RE: MORE: Tools for Detecting Wireless APs - from the wire side.

From: ed d (ragdelaed@hotmail.com)
Date: Wed Jun 12 2002 - 16:26:09 EDT


1. we aren't worried about the client behind the ap, just the ap. kill the ap
and you remove the clients behind it.

2. per the cisco block of mac addresses and disparate devices, if you have
any rogue cisco devices, ap or not, wouldn't you want to know about it? and
isn't most cisco equipment static? most routers and switches aren't dhcp,
right?

3. if you disagree with the premise of using mac addresses, then how else do
you differentiate devices on a wire without signatures? what do you propose?

4. and if you take into account an earlier post about spoofing the mac
address, i think that would be the first modification i would make on a
rogue ap. i would probably find an old 3com nic, unused, and use that mac
address. what do you do then?

>From: "John Adams" <jadams@inktomi.com>
>To: ed d <ragdelaed@hotmail.com>
>CC: Jeffrey.Isherwood@rl.af.mil, <pen-test@securityfocus.com>
>Subject: RE: MORE: Tools for Detecting Wireless APs - from the wire side.
>Date: Tue, 11 Jun 2002 16:18:00 -0700 (PDT)
>
>On Tue, 11 Jun 2002, ed d wrote:
>
> > depending on how the clients in your network get their ip addresses, you
> > might be able to search through your dhcp logs and pull all of the ap mac
> > addresses.
> >
> > this discounts rogue aps with statics, but if i was to drop a rogue ap into
> > a network, i would probably turn on dhcp, then let it go.
>
>Ahh, but this is useless if the AP DHCPs an address and then NATs everyone
>on wireless.
>
> > a good site for mac address/vendor correlation is:
> > http://standards.ieee.org/regauth/oui/oui.txt
>
>I disagree with the entire "find them by Vendor MAC prefix to find APs"
>approach. Many vendors are assigned blocks of MAC prefixes (look at Cisco,
>for example) and share these blocks between disparate devices, both wired
>and wireless.
>
>--john
>
>--
>John Adams . Sr. Security Engineer . Inktomi Corporation
>
>
>
>----------------------------------------------------------------------------
>This list is provided by the SecurityFocus Security Intelligence Alert
>(SIA)
>Service. For more information on SecurityFocus' SIA service which
>automatically alerts you to the latest security vulnerabilities please see:
>https://alerts.securityfocus.com/




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:22 EDT
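
The DHCP-log and OUI approach debated in this thread, sketched as an added example that is not part of the original posts. The registry excerpt, vendor names, log lines, inventory and watch list are all constructed; the log layout assumes ISC dhcpd-style syslog output.

```python
import re

# Constructed excerpt in the layout of oui.txt; vendor names are placeholders.
OUI_TXT = ("00-AA-01   (hex)\t\tExample Wireless Co\n"
           "00-AA-02   (hex)\t\tExample Networks Inc\n"
           "00-AA-03   (hex)\t\tExample NIC Corp\n")

# Constructed ISC dhcpd-style syslog lines.
DHCP_LOG = """\
Jun 12 09:01:11 dhcp1 dhcpd: DHCPACK on 10.1.4.20 to 00:aa:03:10:20:30 via eth0
Jun 12 09:02:40 dhcp1 dhcpd: DHCPACK on 10.1.4.57 to 00:aa:01:de:ad:01 via eth0
Jun 12 09:05:02 dhcp1 dhcpd: DHCPACK on 10.1.4.58 to 00:AA:02:00:00:07 (core-sw) via eth0
Jun 12 09:07:13 dhcp1 dhcpd: DHCPACK on 10.1.4.57 to 00:aa:01:de:ad:01 via eth0
Jun 12 09:09:30 dhcp1 dhcpd: DHCPACK on 10.1.4.99 to 02:11:22:33:44:55 via eth0
"""

INVENTORY = {"00:aa:03:10:20:30"}   # hypothetical list of approved MACs
AP_VENDORS = {"Example Wireless Co", "Example Networks Inc"}  # hypothetical

OUI_RE = re.compile(r"^((?:[0-9A-F]{2}-){2}[0-9A-F]{2})\s+\(hex\)\s+(.+)$",
                    re.M | re.I)
ACK_RE = re.compile(r"DHCPACK on (\S+) to ((?:[0-9A-F]{2}:){5}[0-9A-F]{2})",
                    re.I)

def load_oui(text):
    """Map 'aa:bb:cc' prefixes to vendor names from oui.txt-style lines."""
    return {m.group(1).replace("-", ":").lower(): m.group(2).strip()
            for m in OUI_RE.finditer(text)}

def leases(log):
    """Return {mac: last leased ip}. Devices with static addresses never
    appear here, and a NATing AP shows up as a single lease."""
    return {m.group(2).lower(): m.group(1) for m in ACK_RE.finditer(log)}

def candidates(log, oui_text, inventory, ap_vendors):
    """List leased MACs missing from the inventory as (mac, ip, vendor, flag).
    The flag is a lead, not a verdict: vendors share prefix blocks across
    wired and wireless gear, and a MAC cloned from an inventoried NIC is
    skipped entirely."""
    oui = load_oui(oui_text)
    out = []
    for mac, ip in sorted(leases(log).items()):
        if mac in inventory:
            continue
        vendor = oui.get(mac[:8], "unregistered prefix")
        out.append((mac, ip, vendor, vendor in ap_vendors))
    return out

if __name__ == "__main__":
    for row in candidates(DHCP_LOG, OUI_TXT, INVENTORY, AP_VENDORS):
        print(row)
```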