RE: Re[2]: MORE: Tools for Detecting Wireless APs - from the wire side.

From: Woody Weaver (woody.weaver@callisma.com)
Date: Tue Jun 11 2002 - 19:39:36 EDT


On Tuesday, June 11, 2002 4:07 PM, Pierre Vandevenne
[mailto:pierre@datarescue.com] wrote:
PV> Hello Woody,

Greets, Pierre,

WW> commercial access point. These are typically on appliance devices, and can't
WW> change their MAC.

PV> Ahem. Have you ever physically opened these devices ?
[...]

No, but that isn't the point I was trying to make.

Jeffrey.Isherwood@rl.af.mil, who started this thread, classified three
threat agents:

Malicious: Those that do NOT want to be found or secured
Well intentioned: Those that don't understand the need to be secured
Clueless: You can find these and secure them?

I submit that if we are talking about someone who opens up their AP to
fiddle with its guts, it clearly falls into the first category. As I think I
observed, if you are dealing with this threat model, then basically you are
screwed. If I were that guy, I wouldn't be fiddling with the guts of an AP,
I'd build a linux box, put its inbound IP stack on a ringback, and while you
might see it at layer 2, you would see the MAC address of one of the same
kind of cards you have on the net (assuming I didn't want to just crash an
existing box and then take over its MAC); you aren't going to get anything
useful out of a port scan or Sneaky TCP options or funky ICMP or any of that
junk.

As for those in the other two categories, hopefully with tools you can
address these. I'm speaking to you now over two wireless links: a linksys
WPC11 card to a linksys WAP11 in the basement, and a BreezeCOM -
BreezeACCESS 2.4 (thank you, Frederick Wireless -- very robust, efficient,
and friendly last-mile provider in north central Maryland) from my house to
downtown. You could find the BreezeCOM pretty easily: the unit has an SNMP
agent that talks to the world. I probably don't have the latest
nmap-os-fingerprints, but it doesn't recognize it. (xprobe thinks it's
FINAL:[ Windows Based. Open/Net/FreeBSD/DG-UX/HP-UX 10.x etc ]. giggle.)
Anyway, it would gladly give up enterprises.710.10.2.1.1, so that isn't
really an issue. Piece of cake. Guess this comes under the "clueless"
category.

The linksys is going to be a bit more of a trick to identify. It's got a web
server and a tftp server, sure, but I took the defaults. My home network is
192.168.0/24. The defaults put the wired side at 192.168.1/24. So unless I
get a strange urge to monitor the AP, it's invisible at layer 3. But traffic
is flowing... and the only way, from the wired side, I know of to detect
this is to find one of the bridged hosts:
? (192.168.0.2) at 00:06:25:A6:35:F5 [ether] on eth0
go to the tables at http://standards.ieee.org/regauth/oui/oui.txt and you
get
00-06-25 (hex) The Linksys Group, Inc.
000625 (base 16) The Linksys Group, Inc.
                                17401 Armstrong Ave.
                                Irvine CA 92614
                                UNITED STATES
Doing the usual host identification would tell you that this is a user class
machine, so either you've purchased some linksys 10/100 cards, or there is
an issue. (Maybe the fact that Linksys has 00-04-5A as well means you could
distinguish the wired from the wireless, dunno.) From there, I guess you
trace it via the switch port the MAC address is on, and then trace cabling.
Guess this one comes under the "well intentioned" category. And it's a hard
problem, particularly if you are dealing with a lot of remote units. It's the
old "unknown unmanaged hub" problem. (Sidebar: Loran's old Kinetics box
would provide you with the existence of the unmanaged hubs. Perhaps other
network management devices would as well. That might be a useful tool for a
site survey.)

KEY POINT: THIS WAS A DEFAULT INSTALLATION. No magic AP hardening. The box
is stealthy from the wired side just because I didn't bother to change the
defaults.

But if I put this into a "real world" context, I've done surveys from the
wired side several times. Always, if the enterprise has more than 5,000
responding IPs or so, you will find wireless hosts; and generally they fall
into the latter two categories, so layer 2 approaches will find them.

Well, this is getting rather long, but Jeffrey, good luck with your paper.

--woody
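The wired-side check Woody describes above (pull the ARP table, take the first three octets of each MAC, look them up in the IEEE oui.txt registry, and flag vendors that only make wireless gear on your network) is easy to script. The following is an added example, not code from the original post: it parses a constructed oui.txt-style excerpt containing the two Linksys prefixes named in the message plus one made-up wired-NIC vendor, parses a constructed `arp -a`-style table in the format quoted above, and reports hosts whose vendor matches a watch list. The watch list and the sample data are assumptions for illustration; as the post notes, a hit only means "a Linksys NIC is on this port", so the result is a triage list to trace to a switch port, not proof of an AP.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt in the layout of the IEEE oui.txt registry. The two
# Linksys prefixes are the ones named in the post; "AA-BB-CC" is a made-up
# entry standing in for an ordinary wired-NIC vendor.
OUI_TXT = """\
00-06-25   (hex)\t\tThe Linksys Group, Inc.
000625     (base 16)\t\tThe Linksys Group, Inc.
\t\t\t\t17401 Armstrong Ave.
\t\t\t\tIrvine CA 92614
\t\t\t\tUNITED STATES

00-04-5A   (hex)\t\tThe Linksys Group, Inc.
00045A     (base 16)\t\tThe Linksys Group, Inc.
\t\t\t\t17401 Armstrong Ave.
\t\t\t\tIrvine CA 92614
\t\t\t\tUNITED STATES

AA-BB-CC   (hex)\t\tExample Wired NIC Co. (constructed entry)
AABBCC     (base 16)\t\tExample Wired NIC Co. (constructed entry)
"""

# Constructed ARP table in the format of Linux `arp -a` output, as quoted
# in the post. The unresolved entry must be skipped, not flagged.
ARP_SAMPLE = """\
? (192.168.0.2) at 00:06:25:A6:35:F5 [ether] on eth0
? (192.168.0.3) at aa:bb:cc:00:11:22 [ether] on eth0
? (192.168.0.9) at <incomplete> on eth0
? (192.168.0.17) at 00:04:5a:12:34:56 [ether] on eth0
"""

# Only the "(hex)" lines of oui.txt carry the prefix; the "(base 16)" and
# postal-address lines are ignored.
OUI_LINE = re.compile(r"^([0-9A-F]{2}-[0-9A-F]{2}-[0-9A-F]{2})\s+\(hex\)\s+(.+?)\s*$")
# "(ip) at aa:bb:cc:dd:ee:ff"; "<incomplete>" does not match the MAC pattern.
ARP_LINE = re.compile(r"\((\d+\.\d+\.\d+\.\d+)\) at ([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\b")


def parse_oui_table(text: str) -> Dict[str, str]:
    """Map 'XX-XX-XX' prefixes to vendor names from oui.txt-style text."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        m = OUI_LINE.match(line)
        if m:
            table[m.group(1)] = m.group(2)
    return table


def oui_of(mac: str) -> str:
    """First three octets of a colon-separated MAC, as the registry key 'XX-XX-XX'."""
    return "-".join(mac.upper().split(":")[:3])


def parse_arp(text: str) -> List[Tuple[str, str]]:
    """(ip, mac) pairs from `arp -a` output; entries with no resolved MAC are dropped."""
    pairs: List[Tuple[str, str]] = []
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            pairs.append((m.group(1), m.group(2).lower()))
    return pairs


def find_candidates(arp_text: str, oui_table: Dict[str, str],
                    watch_vendors: List[str]) -> List[Tuple[str, str, str]]:
    """Hosts whose NIC vendor contains a watch-list substring (case-insensitive).

    Returns (ip, mac, vendor) in ARP-table order. Unknown prefixes are reported
    as 'unknown OUI' so a NIC missing from the registry is never silently skipped.
    """
    hits = []
    needles = [w.lower() for w in watch_vendors]
    for ip, mac in parse_arp(arp_text):
        vendor = oui_table.get(oui_of(mac), "unknown OUI")
        if any(n in vendor.lower() for n in needles):
            hits.append((ip, mac, vendor))
    return hits


if __name__ == "__main__":
    table = parse_oui_table(OUI_TXT)
    for ip, mac, vendor in find_candidates(ARP_SAMPLE, table, ["Linksys"]):
        print(f"{ip:15} {mac}  {vendor}  -> trace switch port")
```

On a real survey you would feed it the ARP or CAM tables collected from every router and switch, and the full oui.txt rather than the excerpt; the watch list is where local knowledge goes in (vendors you never buy wired cards from, or prefixes you know belong to 802.11 product lines).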

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:22 EDT