Apologies if this ends up on the list multiple times. I seem to
have trouble getting this posted in a timely fashion.
In general, MAC OUI designations may indicate a particular AP. IP
multicast group participation may also be used by some APs. Some
APs have a few unique ports open. Lastly, APs may be found with
a radio on a particular default channel. All of these potentially
identifying characteristics may be used to help audit the network
for rogue IPs. Below is information on locating particular APs:
Multicast Groups
Why are you posting this here? The information is somewhat incomplete/incorrect
as well. Persons interested in finding rogue APs would be much better
off with a tool such as kismet that already identifies model/make of
access points based on various datapoints (including the types you posted),
as well as the ability to determine where the AP is (physically) with
the use of a GPS unit.
As a side benefit, it can make pretty maps.
http://www.poptix.net/thehills.jpg
It appears that kismet requires either someone to walk around the facility
while running the program or that you have it installed on
machines all over your site. Neither of those options interests me as a
long term solution to rogue AP monitoring.
It sounds like John is referring to using a network IDS system, maybe one
per subnet, to try to infer from the wired (maybe) network traffic that an
unwanted AP is connected to your wired network. Given that you may want
to run such an IDS anyway, this could give you a decent start on handling
rogues.
Personally, I think the idea of checking radio traffic is a more
complete solution, but don't want to have to install a bunch of wireless
machines all over the site to detect this. I'm really waiting for the AP
vendors to incorporate a rogue detection system in the APs themselves. This
could solve the problem for those sites that have fully deployed APs.
Tony Rall
Actually, the info was meant to provide operators with very
rudimentary AP tracking info that can mostly be done from the network
devices. If someone has login access to a switch/router, you can
use the MAC and IGMP address info to identify potential APs fairly
easily at the CLI or via scripts.
If there is incorrect or missing information, as I mentioned at the
mic, I'd appreciate any updates. Feel free to send them to me via
private email and I can send out an update if there is interest.
John
Sorry to waste more bandwidth on this, but there is a very
good list at: http://fingerprint.unbolted.net/view.php
which also includes the adapter information.
Len
[snip]
Most solutions are going to require some walking around. How else
would you find them?
[ snip ]
You could set up a laptop, a GPS with a data cable, NetStumbler[free],
and an 8dbi 2.5ghz <802.11b> antenna and pick up everything clearly
for a half a mile without walking around. I've just acquired this
setup myself. Google on "war driving +F150" and you'll see a setup
to help for < $55
A network IDS will most definitely detect odd MAC addrs or manufacturer
octets, but you'll have to maintain the signatures. It's much easier
using the 'war driving' setup.
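Added example, not code from any poster in this thread: a script of the kind John describes (MAC OUI and IGMP group info pulled from a switch CLI and checked by script), which is also the "manufacturer octets" check the last reply says an IDS would need signatures for. The switch output below is constructed in a Cisco-like layout, and the OUI-to-vendor table and the multicast group address are assumed placeholders that an operator would replace with entries taken from the IEEE OUI registry and the documentation of the AP models actually in use.

```python
"""Flag switch ports that may have a wireless AP behind them, using the
two wired-side indicators discussed in the thread: the OUI of the MAC
address learned on the port, and IGMP group membership seen by the switch.
Sample switch output and the lookup tables are constructed for this example."""

import re

# Assumed OUI -> vendor table. The entries are illustrative placeholders;
# build the real table from the IEEE OUI registry for the AP models you run.
AP_OUIS = {
    "00:40:96": "Cisco/Aironet (assumed)",
    "00:02:2d": "Agere/Orinoco (assumed)",
}

# Multicast groups treated as AP-specific in this constructed example.
# Real group addresses depend on the AP product and must be verified.
AP_MCAST_GROUPS = {"224.0.1.40"}


def normalize_mac(mac):
    """Turn Cisco 'xxxx.xxxx.xxxx' or 'xx:xx:xx:xx:xx:xx' into lower-case colon form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("bad MAC: %r" % mac)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_table(text):
    """Parse 'show mac address-table' style lines: vlan mac type port."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or not parts[0].isdigit():
            continue  # header, separator or blank line
        try:
            mac = normalize_mac(parts[1])
        except ValueError:
            continue
        entries.append({"vlan": int(parts[0]), "mac": mac, "port": parts[3]})
    return entries


def parse_igmp_groups(text):
    """Parse 'show ip igmp snooping groups' style lines: vlan group type version ports."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or not parts[0].isdigit():
            continue
        if not re.match(r"^\d+\.\d+\.\d+\.\d+$", parts[1]):
            continue
        for port in parts[4].split(","):  # a group may list several ports
            entries.append({"vlan": int(parts[0]), "group": parts[1], "port": port})
    return entries


def audit(mac_entries, igmp_entries):
    """Return {port: [reasons]} for every port showing at least one AP indicator."""
    findings = {}
    for e in mac_entries:
        oui = e["mac"][:8]
        if oui in AP_OUIS:
            findings.setdefault(e["port"], []).append(
                "OUI %s -> %s (%s)" % (oui, AP_OUIS[oui], e["mac"]))
    for g in igmp_entries:
        if g["group"] in AP_MCAST_GROUPS:
            findings.setdefault(g["port"], []).append(
                "joined AP multicast group %s" % g["group"])
    return findings


# Constructed sample output; only the layout is Cisco-like.
MAC_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0040.96a1.b2c3    DYNAMIC     Fa0/12
  10    0011.2233.4455    DYNAMIC     Fa0/3
  20    0002.2d77.8899    DYNAMIC     Fa0/7
"""

IGMP_TABLE = """\
Vlan      Group                    Type        Version     Port List
-----------------------------------------------------------------------
10        224.0.1.40               igmp        v2          Fa0/12
10        239.1.1.1                igmp        v2          Fa0/3,Fa0/5
"""

if __name__ == "__main__":
    for port, reasons in sorted(audit(parse_mac_table(MAC_TABLE),
                                      parse_igmp_groups(IGMP_TABLE)).items()):
        print(port)
        for r in reasons:
            print("  -", r)
```

A port that shows both indicators (here Fa0/12) is a stronger candidate than one that only matches an OUI, since a laptop with a wireless NIC from the same vendor will trip the OUI check alone; the script keeps the reasons per port so an operator can rank them before walking to the closet.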