Networking Forums

Using Ethernet scans to locate WLAN APs ?

Povl H. Pedersen
      11-23-2004, 06:58 AM
I am working in a larger company, with quite a few branch offices, so
travelling around to scan for APs is not practical.

Are there any tools that can scan for APs using the ethernet? I was
mostly thinking of scanning for MAC address ranges that are known to be
used by WLAN equipment.

Other solutions:
Scan for HTTP servers - but this will give many false positives, and if the
web interface is deactivated or has been moved to another port it
will not work.

Looking for 192.168.x.y traffic would probably find WLAN bridges - but
would also give false positives.

Is there any - even half-good - solution that will work?
 
Thomas Krüger
      11-23-2004, 08:25 AM
Povl H. Pedersen wrote:

> I am working in a larger company, with quite a few branch offices, so
> travelling around to scan for APs is not practical.


> Are there any tools that can scan for APs using the ethernet? I was
> mostly thinking of scanning for MAC address ranges that are known to be
> used by WLAN equipment.


There may be some difficulties:

1. You have to be in the local collision domain to scan the MAC addresses.
2. Not all MAC address ranges for WLAN devices are published.

> Other solutions:
> Scan for HTTP servers - but this will give many false positives, and if the
> web interface is deactivated or has been moved to another port it
> will not work.


So it won't help you to be sure...

> Looking for 192.168.x.y traffic would probably find WLAN bridges - but
> would also give false positives.
>
> Is there any - even half-good - solution that will work?


There are some ways to prevent the use of unauthorized access points:

1. Walk around and scan for them. (OK, that may not be good if the distances
are too long.)

2. Use drones that cover the needed areas. You can buy some Linksys
WRT54G(S) router and place them all over the area. After installing OpenWRT
and the Kismet drone you can make them scan from a remote station.

3. Use managed switches. The administrator then has to authorize every device
in the network.

A real threat is Bluetooth-based access points. With their frequency
hopping they are very hard to find...

Thomas
 
William P.N. Smith
      11-23-2004, 11:47 AM
(E-Mail Removed) (Povl H. Pedersen) wrote:
>Scan for HTTP servers - but this will give many false positives, and if the
>web interface is deactivated or has been moved to another port it
>will not work.


Even this won't help if a router is used, as the WWWeb interface shows
up on the LAN side, and you are looking at the WAN interface. In
fact, with MAC address cloning feature in nearly every cheap router
out there, even a fully locked down infrastructure won't work.

Policies, procedures, maybe a bounty on unauthorized network devices?

[Please note that if you're going to be restrictive, you also really
need to be very responsive to employees' need for communications. If I
need a network widget to do my job and I'm looking at a 6-month
process and a VP signature, I'm more likely to buy a $50 router and
hide it in the ceiling. At my last full-time job the IT department
was the biggest hurdle to getting any work done... Why not set up
properly secured APs for your clients to use?]

 
Lars M. Hansen
      11-23-2004, 03:58 PM
On 22 Nov 2004 23:58:25 -0800, Povl H. Pedersen spoketh

>I am working in a larger company, with quite a few branch offices, so
>travelling around to scan for APs is not practical.
>
>Are there any tools that can scan for APs using the ethernet? I was
>mostly thinking of scanning for MAC address ranges that are known to be
>used by WLAN equipment.
>
>Other solutions:
>Scan for HTTP servers - but this will give many false positives, and if the
>web interface is deactivated or has been moved to another port it
>will not work.
>
>Looking for 192.168.x.y traffic would probably find WLAN bridges - but
>would also give false positives.
>
>Is there any - even half-good - solution that will work?


Well, you might be able to get the MAC addresses of all the devices by doing
a "broadcast" ping on the LAN segment you're looking to investigate.
Your arp table should then list all the equipment in the office. Knowing
which is what is going to be a whole other story. You might be able to
get the manufacturer out of it, but there's still the question of what
is a NIC, what is a switch and what is a WAP... E.g., Linksys uses
00-0c-12 in the MAC addresses, and there's no way to tell which is
what...

The web-server scan would work better. The HTTP server on most cheap
WAPs can't be disabled (it's the only means of configuration), so if you
get a hit on port 80, it might be something that shouldn't be in the
office... If you can collect the IP addresses of devices from certain
manufacturers (e.g. Linksys, D-Link and Netgear), you can always
port-scan these IP addresses to see what ports are open, and then
investigate some of the more suspect ones further.

It's unlikely that someone would use a wireless router in the office, as
that would cause severe connectivity issues, but someone with the right
knowledge could still use this method, and that would be difficult for
you to spot.

If you've got Active Directory deployed all around, and are using DHCP, you
can always check your DHCP leases and see if there's any funky devices
showing up there...

Lars M. Hansen
http://www.hansenonline.net
(replace 'badnews' with 'news' in e-mail address)
 
Jeff Liebermann
      11-23-2004, 05:04 PM
On 22 Nov 2004 23:58:25 -0800, (E-Mail Removed) (Povl H. Pedersen)
wrote:

>I am working in a larger company, with quite a few branch offices, so
>travelling around to scan for APs is not practical.


Are you using any network management tools (OpenView, OpenNMS,
Unicenter TNG, Tivoli, etc.)? These will detect any new hardware on
the LAN through either LAN discovery or through "probes".

>Are there any tools that can scan for APs using the ethernet? I was
>mostly thinking of scanning for MAC address ranges that are known to be
>used by WLAN equipment.


Let's separate scanning and sniffing. I can scribble a simple scanner
script that uses arping (ping by MAC address) that scans through a
block of MAC addresses known to be used by commodity wireless
manufacturers. This has the potential of generating lots of useless
traffic, false positives, and missing a few manufacturers that don't
bother to register their MAC addresses with the IEEE. Let's just say
I'm not a big fan of scanning.
http://www.habets.pp.se/synscan/prog...hp?prog=arping

Sniffing is done with arpwatch (or winarpwatch), which detects new MAC
addresses on the LAN.
http://www.habets.pp.se/synscan/prog...hp?prog=arping
Most access points and wireless routers are noisy enough to belch
broadcasts that can be picked up throughout a switched LAN. Using
VLANs may require sniffing at the switch through a monitor port.
Lots of other complications but methinks this would be a good start.

>Other solutions:
>Scan for HTTP servers - but this will give many false positives, and if the
>web interface is deactivated or has been moved to another port it
>will not work.


Scan by IP for web interfaces? If your LAN is running on 10.0.0.xxx
but your wireless access point has a management web server running on
192.168.1.1, you're not going to see the web server from the LAN. If
they're clever and use a router, but plugging the router WAN port into
your LAN, and network management from the WAN port is turned off (by
default), then you will also not see the web server. The only way it
can work is if the rogue access point or wireless router is
intentionally installed in a rather clumsy manner.

A rogue access point I missed was when a clever employee set up his
desktop XP box with a USB wireless client. The client was set up for
Ad-hoc (peer to peer) mode. XP was set up to bridge between the
ethernet port and the USB wireless card. Instant wireless bridge to
the network. He then could set up his laptop as Ad-hoc and connect.
Incidentally, this was done because he only had one wired ethernet
port in his office and IT came unglued when he dared to bring in a 4
port switch, which was designated as some kind of dangerous
unauthorized equipment. Anyway, I couldn't see the USB wireless card's
MAC address on the network, and my wireless sniffing didn't detect the
ad-hoc network. Netstumbler might have shown it, but we were using a
wireless client and Ethereal, which didn't. Neither sniffing nor
scanning would have found this one.

>Looking for 192.168.x.y traffic would probably find WLAN bridges - but
>would also give false positives.
>
>Is there any - even half-good - solution that will work?


Build a database of known devices on the LAN by MAC address. Use
arpwatch to detect new devices. Be prepared to deal with false
alarms. Use inventory control reports (Belarc Advisor) to dump
hardware and software lists to check for unauthorized software and
hardware.

--
Jeff Liebermann (E-Mail Removed)
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 AE6KS 831-336-2558
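Lars's broadcast-ping-then-ARP-table idea and Jeff's "database of known devices" idea, combined into one sweep. This is an added example, not code from the thread: the ARP lines and the baseline MAC set are constructed, the two-entry OUI table holds only the Linksys prefix Lars cites and the prefix on the D-Link DI-614+ Jeff pastes later, and a real run would load the IEEE oui.txt file instead.

```python
import re
from ipaddress import ip_address

# Constructed sample of ARP-cache lines, as a broadcast ping followed by
# "arp -a" might leave them. Not captured from a real network.
SAMPLE_ARP = """\
? (10.0.0.1) at 00:50:56:11:22:33 [ether] on eth0
? (10.0.0.21) at 00:0c:12:4a:9b:01 [ether] on eth0
? (10.0.0.22) at 00-40-05-CA-E0-42 [ether] on eth0
? (10.0.0.23) at 00:1e:c2:77:88:99 [ether] on eth0
"""

# Baseline from the previous sweep (the known-device database). Constructed.
KNOWN_MACS = {"00:50:56:11:22:33", "00:1e:c2:77:88:99"}

# Tiny OUI table: 00-0c-12 is the Linksys prefix named in the thread, 00-40-05
# the prefix on the DI-614+ status page. Load the full IEEE oui.txt for real use.
WLAN_VENDOR_OUIS = {"00:0c:12": "Linksys", "00:40:05": "D-Link"}

# An IPv4 address followed, somewhere on the same line, by a MAC in : or - form.
LINE_RE = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3}).*?([0-9a-f]{2}(?:[:-][0-9a-f]{2}){5})", re.I)

def parse_arp(text):
    """Return {mac: ip} from an arp/ip-neigh style dump, MACs as aa:bb:cc:dd:ee:ff."""
    found = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            found[m.group(2).lower().replace("-", ":")] = m.group(1)
    return found

def triage(arp_text, known_macs, vendor_ouis):
    """Label each MAC 'known', 'new' or 'new-wlan-vendor:<name>'.
    A vendor hit is only a lead: one OUI covers NICs, switches and APs alike."""
    report = []
    for mac, ip in sorted(parse_arp(arp_text).items(), key=lambda kv: ip_address(kv[1])):
        if mac in known_macs:
            status = "known"
        elif mac[:8] in vendor_ouis:
            status = "new-wlan-vendor:" + vendor_ouis[mac[:8]]
        else:
            status = "new"
        report.append((ip, mac, status))
    return report

if __name__ == "__main__":
    for ip, mac, status in triage(SAMPLE_ARP, KNOWN_MACS, WLAN_VENDOR_OUIS):
        print(f"{ip:<12} {mac}  {status}")
```

Anything labelled "new" still needs a human to decide whether it is a NIC, a switch or an AP, which is exactly the gap the posts describe.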
 
William P.N. Smith
      11-24-2004, 01:38 AM
Jeff Liebermann <(E-Mail Removed)> wrote:
>Build a database of known devices on the LAN by MAC address.


Since most consumer grade routers have a MAC address cloning feature
specifically to get around these kinds of restrictions, you may not
catch a common workaround...

 
Jeff Liebermann
      11-24-2004, 03:31 AM
On Tue, 23 Nov 2004 21:38:45 -0500, William P.N. Smith wrote:

>Jeff Liebermann <(E-Mail Removed)> wrote:
>>Build a database of known devices on the LAN by MAC address.


>Since most consumer grade routers have a MAC address cloning feature
>specifically to get around these kinds of restrictions, you may not
>catch a common workaround...


Wrong. The MAC cloning feature allows cloning the MAC address of only
the WAN side port with that of the local "management" workstation.
This is primarily to circumvent authentication by MAC address as
practiced by some ISPs (e.g. Charter Cable). This cloned MAC address
does NOT appear on the LAN side traffic (because MAC addresses do not
propagate through routers). The MAC addresses of the LAN side switched
ethernet ports remain unchanged. Anyway, cloning the LAN side MAC
address with that of a workstation wouldn't work because we would end
up with two identical MAC addresses on the same LAN segment. Bad
idea.


Checking...from the status page of my office DI-614+

Device Information Firmware Version: 2.33 , 5 Jul 2004
LAN
MAC Address 00-40-05-CA-E0-42
IP Address 192.168.111.33
Subnet Mask 255.255.255.0
DHCP Server Enabled

WAN
MAC Address 00-40-05-CA-E0-43
Connection fixed IP
IP Address 63.198.98.51
Subnet Mask 255.255.255.248
Default Gateway 63.198.98.49
DNS 206.13.28.12 206.13.31.12

Wireless
MAC Address 00-40-05-C6-A0-E3
SSID LearnByDestroying
Channel 11
WEP 64 bits

In my case, the WAN side MAC address has NOT been cloned. I just did
a quick test of the cloning feature. Only the WAN side MAC address
changed.


--
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831.336.2558 voice http://www.LearnByDestroying.com
# (E-Mail Removed)
# 831.421.6491 digital_pager (E-Mail Removed) AE6KS
 
David Goodenough
      11-24-2004, 08:14 AM
Povl H. Pedersen wrote:

> I am working in a larger company, with quite a few branch offices, so
> travelling around to scan for APs is not practical.
>
> Are there any tools that can scan for APs using the ethernet? I was
> mostly thinking of scanning for MAC address ranges that are known to be
> used by WLAN equipment.
>
> Other solutions:
> Scan for HTTP servers - but this will give many false positives, and if the
> web interface is deactivated or has been moved to another port it
> will not work.
>
> Looking for 192.168.x.y traffic would probably find WLAN bridges - but
> would also give false positives.
>
> Is there any - even half-good - solution that will work?

Have you thought of using SNMP and a network management app? Although
it is not a direct answer to the question, the results you get back for
an AP are different to those you get back for a wired connection and
so you should be able to tell the difference. You also get all the
MACs back. A good (and free) network management app is OpenNMS.

David
 
William P.N. Smith
      11-24-2004, 08:48 PM
Jeff Liebermann <(E-Mail Removed)> wrote:
>William P.N. Smith wrote:
>>Jeff Liebermann <(E-Mail Removed)> wrote:
>>>Build a database of known devices on the LAN by MAC address.


>>Since most consumer grade routers have a MAC address cloning feature
>>specifically to get around these kinds of restrictions, you may not
>>catch a common workaround...


>Wrong. The MAC cloning feature allows cloning the MAC address of only
>the WAN side port with that of the local "management" workstation.


Yeah, that's what I'm saying. If your LAN infrastructure watches for
"unauthorized" MAC addresses, I'll unplug my workstation, plug in a
router, clone the workstation's MAC address into the router, and plug
in my devices behind the router.

 
Moe Trin
      11-25-2004, 01:20 AM
In article <(E-Mail Removed)>, Povl H. Pedersen
wrote:

>I am working in a larger company, with quite a few branch offices, so
>travelling around to scan for APs is not practical.


As long as ALL of the users know it is forbidden to have an AP, the
sight of someone walking around the office with a laptop with WiFi
sniffer and a fighting axe generally gets their attention - the more
so if the axe has blood stains on the edge. Check with your legal
department, and see if it's OK with them.

>Are there any tools that can scan for APs using the ethernet? I was
>mostly thinking of scanning for MAC address ranges that are known to be
>used by WLAN equipment.


http://standards.ieee.org/regauth/oui/oui.txt

Not very practical, but possible. If you're on a switched network, putting
the sniffer ON the switch works best. If it's a managed switch, looking
at the ARP cache on the switch might provide clues.

>Other solutions:
>Scan for HTTP servers - but this will give many false positives, and if the
>web interface is deactivated or has been moved to another port it
>will not work.


[compton ~]$ whatis p0f nmap
p0f (1) - identify remote systems passively
nmap (1) - Network exploration tool and security scanner
[compton ~]$

http://lcamtuf.coredump.cx/p0f.shtml
http://www.insecure.org/nmap

Both tools are meant for a Unix environment, but both have windoze versions
if you are stuck on that platform. If you try to run nmap and don't notify
the (network) powers-that-be on the targeted network, you WILL cause some
brown stuff to hit the fan. It can be _VERY_ obvious, and might cause
firewall reactions.

>Looking for 192.168.x.y traffic would probably find WLAN bridges - but
>would also give false positives.


Depends on how clever the users are. Masquerading (NAT) can make it a bit
harder - though far from impossible to positively identify. Looking at MSS,
_source_ port numbers, window sizes, initial sequence numbers, TCP/IP flags
will very often spot the mickey. There are a number of documents that
describe how. Start with the p0f site. Or, do a google search for Xprobe
from (E-Mail Removed) (Ofir Arkin) and friends. The problem has existed
before, and has been solved many times.

Old guy

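The passive NAT check in the post above, as an added example that is not from the thread: group sniffed SYNs by source address and look for more than one TCP stack signature (window size, MSS, DF flag) or more than one independent source-port counter behind a single IP, which is what a router or bridge with several hosts behind it looks like. The SYN records are constructed, the 64-port step and the chosen field set are assumptions, and a hit is a lead to investigate, not proof.

```python
from collections import defaultdict

# Constructed SYN observations (time, src_ip, src_port, window, mss, df) as a
# passive sniffer on the segment might record them. Not real captures.
# 10.0.0.22 shows two different stack signatures and two interleaved
# source-port counters, i.e. two hosts sharing one address.
SAMPLE_SYNS = [
    (1.0, "10.0.0.21", 1025, 65535, 1460, True),
    (1.2, "10.0.0.21", 1026, 65535, 1460, True),
    (1.4, "10.0.0.22", 1040, 65535, 1460, True),
    (1.5, "10.0.0.22", 32770, 5840, 1460, True),
    (1.6, "10.0.0.22", 1041, 65535, 1460, True),
    (1.7, "10.0.0.22", 32771, 5840, 1460, True),
    (1.9, "10.0.0.21", 1027, 65535, 1460, True),
]

def signature(syn):
    """The per-stack fields the post names: window size, MSS and the DF flag."""
    _, _, _, window, mss, df = syn
    return (window, mss, df)

def port_streams(ports, max_step=64):
    """Count the ascending source-port counters needed to explain a port
    sequence: a port that is not a small step above an open counter starts
    a new one. One well-behaved host gives 1; two hosts behind NAT give 2."""
    streams = []
    for p in ports:
        for i, last in enumerate(streams):
            if 0 < p - last <= max_step:
                streams[i] = p
                break
        else:
            streams.append(p)
    return len(streams)

def nat_suspects(syns, min_streams=2):
    """Return {ip: evidence} for addresses that look like more than one host."""
    by_ip = defaultdict(list)
    for syn in sorted(syns):            # time order, so port counters read naturally
        by_ip[syn[1]].append(syn)
    result = {}
    for ip, obs in by_ip.items():
        sigs = {signature(s) for s in obs}
        streams = port_streams([s[2] for s in obs])
        if len(sigs) > 1 or streams >= min_streams:
            result[ip] = {"signatures": len(sigs), "port_streams": streams}
    return result
```

A host that reboots mid-capture or runs a second stack in a VM will also trip the port-counter rule, so treat the output as a short list to look at, not an alarm.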