Security ?

infinisource · 08-30-2006

Here is my setup...

Cisco 350 AP
Windows 2003 AD Domain

All wireless devices must authenticate using WEP and be authenticated against AD using P-eap.

I have setup my certificate authority on the AD Domain, DHCP is running, the clients that need wireless access are in a security group on the domain and have dial-in permission.

The authenticated clients are not the problem... my problem is someone outside of my network is trying to gain access, of course they can't so far because they need a cert., group membership, dial-in access... I have their mac address, what other kind of information can I get from this device and how would I do that?

Basically I am trying to get information on a rouge client. Does this make sense? Any thoughts, ideas or suggestions would greatly be appreciated.

Thanks, Paul

streaker69 · 08-30-2006

AirSnare or Airsnort will both gather more information about what that particular Luser is attempting against your system.

King_Ice_Flash · 08-30-2006

A 12 gauge is usually a pretty good deterrent. Wakes up the sleepers in the cubicle next to you pretty well also.

infinisource · 08-30-2006

Danke! I will check out both utilities... and if all else fails the shotgun will have to do I suppose

streaker69 · 08-30-2006

Keep in mind, that during your investigation you may find it's just a machine that's just trying to connect, because someone attempted it once and it may not actualy be a real attempt.

Have you checked your logs to show that they're actually trying to authenticate agains your AD? If they've gotten that far, then they've already cracked your WEP.

infinisource · 08-30-2006

Yeah I've checked the IAS Logs and no attempt has been made to authenticate against AD yet.

streaker69 · 08-30-2006

Quote:

Originally Posted by infinisource

Yeah I've checked the IAS Logs and no attempt has been made to authenticate against AD yet.

So you're just seeing attempts against the router as they attempt various WEP keys. Your SSID is not a common one right?

And you've checked the MAC against the list of MAC's that are actually allowed on your network, so that it isn't a machine that can't connect because someone erased the WEP key?

After all, a good Network Admin knows the MAC's of every single device that's allowed to be on the network.

infinisource · 08-30-2006

Yeah it's not one of the mac's that I allow. My ssid is not the default cisco ssid, that was one of the first things I changed when the AP was setup.

streaker69 · 08-30-2006

Quote:

Originally Posted by infinisource

Yeah it's not one of the mac's that I allow. My ssid is not the default cisco ssid, that was one of the first things I changed when the AP was setup.

Are you near any Apt. complexes or homes or anything?

King_Ice_Flash · 08-30-2006

Or is the SSID SST-Page Ranking-1

DA DA DAAAAAAAAA!

infinisource · 08-30-2006

yeah there are several AP's that are close by, but the one mac address that is trying to connect isn't the same MAC address as the AP's that are around.

streaker69 · 08-30-2006

Quote:

Originally Posted by infinisource

yeah there are several AP's that are close by, but the one mac address that is trying to connect isn't the same MAC address as the AP's that are around.

You're not going to detect client machines unless you're using Kismet.

beakmyn · 08-30-2006

Quote:

Originally Posted by infinisource

yeah there are several AP's that are close by, but the one mac address that is trying to connect isn't the same MAC address as the AP's that are around.

Right but with kismet you could see if that MAC is a client on the other APs which might shed some light on who is doing it.

streaker69 · 08-30-2006

Quote:

Originally Posted by King_Ice_Flash

Or is the SSID SST-Page Ranking-1

DA DA DAAAAAAAAA!

Cattle Mutilations are up.

PPC1 · 09-06-2006

Quote:

Originally Posted by streaker69

You're not going to detect client machines unless you're using Kismet.

For us windooze-users there´s allways AirMagnet. We use AirMagnet Enterprise and Laptop Analyzer and they will detect both APs and stations (clients). We use it to detect rogue clients.

08-30-2006	#1 (permalink)
infinisource Registered Member Join Date: Aug 2006 Posts: 5	Security ? Here is my setup... Cisco 350 AP Windows 2003 AD Domain All wireless devices must authenticate using WEP and be authenticated against AD using P-eap. I have setup my certificate authority on the AD Domain, DHCP is running, the clients that need wireless access are in a security group on the domain and have dial-in permission. The authenticated clients are not the problem... my problem is someone outside of my network is trying to gain access, of course they can't so far because they need a cert., group membership, dial-in access... I have their mac address, what other kind of information can I get from this device and how would I do that? Basically I am trying to get information on a rouge client. Does this make sense? Any thoughts, ideas or suggestions would greatly be appreciated. Thanks, Paul

08-30-2006	#2 (permalink)
streaker69 Psychic Amish Stumbler Join Date: Jul 2004 Location: Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA Posts: 12,239	AirSnare or Airsnort will both gather more information about what that particular Luser is attempting against your system. __________________ Treat your gun like your genitals, only whip it out when it's absolutely necessary.

08-30-2006	#3 (permalink)
King_Ice_Flash Alien Paranoid Stumbler Join Date: May 2003 Location: WI Posts: 2,688	A 12 gauge is usually a pretty good deterrent. Wakes up the sleepers in the cubicle next to you pretty well also. __________________ "Yeah," said a voice from under the table, "you go to pieces so fast people get hit by the shrapnel."

08-30-2006	#5 (permalink)
streaker69 Psychic Amish Stumbler Join Date: Jul 2004 Location: Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA Posts: 12,239	Keep in mind, that during your investigation you may find it's just a machine that's just trying to connect, because someone attempted it once and it may not actualy be a real attempt. Have you checked your logs to show that they're actually trying to authenticate agains your AD? If they've gotten that far, then they've already cracked your WEP. __________________ Treat your gun like your genitals, only whip it out when it's absolutely necessary.

08-30-2006	#10 (permalink)
King_Ice_Flash Alien Paranoid Stumbler Join Date: May 2003 Location: WI Posts: 2,688	Or is the SSID SST-Page Ranking-1 DA DA DAAAAAAAAA! __________________ "Yeah," said a voice from under the table, "you go to pieces so fast people get hit by the shrapnel."

08-30-2006	#4 (permalink)
infinisource Registered Member Join Date: Aug 2006 Posts: 5	Danke! I will check out both utilities... and if all else fails the shotgun will have to do I suppose

08-30-2006	#6 (permalink)
infinisource Registered Member Join Date: Aug 2006 Posts: 5	Yeah I've checked the IAS Logs and no attempt has been made to authenticate against AD yet.

08-30-2006	#8 (permalink)
infinisource Registered Member Join Date: Aug 2006 Posts: 5	Yeah it's not one of the mac's that I allow. My ssid is not the default cisco ssid, that was one of the first things I changed when the AP was setup.

08-30-2006	#11 (permalink)
infinisource Registered Member Join Date: Aug 2006 Posts: 5	yeah there are several AP's that are close by, but the one mac address that is trying to connect isn't the same MAC address as the AP's that are around.

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode