Computer Security - Finding clandestine routers on a network

#1

Hi!

Is there a way with a network port scanner (or other tools) to find clandestine routers like Linksys, SMC Barricade, etc. on a network? I did a search on the Internet to find if this equipment is using a special TCP port or configuration without any success ....

Regards!

L. Cerantola
IT Security
Laval University

LC

#2

On Thu, 27 May 2004 14:36:27 GMT, LC <*email_address_deleted*> wrote:

>Hi!
>
>Is there a way with a network port scanner (or other tools) to find clandestine routers like Linksys, SMC Barricade, etc. on a network? I did a search on the Internet to find if this equipment is using a special TCP port or configuration without any success ....
>
>Regards!
>
>L. Cerantola
>IT Security
>Laval University

I doubt that there's a definitive broadcast issued by a NAT router to identify itself as such. But, using my imagination, I can come up with several ways to start.

If you scan your network, IP address by IP address, and resolve each IP address to MAC address, you can look at each MAC address. MAC addresses are unique, and a portion of each address is unique to a manufacturer. Another portion of the MAC address, depending upon manufacturer, should identify product or model.

A product like Softperfect Network Scanner (free) from <http://www.softperfect.com/> will scan your network, and display all IP addresses in use, and network name used by each address. A NAT router will show in the SNS display, but with no name (mine does anyway).

Looking at the problem from another direction, if you search your network for workstations using a default gateway that you don't know about, you will have the IP address of the illegal router, PLUS the idiots using that illegal router.

This could be kind of fun.

Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.

Chuck

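Added example (not part of the original thread, and not any poster's code): a Python version of the MAC-vendor triage described in post #2, which also flags hosts that return no name. The OUI table and the scan rows are assumed sample values; load the IEEE OUI registry for real use, and note that a router whose WAN MAC has been cloned from a PC will not be caught by the vendor check.

```python
import re

# Assumed sample OUI-to-vendor entries; verify against the IEEE OUI registry.
CONSUMER_ROUTER_OUIS = {
    "00:06:25": "Linksys",
    "00:04:E2": "SMC Networks",
    "00:05:5D": "D-Link",
}

# Constructed scan results: (ip, mac as reported, resolved name or "").
SAMPLE_SCAN = [
    ("10.0.5.10", "00:0B:DB:12:34:56", "LAB-PC-10"),
    ("10.0.5.23", "00-06-25-aa-bb-cc", ""),
    ("10.0.5.31", "0004.e2de.ad01", "printer-3"),
    ("10.0.5.40", "02:11:22:33:44:55", ""),
    ("10.0.5.41", "00:0B:DB:65:43:21", ""),
]

def normalize_mac(mac):
    """Return the MAC as upper-case colon-separated hex, or None if malformed."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(digits) != 12:
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def classify(ip, mac, name):
    """Give one verdict per host; 'ok' means nothing stood out."""
    norm = normalize_mac(mac)
    if norm is None:
        return "malformed-mac"
    # Locally administered bit (0x02 of the first octet): the address was
    # set in software rather than assigned from a vendor's OUI block.
    if int(norm[:2], 16) & 0x02:
        return "locally-administered"
    vendor = CONSUMER_ROUTER_OUIS.get(norm[:8])
    if vendor:
        return "router-vendor:" + vendor
    # A host that answers but offers no name is worth a closer look.
    return "ok" if name else "unnamed"

def triage(scan):
    """Return {ip: verdict} for every host that needs follow-up."""
    return {ip: v for ip, mac, name in scan
            if (v := classify(ip, mac, name)) != "ok"}

if __name__ == "__main__":
    for ip, verdict in triage(SAMPLE_SCAN).items():
        print(ip, verdict)
```
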
#3

"Chuck" <> wrote in message news:...

> On Thu, 27 May 2004 14:36:27 GMT, LC <*email_address_deleted*> wrote:
>
> >Hi!
> >
> >Is there a way with a network port scanner (or other tools) to find clandestine routers like Linksys, SMC Barricade, etc. on a network? I did a search on the Internet to find if this equipment is using a special TCP port or configuration without any success ....
> >
> >Regards!
> >
> >L. Cerantola
> >IT Security
> >Laval University
>
> I doubt that there's a definitive broadcast issued by a NAT router to identify itself as such. But, using my imagination, I can come up with several ways to start.
>
> If you scan your network, IP address by IP address, and resolve each IP address to MAC address, you can look at each MAC address. MAC addresses are unique, and a portion of each address is unique to a manufacturer. Another portion of the MAC address, depending upon manufacturer, should identify product or model.

True, but most "personal" type routers (Linksys, DLink, etc) that I come across nowadays let you spoof the MAC address on the WAN interface.

> A product like Softperfect Network Scanner (free) from <http://www.softperfect.com/> will scan your network, and display all IP addresses in use, and network name used by each address. A NAT router will show in the SNS display, but with no name (mine does anyway).
>
> Looking at the problem from another direction, if you search your network for workstations using a default gateway that you don't know about, you will have the IP address of the illegal router, PLUS the idiots using that illegal router.

Except he won't even see the workstation(s) if it's/they're behind a NAT router, though, unless the user is forwarding traffic to a host behind it or has it set up in a DMZ.

ParrotRob

#4

On Sat, 29 May 2004 18:04:51 -0400, "ParrotRob" <> wrote:

>"Chuck" <> wrote in message news:...
>> On Thu, 27 May 2004 14:36:27 GMT, LC <*email_address_deleted*> wrote:
>>
>> >Hi!
>> >
>> >Is there a way with a network port scanner (or other tools) to find clandestine routers like Linksys, SMC Barricade, etc. on a network? I did a search on the Internet to find if this equipment is using a special TCP port or configuration without any success ....
>> >
>> >Regards!
>> >
>> >L. Cerantola
>> >IT Security
>> >Laval University
>>
>> I doubt that there's a definitive broadcast issued by a NAT router to identify itself as such. But, using my imagination, I can come up with several ways to start.
>>
>> If you scan your network, IP address by IP address, and resolve each IP address to MAC address, you can look at each MAC address. MAC addresses are unique, and a portion of each address is unique to a manufacturer. Another portion of the MAC address, depending upon manufacturer, should identify product or model.
>
>True, but most "personal" type routers (Linksys, DLink, etc) that I come across nowadays let you spoof the MAC address on the WAN interface.
>
>> A product like Softperfect Network Scanner (free) from <http://www.softperfect.com/> will scan your network, and display all IP addresses in use, and network name used by each address. A NAT router will show in the SNS display, but with no name (mine does anyway).
>>
>> Looking at the problem from another direction, if you search your network for workstations using a default gateway that you don't know about, you will have the IP address of the illegal router, PLUS the idiots using that illegal router.
>
>Except he won't even see the workstation(s) if it's/they're behind a NAT router, though, unless the user is forwarding traffic to a host behind it or has it set up in a DMZ.

OK, you're talking about something I wasn't even considering - a bunch of workstations setting up their own subnet, and hiding under a NAT router. I guess we should ask the OP what he's worrying about.

I was thinking somebody secretly setting up a NAT router as a gateway to the internet, and connecting it to their LAN, with workstations bypassing the official proxy server / firewall. You're talking about something totally different.

You're right - a MAC address spoof will hide the router if you're searching by MAC address parsing. And if the miscreants know what they're doing, they can block ICMP probes (pings) from the WAN port on the router. So no detecting by a netscan either.

LC, can you describe your concern in a bit more detail please?

Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.

Chuck

#5

Hi!

My concern is that people are installing these kinds of devices on our network to permit more than one computer by network access (e.g. many computers sharing a single wired (RJ45) or Wireless access point).

Regards!

Chuck wrote:

> On Sat, 29 May 2004 18:04:51 -0400, "ParrotRob" <> wrote:
>
> >"Chuck" <> wrote in message news:...
> >> On Thu, 27 May 2004 14:36:27 GMT, LC <*email_address_deleted*> wrote:
> >>
> >> >Hi!
> >> >
> >> >Is there a way with a network port scanner (or other tools) to find clandestine routers like Linksys, SMC Barricade, etc. on a network? I did a search on the Internet to find if this equipment is using a special TCP port or configuration without any success ....
> >> >
> >> >Regards!
> >> >
> >> >L. Cerantola
> >> >IT Security
> >> >Laval University
> >>
> >> I doubt that there's a definitive broadcast issued by a NAT router to identify itself as such. But, using my imagination, I can come up with several ways to start.
> >>
> >> If you scan your network, IP address by IP address, and resolve each IP address to MAC address, you can look at each MAC address. MAC addresses are unique, and a portion of each address is unique to a manufacturer. Another portion of the MAC address, depending upon manufacturer, should identify product or model.
> >
> >True, but most "personal" type routers (Linksys, DLink, etc) that I come across nowadays let you spoof the MAC address on the WAN interface.
> >
> >> A product like Softperfect Network Scanner (free) from <http://www.softperfect.com/> will scan your network, and display all IP addresses in use, and network name used by each address. A NAT router will show in the SNS display, but with no name (mine does anyway).
> >>
> >> Looking at the problem from another direction, if you search your network for workstations using a default gateway that you don't know about, you will have the IP address of the illegal router, PLUS the idiots using that illegal router.
> >
> >Except he won't even see the workstation(s) if it's/they're behind a NAT router, though, unless the user is forwarding traffic to a host behind it or has it set up in a DMZ.
>
> OK, you're talking about something I wasn't even considering - a bunch of workstations setting up their own subnet, and hiding under a NAT router. I guess we should ask the OP what he's worrying about.
>
> I was thinking somebody secretly setting up a NAT router as a gateway to the internet, and connecting it to their LAN, with workstations bypassing the official proxy server / firewall. You're talking about something totally different.
>
> You're right - a MAC address spoof will hide the router if you're searching by MAC address parsing. And if the miscreants know what they're doing, they can block ICMP probes (pings) from the WAN port on the router. So no detecting by a netscan either.
>
> LC, can you describe your concern in a bit more detail please?
>
> Cheers,
> Chuck
> Paranoia comes from experience - and is not necessarily a bad thing.

L.C.

#6

On Thu, 27 May 2004 14:36:27 GMT, LC <> wrote:

>Hi!
>
>Is there a way with a network port scanner (or other tools) to find clandestine routers like Linksys, SMC Barricade, etc. on a network? I did a search on the Internet to find if this equipment is using a special TCP port or configuration without any success ....
>
>Regards!
>
>L. Cerantola
>IT Security
>Laval University

LC,

NMAP <http://www.insecure.org/nmap/index.html> has various ping, probe, and scan options that should help you identify devices on the network. Even NAT routers blocking ICMP packets can be found if you're devious enough.

Devices like NAT routers, using MAC address spoofing, could masquerade as computers, unfortunately. So using the MAC address to identify routers would be unreliable.

Combining NMAP with SoftPerfect Network Scanner <http://www.softperfect.com/>, you could use Netscan to whitewash most of the devices (IP addresses), then NMAP suspicious ones using some of the exotic options (and NMAP has quite a few possibilities).

The nice thing about Netscan is that it will multithread (up to 100 addresses scanned simultaneously), scan an entire class C subnet in seconds, identify all resources offered by each address found, and generate a text report of what's found. And it's free.

Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.

Chuck

#7

On Mon, 31 May 2004 14:15:16 GMT, *L.C. <> wrote:

>Hi!
>
>My concern is that people are installing these kinds of devices on our network to permit more than one computer by network access (e.g. many computers sharing a single wired (RJ45) or Wireless access point).
>
>Regards!

Kewl. See my other post then.

Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.

Chuck