In a large network, if there is an Ethernet port in the wall, is it possible to tell if a switch or wireless adapter is plugged into it? (I'm talking about the cheap home routers with the built-in switch.) In other words, would packets appear different from those coming from a single computer?
4 Answers
A basic router is both a network switch and another local system with an IP address. Things vary depending on how the router was configured, and how the network was configured, and what level of surveillance is applied.
The "switch" part is nominally undetectable at the software level: a switch is a relay system, which does not have a MAC address, let alone an IP address, and it is passive: it produces no ethernet frame on its own. What the network admin might detect is that a device has been plugged: when a device is plugged, the LED on the network switch at the other end of the wire goes up, indicating an active link. If the router has been plugged into a normally "empty" plug, then this could be detected, at least if the network switches have extended reporting capabilities or the sysadmin is enough of a maniac to count the LEDs on his switches every morning. Correspondingly, the "attacker" (by which I mean "whoever plugged the router") may make himself less detectable by replacing an existing machine with his router: unplug a desktop system (or a printer), put the router in its place. Of course, this makes the unplugged system unavailable, which may show up on the sysadmin radar, depending on what that system usually does.
Then comes the "system with IP address". Now we must look at what a typical home router offers and how it behaves. The router has three kinds of "ports":
- The "uplink port" which is normally linked with the ISP-provided modem (cable, ADSL...).
- The "ethernet switch": the other RJ45 plugs on the router.
- The "WiFi port", i.e. the over-the-air wireless LAN.
Most routers will maintain a bridge between the ethernet ports (other than the uplink port) and the WiFi, so that we may consider, for the purposes of this question, that the WiFi and the ethernet ports are equivalent.
If the attacker links the router's "uplink port" with the corporation network, then the router will automatically request an IP address with DHCP from the network infrastructure. Afterwards, it will do NAT on behalf on machines connected to its other ethernet ports or to the WiFi (the router will itself be a DHCP server on the ethernet/WiFi LAN). This can be detected by the sysadmin through the following ways:
When doing the DHCP request, the router will use its own MAC address, which is distinct from the MAC addresses of the normal systems. A meticulous sysadmin will instruct his DHCP server to give IP addresses only to a given, exhaustive list of known MAC addresses, and to raise alarms when an unknown MAC address is seen. Also, the same sysadmin may configure his switches to simply refuse any packet coming over a given port if that packet has a source MAC address which does not match the MAC address of the desktop system or printer which normally resides on this port.
Let's assume that the DHCP was allowed, or that the router was configured with a static IP address directly; then the router now has an IP address which is part of the local network, but does not react exactly like a normal machine (or printer). OS fingerprinting can be used by the sysadmin (typically with nmap -O), on a regular basis, for all IP addresses which may normally occur on the network (e.g. all the addresses that his DHCP server may normally lease).
The attacker may try to evade the first kind of detection by making his router assume the MAC address of the desktop system or printer which normally uses the plug (typically, his own desktop system). Though every piece of ethernet hardware has its own MAC address, this can be overridden in software. A stock home router will not necessarily offer this feature, but reflashing the router with a better firmware (e.g. OpenWRT) can unlock that kind of manipulation. However, this won't help the attacker against OS fingerprinting. It is very hard to emulate the network behaviour of a Windows system, down to that level, unless the OS is indeed running Windows -- and Windows won't fit in the router.
An alternative way for the attacker is to configure the router NOT to act as a DHCP server on its ethernet/WiFi LAN, and to plug one of its non-uplink ethernet port into the local network. In that case, the router is no longer used as a "router" but as a switch. With this setup, all the machines which connect over WiFi are "as if" they were directly plugged in the local network. This moves the problem of evading detection to these machines.
On the one hand, this allows the attacker to plug back his desktop system in one of the router ethernet ports, so his system will work as usual. At that point, the home router is undetectable. On the other hand, every host which connects to the WiFi becomes subject to the detection powers of the sysadmin, since there is no NAT. The local switches may block the unexpected MAC addresses. The local DHCP server may refuse to give IP addresses to these newcomers.
To sum up, the sysadmin will be able to detect the "router" by doing the following:
- Maintain a list of all "allowed" MAC addresses, and configure the switches to block (and possibly report) unexpected MAC addresses on each switch port. (This requires "intelligent" switches, of course.)
- Configure the local DHCP server to always give a specific IP address for each allowed MAC address. Alternatively, don't use DHCP at all, instead use static IP allocation (but DHCP is convenient to distribute addresses of gateways and DNS, so a full static, DHCP-less scheme may increase sysadmin work).
- Configure switches to report on any IP packet which uses an address which is not part of the list of allowed IP addresses.
- Regularly, run some nmap -O for all allowed IP addresses to see if each machine uses the expected kind of operating system.
With this setup, the sysadmin stands a very good chance of detecting any shenanigans related to a home router plugged in the local network.
At some point, you would have to consider the social side of things. When a user plugs a home router, this is for a reason, which may be legitimate. It is possible that the user wants to give free Internet access to a friend living in the next building; but it is also possible that the user really needs that kind of extra access to do his work. This might be a situation where the presence of a company-sponsored WiFi router, possibly suitably isolated in its own DMZ, could be a good idea. Detecting forbidden actions from users is good; making it so that the said users do not even wish to perform forbidden actions, is better.
You can't detect if it's a wireless access point or not; what you can do is detect that a device was plugged in. With port security you can only allow your corporate devices to be plugged into the network, whereas other detected apparatus will immediately cause the port to be shut down (whitelisting based on MAC address). Note that MAC spoofing is theoretically still possible.
The problem of plugging devices into free ethernet ports in the wall is also a sign of not having enough security awareness. Port security is one line of defense, the second line should be educating your users on corporate security and why they shouldn't be plugging in devices, even when it can be more convenient for them.
Modern NAC solutions use more than just the MAC addresses to identify devices, so it might be possible to identify any rogue devices on the network. Another defense is the wireless NAC that can detect any rogue wireless signal devices. – AdnanG Aug 30 '13 at 11:15
If you are lucky enough to own Fyodor's Nmap Network Scanning book, then you will have a chapter dedicated to this question: "8.8 SOLUTION: Detect Rogue Wireless Access Points on an Enterprise Network", p. 202.
While you cannot detect all access points with 100% certainty, you should be able to detect most of them by scanning and searching for the most common characteristics which distinguish an access point from an expected workstation:
- TCP/IP fingerprinting device type may display it as a WAP, switch or router,
- TCP/IP fingerprinting details may mention terms such as wireless or wap,
- Version detection type will provide the same kind of information as the two points above, but obtained in a different way; the same keywords should be searched for here,
- Vendor name which will be deduced from MAC address, TCP/IP fingerprinting and version detection, may contain strings such as Linksys, Netgear, Belkin, D-Link, etc.
- Hostnames are rarely changed by most end-users and may reveal an access point also due to the presence of some keywords.
As stated above, all this is largely discussed within Fyodor's book and I do not have the intention to copy-paste his work here. If you are not lucky enough to already have this book, I can only strongly suggest buying a copy, since it is really a good investment in a good security book which goes well beyond an "nmap manpage-like" book.
In any case, you now have the general idea over which you can build your very own solution.
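The keyword search this answer describes, and the periodic nmap -O check proposed in the first answer, can be automated over nmap's XML output (nmap -O -oX scan.xml). This is an added example, not code from either answer or from the book; the XML below is constructed sample data, and the keyword lists are assumptions a site would tune.

```python
# Added example (not from the answers): scan nmap -O output saved with
# -oX for access-point indicators. The XML below is constructed sample data.
import re
import xml.etree.ElementTree as ET

SUSPECT_TYPES = {"wap", "router", "switch", "bridge"}   # nmap osclass types
SUSPECT_WORDS = re.compile(
    r"wireless|wap|wrt|linksys|netgear|belkin|d-link|tp-link|openwrt", re.I)

SAMPLE_XML = """<nmaprun>
<host><address addr="10.0.0.15" addrtype="ipv4"/>
 <address addr="00:11:22:33:44:55" addrtype="mac" vendor="Dell"/>
 <hostnames><hostname name="ws-accounting-03" type="PTR"/></hostnames>
 <os><osmatch name="Microsoft Windows 7" accuracy="98">
  <osclass type="general purpose" vendor="Microsoft" osfamily="Windows"/>
 </osmatch></os></host>
<host><address addr="10.0.0.77" addrtype="ipv4"/>
 <address addr="c0:ff:ee:00:00:01" addrtype="mac" vendor="Linksys"/>
 <hostnames><hostname name="WRT54G" type="PTR"/></hostnames>
 <os><osmatch name="Linksys WRT54G wireless broadband router" accuracy="96">
  <osclass type="WAP" vendor="Linksys" osfamily="embedded"/>
 </osmatch></os></host>
</nmaprun>"""

def suspect_hosts(xml_text):
    """Return {ip: [reasons]} for hosts that look like an AP/router."""
    findings = {}
    for host in ET.fromstring(xml_text).iter("host"):
        ip, reasons = None, []
        for addr in host.iter("address"):
            if addr.get("addrtype") == "ipv4":
                ip = addr.get("addr")
            elif SUSPECT_WORDS.search(addr.get("vendor", "")):
                reasons.append("MAC vendor: " + addr.get("vendor"))
        for hn in host.iter("hostname"):
            if SUSPECT_WORDS.search(hn.get("name", "")):
                reasons.append("hostname: " + hn.get("name"))
        for cls in host.iter("osclass"):
            if cls.get("type", "").lower() in SUSPECT_TYPES:
                reasons.append("device type: " + cls.get("type"))
        for m in host.iter("osmatch"):
            if SUSPECT_WORDS.search(m.get("name", "")):
                reasons.append("OS match: " + m.get("name"))
        if ip and reasons:
            findings[ip] = reasons
    return findings
```

Run it against a real scan by reading the -oX file into `suspect_hosts`; a host is reported once for each indicator that matched, so a workstation whose vendor string happens to match a keyword shows up with a single reason rather than four.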
If you plug a switch into the wall there and plug multiple computers/devices into the switch you will be able to see multiple MAC addresses on that network port.
If you plug a NAT device (home router) into the port and plug everything into the NAT device, it will look like the NAT device is the only thing plugged in from the upstream switch's point of view (one MAC address is all it sees) but there are ways through packet analysis to determine that that device is in fact providing NAT services to other devices.
The primary method of NAT detection is through TTL. But there is also protocol analysis, watching for host names, OS fingerprinting, and so on. So in short, yes, you can detect differences in the packets.
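The two signals this answer names (several MAC addresses behind one port for a plain switch, and decremented TTLs for a NAT box) can be checked from per-port traffic records. This is an added example, not the answer's own code; the records and port names below are constructed, and the set of initial TTL values is an assumption (64 for Linux/macOS, 128 for Windows, 255 for network gear).

```python
# Added example (not from the answer): look for a switch (several source MACs
# on one port) or a NAT box (TTLs one hop below a standard initial value,
# or several initial-TTL classes behind one MAC) in constructed flow records.
from collections import defaultdict

INITIAL_TTLS = (64, 128, 255)          # Linux/macOS, Windows, network gear (assumed)

# Constructed records: (switch port, source MAC, source IP, observed IP TTL)
SAMPLE = [
    ("Gi1/0/3", "00:11:22:33:44:55", "10.0.0.15", 128),  # normal Windows desktop
    ("Gi1/0/3", "00:11:22:33:44:55", "10.0.0.15", 128),
    ("Gi1/0/7", "00:11:22:33:44:66", "10.0.0.21", 64),   # plain switch: two MACs
    ("Gi1/0/7", "00:11:22:33:44:67", "10.0.0.22", 128),
    ("Gi1/0/9", "c0:ff:ee:00:00:01", "10.0.0.77", 127),  # NAT: Windows host, 1 hop
    ("Gi1/0/9", "c0:ff:ee:00:00:01", "10.0.0.77", 63),   # NAT: Linux host, 1 hop
    ("Gi1/0/9", "c0:ff:ee:00:00:01", "10.0.0.77", 64),   # the router itself
]

def ttl_hops(ttl):
    """Hops from the nearest plausible initial TTL (0 = sent by a directly
    attached host, 1 = one router in between, ...)."""
    return min(init - ttl for init in INITIAL_TTLS if init >= ttl)

def analyse(records):
    """Return {port: [findings]} for ports that look like more than one host."""
    macs = defaultdict(set)
    ttls = defaultdict(set)
    for port, mac, _ip, ttl in records:
        macs[port].add(mac)
        ttls[(port, mac)].add(ttl)
    findings = defaultdict(list)
    for port, seen in macs.items():
        if len(seen) > 1:
            findings[port].append("%d source MACs: likely a switch" % len(seen))
        for mac in seen:
            hops = {ttl_hops(t) for t in ttls[(port, mac)]}
            if hops - {0}:
                findings[port].append("%s sends TTLs decremented by %s: likely NAT"
                                      % (mac, sorted(hops - {0})))
            classes = {t + ttl_hops(t) for t in ttls[(port, mac)]}
            if len(classes) > 1:
                findings[port].append("%s mixes initial TTLs %s: several OSes behind it"
                                      % (mac, sorted(classes)))
    return dict(findings)
```

The records must come from the local segment (a mirror of the access port or the switch's own counters); traffic that has already crossed other routers would show decremented TTLs for ordinary reasons.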