Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-IDS
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Wired detection of rogue access points

from [Waters, Chris] Network Security [Permanent Link]
Subject: RE: Wired detection of rogue access points
Date: Wed, 21 Mar 2007 15:31:44 -0400 
Hi,

One of the things we have found is that the biggest obstacle to accurate 
scanning can be the other security products on the network. If you have host 
IPS or network IPS they can both block the scanning activity and so you end up 
with only the mac address to do classification with. The IPS is doing its job 
when it blocks the scanning traffic so the best thing to do is to white-list 
the IP address that RogueScanner is running from with the IPS.

The latest (2.2) release of RogueScanner includes DHCP based fingerprinting 
which adds a lot of accuracy. You need to be patient though since it can take 
24 hours or more to see DHCP traffic.

BTW, I am going to be at Shmoocon later this week and we will be showing off 
network scanning as part of the Shmoocon labs if anyone wants to drop by and 
see it in action.

Regards,

Chris Waters
CTO, PhD
Network Chemistry, Inc
cwaters@networkchemistry.com

-----Original Message-----
From: Hari Sekhon [mailto:hpsekhon@googlemail.com] 
Sent: Wednesday, March 21, 2007 12:02 PM
To: Waters, Chris; focus-ids@securityfocus.com
Subject: Re: Wired detection of rogue access points

I tried it out, and I understand what you are trying to do but my 
results where a fair way off, some were spot on, but a lot of others 
weren't. I know it's not an easy job to fingerprint in this way. 
Couldn't you leverage some Nmap work, since they have good and reliable 
fingerprints.

Also, there were so many wifi-suspect that I either would spend ages 
investigating everything or not at all (possibly the latter)

-h

Hari Sekhon



Chris Waters wrote:

Hi,

Every network device has some fingerprint in the way that it interacts
with the network. This includes things like the open ports, the
responses to probes on those ports, the operating system it is
running, the broadcast protocols is uses (DHCP, UPnP, CDP, IAPP, etc),
its MAC address, etc.

This fingerprint information can be used to uniquely identify
virtually every type of network device, assuming of course that you
have a database of the fingerprints for all the devices that might
exist on the network.

This is exactly how RogueScanner (roguescanner.networkchemistry.net)
works. It probes devices to determine their fingerprints as well as
looking at the packets that they broadcast onto the network. By using
lots of techniques together it is possible to accurately find and
classify all sorts of devices, including wifi routers which may using
firewalling and MAC address cloning to hide themselves.

Regards,

Chris Waters
CTO, PhD
Network Chemistry, Inc
cwaters@networkchemistry.com

On Mon, 2007-03-19 at 10:20 +0000, johnnywkm@gmail.com wrote:

Hello there,

Can anyone point me to a wired LAN scanner/sniffer that detects 
wireless access points connected to the LAN?



Doesn't look possible to me. You can detect wireless stuff but not
from cable side. There is a endless ways to hide it but you cannot
hide radio waves so easily.

   Tõnu



------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to 
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
 

to learn more.
------------------------------------------------------------------------

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to 
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
 
to learn more.
------------------------------------------------------------------------




------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to 
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
 
to learn more.
------------------------------------------------------------------------
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Wired detection of rogue access points, Hari Sekhon
Next by Date:  Re: Bittorrent - utorrent, scott
Previous by Thread:  Re: Wired detection of rogue access points, Hari Sekhon
Next by Thread:  Re: Wired detection of rogue access points, krymson
Indexes:  [Date] [Thread] [Top] [All Lists]