
Thread: Tracking Rogue Hosts

  1. #1 thehorse13 (Master-Jedi-Pimps0r & Moderator), Join Date: Dec 2002, Location: Washington D.C. area, Posts: 2,885

    Tracking Rogue Hosts

    This article is excellent for those looking for ways to track rogue hosts on a network. The article describes how to do this the same way that I show Jr. Security Admins how to perform the task, so I can assure you that it is a good read. It also has several links to look up MAC addresses and see what manufacturer is associated with them. This article also deals with rogue WAPs and DHCP servers.

    http://www.securityfocus.com/infocus/1705

    --TH13

    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  2. #2 AO Ancient: Team Leader, Join Date: Oct 2002, Posts: 5,197
    Hoss: Nice read if you run managed switches.... No bloody help to a poor sysadmin of a non-profit who wasn't able to afford managed switches when he built the infrastructure.......

    With only regular switches or hubs, locating a rogue machine is a major headache. I have had need to look for machines in the past and it's a piece of cake following them to the collision domain, but at that point it's kinda like being given a person's address and a map of the USA and told "fetch".....<LOL> If someone was hiding the box as they mentioned then trial and error is the order of the day.

    Here's a brief description of the system I have used - walkie-talkies and an assistant really help save on shoe leather here......

    Sit at any station and ping the offender. Go to your switch and disconnect a physical segment (another switch/hub). Ping the offender. If no reply then it is on the physical segment you pinged. If there is a reply then it is not. Plug back in the unplugged switch. Go to the switch that was connected to and unplug any hubs/switches plugged into it and ping until no reply. Move to that hub that doesn't reply. By now you should be at a switch that has only clients plugged in. Start disconnecting and pinging until no reply. On no reply, trace the cable to the box. When the box is found, locate the owner and a funeral parlor.... The rest is self-explanatory....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  3. #3 phishphreek (AO übergeek), Join Date: Jan 2002, Posts: 4,325
    Very nice read.

    Wouldn't a good way to help prevent someone from just plugging in a box be to filter MAC addresses at the switch? Of course, you'd need managed switches...

    I know it'd be a pain every time you plug in a new box... you'd have to log in to the switch and make the appropriate changes... (easy if you're a small shop... but harder the more people you have to go through)

    It would also be possible for someone to yank out the NIC from another box on the network and put it in their own box. (which you would def. notice when Joe User calls and can't connect)

    Then again... someone could put in a small home broadband router and spoof any MAC they wanted... then let the rest of the boxes plugged into that router NAT out... or worse... an out of box install of a WAP!

    Sorry... just brainstorming over here... waiting for lunch time...

    What are some other possible ways to prevent people from putting up rogue boxes?
    Quitmzilla is a Firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  4. #4 Junior Member, Join Date: Jul 2003, Posts: 19
    I would like to add something on the detection of rogue APs; working as a security engineer on a large network, I find this a very difficult task.

    Because wardriving all the offices is too time-demanding, I've been looking into some other ways of finding rogue APs. The first step is to look through all MAC tables of the switches (and DHCP servers) to see if wireless MACs can be found, but not all APs can be identified by their MAC address.

    I believe that the real challenge starts here: how can you find the rest of the rogue APs?
    At the moment I'm building a scanner that can identify rogue APs by performing OS fingerprinting (hping), banner grabbing, etc. When we first ran this scanner it picked up loads of rogue APs, but again this is only best effort. I still see ways where rogue APs are not picked up by such scanners.

    For now the only solution I see for protecting networks from rogue devices is 802.1x (more ...), but that is not quite here yet.

    Any suggestions on how to improve rogue AP detection?
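The first step posts #1 and #4 describe (pull the switch MAC tables and DHCP leases, then look up each MAC's manufacturer prefix) is easy to automate. The script below is an added example written for this thread; it is not code from the linked article or from any poster. It assumes Cisco-style `show mac address-table` output and a simple `<ip> <mac> <hostname>` lease listing (both constructed samples embedded inline), and its OUI table holds constructed placeholder prefixes that you would replace with entries from the IEEE OUI registry. It goes one step beyond the posts by also flagging access ports that carry more than one MAC, which is the footprint of the home router / NAT box or hub that post #3 worries about, with a list of uplink ports excluded so trunks are not reported.

```python
"""Scan switch MAC tables and DHCP leases for signs of rogue devices (added example).

Assumptions (none of this is from the thread):
  - MAC table lines look like Cisco-style 'show mac address-table' output:
    '<vlan> <mac> <type> <port>'; header and separator lines are skipped.
  - DHCP lease lines look like '<ip> <mac> [<hostname>]'.
  - WIRELESS_OUIS is a constructed placeholder table; load the IEEE OUI
    registry entries for the vendors you care about in real use.
"""
import re
from collections import defaultdict

# Constructed placeholder OUI table (prefix -> vendor label); NOT real IEEE assignments.
WIRELESS_OUIS = {
    "00:aa:01": "ExampleWiFi Corp (placeholder)",
    "00:aa:02": "Example Access Points Ltd (placeholder)",
}

# Constructed sample of 'show mac address-table' output; Gi0/1 is the uplink.
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0000.5e00.5301    DYNAMIC     Fa0/1
  10    00aa.0100.0042    DYNAMIC     Fa0/7
  10    0000.5e00.5302    DYNAMIC     Fa0/9
  10    0000.5e00.5303    DYNAMIC     Fa0/9
  10    0000.5e00.5304    DYNAMIC     Fa0/9
  10    0000.5e00.5305    DYNAMIC     Gi0/1
  10    0000.5e00.5306    DYNAMIC     Gi0/1
"""

# Constructed sample DHCP lease listing: <ip> <mac> <hostname>
DHCP_LEASES = """\
10.0.10.23 00-AA-02-10-20-30 unknown-device
10.0.10.24 00:00:5e:00:53:07 joe-pc
"""


def normalize_mac(raw):
    """Return 'aa:bb:cc:dd:ee:ff' for dotted, dashed or colon forms; None if not a MAC."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw)
    if len(hexdigits) != 12:
        return None
    h = hexdigits.lower()
    return ":".join(h[i:i + 2] for i in range(0, 12, 2))


def oui(mac):
    """First three octets of a normalized MAC, the vendor (OUI) prefix."""
    return mac[:8]


def parse_mac_table(text):
    """Return [(vlan, mac, port)] from MAC-table lines; headers fail MAC parsing and are dropped."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        mac = normalize_mac(parts[1])
        if mac is not None:
            entries.append((parts[0], mac, parts[3]))
    return entries


def parse_dhcp_leases(text):
    """Return [(ip, mac, hostname)] from lease lines; hostname may be empty."""
    leases = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        mac = normalize_mac(parts[1])
        if mac is not None:
            leases.append((parts[0], mac, parts[2] if len(parts) > 2 else ""))
    return leases


def find_suspects(mac_entries, leases, oui_table=WIRELESS_OUIS, uplink_ports=(), max_macs_per_port=1):
    """Return (kind, subject, detail) findings: wireless OUIs and crowded access ports."""
    findings = []
    for vlan, mac, port in mac_entries:                      # 1) wireless vendor prefix on a switch port
        vendor = oui_table.get(oui(mac))
        if vendor:
            findings.append(("wireless-oui", mac, f"vlan {vlan} port {port}: {vendor}"))
    by_port = defaultdict(set)
    for _vlan, mac, port in mac_entries:
        by_port[port].add(mac)
    for port, macs in sorted(by_port.items()):                # 2) many MACs behind one access port
        if port not in uplink_ports and len(macs) > max_macs_per_port:
            findings.append(("multi-mac-port", port, f"{len(macs)} MACs on one access port: {sorted(macs)}"))
    for ip, mac, host in leases:                              # 3) wireless vendor prefix in DHCP leases
        vendor = oui_table.get(oui(mac))
        if vendor:
            findings.append(("wireless-oui-dhcp", mac, f"{ip} ({host or 'no hostname'}): {vendor}"))
    return findings


if __name__ == "__main__":
    results = find_suspects(parse_mac_table(MAC_TABLE), parse_dhcp_leases(DHCP_LEASES), uplink_ports={"Gi0/1"})
    for kind, subject, detail in results:
        print(f"{kind:18} {subject:20} {detail}")
```

The OUI match is only a hint, as post #4 notes: many devices share consumer vendor prefixes and a router can present any MAC it likes, so treat the output as a work list for the walk-the-cable procedure in post #2 rather than as proof. The multi-MAC check is the more robust signal on an unmanaged edge, since a NAT box that spoofs one MAC still cannot hide the hub behind it from a switch that simply counts addresses per port.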
