) hits and looks for indications of multiple
    systems being behind a single gateway. This is useful
    on routers and such to detect policy violations.

    -T nn Set masquerade detection threshold at this value; only
    meaningful with -M.

    Networking was not invented yesterday, and these kind of things have been
    tried over, and over, and...

    Old guy
  12.

    On Wed, 24 Nov 2004 16:48:52 -0500, William P.N. Smith wrote:

    >Jeff Liebermann <jeffl@comix.santa-cruz.ca.us> wrote:
    >>William P.N. Smith wrote:
    >>>Jeff Liebermann <jeffl@comix.santa-cruz.ca.us> wrote:
    >>>>Build a database of known devices on the LAN by MAC address.
    >
    >>>Since most consumer grade routers have a MAC address cloning feature
    >>>specifically to get around these kinds of restrictions, you may not
    >>>catch a common workaround...
    >
    >>Wrong. The MAC cloning feature allows cloning the MAC address of only
    >>the WAN side port with that of the local "management" workstation.

    >Yeah, that's what I'm saying. If your LAN infrastructure watches for
    >"unauthorized" MAC addresses, I'll unplug my workstation, plug in a
    >router, clone the workstation's MAC address into the router, and plug
    >in my devices behind the router.

    Please re-read my posting. It doesn't work that way.

    1. When one "clones" the MAC address in the router's configuration,
    it's the WAN side MAC address that gets tweaked, not the LAN side.
    The LAN side, which is what thou art sniffing, is very different than
    the WAN side MAC address, and still has the original MAC address.
    Note my dump of the DI-614+ status page which clearly shows that the
    MAC addresses of the WAN and LAN sides of the router are different.

    2. If it worked the way you describe (LAN side MAC address changes by
    cloning the workstation MAC address), then you would end up with an
    unworkable situation, where both the workstation and the router would
    have identical MAC addresses, and therefore could not be distinguished
    by any known protocol.


    --
    Jeff Liebermann jeffl@comix.santa-cruz.ca.us
    150 Felker St #D http://www.LearnByDestroying.com
    Santa Cruz CA 95060 AE6KS 831-336-2558
  13.

    Jeff Liebermann <jeffl@comix.santa-cruz.ca.us> wrote:
    >1. When one "clones" the MAC address in the routers configuration,
    >it's the WAN side MAC address that gets tweaked

    I suspect we're in violent agreement.

    My scenario was to plug the WAN port of the router into the corporate
    LAN, clone the authorized MAC address from the workstation into the
    WAN MAC address on the router, and plug in my own devices to the LAN
    ports on the router.

    From the corporate LAN, you can't tell by {scanning, watching,
    capturing} MAC addresses that I've got my own private LAN hiding
    behind the one true authorized MAC address, though you may be able to
    do traffic analysis to guess that there's something going on.

    [OTOH, if I'm doing that, your IT department hasn't satisfied an IT
    need, and if your IT department is clever enough to do traffic
    analysis, why can't they satisfy my IT need? 8*]
  14.

    On Fri, 26 Nov 2004 09:24:06 -0500, William P.N. Smith wrote:

    >Jeff Liebermann <jeffl@comix.santa-cruz.ca.us> wrote:
    >>1. When one "clones" the MAC address in the routers configuration,
    >>it's the WAN side MAC address that gets tweaked

    >I suspect we're in violent agreement.

    I just hate it when that happens (when I agree with someone).

    >My scenario was to plug the WAN port of the router into the corporate
    >LAN, clone the authorized MAC address from the workstation into the
    >WAN MAC address on the router, and plug in my own devices to the LAN
    >ports on the router.

    OK. I concede. Y'er right. If you do it that way, cloning the MAC
    address of the workstation will only show the MAC address of the
    workstation. However, there will be plenty of packets spewing from
    behind this router that have the MAC addresses of other devices that
    are attached. If one only uses the existing authorized corporate
    workstation via wireless, then such an arrangement is undetectable.
    However, hang additional devices on the LAN side, and they can usually
    be detected.

    Many years ago, one of the cable companies was trying to extort extra
    revenue from users that hid multiple computers behind a NAT firewall.
    Their forward thinking Terms of Servitude insisted on one machine per
    cable modem and prohibited private networks. So, they turned over the
    job to a telemarketing pool, who used some analysis tools to look at
    sequence numbers and traffic patterns to determine how many machines
    were hidden behind NAT. It turned out to be trivially easy and fairly
    accurate. I don't have access to the tools, but I know the people
    that wrote them. It's exactly the same problem as sniffing (or log
    grovelling) the LAN for extra machines hidden behind wireless.

    Drivel: I have some weird stories about the history of "counting
    eyeballs" as it was called in the movie industry, where the equivalent
    of service providers were historically charging by the number of
    people watching. I personally participated in a useless exercise to
    restrict the number of viewers and views of early VCR's.

    >From the corporate LAN, you can't tell by {scanning, watching,
    >capturing} MAC addresses that I've got my own private LAN hiding
    >behind the one true authorized MAC address, though you may be able to
    >do traffic analysis to guess that there's something going on.

    Well the usual method is signature analysis (Nessus and Nmap):
    http://www.tenablesecurity.com/white_papers/wap-id-nessus.pdf

    There was quite a bit of discussion on detecting computers behind NAT
    firewalls in various mailing lists in about 1999. I'll do some
    digging and see if I can find some specifics. I'm not too good on the
    protocols and will probably screw something up if I core dump from
    memory.

    >[OTOH, if I'm doing that, your IT department hasn't satisfied an IT
    >need, and if your IT department is clever enough to do traffic
    >analysis, why can't they satisfy my IT need? 8*]

    I don't know any IT department that has the time to look at log files
    in depth or do proactive monitoring. They hire "security experts" to
    do it for them. It's kinda like home termite exterminators. Every
    time there's evidence of a problem, they call in the exterminators,
    clean up the mess, repair the damage, and leave. A short time later,
    it's back, so they call the exterminators again.

    Incidentally, I've only been involved in about 5 "sweeps" for rogue
    access points and wireless routers on corporate LAN's. In *ALL* 5
    cases, the biggest offenders were found around mahogany row, where IT
    doth tread lightly. I was hired by IT because I was essentially
    fire-proof and have no fear of (or respect for) the corporate
    hierarchy. However, only 1 of these 5 companies have asked me to
    return or do other work, so I suspect my non-diplomatic style of
    playing "security expert" is not a viable continuing business model.

    Incidentally, one clown decided to use my method of getting what he
    wanted from IT. If the problem is invisible, make it obvious. If the
    problem isn't a crisis, create one. He installed a 300ft roll of CAT5
    in his office on a plastic garden hose spool. Whenever he went into
    the cube farm (office partition forest), he would drag the length of
    wire behind his laptop. Needless to say, IT eventually delivered a
    properly secured access point immediately after everyone, except this
    clown, complained about tripping over the cable and management
    complained about the disruption it was causing.


    --
    Jeff Liebermann jeffl@comix.santa-cruz.ca.us
    150 Felker St #D http://www.LearnByDestroying.com
    Santa Cruz CA 95060 AE6KS 831-336-2558
  15.

    "Povl H. Pedersen" <pope@my.terminal.dk> wrote in message
    news:cc6cf183.0411222358.ad2f38@posting.google.com...
    | I am working in a larger company, with quite a few branch offices, so
    | traveling around to scan for APs is not practical.
    |
    | Are there any tools that can scan for APs using the ethernet? I was
    | mostly thinking of scanning for MAC address ranges that are known to be
    | used by WLAN equipment.
    |
    | Other solutions:
    | Scan for HTTP servers - But will give many false positives, and if the
    | web interface is deactivated, or has been moved to another port it
    | will not work.
    |
    | Looking for 192.168.x.y traffic would probably find WLAN bridges - but
    | would also give false positives.
    |
    | Is there any - even half-good - solution that will work ?

    Your company checks that the doors are locked every night and the cash
    drawers are secure; why not do the same for your network? Have on-site scans
    planned periodically with unannounced clandestine spot checks. Assuming you
    have a written policy on such devices, gate any employee that violates the
    rules.

    There are ways to set up automated site scans but these are usually only
    half way effective.
  16.

    Jeff Liebermann <jeffl@comix.santa-cruz.ca.us> wrote in message news:<3jteq0d7gaoboboriqgigrhn68ir05ph80@4ax.com>...

    >
    > OK. I concede. Y'er right. If you do it that way, cloning the MAC
    > address of the workstation will only show the MAC address of the
    > workstation. However, there will be plenty of packets spewing from
    > behind this router that have the MAC addresses of other devices that
    > are attached. If one only uses the existing authorized corporate
    > workstation via wireless, then such an arrangement is undetectable.
    > However, hang additional devices on the LAN side, and they can usually
    > be detected.
    >

    Not exactly.

    While a router is a router and a bridge is a bridge, a collision
    domain is a collision domain...

    We are talking layer two here, not layer three. Unless a device is
    actually a layer two switch (and a low end router is not a layer two
    switch it is a layer three switch) it will use the same MAC address
    for all traffic passing through it.

    That is exactly why it is impossible for your cable company to know
    for sure you have cloned the address of your PC, when you are sharing
    your connection with multiple systems on the local LAN.
  17.

    Jeff Liebermann <jeffl@comix.santa-cruz.ca.us> wrote:
    >William P.N. Smith wrote:
    >>My scenario was to plug the WAN port of the router into the corporate
    >>LAN, clone the authorized MAC address from the workstation into the
    >>WAN MAC address on the router, and plug in my own devices to the LAN
    >>ports on the router.
    >
    >OK. I concede. Y'er right. If you do it that way, cloning the MAC
    >address of the workstation will only show the MAC address of the
    >workstation. However, there will be plenty of packets spewing from
    >behind this router that have the MAC addresses of other devices that
    >are attached.

    Ah, I didn't understand that the MAC addresses of the devices behind a
    NAT router showed up on the WAN port. I need to do some more
    research, thanks!
  18.

    "Povl H. Pedersen" <pope@my.terminal.dk> wrote in message
    news:cc6cf183.0411222358.ad2f38@posting.google.com...
    > I am working in a larger company, with quite a few branch offices, so
    > travelling around to scan for APs is not practical.
    >
    > Are there any tools that can scan for APs using the ethernet? I was
    > mostly thinking of scanning for MAC address ranges that are known to be
    > used by WLAN equipment.
    >
    > Other solutions:
    > Scan for HTTP servers - But will give many false positives, and if the
    > web interface is deactivated, or has been moved to another port it
    > will not work.
    >
    > Looking for 192.168.x.y traffic would probably find WLAN bridges - but
    > would also give false positives.
    >
    > Is there any - even half-good - solution that will work ?

    1. If you have some good ethernet switches then you can catch APs, but not
    routers.

    Set the switch to only allow a single MAC address per port, but set it to
    allow any address.

    Now if they attach an AP, it works in the LAN, the AP MAC address is bound
    to the port (since the AP will generate some traffic) - but no-one who
    connects to the AP gets their traffic onto the network, since that needs the
    extra MAC address to also get bound to the same switch port.

    2. Set up the network to use authentication - 802.1X? Then each device gets
    logged into a central authentication system and you have an audit trail -
    but you will need to have enough info on what should be there to catch the
    unauthorised stuff. The big drawback here is all those devices that don't
    understand 802.1X....
    --
    Regards

    Stephen Hope - return address needs fewer xxs
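Why the one-MAC-per-port rule in Stephen Hope's reply catches a bridging access point but not a NAT router with a cloned WAN MAC is easiest to see by running the switch logic over both cases. The block below is an added model of that behaviour, not code from the thread and not any vendor's port-security implementation; the port name, MAC addresses and frame sequences are constructed.

```python
"""Model of 'maximum one dynamically learned MAC per switch port'.

Added example (not from the thread, not vendor code). Applies a first-MAC-wins
port-security rule to two constructed scenarios: a bridging AP, whose
wireless clients show up as extra source MACs and get blocked, and a NAT
router whose every forwarded frame carries its single (cloned) WAN MAC and
therefore never trips the limit.
"""
from collections import defaultdict


class PortSecuritySwitch:
    """Per-port sticky learning with a hard cap on distinct source MACs."""

    def __init__(self, max_macs_per_port=1):
        self.max_macs = max_macs_per_port
        self.learned = defaultdict(set)   # port -> learned source MACs
        self.violations = []              # (port, offending MAC)

    def ingress(self, port, src_mac):
        """Return 'forwarded' or 'violation' for one frame arriving on port."""
        macs = self.learned[port]
        if src_mac in macs:
            return "forwarded"
        if len(macs) < self.max_macs:
            macs.add(src_mac)             # first MAC(s) to speak own the port
            return "forwarded"
        self.violations.append((port, src_mac))
        return "violation"                # real switches drop or err-disable here


def run(frames, max_macs=1):
    """Feed (port, src_mac) frames through a fresh switch and summarize."""
    sw = PortSecuritySwitch(max_macs)
    outcomes = [sw.ingress(port, mac) for port, mac in frames]
    return {
        "forwarded": outcomes.count("forwarded"),
        "violations": outcomes.count("violation"),
        "blocked_macs": sorted({mac for _, mac in sw.violations}),
    }


# Constructed scenario A: a bridging AP on port Gi0/7. The AP itself talks
# first (DHCP, management), then two wireless clients try to reach the LAN.
BRIDGING_AP = [
    ("Gi0/7", "00:0c:12:aa:bb:01"),   # AP's own Ethernet MAC
    ("Gi0/7", "00:0c:12:aa:bb:01"),
    ("Gi0/7", "00:16:cb:11:11:11"),   # wireless client 1, bridged through
    ("Gi0/7", "00:16:cb:22:22:22"),   # wireless client 2
    ("Gi0/7", "00:16:cb:11:11:11"),
]

# Constructed scenario B: a NAT router on the same port, WAN MAC cloned from
# the workstation; the same clients sit behind it but are invisible at layer 2.
NAT_ROUTER = [("Gi0/7", "00:11:22:33:44:55")] * 5


if __name__ == "__main__":
    print("bridging AP :", run(BRIDGING_AP))
    print("NAT router  :", run(NAT_ROUTER))
```

The model also shows the operational cost the reply hints at: raising the cap to accommodate a legitimate desk switch (try `run(BRIDGING_AP, max_macs=3)`) lets the bridged clients through as well, so port security is a complement to 802.1X and inventory checks rather than a replacement.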
  19.

    On 26 Nov 2004 17:31:18 -0800, osiris@deltaville.net (Michael Erskine)
    wrote:

    >Jeff Liebermann <jeffl@comix.santa-cruz.ca.us> wrote in message news:<3jteq0d7gaoboboriqgigrhn68ir05ph80@4ax.com>...
    >
    >>
    >> OK. I concede. Y'er right. If you do it that way, cloning the MAC
    >> address of the workstation will only show the MAC address of the
    >> workstation. However, there will be plenty of packets spewing from
    >> behind this router that have the MAC addresses of other devices that
    >> are attached. If one only uses the existing authorized corporate
    >> workstation via wireless, then such an arrangement is undetectable.
    >> However, hang additional devices on the LAN side, and they can usually
    >> be detected.

    >Not exactly.
    >
    >While a router is a router and a bridge is a bridge, a collision
    >domain is a collision domain...
    >
    >We are talking layer two here, not layer three. Unless a device is
    >actually a layer two switch (and a low end router is not a layer two
    >switch it is a layer three switch) it will use the same MAC address
    >for all traffic passing thru it.
    >
    >That is exactly why it is impossible for your cable company to know
    >for sure you have cloned the address of your PC, when you are sharing
    >your connection with multiple systems on the local LAN.

    Absolutely correct. The source MAC address for everything coming from
    the router has the MAC address of the routers WAN port in the header.
    Notice I said the ethernet header. I think (as in I'm not quite sure)
    that some layer 3 packets contain various MAC addresses in the
    payload, not the header. I was thinking specifically of ARP requests
    (broadcasts) that end up going through the router. I just read RFC826
    and my head hurts. These certainly have MAC addresses in the payload,
    but I'm no longer so sure that they will go through the router. Time
    to do some sniffing on my LAN and check my guesswork (and sanity). I
    may be totally wrong (not unusual).

    My foggy brain also recalled the way one vendor (Comcast) was counting
    computers behind NAT firewalls.
    http://www.research.att.com/~smb/papers/fnat.pdf
    http://www.sflow.org/detectNAT/
    http://www.dslreports.com/shownews/27754
    I'm not familiar with Sflow so please don't ask me how it works.
    However, at first glance, it appears to be useful for detecting
    machines behind NAT firewalls by tracking TCP ID numbers and measuring
    variations in packet arrival times. Also, to the best of my limited
    knowledge, Comcast is NOT the cable company that was counting users.

    It turns out that such passive methods were not commonly used by the
    cable broadband telemarketing pools of 6 years ago. They had a much
    simpler scheme. Their main web site had some Java applet or ActiveX
    control that when run, would send them your local IP address.
    Javascript and CGI will detect the WAN IP address. They also used MAC
    address authentication. So every time someone connected to their web
    site, they had a table of registered MAC address, WAN IP, and LAN IP.
    No sniffing or log grovelling required. This is quite sufficient to
    build a table of computers behind a NAT firewall per customer.

    I recall (but can't find the articles) demonstrating some of the
    screwups, such as when vendors delivered routers where client IPs
    started at 192.168.1.100. People were soon accused of having 100
    machines behind their NAT firewall.

    Anyway, the same technique can be used to "trap" users of hidden
    routers on corporate LANs. Hit the corporate main web page, web
    mail, whatever, and Java or ActiveX sends the local IP address or
    something. It's a fairly good assumption that corporate users will
    use their hidden machines for corporate business, and will regularly
    hit a particular page. However, I don't know any corporation that's
    admitted to doing this.


    --
    Jeff Liebermann jeffl@comix.santa-cruz.ca.us
    150 Felker St #D http://www.LearnByDestroying.com
    Santa Cruz CA 95060 AE6KS 831-336-2558
  20. Archived from groups: alt.internet.wireless

    In article <e59f93b2.0411261731.4d2c25d9@posting.google.com>,
    Michael Erskine wrote:

    >That is exactly why it is impossible for your cable company to know
    >for sure you have cloned the address of your PC, when you are sharing
    >your connection with multiple systems on the local LAN.

    To say for sure - no, they have to come into your house and trace the
    wires. To say beyond a reasonable doubt - piece of cake, and I am
    surprised you think otherwise. Maybe you ought to dig up Fyodor's paper
    on Remote OS detection via TCP/IP Stack FingerPrinting. It's a bit old,
    and you can do a lot more passively now. Or look at the XProbe stuff
    from Ofir Arkin. Remember, there is a lot more information in those
    TCP, UDP, and IP headers that can be checked.

    <Sat Nov 27 17:58:15 2004> 152.2.210.80:20 - Linux 2.4 in cluster ->
    162.42.86.65:14364 (distance 21, link: ethernet/modem)

    or can't you imagine how the tool identified that the remote host
    is a cluster - while not even talking to a DNS server, never mind
    being in a collision domain?

    Old guy
  21. Archived from groups: alt.internet.wireless

    Jeff Liebermann <jeffl@comix.santa-cruz.ca.us> wrote:
    > http://www.sflow.org/detectNAT/

    >I'm not familiar with Sflow so please don't ask me how it works.

    Seems like it looks at TTL values, and notices that they are one less
    than they "ought" to be, hence they passed thru a router...
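An added example, not code from any of the posters, that shows the passive side discussed in posts 19, 20 and 21 running over a handful of packet records: TTL one below an OS default (a router hop was taken, the observation in the last reply), more than one independent IP ID counter behind a single source address (the counting technique in the Bellovin paper linked above, in a simplified greedy form), and more than one stack fingerprint (initial TTL plus TCP window, the kind of header detail p0f/Xprobe use) behind one address. The packet records are constructed; a real run would take them from a sniffer on the same segment as the suspect host. The hop test only means something when the sensor sits on the same layer-2 segment as the source, otherwise the corporate routers decrement the TTL too.

```python
"""Passive hidden-router/NAT hints from packet headers (added example)."""
from collections import defaultdict

INITIAL_TTLS = (32, 64, 128, 255)  # common OS default TTLs, ascending

# Constructed records: (src_ip, ip_ttl, ip_id, tcp_window), in capture order.
SAMPLE_PACKETS = [
    # 10.0.0.5: directly attached host, TTL still at its default, one counter
    ("10.0.0.5", 128, 1000, 65535),
    ("10.0.0.5", 128, 1001, 65535),
    ("10.0.0.5", 128, 1002, 65535),
    # 10.0.0.9: a hidden router's WAN address. TTL decremented once, and two
    # interleaved IP ID counters with two window sizes: two hosts behind it.
    ("10.0.0.9", 127, 5000, 65535),
    ("10.0.0.9", 63, 700, 5840),
    ("10.0.0.9", 127, 5001, 65535),
    ("10.0.0.9", 63, 701, 5840),
    ("10.0.0.9", 127, 5002, 65535),
    ("10.0.0.9", 63, 702, 5840),
]


def hops_from_ttl(ttl: int):
    """Return (assumed initial TTL, hops taken) for an observed TTL."""
    for init in INITIAL_TTLS:
        if ttl <= init:
            return init, init - ttl
    raise ValueError("TTL out of range: %d" % ttl)


def count_ipid_streams(ids, max_gap=50):
    """Greedy version of the IP ID counting idea: each ID joins the stream
    whose last ID is just below it (within max_gap), else opens a new stream.
    Caveat: stacks that randomize IP ID or keep per-destination counters
    hide hosts, and the 16-bit field wraps; treat the count as a hint."""
    streams = []  # last ID seen per stream
    for i in ids:
        best = None
        for k, last in enumerate(streams):
            if last < i <= last + max_gap and (best is None or streams[best] < last):
                best = k
        if best is None:
            streams.append(i)
        else:
            streams[best] = i
    return len(streams)


def analyze(packets):
    """Per source IP: hop count, IP ID stream count, distinct stack fingerprints."""
    by_ip = defaultdict(list)
    for p in packets:
        by_ip[p[0]].append(p)

    report = {}
    for ip, pkts in by_ip.items():
        hops = max(hops_from_ttl(p[1])[1] for p in pkts)
        fingerprints = {(hops_from_ttl(p[1])[0], p[3]) for p in pkts}
        streams = count_ipid_streams([p[2] for p in pkts])
        reasons = []
        if hops > 0:
            reasons.append("ttl-decremented")
        if streams > 1:
            reasons.append("multiple-ipid-streams")
        if len(fingerprints) > 1:
            reasons.append("multiple-stacks")
        report[ip] = {
            "hops": hops,
            "ipid_streams": streams,
            "stacks": len(fingerprints),
            "reasons": reasons,
            "nat_suspected": bool(reasons),
        }
    return report


if __name__ == "__main__":
    for ip, info in sorted(analyze(SAMPLE_PACKETS).items()):
        print(ip, "NAT?" if info["nat_suspected"] else "ok", info["reasons"])
```

None of the three signals is proof on its own: a host can set its own TTL, a single machine running virtual machines shows several stacks, and IP ID randomization removes the counters. Together they are the "beyond a reasonable doubt" case post 20 describes, and they work without ever talking to the suspect device.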