Message-ID: <Pine.LNX.4.63.0508291113350.3430@localhost.localdomain>
Date: Mon, 29 Aug 2005 11:21:29 -0400 (EDT)
From: Gregory Boyce <gboyce@...belly.com>
To: Dave Hull <ireadit@...il.com>
Cc: Bugtraq <bugtraq@...urityfocus.com>,
	"Full-Disclosure \(E-mail\)" <full-disclosure@...ts.netsys.com>
Subject: Re: Tool for Identifying Rogue Linksys Routers


On Fri, 26 Aug 2005, Dave Hull wrote:

> If the Linksys devices are DHCP clients themselves, you might be able
> to use DHCPFingerprint to locate them when they renew their leases.

The only problem with this is that the Linksys is serving out IP addresses 
via DHCP.

Linksys routers generally have a dedicated WAN port, and a few LAN ports. 
They are DHCP clients on the WAN port, and have a configurable DHCP server 
on the LAN ports.

If this device is serving out DHCP addresses to the network, then the LAN 
side of the Linksys is plugged into their network.

Assuming that the main priority here is to stop the rogue DHCP server on 
the network, I would configure a machine with an address in the 
192.168.1.0/24 subnet, and try accessing the device on its default IP 
(192.168.1.1) in a web browser.  The default username/password is often 
"admin"/"admin".  Otherwise you can look up the default by looking online 
for that model (I believe the login link gives the model number).  If they 
haven't changed the password, you can now disable the DHCP server.

Of course you'll still want to track down the device in order to shut off 
the most likely unsecured wireless access to your network.  Since you've 
been accessing the system, you should have the MAC in your ARP cache for 
192.168.1.1.  Other people have mentioned ways to track down the system 
based on the MAC.

--
Greg Boyce
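
Added example, not part of the original message: pulling the MAC for 192.168.1.1 out of a Linux ARP cache and rendering it in the notations commonly used when searching switch tables for it. The sample table and its MAC addresses are constructed, and the function names are hypothetical.

```python
import os

# Constructed sample in /proc/net/arp layout (not captured data).
SAMPLE_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         02:00:5e:10:00:01     *        eth0
192.168.1.50     0x1         0x0         00:00:00:00:00:00     *        eth0
10.0.0.1         0x1         0x2         02:00:5e:10:00:fe     *        eth1
"""
ATF_COM = 0x02  # kernel ARP flag: entry resolved to a hardware address


def parse_arp_table(text):
    """Return {ip: (mac, device)}, skipping unresolved (incomplete) entries."""
    entries = {}
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) != 6:
            continue
        ip, _hw_type, flags, mac, _mask, device = fields
        if int(flags, 16) & ATF_COM:
            entries[ip] = (mac, device)
    return entries


def mac_formats(mac):
    """Render one MAC in the notations commonly seen when searching for it."""
    digits = "".join(c for c in mac.lower() if c not in ":-.")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError("not a 48-bit MAC address: %r" % mac)
    return {
        "colon": ":".join(digits[i:i + 2] for i in range(0, 12, 2)),   # Linux
        "hyphen": "-".join(digits[i:i + 2] for i in range(0, 12, 2)),  # Windows arp -a
        "dotted": ".".join(digits[i:i + 4] for i in range(0, 12, 4)),  # Cisco IOS
    }


def locate(ip, arp_text):
    """Return MAC notations and local interface for ip, or None if unresolved."""
    entry = parse_arp_table(arp_text).get(ip)
    if entry is None:
        return None
    mac, device = entry
    return dict(mac_formats(mac), ip=ip, device=device)


if __name__ == "__main__":
    path = "/proc/net/arp"
    text = open(path).read() if os.path.exists(path) else SAMPLE_ARP
    print(locate("192.168.1.1", text))
```

A result of None means the cache holds no resolved entry for that address, so the device has to be contacted again before the lookup is useful.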