RE: MORE: Tools for Detecting Wireless APs - from the wire side.

From: R. DuFresne (dufresne@sysinfo.com)
Date: Wed Jun 12 2002 - 23:13:14 EDT

• Next message: Krish Ahya: "Re: Sniff/Source Route Cisco Router Traffic?"
• Previous message: Jason: "hacking a NT domain after the member server"
• In reply to: John Adams: "RE: MORE: Tools for Detecting Wireless APs - from the wire side."
• Next in thread: ed d: "RE: MORE: Tools for Detecting Wireless APs - from the wire side."
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

On Tue, 11 Jun 2002, John Adams wrote:

> On Tue, 11 Jun 2002, ed d wrote:
>
> > depending on how the clients in your network get their ip addresses, you
> > might be able to search through your dhcp logs and pull all of the ap mac
> > addresses.
> >
> > this discounts rogue aps with statics, but if i was to drop a rogue ap into
> > a network, i would probably turn on dhcp, then let it go.
>
> Ahh, but this is useless if the AP DHCPs an address and then NATs everyone
> on wireless.
>
> > a good site for mac address/vendor coorelation is:
> > http://standards.ieee.org/regauth/oui/oui.txt
>
> I disagree with the entire "find them by Vendor MAC prefix to find APs"
> approach. Many vendors are assigned blocks of MAC prefixes (look at Cisco,
> for example) and share these blocks between disparate devices, both wired
> and wireless.
>

Actually, I believe they are assigned a number of MAC blocks over time,
thus a search of 3Com MAC's should produce a number of MAC blocks.

http://www.codito.de/manufactor_hash

http://coffer.com/mac_find/

   00068C 3Com Corporation
   000A04 3Com Europe Ltd
   00104B 3com corporation
   00105A 3com corporation
   0020AF 3COM Corporation
   00301E 3COM Europe Ltd.
   005004 3COM CORPORATION
   005099 3com europe, ltd.
   0050DA 3COM CORPORATION
   006008 3com corporation
   00608C 3Com (1990 onwards)
   006097 3Com
   009004 3com europe ltd.
   00A024 3com Corporation
   00D096 3com Europe Ltd.
   00D0D8 3Com Corporation (was: Nomadic Technologies)
   026060 3COM
   02608C 3COM IBM PC; Imagen; Valid; Cisco; Macintosh; Apple
   02C08C 3com corporation
   080002 Bridge (was: 3Com)
   08004E 3com europe ltd.
   3C0000 3Com dual function (V.34 modem + Ethernet) card

Thanks,

Ron DuFrense

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart
testing, only testing, and damn good at it too!
----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

• Next message: Krish Ahya: "Re: Sniff/Source Route Cisco Router Traffic?"
• Previous message: Jason: "hacking a NT domain after the member server"
• In reply to: John Adams: "RE: MORE: Tools for Detecting Wireless APs - from the wire side."
• Next in thread: ed d: "RE: MORE: Tools for Detecting Wireless APs - from the wire side."
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:22 EDT