Penetration Testing mailing list archives
Re: MORE: Tools for Detecting Wireless APs - from the wire side.
From: Bennett Todd <bet () rahul net>
Date: Wed, 12 Jun 2002 09:20:03 -0400
2002-06-11-16:07:18 Pierre Vandevenne:
> WW> commercial access point. These are typically on appliance devices, and can't
> WW> change their MAC.
>
> Ahem. Have you ever physically opened these devices? [...] Now, is there any doubt that the MAC addresses of those PCMCIA can be changed? I can provide a few pictures of the internals of some devices if you like.
Certainly, all APs undoubtedly use the same chipsets, and some of 'em actually have PCMCIA carriers inside. But that's not the point. APs are sold as appliances. They run embedded OSes. I've found VxWorks in one, identified because they forgot to turn off the WDB debugger port when they shipped the image, and I nmapped it. Sure, a sufficiently clever and determined hacker could write a custom OS for an AP, with support for changing the MAC addr, burn it in a prom, open the thing up, and replace the embedded OS with their own hack.

Easier though, if you're that determined, to just use a laptop as your access point --- even if you can't find drivers capable of making it a real AP in infrastructure mode, you can still do unofficial wireless just fine in adhoc mode. That's my home net of choice. For such hacks (as well as this hypothetical embedded OS hacker) your choices are pretty much limited to physical walkabout with kismet or whatever, despite the limitations of that approach.

But APs are inexpensive, plug-n-go appliances. Folks with less technical savvy, folks who aren't up to writing custom embedded OSes to allow them to change the MAC addr, buy these things and hook 'em in, generally in ignorance of the risk they're exposing the company to. For this sort of casual error, the wired-side audits are the way to go.

And the exercise of setting up that MAC addr cataloguing system has additional benefits. If you're gonna do it on an enterprise scale, you've gotta automate it; manually collecting arp tables from hundreds or thousands of routers is too painful. Once you've automated it, there's no reason not to schedule daily, or even hourly, or even every 10 minutes polls gathering this data --- and then you're set to generate a ticket to the helpdesk any time a new MAC addr appears; they've got to find the monkey that installed the box to close the ticket.

Make their lives easier, have the system also collect all your switches' CAM tables and include the exact switch port in the ticket you generate. Now you're not only stomping out rogue APs, you're also showing up and breaking down the door when vendors plug their laptops into your network, etc.

And _This_ in turn has benefits far beyond the direct tangible getting a grip on your net; when you create the perception that you know what's going on, people are more inclined to behave themselves.

-Bennett
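The polling-and-ticketing loop described in the message above, sketched as an added example that is not part of the original post. It assumes the ARP and CAM tables have already been collected (by SNMP or CLI scraping) into simple text dumps; the dump layout, device names, MAC addresses and function names are all constructed for illustration.

```python
import re

# Constructed sample dumps (assumed format): "ip mac interface" / "vlan mac port".
ARP_DUMPS = {"rtr1": "10.1.1.20 0200.5e00.0011 Vlan10\n10.1.1.57 02:00:5E:00:00:99 Vlan10\n"}
CAM_DUMPS = {
    "sw-core": "10 0200.5e00.0099 Gi0/1\n10 0200.5e00.0011 Gi0/2\n",
    "sw-3f": "10 0200.5e00.0099 Fa0/17\n10 02-00-5e-00-00-77 Fa0/9\n",
}
UPLINKS = {("sw-core", "Gi0/1")}   # inter-switch ports: every downstream MAC shows up here
KNOWN_MACS = {"02005e000011"}      # catalogue built by earlier polls

def norm_mac(text):
    """Canonicalise dotted, colon or dash MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[.:-]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return digits

def parse_arp(dumps):
    """Map mac -> (router, ip) from every router's ARP table."""
    return {norm_mac(mac): (rtr, ip)
            for rtr, text in dumps.items()
            for ip, mac, _ifc in map(str.split, text.splitlines())}

def parse_cam(dumps, uplinks):
    """Map mac -> (switch, port), skipping uplinks so the access port is reported."""
    return {norm_mac(mac): (sw, port)
            for sw, text in dumps.items()
            for _vlan, mac, port in map(str.split, text.splitlines())
            if (sw, port) not in uplinks}

def new_mac_tickets(arp, cam, known):
    """Build one helpdesk ticket per MAC that is not yet in the catalogue."""
    tickets = []
    for mac in sorted((set(arp) | set(cam)) - known):
        router, ip = arp.get(mac, (None, None))
        switch, port = cam.get(mac, (None, None))
        tickets.append({"mac": mac, "ip": ip, "router": router,
                        "switch": switch, "port": port})
    return tickets

if __name__ == "__main__":
    for t in new_mac_tickets(parse_arp(ARP_DUMPS), parse_cam(CAM_DUMPS, UPLINKS), KNOWN_MACS):
        print("NEW MAC {mac} ip={ip} seen on {switch} port {port}".format(**t))
```

A device that has never sent traffic through a router appears only in a CAM table, so the ticket is built from the union of both sources and its IP field may be empty.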