-----Original Message-----
From: Warren, John [mailto:John.B.Warren@txgt.com]
Sent: 19 April 2006 20:09
To: security-basics@securityfocus.com
Subject: Finding Wireless AP's on your network
What would be the best way to locate wireless devices on a
remote network? Some of these sites are hundreds of miles
away from me, so it's not feasible to detect them via normal
methods (i.e., airsnort, kismet, etc). Is there a way that I
can easily tell if one is plugged into one of the switches at
the remote location?
Given that an AP could be connected anywhere (even as an adapter onto an
existing host machine, creating a bridge), it's not too easy; couple of
suggestions :
1. Using a recent nmap (ramped down to avoid annoying anyone if your
links to remote site aren't large) with -sV (service/version detection)
and -O (operating system detection) should help as a start, depending on
the size of your network and the variety of kit you'd expect to see.
This should at least give you a start point. If run regularly you can
build up a pattern of what you would expect to see and generate reports
on things that haven't connected before.
2. If you're using DHCP to assign addresses on your network you could
check for unusual amounts of leases being assigned (e.g. to a single MAC
address)
3. Use SNMP or scripts to pull the data off your switches (if they're
managed) to dump CAM/MAC tables - e.g. use "show mac" or "show cam
dynamic" on Cisco kit.
The other suggestions (nessus, shipping out soekris boxes etc) are all
just as good; I don't think there's any easy way at the moment without
regular auditing of some kind.
HTH
Nick Besant
Communications on or through ioko's computer systems may be monitored or
recorded to secure effective system operation and for other lawful purposes.
Unless otherwise agreed expressly in writing, this communication is to be
treated as confidential and the information in it may not be used or disclosed
except for the purpose for which it has been sent. If you have reason to
believe that you are not the intended recipient of this communication, please
contact the sender immediately. No employee is authorised to conclude any
binding agreement on behalf of ioko with another party by e-mail without prior
express written confirmation.
ioko365 Ltd. VAT reg 656 2443 31. Reg no 3048367. All rights reserved.
-------------------------------------------------------------------------
This List Sponsored by: Webroot
Don't leave your confidential company and customer records un-protected.
Try Webroot's Spy Sweeper Enterprise(TM) for 30 days for FREE with no
obligation. See why so many companies trust Spy Sweeper Enterprise to
eradicate spyware from their networks.
FREE 30-Day Trial of Spy Sweeper Enterprise
http://www.webroot.com/forms/enterprise_lead.php
--------------------------------------------------------------------------
