Networking Forums

Networking Forums > Wireless Networking > Wireless Internet > check ?

Martin!
      04-28-2005, 07:46 AM
imagine a company network with a few hundred computers connected. is it
possible to check if somewhere someone connected an AP to this network ??

many thanks

martin
 
chris
      04-28-2005, 12:29 PM
In article <d4q4d8$p51$(E-Mail Removed)>, Martin!
<(E-Mail Removed)> wrote:

> imagine a company network with a few hundred computers connected. is it
> possible to check if somewhere someone connected an AP to this network ??


You could periodically wander around running something like NetStumbler
and see what it finds. (Although it won't show anything with the SSID
Broadcast disabled, I believe Kismet under Linux or OS X will)
 
Martin!
      04-28-2005, 12:34 PM
chris wrote:

> In article <d4q4d8$p51$(E-Mail Removed)>, Martin!
> <(E-Mail Removed)> wrote:
>
>
>>imagine a company network with a few hundred computers connected. is it
>>possible to check if somewhere someone connected an AP to this network ??

>
>
> You could periodically wander around running something like NetStumbler
> and see what it finds. (Although it won't show anything with the SSID
> Broadcast disabled, I believe Kismet under Linux or OS X will)



i was actually looking for some kind of network probe. not that i am too
lazy to get out of my chair, but the network may contain several VPN's
and thus some computers may be on the other side of the planet.
 
Jeff Liebermann
      04-28-2005, 05:50 PM
On Thu, 28 Apr 2005 09:46:43 +0200, "Martin!"
<(E-Mail Removed)> wrote:

>imagine a company network with a few hundred computers connected. is it
>possible to check if somewhere someone connected an AP to this network ??


I don't know if this is applicable, but AirSnare might be worth a try.
http://home.comcast.net/~jay.deboer/airsnare/
It looks for new MAC addresses on the network. Methinks it will work
through your VPN, but I'm not sure.


--
Jeff Liebermann (E-Mail Removed)
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 AE6KS 831-336-2558
 
Martin!
      04-28-2005, 06:20 PM
Jeff Liebermann wrote:

> On Thu, 28 Apr 2005 09:46:43 +0200, "Martin!"
> <(E-Mail Removed)> wrote:
>
>
>>imagine a company network with a few hundred computers connected. is it
>>possible to check if somewhere someone connected an AP to this network ??

>
>
> I don't know if this is applicable, but AirSnare might be worth a try.
> http://home.comcast.net/~jay.deboer/airsnare/
> It looks for new MAC addresses on the network. Methinks it will work
> through your VPN, but I'm not sure.
>
>



it looks interesting ! i will check it for sure
thanks
 
Moe Trin
      04-28-2005, 11:54 PM
In article <d4ql97$ifu$(E-Mail Removed)>, Martin! wrote:

>chris wrote:
>
>> In article <d4q4d8$p51$(E-Mail Removed)>, Martin!
>> <(E-Mail Removed)> wrote:


>>>imagine a company network with a few hundred computers connected. is it
>>>possible to check if somewhere someone connected an AP to this network ??


Depends on the skills of the antagonist.

>> You could periodically wander around running something like NetStumbler
>> and see what it finds.


The FIRST step is to see that the _published_ company policy says that
adding such stuff is a no-no (see your legal advisor). Next, you make sure
that everyone is aware of the policy (ideally, they sign a copy of the
policy and return that to HR), and you have prominent signs at all entries
reminding people of this. Then do the walk-through, carrying an appropriate
sniffer and a two handed broad sword. Putting severed heads on pikes at the
entrance to the facility usually acts to reinforce the message, especially
if an explanatory sign is attached ("I ran an unauthorized access point",
along with the more common "I got caught surfing pr0n sites", "I clicked
on a virus link" or "I forgot my password") - you get the idea.

>i was actually looking for some kind of network probe. not that i am too
>lazy to get out of my chair, but the network may contain several VPN's
>and thus some computers may be on the other side of the planet.


Much harder to do (though still possible). Best solution is to have
dedicated PCs set up as "Big Brother" monitors, sniffing traffic on the
local wires (use the 'monitor port' on switches). The two tools you need
are a hardware address monitor (such as 'arpwatch') to notice unknown
systems. Monitor the hardware addresses against a list of known authorized
systems, and look for the MAC addresses of wireless gear. The second
tool is a passive fingerprinting tool (such as p0f) used in the
masquerade detection mode (watch packets out of each host for consistency
and indications of more than one real host behind a single MAC address).

Didn't this get discussed recently? Yeah, look in this newsgroup
(alt.internet.wireless) for a thread "Using Ethernet scans to locate WLAN
APs ?" back in late November 2004.

Old guy

 
chris
      04-29-2005, 12:05 AM

In article <d4ql97$ifu$(E-Mail Removed)>, Martin!
<(E-Mail Removed)> wrote:

> but the network may contain several VPN's
> and thus some computers may be on the other side of the planet.


ROAD TRIP!!!

What, your boss won't approve periodic travel to check for rogue WAPs?!?

:-)


-chris
 
Martin!
      04-29-2005, 09:34 AM

>>but the network may contain several VPN's
>>and thus some computers may be on the other side of the planet.

>
>
> ROAD TRIP!!!
>
> What, your boss won't approve periodic travel to check for rogue WAPs?!?
>


i like that ! you mind if i use you as a qualified reference to
reinforce my request to travel scan the planet in 8888 days ?

lol
 
Martin!
      04-29-2005, 09:42 AM
Moe Trin wrote:

> In article <d4ql97$ifu$(E-Mail Removed)>, Martin! wrote:
>
>
>>chris wrote:
>>
>>
>>>In article <d4q4d8$p51$(E-Mail Removed)>, Martin!
>>><(E-Mail Removed)> wrote:

>
>
>>>>imagine a company network with a few hundred computers connected. is it
>>>>possible to check if somewhere someone connected an AP to this network ??

>
>
> Depends on the skills of the antagonist.
>


maybe i should advise my boss to hire less clever people.

>
>>>You could periodically wander around running something like NetStumbler
>>>and see what it finds.

>
>
> The FIRST step is to see that the _published_ company policy says that
> adding such stuff is a no-no (see your legal advisor). Next, you make sure
> that everyone is aware of the policy (ideally, they sign a copy of the
> policy and return that to HR), and you have prominent signs at all entries
> reminding people of this. Then do the walk-through, carrying an appropriate
> sniffer and a two handed broad sword. Putting severed heads on pikes at the
> entrance to the facility usually acts to reinforce the message, especially
> if an explanatory sign is attached ("I ran an unauthorized access point",
> along with the more common "I got caught surfing pr0n sites", "I clicked
> on a virus link" or "I forgot my password") - you get the idea.
>


i like that too, problem is that my boss has reserved the role of god
for himself in this company and hired me to be one of his angels.

>
>>i was actually looking for some kind of network probe. not that i am too
>>lazy to get out of my chair, but the network may contain several VPN's
>>and thus some computers may be on the other side of the planet.

>
>
> Much harder to do (though still possible). Best solution is to have
> dedicated PCs set up as "Big Brother" monitors, sniffing traffic on the
> local wires (use the 'monitor port' on switches). The two tools you need
> are a hardware address monitor (such as 'arpwatch') to notice unknown
> systems. Monitor the hardware addresses against a list of known authorized
> systems, and look for the MAC addresses of wireless gear. The second
> tool is a passive fingerprinting tool (such as p0f) used in the
> masquerade detection mode (watch packets out of each host for consistency
> and indications of more than one real host behind a single MAC address).
>


i'll check that !

> Didn't this get discussed recently? Yeah, look in this newsgroup
> (alt.internet.wireless) for a thread "Using Ethernet scans to locate WLAN
> APs ?" back in late November 2004.
>


i'll check that too !

> Old guy
>


if i could i would help you out here, but aging problems are not my
expertise. sorry.

thanks!
 
William P. N. Smith
      04-29-2005, 01:52 PM
"Martin!" <(E-Mail Removed)> wrote:
>imagine a company network with a few hundred computers connected. is it
>possible to check if somewhere someone connected an AP to this network ??


Probably the zeroth question is "Do you have a canonical list of (MAC
addresses of) authorized equipment, and do you keep it up to date?".
If you don't know what's (supposed to be) on your network, you're
never going to detect unauthorized equipment of any kind, much less
rogue APs.

It might be better for everyone involved if you made it easy for
people to request authorized, properly secured APs from the IT
department. Then they wouldn't be tempted to go behind your back and
set up rogue ones just to get their jobs done.

Sure, you can look for MAC addresses, compare them against a list of
(supposed) AP vendors, and maybe detect some potential APs, but with
every SOHO router on the planet supporting MAC address cloning, you
really aren't going to get very far.
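
The wired-side checks discussed in this thread (inventory comparison, wireless-vendor MAC prefixes, and signs of more than one host behind a single MAC), sketched as an added example that is not part of any post above and is not the logic of arpwatch or p0f. All MAC addresses, the OUI prefix, the OS guesses and the `audit` function are constructed for illustration; it assumes a monitor port already yields (MAC, TTL, OS guess) tuples.

```python
from collections import defaultdict

# Constructed sample data: all MACs, OUIs and fingerprints below are made up.
AUTHORIZED = {                       # canonical inventory: MAC -> role
    "00:11:22:aa:00:01": "host",
    "00:11:22:aa:00:02": "host",
    "00:11:22:aa:00:fe": "router",   # known gateway, expected to forward
}
WIRELESS_OUIS = {"02:ab:cd"}         # placeholder prefix list for AP vendors
INITIAL_TTLS = (64, 128, 255)        # common initial TTL values

# (source MAC, observed IP TTL, passive OS guess) as seen on the monitor port
OBSERVATIONS = [
    ("00:11:22:aa:00:01", 128, "Windows"),
    ("00:11:22:aa:00:01", 128, "Windows"),
    ("00:11:22:aa:00:02", 64, "Linux"),     # cloned MAC fronting a SOHO router
    ("00:11:22:aa:00:02", 127, "Windows"),  # TTL already decremented once
    ("00:11:22:aa:00:02", 63, "Linux"),
    ("02:ab:cd:12:34:56", 64, "Linux"),     # unknown device, wireless OUI
    ("00:11:22:aa:00:fe", 57, "Linux"),     # routed traffic via the gateway
]

def audit(observations, authorized, wireless_ouis):
    """Return {mac: sorted list of findings} for every MAC with a finding."""
    seen = defaultdict(lambda: {"ttls": set(), "oses": set()})
    for mac, ttl, os_guess in observations:
        mac = mac.lower()
        seen[mac]["ttls"].add(ttl)
        seen[mac]["oses"].add(os_guess)

    findings = defaultdict(set)
    for mac, info in seen.items():
        role = authorized.get(mac)
        if role is None:
            findings[mac].add("unknown-mac")
        if mac[:8] in wireless_ouis:
            findings[mac].add("wireless-oui")
        if role == "router":
            continue                 # forwarding is this device's job
        # A host on the local wire emits packets at an initial TTL; a lower
        # value means something behind this MAC forwarded the packet.
        if any(t not in INITIAL_TTLS for t in info["ttls"]):
            findings[mac].add("forwarded-ttl")
        if len(info["oses"]) > 1:
            findings[mac].add("multiple-os")
    return {mac: sorted(f) for mac, f in findings.items()}

if __name__ == "__main__":
    for mac, flags in sorted(audit(OBSERVATIONS, AUTHORIZED, WIRELESS_OUIS).items()):
        print(mac, ", ".join(flags))
```

The cloned-MAC case passes the inventory and OUI checks and is caught only by the TTL and OS-consistency checks, which is why the prefix list alone does not get very far.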

 