sim wrote:
> 
> My question is how does one proactively monitor for a WAP in a standard
> routed/switched environment.  Is there any intelligent way to accomplish
> this?  I would be interested in ideas/solutions for LANs and WANs.  Is
> there something I can look for within each packet or perhaps specific
> types of traffic (broadcast?) created by the WAP?


Hi,
  Assuming you have an appropriate 802.11b adapter you could try using
Netstumbler[1]. This is specifically designed to scan for wireless
access points within your (not-so) immediate area. You may very well
be surprised by what you find in or around your organization.
Netstumbler will display the IP & MAC address (and therefore the vendor)
of any "Stumbled" access points, as well as some other interesting
things.

As this software will provide you with the MAC/IP address of an AP, you
should be able to isolate devices to a given switchport quite easily by
examining the ARP tables on your layer 2 switch(es). Certainly quicker
than walking from floor to floor :-).

Other "stumbling" solutions exist for *nix platforms, a quick search on
google.com for "wardriving" will no doubt reveal most of what you need.

A tool such as ARPwatch (*nix based) could be used to keep track of
MAC/IP pairings of devices on your network. It can also be configured to
alert when new devices are detected on the network. Useful if you run a
tight[2] ship, but otherwise may lead to some wild goose chases. The
first 3 bytes of a MAC address identify the vendor of the device
(ARPwatch will convert this to something meaningful AFAIK), so if you
spot a device made by vendor Y on your otherwise vendor Z network it
could possibly be considered "hostile" :-).

Cisco APs use CDP to discover their local Cisco brethren; assuming
you're a Cisco based shop, this could be another method of looking
for rogue devices (assuming your fellow employees have expensive Cisco
tastes!). If you're not using Cisco kit, then sniffing for CDP traffic
could be one way of looking for Cisco APs. A bit of a shot in the dark
though.

Most/all APs act as bridges; I'm not sure if there is any easy way of
looking for this type of device on a network. Perhaps looking for STP
broadcasts from unknown devices may be an option (probably a Cisco bias
towards this one again though)?

The majority of these devices are SNMP capable. A lot of vendors still
ship devices with SNMP enabled and use weak[3] ro/rw community strings
such as 'public', 'private' or 'secret'. You may already have network
management products that can be used to discover SNMP capable devices.
If not, then google.com will point you in the right direction. Walking
the system (.1.3.6.1.2.1.1) OID should provide a means of identifying a
device (if the software you use doesn't do this).

As an act of desperation, you may consider active TCP/IP stack
fingerprinting. Tools such as NMAP[4], Xprobe[5] and others can be used
to "guess" the operating system a remote host is running by examining
the characteristics of TCP/UDP/ICMP/IP packets. This would however
depend on the state of these tools' fingerprint databases with regard to
APs, and it's probably not feasible/desirable on a medium/large network
in any case.

Hope this helps.

Cheers,
Mike.

[1] http://www.netstumbler.com.
[2] tight as in "My wiring closet is also my gun cabinet".
[3] utter wank[6] is a more preferred term here.
[4] http://www.insecure.org/nmap/index.html.
[5] http://www.sys-security.com/html/projects/X.html.
[6] http://www.dictionary.com/cgi-bin/dict.pl?term=wank
    (For those who are not from the UK)
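The ARPwatch-style MAC/IP pairing check and the vendor-OUI test described in the reply, as an added Python example that is not part of Mike's post or of ARPwatch itself; the switch table, the baseline and the "expected" OUI prefix are constructed values for illustration, not real vendor assignments.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: a switch's MAC/ARP table exported as text
# (switchport, MAC, IP). MACs and OUIs here are made up.
SWITCH_TABLE = """\
Fa0/1  00:aa:bb:10:20:30  10.0.1.11
Fa0/2  00:aa:bb:10:20:31  10.0.1.12
Fa0/7  00:cc:dd:44:55:66  10.0.1.40
Fa0/9  00:aa:bb:10:20:32  10.0.1.13
"""

# Constructed baseline of MAC/IP pairings seen on a previous run (ARPwatch-style).
BASELINE = {
    "00:aa:bb:10:20:30": "10.0.1.11",
    "00:aa:bb:10:20:31": "10.0.1.12",
}

# Hypothetical OUI prefixes (first 3 bytes of the MAC) the organisation expects to see.
EXPECTED_OUIS = {"00:aa:bb"}

LINE_RE = re.compile(
    r"^(\S+)\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s+(\d{1,3}(?:\.\d{1,3}){3})$", re.I
)


def parse_table(text: str) -> List[Tuple[str, str, str]]:
    """Parse (port, mac, ip) rows; MACs are lower-cased so comparisons are stable."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append((m.group(1), m.group(2).lower(), m.group(3)))
    return rows


def oui(mac: str) -> str:
    """The vendor part of a MAC address: its first three octets."""
    return mac[:8]


def find_suspects(text: str, baseline: Dict[str, str], expected_ouis: set) -> Dict[str, List[str]]:
    """Return switchports worth a visit: unknown-vendor OUI, or a MAC/IP pair not in the baseline."""
    report: Dict[str, List[str]] = {}
    for port, mac, ip in parse_table(text):
        reasons = []
        if oui(mac) not in expected_ouis:
            reasons.append(f"unexpected vendor OUI {oui(mac)}")
        if baseline.get(mac) != ip:
            reasons.append("new MAC/IP pairing" if mac not in baseline
                           else f"IP changed from {baseline[mac]}")
        if reasons:
            report[port] = reasons
    return report
```

Run it against a real export and the report gives you the switchport to check, which is the "quicker than walking floor to floor" step the reply describes.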
