Apologies if this ends up on the list multiple times. I seem to have trouble getting this posted in a timely fashion.

In general, MAC OUI designations may indicate a particular AP. IP multicast group participation may also be used by some APs. Some APs have a few unique ports open. Lastly, APs may be found with a radio on a particular default channel. All of these potentially identifying characteristics may be used to help audit the network for rogue IPs. Below is information on locating particular APs:

Multicast Groups
----------------
224.0.1.40  Cisco/Aironet (newer versions)
224.0.1.76  Lucent/Avaya
224.1.0.1   Cisco/Aironet

You can locate who group members are by doing the following on a Cisco router:

  show ip igmp group <group-ip-address>

Protocols/Ports
---------------
Cisco/Aironet APs have two UDP ports open: 2887 and 7777.

Well known AP MAC OUIs
----------------------
0000f0  Samsung
00022d  Lucent (Orinoco)
0002b3  Intel
00032f  Global Sun Technology (Linksys)
00045a  Linksys
0010e7  BreezeCom (BreezeNet)
0020d8  NetWave Technologies (BayNetworks)
003065  Apple
004005  ANI Communications
004096  Aironet
00508b  Compaq
00601d  Lucent (WaveLan)
0090d1  Leichu Enterprise Co. (Addtron)
00a0f8  Symbol Technologies
00e029  Standard Microsystems Corp.
080002  3Com
080046  Sony

Well known AP default channels
------------------------------
4: Lucent
6: Aironet, Compaq, BreezeNet

John
On Tue, Feb 11, 2003 at 11:27:28AM -0600, John Kristoff wrote:
> Apologies if this ends up on the list multiple times. I seem to have trouble getting this posted in a timely fashion.
>
> In general, MAC OUI designations may indicate a particular AP. IP multicast group participation may also be used by some APs. Some APs have a few unique ports open. Lastly, APs may be found with a radio on a particular default channel. All of these potentially identifying characteristics may be used to help audit the network for rogue IPs. Below is information on locating particular APs:

Why are you posting this here? The information is somewhat incomplete/incorrect as well. Persons interested in finding rogue AP's would be much better off with a tool such as kismet that already identifies model/make of access points based on various datapoints (including the types you posted), as well as the ability to determine where the AP is (physically) with the use of a GPS unit.

As a side benefit, it can make pretty maps.

http://www.poptix.net/thehills.jpg

> John

--
Matthew S. Hallacy FUBAR, LART, BOFH Certified
http://www.poptix.net GPG public key 0x01938203
On Tuesday, 2003-02-11 at 13:42 CST, "Matthew S. Hallacy" <poptix@techmonkeys.org> wrote:
> On Tue, Feb 11, 2003 at 11:27:28AM -0600, John Kristoff wrote:
> > In general, MAC OUI designations may indicate a particular AP. IP multicast group participation may also be used by some APs. Some APs have a few unique ports open. Lastly, APs may be found with a radio on a particular default channel. All of these potentially identifying characteristics may be used to help audit the network for rogue IPs.
>
> Why are you posting this here? The information is somewhat incomplete/incorrect as well. Persons interested in finding rogue AP's would be much better off with a tool such as kismet that already identifies model/make of access points based on various datapoints (including the types you posted), as well as the ability to determine where the AP is (physically) with the use of a GPS unit.

It appears that kismet requires either someone to walk around the facility while running the program or that you have it installed on machines all over your site. Neither of those options interests me as a long term solution to rogue AP monitoring.

It sounds like John is referring to using a network IDS system, maybe one per subnet, to try to infer from the wired (maybe) network traffic that an unwanted AP is connected to your wired network. Given that you may want to run such an IDS anyway, this could give you a decent start on handling rogues.

Personally, I think the idea of checking radio traffic to be a more complete solution, but don't want to have to install a bunch of wireless machines all over the site to detect this. I'm really waiting for the AP vendors to incorporate a rogue detection system in the APs themselves. This could solve the problem for those sites that have fully deployed APs.

Tony Rall
On Tue, Feb 11, 2003 at 01:02:34PM -0700, Tony Rall wrote:
> It sounds like John is referring to using a network IDS system, maybe one per subnet, to try to infer from the wired (maybe) network traffic that an unwanted AP is connected to your wired network. Given that you may want

Actually, the info was meant to provide operators with very rudimentary AP tracking info that can mostly be done from the network devices. If someone has login access to a switch/router, you can use the MAC and IGMP address info to identify potential APs fairly easily at the CLI or via scripts.

If there is incorrect or missing information, as I mentioned at the mic, I'd appreciate any updates. Feel free to send them to me via private email and I can send out an update if there is interest.

John
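
Added example, not part of the original thread or any poster's code: one way to script the check described above, matching the OUI and multicast-group lists from the first post against switch and router output. The sample tables are constructed, and the column layout, the `approved_ports` allowlist and the function names are assumptions made for illustration.

```python
import re

# OUI prefixes and multicast groups copied from the lists in the original post.
AP_OUIS = {
    "0000f0": "Samsung", "00022d": "Lucent (Orinoco)", "0002b3": "Intel",
    "00032f": "Global Sun Technology (Linksys)", "00045a": "Linksys",
    "0010e7": "BreezeCom (BreezeNet)", "003065": "Apple",
    "0020d8": "NetWave Technologies (BayNetworks)", "004096": "Aironet",
    "004005": "ANI Communications", "00508b": "Compaq",
    "00601d": "Lucent (WaveLan)", "0090d1": "Leichu Enterprise Co. (Addtron)",
    "00a0f8": "Symbol Technologies", "00e029": "Standard Microsystems Corp.",
    "080002": "3Com", "080046": "Sony",
}
AP_GROUPS = {"224.0.1.40": "Cisco/Aironet (newer versions)",
             "224.0.1.76": "Lucent/Avaya", "224.1.0.1": "Cisco/Aironet"}

# Constructed sample output (mixed MAC notations on purpose); real column
# layouts vary by platform and release.
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
  10    0040.9640.1a2b    DYNAMIC     Fa0/3
  10    0002.2d11.22aa    DYNAMIC     Fa0/7
  10    0011.2233.4455    DYNAMIC     Fa0/9
  20    00:04:5a:0c:0d:0e DYNAMIC     Fa0/12
"""
IGMP_TABLE = """\
Group Address    Interface  Uptime    Expires   Last Reporter
224.0.1.40       Vlan10     2d03h     00:02:31  10.1.10.23
224.0.1.76       Vlan20     00:41:10  00:02:05  10.1.20.57
239.255.255.250  Vlan10     1d00h     00:02:44  10.1.10.80
"""
MAC_RE = re.compile(
    r"(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}|(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}", re.I)

def oui_hits(table, approved_ports=()):
    """Return (port, mac, vendor) for listed OUIs seen on non-approved ports."""
    hits = []
    for line in table.splitlines():
        m = MAC_RE.search(line)
        if not m:
            continue
        mac = re.sub(r"[^0-9a-f]", "", m.group(0).lower())  # normalise notation
        port = line.split()[-1]          # assumes the port is the last column
        if mac[:6] in AP_OUIS and port not in approved_ports:
            hits.append((port, mac, AP_OUIS[mac[:6]]))
    return hits

def igmp_hits(table):
    """Return (group, interface, last_reporter, vendor) for listed AP groups."""
    rows = (line.split() for line in table.splitlines())
    return [(f[0], f[1], f[-1], AP_GROUPS[f[0]]) for f in rows if f and f[0] in AP_GROUPS]
```

Treat every hit as a candidate to follow up, not a confirmed AP: several listed OUIs (Intel, Apple, Compaq, 3Com) also ship on ordinary wired NICs, and 224.0.1.40 is Cisco's Auto-RP discovery group, so Cisco routers can appear as members too.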
Sorry to waste more bandwidth on this, but there is a very good list at:

http://fingerprint.unbolted.net/view.php

which also includes the adapter information.

Len

On Tue, Feb 11, 2003 at 02:28:01PM -0600, John Kristoff wrote:
[snip]
> Actually, the info was meant to provide operators with very rudimentary AP tracking info that can mostly be done from the network devices. If someone has login access to a switch/router, you can use the MAC and IGMP address info to identify potential APs fairly easily at the CLI or via scripts.
>
> If there is incorrect or missing information, as I mentioned at the mic, I'd appreciate any updates. Feel free to send them to me via private email and I can send out an update if there is interest.
>
> John
On Tue, Feb 11, 2003 at 01:02:34PM -0700, Tony Rall wrote:
> On Tuesday, 2003-02-11 at 13:42 CST, "Matthew S. Hallacy" <poptix@techmonkeys.org> wrote:
> > On Tue, Feb 11, 2003 at 11:27:28AM -0600, John Kristoff wrote:
> > > In general, MAC OUI designations may indicate a particular AP. IP multicast group participation may also be used by some APs. Some APs have a few unique ports open. Lastly, APs may be found with a radio on a particular default channel. All of these potentially identifying characteristics may be used to help audit the network for rogue IPs.
> >
> > Why are you posting this here? The information is somewhat incomplete/incorrect as well. Persons interested in finding rogue AP's would be much better off with a tool such as kismet that already identifies model/make of access points based on various datapoints (including the types you posted), as well as the ability to determine where the AP is (physically) with the use of a GPS unit.
>
> It appears that kismet requires either someone to walk around the facility while running the program or that you have it installed on machines all over your site. Neither of those options interests me as a long term solution to rogue AP monitoring.

Most solutions are going to require some walking around. How else would you find them?

[ snip ]

You could set up a laptop, a GPS with a data cable, NetStumbler[free], and an 8dbi 2.5ghz <802.11b> antenna and pick up everything clearly for a half a mile without walking around. I've just acquired this setup myself. Google on "war driving +F150" and you'll see a setup to help for < $55

A network IDS will most definitely detect odd MAC addrs or manufacturer octets, but you'll have to maintain the signatures. It's much easier using the 'war driving' setup.
participants (5)
- John Kristoff
- Len Rose
- Martin Hannigan
- Matthew S. Hallacy
- Tony Rall