Hi Geeks,

TCP ways to Detect Rogue Access Points (APs)

If rogue APs are plugged into your network, they will decrement the TTL
value by one in every packet that traverses the access point. This
makes their presence easy to detect with p0f, tcpdump or snort by
looking for packets whose TTL values are lower than expected. The same
check also catches unauthorized routers, virtual machine images, bad
network stack configurations, etc. It won't detect APs that aren't
plugged into your network, and it has gaps (for instance, a savvy
individual could modify the TTL they use before sending packets out),
but it is a quick and "dirty" method of detection. The advantage of
looking for bad TTLs is that you also get advance detection of network
problems.

You can profile your network and find the legitimate TTL values by
running tcpdump -v and verifying the output against a network diagram
(each router, NAT device, etc. will lower the TTL by 1).
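Here is an added example of that check, not from the original post: it parses the two-line records printed by tcpdump -v, looks up each source address in a per-subnet TTL baseline, and flags packets whose TTL is lower than the baseline allows. The sample capture and the BASELINE table are constructed for illustration; in practice the baseline comes from your own network diagram.

```python
import ipaddress
import re

# Constructed sample of `tcpdump -v` output (not a real capture): the first
# line of each record carries the TTL, the second the source/destination.
SAMPLE = """\
10:00:01.000001 IP (tos 0x0, ttl 64, id 1, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.10.51000 > 10.0.0.5.443: Flags [S], seq 1, win 64240, length 0
10:00:01.000002 IP (tos 0x0, ttl 128, id 2, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.1.20.51001 > 10.0.0.5.443: Flags [S], seq 1, win 65535, length 0
10:00:01.000003 IP (tos 0x0, ttl 63, id 3, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.30.51002 > 10.0.0.5.443: Flags [S], seq 1, win 64240, length 0
10:00:01.000004 IP (tos 0x0, ttl 61, id 4, offset 0, flags [DF], proto TCP (6), length 60)
    172.16.5.7.51003 > 10.0.0.5.443: Flags [S], seq 1, win 64240, length 0
"""

# Hypothetical baseline derived from the network diagram: for each source
# subnet, the TTL values a sniffer at this vantage point should observe.
BASELINE = {
    ipaddress.ip_network("192.168.1.0/24"): {64, 128},  # same segment: initial TTLs
    ipaddress.ip_network("172.16.5.0/24"): {62, 126},   # two routers away
}

HDR = re.compile(r"^\S+ IP \(.*?\bttl (\d+),")
SRC = re.compile(r"^\s+(\d+\.\d+\.\d+\.\d+)\.\d+ >")

def parse_tcpdump_v(text):
    """Yield (src_ip, ttl) for each two-line tcpdump -v packet record."""
    lines = text.splitlines()
    for hdr, body in zip(lines, lines[1:]):
        h, s = HDR.match(hdr), SRC.match(body)
        if h and s:
            yield ipaddress.ip_address(s.group(1)), int(h.group(1))

def find_low_ttl(text, baseline=BASELINE):
    """Return [(src, ttl, expected)] for packets whose TTL is below a baseline value
    for the source subnet without matching any expected value (an extra hop)."""
    alerts = []
    for src, ttl in parse_tcpdump_v(text):
        for net, expected in baseline.items():
            if src in net and ttl not in expected and ttl < max(expected):
                alerts.append((str(src), ttl, sorted(expected)))
    return alerts

if __name__ == "__main__":
    import sys  # usage: tcpdump -nv -i eth0 | python ttl_check.py
    for src, ttl, expected in find_low_ttl(sys.stdin.read()):
        print(f"low TTL {ttl} from {src}, expected one of {expected}")
```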

@ SANS

Cheers,
0xN41K

-- 
You received this message because you are subscribed to the Google Groups 
"nforceit" group.