RE: Identification of non Cisco AP's

From: Jonathan Gauntt (jon0966@yahoo.com)
Date: Thu Jul 28 2005 - 01:43:25 EDT


Unfortunately our network is in 46 states so the easiest I think from this
point on is to scan the network. I have nessus at home and will probably
fire that up on a vpn connection soon after the SuperScan results.

Our users are not extremely IT oriented so they have basically gone out from
time to time and purchased a non Cisco AP and plugged into the local LAN
grabbing an IP from DHCP.

I was required to deploy the Cisco Wireless Lan Solution Engine last month
and part of our HIPAA audit requires security measures.

So far I found an open AP in one of the practices so it's looking good.

Thank you,

Jonathan

-----Original Message-----
From: Chuck [mailto:chuck.lists@gmail.com]
Sent: Wednesday, July 27, 2005 9:04 AM
To: security-management@securityfocus.com; pen-test@securityfocus.com
Subject: Re: Identification of non Cisco AP's

I would guess that most of these access points would have ports 80
and/or 443 open for management. So you could get down to a short list
by scanning for those ports (assuming your network doesn't have a
whole bunch of other web servers). You could do this with nmap, if
that takes too long, with scanrand. Nmap can use a file full of
networks to scan with the -iL switch, so you don't have to scan the
whole Class A.

Then, when you have a list of systems with those ports open, you run a
little banner grabber script to do a HEAD or GET on each server and
you should be able to identify what they are from the Server: header.
If this doesn't give enough info, just pull up the page in a browser.

If they don't have a web interface available to your side of the
network (which would be the case if they are a home router/firewall/ap
type of device) you could try OS fingerprinting the network with nmap
or xprobe, but that will take a while and these devices probably won't
respond so that may not be easy. You may be able to identify these
devices by the fact that they don't respond, but you would have to
know the IP is in use from DHCP logs or traffic analysis. If there
are large enough broadcast domains or if you have IDSs deployed or are
using DHCP, you may be able to identify these devices by MAC
addresses, but again, most of these devices can spoof their MAC. In
short, it may be easier to wardrive/walk around your area if the
network is in one physical location.

Good luck.

Chuck

On 7/26/05, Jonathan Gauntt <jon0966@yahoo.com> wrote:
> Hi,
>
> I have been tasked with the project of scanning and identifying all non
> Cisco wireless access points within the company's network.
>
> We have about 800 /22 and /24 subnets, and because of the IP addressing
> scheme in place, might just be easier for me to scan the whole class A
range
> of IP's.
>
> I have access to Nessus and GFI Security Scanner. Since we over 8000 IP's
> in place, does anyone have any advice on the best way to identify these
non
> Cisco AP's such as Linksys and Netgear, etc.



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:39 EDT