-
February 27th, 2004, 07:09 PM
#1
Junior Member
Home routers search
Hey,
I'd like to be able to scan my network and detect if any has plugged in a router (against policy).
I can login to the switch and view the mac addresses, but I haven't been successful in finding a program to identify if the MAC belongs to a linksys router, belkin wireless router, etc.
I can also setup a SPAN port and look at all the traffic, but I'm not sure what to look for to see if someone is using a NAT router off the switch.
Any suggestions?
-
February 27th, 2004, 07:15 PM
#2
Well as far as I know you can't look at a MAC Address and say Ahh theres a linksys BEFSfx 41 router.
Also most routers have the option of cloning a client computers mac address so it looks like its only one computer there.
The only way I would know how to keep track of all this is to get all MAC addressess, and keep a file of them. Then check the network every so often and see if theres a different mac address in there from what you have in your file.
But even that can't guaranty that you'll stop them, cause like I said earlier, routers can copy a mac address from another computer.
-
February 27th, 2004, 07:20 PM
#3
Junior Member
Lets assume that the router isn't cloning the computer's MAC and the user isn't changing the MAC on the router.
-
February 27th, 2004, 07:25 PM
#4
Thats where its nice to have a record of all legal mac addresses on the network.
Then you compare current mac addressess to your legal mac address list.
If you find a mac address thats not on you list then just log into the switch find the IP and deal with it however you need to.
-
February 27th, 2004, 07:30 PM
#5
What platform are you using?
You can use something like "nbtscan" if you have netbios enabled, but output to CSV. Then import to spread sheet and sort by the MAC address fields. Then compare it to the manufacturer list of the NIC.
Get a list of manufacturers @ http://standards.ieee.org/regauth/oui/oui.txt
The first 24bits of the 48bit MAC will be the manufacturer code.
Example: 00-03-47-xx-xx-xx
Then compare it to the list... in this case it is made by. Intel Corporation
Linksys would be something like:
00-04-5A (hex) The Linksys Group, Inc.
00045A (base 16) The Linksys Group, Inc.
17401 Armstrong Ave.
Irvine CA 92614
UNITED STATES
Just remember... there are far more manufacturers than just linksys...
And... linksys does make other products than routers so, you could have more false positives.
Or, you could do a ping scan and then retrieve the MAC addresses using arp -a.
Then compare them.
I'm not sure how big of a cache that arp will keep though.
I'm not aware of any programs that will give you this info across the network.
nmap's OS fingerprinting? But, it won't show up as "linksys"... it'll show up the operating system. Then if you know you only have a couple of linux boxes, then check into those devices a bit more. I know that dlink uses a varient of *nix and pretty sure the linksys does too. Though... I'm not completely positive.
Just a couple of random ideas.
Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.
-
February 27th, 2004, 07:32 PM
#6
Now that you bring up port scanners phish, I did have nmap show me a linksys router once.
Also, I believe languard will almost do the samething. You can download a free trial.
http://www.gfi.com/downloads/downloads.asp?pid=8&lid=1
-
February 27th, 2004, 07:32 PM
#7
Junior Member
It seems that your time would be better spent looking for unusual traffic caused by a router being plugged in, rather than scanning for a device. Just a thought.
Tim Potts
Network Analyst
-
February 27th, 2004, 08:15 PM
#8
The newest version of NMap will ID many of the home type routers for you..... It hasn't been ported to Win32 yet though.
Don\'t SYN us.... We\'ll SYN you.....
\"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides
-
February 27th, 2004, 08:18 PM
#9
Junior Member
Excellent!
In my situation, 99.9% of the computers that are in use on the network are windows machines. I could scan with nmap or languard and which ever one pops up with something other that windows, I can further investigate.
Also, for checking the MAC addresses, I can log into the switch and view the MACs from there; no need to ping/arp. Comparing the MACs to the registered list is what I thought about first, but a test cable/dsl router i have (linksys) has a MAC address matched to some other company.
-
February 27th, 2004, 08:27 PM
#10
Darth: If was was smart enough to be popping my own little linksys on your network against policy the first thing I would be doing is using the MAC spoofing facility built into the linksys so I don;t get caught thus your idea about watching the MAC addresses is flawed.
You could also try P0f here on a DC so you can see the ID's of the machines. Anything coming up as "natted" or unknown should be investigated.
Don\'t SYN us.... We\'ll SYN you.....
\"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|