Re: Detecting Rogues from the wired side

From: Mark Maher (mmaher@ochsner.org)
Date: Fri Jul 14 2006 - 09:57:42 EDT


1) AP fingerprinting using Nessus - use plugin number 11026 (just this
plugin to prevent possible DoS). Scan the ports ranging from 21-80 to
make sure you get SNMP (UDP/69), etc.

2) Wired-side MAC prefix analysis. Remotely query ARP tables on
routers. Collect a database of MAC address prefixes that correspond to
different wireless equipment. Vendors allocate MACs to specific
products (by OUI value). Can also find MAC addresses by: CAM tables on
switches, DHCP server logs, and ARP caches on routers. Then compare the
entries in the ARP table to your database of known prefixes for wireless
equipment. A database of MAC prefixes was at
http://www.ffrf.net/fingerprint (this was used by Kismet to identify
devices), but the site appears to be down. A tool I use to collect the
database of wired MACs is Netdisco (open source - http://netdisco.org).
Netdisco queries routers and switches using SNMP, telnet or CDP, and
writes the output to a PostgreSQL database by MAC and IP addresses for
nodes on the wired and the wireless side.

A big issue I've encountered with wired-side scanning is
false negatives, since not all of the APs can be recognized with stack
fingerprinting and banner analysis. You will also not recognize soft
APs. Wired-side scanning does not completely address the threat of
rogues.

I've used the AirWave RAPIDS product you mentioned and it's impressive
as it provides wired and wireless-side scanning.

Hope this helps.

Mark Maher
Ochsner Health Systems
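As an added illustration of the wired-side OUI comparison Mark describes (this is example code, not part of his post or of Netdisco), the script below parses constructed Cisco-style "show ip arp" output, normalizes the three common MAC notations, and flags entries whose first three octets appear in a prefix table; the prefixes and vendor labels in the table are placeholders, not real OUIs.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed prefix table for this example: placeholders, not real OUIs.
# In practice this is built from a vendor prefix list, as the post describes.
WIRELESS_OUIS: Dict[str, str] = {
    "00:11:22": "ExampleWiFi (consumer AP)",
    "aa:bb:cc": "ExampleNet (wireless bridge)",
}

# Constructed Cisco-style "show ip arp" output, mixing MAC notations.
SAMPLE_ARP = """\
Internet  10.1.1.1    5   0011.2233.4455     ARPA  Vlan10
Internet  10.1.1.37   12  aabb.cc01.0203     ARPA  Vlan10
Internet  10.1.1.50   -   0050.5600.0001     ARPA  Vlan10
Internet  10.1.2.9    3   00-11-22-99-88-77  ARPA  Vlan20
Internet  10.1.2.10   0   Incomplete         ARPA
"""


def normalize_mac(token: str) -> Optional[str]:
    """Accept dotted, dashed or colon notation; return aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", token)
    if len(digits) != 12:
        return None  # e.g. "Incomplete" entries are skipped
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def parse_arp(text: str) -> List[Tuple[str, str]]:
    """Return (ip, mac) pairs from Cisco-style 'show ip arp' lines."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "Internet":
            continue
        mac = normalize_mac(fields[3])
        if mac:
            entries.append((fields[1], mac))
    return entries


def find_suspect_aps(arp_text: str, oui_db=WIRELESS_OUIS):
    """Flag ARP entries whose OUI (first three octets) is a known
    wireless-equipment prefix. Hosts whose OUI is missing from the table
    pass silently: that is the false negative the post warns about."""
    hits = []
    for ip, mac in parse_arp(arp_text):
        vendor = oui_db.get(mac[:8])
        if vendor:
            hits.append((ip, mac, vendor))
    return hits
```

Note that 10.1.1.50 is never reported because its prefix is not in the table, so a second pass that lists OUIs absent from both the wireless table and the inventory of endorsed equipment is the usual way to narrow that gap.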

>>> <kuffya@gmail.com> 07/13/06 6:40 AM >>>
Hi list,

The client has got a huge network to be audited for Rogue Access
Points... the timeframes are tight so we're going to work on the wired
side only, and I've been wondering how to do this more effectively. I
have identified two options:

- Run a 'customized' version of nmap to include only the Wireless AP
signatures in the fingerprint database and investigate on any devices
that are different makes & models from the ones 'officially endorsed'
- Acquire a copy of RAPIDS from Airwave.com... which is supposed to do
just that, and has a large database of Wireless Vendor Fingerprints.
Has anyone used it or do you have any alternative products to suggest?

I'm looking forward to your thoughts, folks.

Many thanks, once again
Stelios
  

------------------------------------------------------------------------------
This List Sponsored by: Cenzic

Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
Choice Award from eWeek. As attacks through web applications continue to rise,
you need to proactively protect your applications from hackers. Cenzic has the
most comprehensive solutions to meet your application security penetration
testing and vulnerability management needs. You have an option to go with a
managed service (Cenzic ClickToSecure) or an enterprise software
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
help you: http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request@cenzic.com for details.
------------------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:17 EDT