Security ?

Postby infinisource » Wed Aug 30, 2006 5:01 pm

Here is my setup...

Cisco 350 AP
Windows 2003 AD Domain

All wireless devices must authenticate using WEP and be authenticated against AD using PEAP.

I have setup my certificate authority on the AD Domain, DHCP is running, the clients that need wireless access are in a security group on the domain and have dial-in permission.

The authenticated clients are not the problem... my problem is someone outside of my network is trying to gain access. Of course they can't so far, because they need a cert, group membership and dial-in access... I have their MAC address; what other kind of information can I get from this device, and how would I do that?

Basically I am trying to get information on a rogue client. Does this make sense? Any thoughts, ideas or suggestions would be greatly appreciated.

Thanks, Paul
infinisource
Mini Stumbler
Posts: 5
Joined: Wed Aug 30, 2006 4:37 pm

Postby streaker69 » Wed Aug 30, 2006 5:03 pm

AirSnare or Airsnort will both gather more information about what that particular Luser is attempting against your system.
Treat your gun like your genitals, only whip it out when it's absolutely necessary.
streaker69
Posts: 11867
Joined: Thu Jul 08, 2004 10:09 am
Location: Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA

Postby King_Ice_Flash » Wed Aug 30, 2006 5:04 pm

A 12 gauge is usually a pretty good deterrent. Wakes up the sleepers in the cubicle next to you pretty well also.
"Yeah," said a voice from under the table, "you go to pieces so fast people get hit by the shrapnel."
King_Ice_Flash
Posts: 2658
Joined: Tue May 20, 2003 11:00 am
Location: WI

Postby infinisource » Wed Aug 30, 2006 5:10 pm

Danke! I will check out both utilities... and if all else fails the shotgun will have to do I suppose :)
infinisource
Mini Stumbler
Posts: 5
Joined: Wed Aug 30, 2006 4:37 pm

Postby streaker69 » Wed Aug 30, 2006 5:12 pm

Keep in mind that during your investigation you may find it's just a machine that's trying to connect because someone attempted it once, and it may not actually be a real attempt.

Have you checked your logs to show that they're actually trying to authenticate against your AD? If they've gotten that far, then they've already cracked your WEP.
Treat your gun like your genitals, only whip it out when it's absolutely necessary.
streaker69
Posts: 11867
Joined: Thu Jul 08, 2004 10:09 am
Location: Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA

Postby infinisource » Wed Aug 30, 2006 5:23 pm

Yeah, I've checked the IAS logs and no attempt has been made to authenticate against AD yet.
infinisource
Mini Stumbler
Posts: 5
Joined: Wed Aug 30, 2006 4:37 pm

Postby streaker69 » Wed Aug 30, 2006 5:26 pm

infinisource wrote: Yeah, I've checked the IAS logs and no attempt has been made to authenticate against AD yet.

So you're just seeing attempts against the router as they attempt various WEP keys. Your SSID is not a common one, right?

And you've checked the MAC against the list of MACs that are actually allowed on your network, so that it isn't a machine that can't connect because someone erased the WEP key?

After all, a good Network Admin knows the MACs of every single device that's allowed to be on the network.
Treat your gun like your genitals, only whip it out when it's absolutely necessary.
streaker69
Posts: 11867
Joined: Thu Jul 08, 2004 10:09 am
Location: Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA

Postby infinisource » Wed Aug 30, 2006 5:29 pm

Yeah, it's not one of the MACs that I allow. My SSID is not the default Cisco SSID; that was one of the first things I changed when the AP was set up.
infinisource
Mini Stumbler
Posts: 5
Joined: Wed Aug 30, 2006 4:37 pm

Postby streaker69 » Wed Aug 30, 2006 5:30 pm

infinisource wrote: Yeah, it's not one of the MACs that I allow. My SSID is not the default Cisco SSID; that was one of the first things I changed when the AP was set up.

Are you near any apartment complexes or homes or anything?
Treat your gun like your genitals, only whip it out when it's absolutely necessary.
streaker69
Posts: 11867
Joined: Thu Jul 08, 2004 10:09 am
Location: Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA

Postby King_Ice_Flash » Wed Aug 30, 2006 5:38 pm

Or is the SSID SST-PR-1?

DA DA DAAAAAAAAA!
"Yeah," said a voice from under the table, "you go to pieces so fast people get hit by the shrapnel."
King_Ice_Flash
Posts: 2658
Joined: Tue May 20, 2003 11:00 am
Location: WI

Postby infinisource » Wed Aug 30, 2006 5:39 pm

Yeah, there are several APs that are close by, but the one MAC address that is trying to connect isn't the same MAC address as the APs that are around.
infinisource
Mini Stumbler
Posts: 5
Joined: Wed Aug 30, 2006 4:37 pm

Postby streaker69 » Wed Aug 30, 2006 5:40 pm

infinisource wrote: Yeah, there are several APs that are close by, but the one MAC address that is trying to connect isn't the same MAC address as the APs that are around.

You're not going to detect client machines unless you're using Kismet.
Treat your gun like your genitals, only whip it out when it's absolutely necessary.
streaker69
Posts: 11867
Joined: Thu Jul 08, 2004 10:09 am
Location: Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA

Postby beakmyn » Wed Aug 30, 2006 5:41 pm

infinisource wrote: Yeah, there are several APs that are close by, but the one MAC address that is trying to connect isn't the same MAC address as the APs that are around.

Right, but with Kismet you could see if that MAC is a client on the other APs, which might shed some light on who is doing it.
beakmyn
Posts: 4858
Joined: Sun Aug 03, 2003 1:53 pm
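The checks streaker69 and beakmyn describe above (is the MAC on the allowlist? is it one of the nearby APs rather than a client? has it been seen associated with a neighbouring AP?) can be scripted against a scanner export. The following is an added example, not code from the thread or from Kismet; the allowlist, the AP BSSIDs and the client/AP observation rows are all constructed sample data, and the observation record layout is an assumption rather than any real tool's file format.

```python
"""Triage an unknown wireless client MAC against what the admin already knows.

Added example. All MAC addresses and SSIDs below are constructed sample data,
and the (client, bssid) observation format is an assumed export layout, not
Kismet's own output.
"""
import re


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form, so '00-0C-41-AB-CD-EF' matches '00:0c:41:ab:cd:ef'."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit (bit 1 of the first octet) is set: the address was
    set by software rather than burned in by the vendor, a hint the MAC may not
    identify the hardware."""
    first_octet = int(normalize_mac(mac)[:2], 16)
    return bool(first_octet & 0x02)


# --- constructed sample data (assumptions, not real devices) ---
OUR_AP_BSSID = "00:40:96:aa:bb:cc"
ALLOWED_CLIENTS = {"00:0C:41:11:22:33", "00:0C:41:44:55:66"}
NEIGHBOUR_APS = {"00:13:10:de:ad:01": "linksys", "00:0f:66:be:ef:02": "NETGEAR"}
# (client MAC, BSSID it was seen talking to), as a passive scanner might export
OBSERVATIONS = [
    ("00:0c:41:11:22:33", "00:40:96:aa:bb:cc"),  # our own allowed client
    ("00:12:17:c0:ff:ee", "00:13:10:de:ad:01"),  # unknown client on neighbour
    ("00:12:17:c0:ff:ee", "00:40:96:aa:bb:cc"),  # same client poking at our AP
]


def triage(mac, allowed=ALLOWED_CLIENTS, our_ap=OUR_AP_BSSID,
           neighbour_aps=NEIGHBOUR_APS, observations=OBSERVATIONS):
    """Classify one MAC using the allowlist, known AP BSSIDs and scan observations."""
    m = normalize_mac(mac)
    allowed_set = {normalize_mac(a) for a in allowed}
    neighbours = {normalize_mac(b): ssid for b, ssid in neighbour_aps.items()}
    seen_on = sorted({normalize_mac(bssid)
                      for client, bssid in observations
                      if normalize_mac(client) == m})
    neighbour_ssids = [neighbours[b] for b in seen_on if b in neighbours]

    if m in allowed_set:
        verdict = "allowed client; check whether its WEP key was erased or changed"
    elif m == normalize_mac(our_ap) or m in neighbours:
        verdict = "an access point, not a client"
    elif neighbour_ssids:
        verdict = "client of a neighbouring AP: " + ", ".join(neighbour_ssids)
    else:
        verdict = "unknown client seen only against our AP"

    return {
        "mac": m,
        "allowed": m in allowed_set,
        "locally_administered": is_locally_administered(m),
        "seen_on": seen_on,
        "neighbour_ssids": neighbour_ssids,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for candidate in ("00-12-17-C0-FF-EE", "00:0c:41:11:22:33", "02:00:00:00:00:01"):
        print(triage(candidate))
```

The verdict for the unknown MAC comes out as "client of a neighbouring AP: linksys", which is the answer beakmyn is after: the MAC is a station associated with a nearby AP, not a device that belongs to this network. The locally-administered flag is informational only; a set U/L bit means the OUI prefix cannot be trusted to identify the vendor.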

Postby streaker69 » Wed Aug 30, 2006 6:19 pm

King_Ice_Flash wrote: Or is the SSID SST-PR-1?

DA DA DAAAAAAAAA!

Cattle Mutilations are up.
Treat your gun like your genitals, only whip it out when it's absolutely necessary.
streaker69
Posts: 11867
Joined: Thu Jul 08, 2004 10:09 am
Location: Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA

Postby PPC1 » Wed Sep 06, 2006 6:21 am

streaker69 wrote: You're not going to detect client machines unless you're using Kismet.

For us windooze-users there's always AirMagnet. We use AirMagnet Enterprise and Laptop Analyzer, and they will detect both APs and stations (clients). We use it to detect rogue clients.
PPC1
Mini Stumbler
Posts: 98
Joined: Wed Oct 20, 2004 6:33 am
