Re: Tool for Identifying Rogue Linksys Routers

[Gregory Boyce <gboyce () badbelly com>]

On Fri, 26 Aug 2005, Dave Hull wrote:

> If the Linksys devices are DHCP clients themselves, you might be able
> to use DHCPFingerprint to locate them when they renew their leases.

The only problem with this is that the Linksys is serving out IP addresses 
via DHCP.

Linksys routers generally have a dedicated WAN port, and a few LAN ports. 
They are DHCP clients on the WAN port, and have a configurable DHCP server 
on the LAN ports.

If this device is serving out DHCP addresses to the network, then the LAN 
side of the linksys is plugged into their network.

Assuming that the main priority here is to stop the rogue DHCP server on 
the network, I would configure a machine with an address in the 
192.168.1.0/24 subnet, and try accessing the device on its default IP 
(192.168.1.1) in a web browser.  The default username/password is often 
"admin"/"admin".  Otherwise you can look up the default by looking online 
for that model (I believe the login link gives the model number).  If they 
haven't changed the password, you can now disable the DHCP server.

Of course you'll still want to track down the device in order to shut off 
the most likely unsecured wireless access to your network.  Since you've 
been accessing the system, you should have the MAC in your ARP cache for 
192.168.1.1.  Other people have mentioned ways to track down the system 
based on the mac.

--
Greg Boyce
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/