Hi, One of the things we have found is that the biggest obstacle to accurate scanning can be the other security products on the network. If you have host IPS or network IPS they can both block the scanning activity and so you end up with only the mac address to do classification with. The IPS is doing its job when it blocks the scanning traffic so the best thing to do is to white-list the IP address that RogueScanner is running from with the IPS.
The latest (2.2) release of RogueScanner includes DHCP based fingerprinting which adds a lot of accuracy. You need to be patient though since it can take 24 hours or more to see DHCP traffic. BTW, I am going to be at Shmoocon later this week and we will be showing off network scanning as part of the Shmoocon labs if anyone wants to drop by and see it in action. Regards, Chris Waters CTO, PhD Network Chemistry, Inc [EMAIL PROTECTED] -----Original Message----- From: Hari Sekhon [mailto:[EMAIL PROTECTED] Sent: Wednesday, March 21, 2007 12:02 PM To: Waters, Chris; [email protected] Subject: Re: Wired detection of rogue access points I tried it out, and I understand what you are trying to do but my results where a fair way off, some were spot on, but a lot of others weren't. I know it's not an easy job to fingerprint in this way. Couldn't you leverage some Nmap work, since they have good and reliable fingerprints. Also, there were so many wifi-suspect that I either would spend ages investigating everything or not at all (possibly the latter) -h Hari Sekhon Chris Waters wrote: > Hi, > > Every network device has some fingerprint in the way that it interacts > with the network. This includes things like the open ports, the > responses to probes on those ports, the operating system it is > running, the broadcast protocols is uses (DHCP, UPnP, CDP, IAPP, etc), > its MAC address, etc. > > This fingerprint information can be used to uniquely identify > virtually every type of network device, assuming of course that you > have a database of the fingerprints for all the devices that might > exist on the network. > > This is exactly how RogueScanner (roguescanner.networkchemistry.net) > works. It probes devices to determine their fingerprints as well as > looking at the packets that they broadcast onto the network. By using > lots of techniques together it is possible to accurately find and > classify all sorts of devices, including wifi routers which may using > firewalling and MAC address cloning to hide themselves. > > Regards, > > Chris Waters > CTO, PhD > Network Chemistry, Inc > [EMAIL PROTECTED] > > On Mon, 2007-03-19 at 10:20 +0000, [EMAIL PROTECTED] wrote: >> Hello there, >> >> Can anyone point me to a wired LAN scanner/sniffer that detects >> wireless access points connected to the LAN? >> > > Doesn't look possible to me. You can detect wireless stuff but not > from cable side. There is a endless ways to hide it but you cannot > hide radio waves so easily. > > Tõnu > > > > ------------------------------------------------------------------------ > Test Your IDS > > Is your IDS deployed correctly? > Find out quickly and easily by testing it with real-world attacks from > CORE IMPACT. > Go to > http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw > > > to learn more. > ------------------------------------------------------------------------ > > ------------------------------------------------------------------------ > Test Your IDS > > Is your IDS deployed correctly? > Find out quickly and easily by testing it with real-world attacks from > CORE IMPACT. > Go to > http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw > > to learn more. > ------------------------------------------------------------------------ > > ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more. ------------------------------------------------------------------------
