Thread: Detecting Rogue Access Points
View Single Post
Old 01-19-2005   #14 (permalink)
streaker69
Psychic Amish Stumbler
 
streaker69's Avatar
 
Join Date: Jul 2004
Location: Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
Posts: 11,915
Quote:
Originally Posted by The Others
Now, i don't want to throw an Access Point shaped spanner in the works, but...

The above suggestions are all fantastic ways of hunting down an 802.11b/g access point. I'm only concerned that finding an 802.11a access point will not be possible. Also note that people can easily evade a NetStumbler setup by disabling SSID broadcasts.

I like Streaker69's idea of using airsnare, but, be warned, setting up a list of friendly MAC addresses will take you an age; it took me long enough to to my house setup. I dont know any details, but, I'm sure there must be a commercial, easier, option available. After all, you only need to capture MAC addresses of equipment on your LAN. Note, spoofing a MAC address is very easy, especially on access points and routers that usually have a web based interface to do so. With this in mind, an airsnare or similar based approach will fall flat on it's face.
True enough, but do you think the Suits in there are gonna be spoofing an address? Even so, what address are they gonna spoof? One that already exists on the network? You can't have two devices with the same MAC on the same network, at least that's what I always learned. I may be wrong, but what would happen if two machines with the same MAC show up? I know a few years ago, we were tracking down why a Netware network kept crashing and we found out that two nics had the same MAC on the LAN. They were cheap cards from japan and apparently all the cards from this one company had the same MAC.

My idea was just a thought, and it could be used to supplement other plans as well. Using Solarwinds Engineering tools, I can ping sweep an entire network in a few seconds and get all MAC's of all machines connected. You run it at various times during the week/day and you'd eventually get all the MAC's. Once you have the list, compare all of them to the OUI list to make sure it's a brand your company purchased, if your company has a standard list of hardware that's purchased it wouldn't be tough to track down a rogue device.

I'm just throwing out ideas.
__________________
Treat your gun like your genitals, only whip it out when it's absolutely necessary.
streaker69 is offline   Reply With Quote