Re: Tools for Detecting Wireless APs - from the wire side.

From: Lot Flo (l0tusphlower@yahoo.com)
Date: Tue Jun 11 2002 - 15:40:29 EDT


An obvious idea that was not directly mentioned is to
attempt to connect to the management ports (a Cisco
Aironet AP can have telnet and http enabled, as well
as snmp) of the various APs and banner grab (of
course, if access control mechanisms are in place,
this could skew your results). In light of this idea,
it would be nice to see the default services, banners,
and unique ICMP, TCP, and UDP responses of the different
APs centrally documented so our fellow professionals
could learn to recognize these devices faster. Also,
certainly some type of sniffing on the wired LAN could
be used to gather AP MAC addresses as well as
clear-text HTTP management of the AP through strings
such as (assuming Aironet) GET /SetWEP_Keys.shm and
others. If the AP environment is using a RADIUS
server for authentication, such as Cisco's LEAP or EAP,
EAP-TTLS, etc., you could sniff the RADIUS access
request and obtain info about the AP that way (I don't
have a trace handy at the moment, so can't give any
more info). Of course, the usual issues related to
sniffing apply, but these are a few additional ideas.

Curt Wilson
Security Engineer
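As an added illustration of the wire-side indicators the post lists (this is example code written for this page, not code from the poster or from any list member), the script below scans constructed traffic records for three signs of an access point on the wired LAN: a source or destination MAC in a vendor OUI table, a clear-text HTTP management request such as GET /SetWEP_Keys.shm, and a RADIUS Access-Request whose NAS attributes identify the AP. The OUI table entry, the record layout, and the sample MACs and hostnames are assumptions made for the example; the RADIUS field layout and attribute numbers (NAS-IP-Address 4, Called-Station-Id 30, NAS-Identifier 32) follow RFC 2865.

```python
"""Wire-side AP indicator scan over constructed sample traffic records (added example)."""
import struct
from dataclasses import dataclass

# Assumed vendor OUI table: one entry as an example; verify prefixes against
# the IEEE OUI registry before relying on them for inventory decisions.
AP_VENDOR_OUIS = {"00:40:96": "Cisco/Aironet (assumed)"}

# Clear-text management paths to watch for; the first is the one named in the post.
AP_MGMT_PATHS = ("/SetWEP_Keys.shm",)

RADIUS_ACCESS_REQUEST = 1
RADIUS_ATTR_NAMES = {4: "NAS-IP-Address", 30: "Called-Station-Id", 32: "NAS-Identifier"}


@dataclass
class Record:
    """One captured frame, already reduced to the fields the scan needs (constructed)."""
    src_mac: str
    dst_mac: str
    proto: str      # "http" or "radius"
    payload: bytes  # application-layer bytes


def parse_radius(payload):
    """Return (code, {attr_name: value}) for a RADIUS packet, or None if malformed."""
    if len(payload) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", payload[:4])
    if length < 20 or length > len(payload):
        return None
    attrs, pos = {}, 20
    while pos + 2 <= length:
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > length:
            return None  # attribute runs past the packet: reject rather than guess
        value = payload[pos + 2:pos + alen]
        name = RADIUS_ATTR_NAMES.get(atype)
        if name == "NAS-IP-Address" and len(value) == 4:
            attrs[name] = ".".join(str(b) for b in value)
        elif name:
            attrs[name] = value.decode("ascii", "replace")
        pos += alen
    return code, attrs


def build_radius_access_request(nas_ip, nas_id, called_station):
    """Constructed sample Access-Request (authenticator zeroed; test data only)."""
    attrs = bytes([4, 6]) + bytes(int(o) for o in nas_ip.split("."))
    attrs += bytes([32, 2 + len(nas_id)]) + nas_id.encode()
    attrs += bytes([30, 2 + len(called_station)]) + called_station.encode()
    return struct.pack("!BBH", RADIUS_ACCESS_REQUEST, 7, 20 + len(attrs)) + bytes(16) + attrs


def scan(records):
    """Map each suspected AP MAC to a sorted list of the indicators seen for it."""
    hits = {}

    def note(mac, reason):
        hits.setdefault(mac.lower(), set()).add(reason)

    for r in records:
        for mac in (r.src_mac, r.dst_mac):
            vendor = AP_VENDOR_OUIS.get(mac.lower()[:8])
            if vendor:
                note(mac, "oui:" + vendor)
        if r.proto == "http":
            # The request comes from the admin workstation; the AP is the destination.
            parts = r.payload.split(b"\r\n", 1)[0].decode("ascii", "replace").split()
            if len(parts) >= 2 and any(parts[1].startswith(p) for p in AP_MGMT_PATHS):
                note(r.dst_mac, "http-mgmt:" + parts[1])
        elif r.proto == "radius":
            # The NAS (the AP) sends the Access-Request, so the source MAC is the AP's
            # only when the capture point is on the same L2 segment; otherwise it is
            # the router's, and the NAS-IP-Address attribute is the better lead.
            parsed = parse_radius(r.payload)
            if parsed and parsed[0] == RADIUS_ACCESS_REQUEST:
                nas = parsed[1].get("NAS-Identifier", "?") + "@" + parsed[1].get("NAS-IP-Address", "?")
                note(r.src_mac, "radius-nas:" + nas)
    return {mac: sorted(reasons) for mac, reasons in hits.items()}


# Constructed sample capture: an admin GET to the AP, the AP's RADIUS request,
# and an unrelated web request that should produce no finding.
SAMPLE = [
    Record("02:00:00:00:00:01", "00:40:96:aa:bb:cc", "http",
           b"GET /SetWEP_Keys.shm HTTP/1.0\r\nHost: 10.0.0.5\r\n\r\n"),
    Record("00:40:96:aa:bb:cc", "02:00:00:00:00:02", "radius",
           build_radius_access_request("10.0.0.5", "ap-lobby-1", "00-40-96-AA-BB-CC")),
    Record("02:00:00:00:00:03", "02:00:00:00:00:02", "http",
           b"GET /index.html HTTP/1.0\r\nHost: intranet\r\n\r\n"),
]

if __name__ == "__main__":
    for mac, reasons in scan(SAMPLE).items():
        print(mac, reasons)
```

The same three checks apply to a real capture once frames are reduced to `Record` objects (for example with a pcap reader); the RADIUS branch is the most reliable of the three because the NAS attributes are set by the AP itself rather than inferred from an address prefix.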

