Network Chemistry has released a tool to help find rogue Wireless Access Points on your network, called RogueScanner. It’s a Windows-only tool, available as source code, as a command-line tool or with a GUI. Below is a screen shot of the GUI.

I tried it out and it’s not a bad tool for free. It has the ability to query Cisco, Juniper, Extreme and other switches to get their MAC tables, which is useful if you are on a switched network. The one thing I do not like about it is that it does not have a local database of vendor MAC codes, like the IEEE OUI list. Instead it has a SOAP interface that phones home to classify the MAC address. If I don’t agree with the classification I can click the “No, I know better” button and override the vendor name; it apparently overrides the master database. The tool identified the Intel Pro 1000 adapter in my Dell workstation as manufactured by Dell, so the NIC vendor and the PC vendor are getting mixed up. Also, I can’t tell if RogueScanner only transmits enough of the MAC to identify the vendor (only the first three octets, the OUI, are needed) or if it transmits the whole MAC. Yes, I am paranoid; thank Uncle Sam for that.
Overall it is a good idea and something I would like to see in more commercial Security / IPS products. It’s not that hard to implement. There is an excellent Perl module just for this task, Net::MAC::Vendor by Brian Foy. You could probably extend ArpWatch to include this type of check.
I used to download the AP_Manuf list from Kismet (when it was updated) and use the MACs with in-line Snort. Then I would add something like this to iptables:
# Flush, delete and recreate the chain in the mangle table so the script can be re-run
# (the first two commands complain on the very first run, when the chain does not exist yet)
iptables -t mangle -F apfilter
iptables -t mangle -X apfilter
iptables -t mangle -N apfilter
# Send inbound TCP traffic on eth0 through the chain
iptables -t mangle -I PREROUTING -i eth0 -p tcp -j apfilter
# The chain lives in the mangle table, so every rule appended to it needs -t mangle too.
# Frames from the listed source MACs (example values) leave the chain without being logged
iptables -t mangle -A apfilter -m mac --mac-source 00:11:22:33:44:55 -j RETURN
iptables -t mangle -A apfilter -m mac --mac-source 11:22:33:44:55:AA -j RETURN
iptables -t mangle -A apfilter -m mac --mac-source 22:33:44:55:AA:11 -j RETURN
iptables -t mangle -A apfilter -m mac --mac-source 33:44:55:00:11:22 -j RETURN
iptables -t mangle -A apfilter -m mac --mac-source 44:55:00:11:22:33 -j RETURN
# Everything else is logged at debug level with a recognisable prefix
iptables -t mangle -A apfilter -j LOG --log-prefix "AP Mac Filter:" --log-level 7
It’s been a long time since I did that. Those commands are probably not production-ready; they are examples only. I am sure there was a more efficient way to do it as well. I’ll be the first to say I am no iptables guru.
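As an added example (not part of the original post or of RogueScanner), the local OUI lookup described above: it parses the layout of the IEEE oui.txt file, classifies a MAC from its first three octets only, and combines a vendor watch list with an allowlist of known addresses in the spirit of the iptables chain. The OUI entries, vendor names and MAC addresses below are constructed for the example, not real assignments.

```python
import re

# Constructed excerpt in the layout of the IEEE oui.txt file (not real assignments)
OUI_TXT = """\
00-11-22   (hex)\t\tExampleAP Networks
001122     (base 16)\t\tExampleAP Networks

AA-BB-CC   (hex)\t\tExample NIC Corp
AABBCC     (base 16)\t\tExample NIC Corp
"""

# Vendors that mostly ship access points (the role Kismet's AP_Manuf list played); constructed
AP_VENDORS = {"ExampleAP Networks"}

# Addresses allowed to stay quiet, like the RETURN rules in the iptables chain; constructed
KNOWN_APS = {"00:11:22:33:44:55"}

# Only the "(hex)" lines of oui.txt carry the dash-separated prefix we want
OUI_LINE = re.compile(r"^([0-9A-F]{2})-([0-9A-F]{2})-([0-9A-F]{2})\s+\(hex\)\s+(.+?)\s*$")


def load_oui(text):
    """Parse oui.txt text into a local table {"001122": "Vendor"}; nothing leaves the host."""
    table = {}
    for line in text.splitlines():
        m = OUI_LINE.match(line.strip())
        if m:
            table["".join(m.group(1, 2, 3))] = m.group(4)
    return table


def normalize_mac(mac):
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or 0011.2233.4455; return upper-case colon form."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def classify(mac, table):
    """Return (vendor, verdict). The lookup uses the 24-bit OUI only, never the full address."""
    norm = normalize_mac(mac)
    vendor = table.get(norm.replace(":", "")[:6], "unknown")
    if norm in KNOWN_APS:
        return vendor, "known-ap"
    if vendor in AP_VENDORS:
        return vendor, "rogue-ap-candidate"
    return vendor, "host"
```

Feed the real oui.txt into load_oui and the switch MAC tables into classify to get the same vendor classification without the phone-home step.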
–Chris
Technorati Tags: MAC, rogue wireless, access point, iptables
August 2nd, 2006 at 12:24 am
Yet another great find!
Just another one to add to my toolkit.
Thanks, Chris!
Tony