Home page logo
/

nanog logo nanog mailing list archives

Locating rogue APs
From: John Kristoff <jtk () aharp is-net depaul edu>
Date: Tue, 11 Feb 2003 11:27:28 -0600


Apologies if this ends up on the list multiple times.  I seem to
have trouble getting this posted in a timely fashion.

In general, MAC OUI designations may indicate a particular AP.  IP
multicast group participation may also be used by some APs. Some
APs have a few unique ports open.  Lastly, APs may be found with
a radio on a particular default channel.  All of these potentially
identifying characteristics may be used to help audit the network
for rogue IPs.  Below is information on locating particular APs:

Multicast Groups
----------------
224.0.1.40   Cisco/Aironet (newer versions)
224.0.1.76   Lucent/Avaya
224.1.0.1    Cisco/Aironet

You can locate who group members are by doing the following on a
Cisco router:

  show ip igmp group <group-ip-address>

Protocols/Ports
---------------
Cisco/Aironet APs have two UDP ports open: 2887 and 7777.

Well known AP MAC OUIs
----------------------
0000f0  Samsung
00022d  Lucent (Orinoco)
0002b3  Intel
00032f  Global Sun Technology (Linksys)
00045a  Linksys
0010e7  BreezeCom (BreezeNet)
0020d8  NetWave Technologies (BayNetworks)
003065  Apple
004005  ANI Communications
004096  Aironet
00508b  Compaq
00601d  Lucent (WaveLan)
0090d1  Leichu Enterprise Co. (Addtron)
00a0f8  Symbol Technologies
00e029  Standard Microsystems Corp.
080002  3Com
080046  Sony

Well known AP default channels
------------------------------
4: Lucent
6: Aironet, Compaq, BreezeNet

John


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault