[<prev] [next>] [day] [month] [year] [list]
Message-ID: <Pine.LNX.4.63.0508291113350.3430@localhost.localdomain>
Date: Wed Aug 31 14:47:03 2005
From: gboyce at badbelly.com (Gregory Boyce)
Subject: Re: Tool for Identifying Rogue Linksys Routers
On Fri, 26 Aug 2005, Dave Hull wrote:
> If the Linksys devices are DHCP clients themselves, you might be able
> to use DHCPFingerprint to locate them when they renew their leases.
The only problem with this is that the Linksys is serving out IP addresses
via DHCP.
Linksys routers generally have a dedicated WAN port, and a few LAN ports.
They are DHCP clients on the WAN port, and have a configurable DHCP server
on the LAN ports.
If this device is serving out DHCP addresses to the network, then the LAN
side of the linksys is plugged into their network.
Assuming that the main priority here is to stop the rogue DHCP server on
the network, I would configure a machine with an address in the
192.168.1.0/24 subnet, and try accessing the device on its default IP
(192.168.1.1) in a web browser. The default username/password is often
"admin"/"admin". Otherwise you can look up the default by looking online
for that model (I believe the login link gives the model number). If they
haven't changed the password, you can now disable the DHCP server.
Of course you'll still want to track down the device in order to shut off
the most likely unsecured wireless access to your network. Since you've
been accessing the system, you should have the MAC in your ARP cache for
192.168.1.1. Other people have mentioned ways to track down the system
based on the mac.
--
Greg Boyce
Powered by blists - more mailing lists