Open Source and information security mailing list archives
 
Message-ID: <20050827102630.499d20d7.vtlists@wyae.de>
Date: Sat, 27 Aug 2005 10:26:30 +0200
From: Volker Tanger <vtlists@...e.de>
To: bugtraq@...urityfocus.com
Subject: Re: Tool for Identifying Rogue Linksys Routers


Hi Group!

On Fri, 26 Aug 2005 09:32:31 -0500
Graham Wilson <graham@...od.org> wrote:
>
> > Is there a scanning tool out there that can determine if there are
> > unauthorized Linksys (type) routers in a specific VLAN?

I assume you have not port-locked your switches? Many managed Layer-2
switches can do that. Only allow 1-2 IP addresses per port and
auto-shutdown those exceeding this limit. This way you have an
automatic, continuously running monitoring (and self-punishment) of
people connecting rogue switches/routers. Plus you know where (on which
plug) to search for the system. Won't detect NAT-masquerading routers
that have their external interface connected to LAN, though.

A purely passive approach would be to use ARPWATCH and filter out all
known MAC address headers. Easy if you have a homogeneous network (e.g.
all PCs are Dell), a PITB if you are a wild mishmash (open pool at
university or LAN party). You can even run this from a CRON job. And if
you're really, really thorough you could inventory all your PCs
(semi-automatically) and have an alert for each new MAC address that pops
up.

For a scan you could run arpwatch and then ping all hosts using nmap
(assuming that your network is 192.168.1.*/24 in this example):
 
  # nmap -sP 192.168.1.0/24

Depending on your network architecture you might want to slow that down
with

  # nmap -T polite -sP 192.168.1.0/24

Arpwatch will do the job of collecting all ARP addresses for you.

Bye

Volker

-- 

Volker Tanger    http://www.wyae.de/volker.tanger/
--------------------------------------------------
vtlists@...e.de                    PGP Fingerprint
378A 7DA7 4F20 C2F3 5BCC  8340 7424 6122 BB83 B8CB
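
The passive check described in the message above, as an added example that is not part of the original post: it reads an arpwatch database and reports every MAC that matches neither an allowlisted vendor prefix nor an inventoried address. Assumptions: arp.dat is tab-separated (MAC, IP, timestamp, optional hostname) with MAC octets written without leading zeros; the prefixes, inventory entries and sample rows are constructed.

```python
"""Flag unexpected MAC addresses in an arpwatch arp.dat database."""
import re
import sys

# Constructed allowlist of vendor prefixes (first three octets) expected here.
KNOWN_OUIS = {"00:11:22"}
# Constructed inventory of individually approved MACs (e.g. a printer).
INVENTORY = {"00:aa:bb:01:02:03"}

# Constructed sample in the assumed arp.dat layout:
# MAC <tab> IP <tab> epoch [<tab> hostname]
SAMPLE_ARP_DAT = (
    "0:11:22:a:b:c\t192.168.1.10\t1125130000\tpc10\n"
    "0:aa:bb:1:2:3\t192.168.1.20\t1125130050\tprinter\n"
    "0:de:ad:be:ef:1\t192.168.1.77\t1125130100\n"
    "garbage line\n"
)

MAC_RE = re.compile(r"[0-9a-f]{1,2}(:[0-9a-f]{1,2}){5}")


def normalize_mac(raw):
    """Return a MAC as zero-padded lowercase aa:bb:cc:dd:ee:ff, or None."""
    mac = raw.strip().lower().replace("-", ":")
    if not MAC_RE.fullmatch(mac):
        return None
    return ":".join(octet.zfill(2) for octet in mac.split(":"))


def find_unknown(lines, known_ouis=KNOWN_OUIS, inventory=INVENTORY):
    """Return sorted (mac, ip) pairs that match neither allowlist."""
    unknown = set()
    for line in lines:
        fields = line.rstrip("\n").split("\t")
        mac = normalize_mac(fields[0]) if len(fields) >= 2 else None
        if mac is None:
            continue  # skip blank or malformed lines
        if mac[:8] in known_ouis or mac in inventory:
            continue
        unknown.add((mac, fields[1]))
    return sorted(unknown)


if __name__ == "__main__":
    # Pass the path to arp.dat (location varies by install); with no
    # argument the constructed sample is used instead.
    rows = open(sys.argv[1]).readlines() if len(sys.argv) > 1 else SAMPLE_ARP_DAT.splitlines()
    for mac, ip in find_unknown(rows):
        print(f"unknown device: {mac} at {ip}")
```

Without the zero-padding step, an unpadded arp.dat entry would never match a padded allowlist entry and every host would be reported as unknown.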

