An obvious idea that was not directly mentioned is to attempt to connect to the management ports (Cisco Aironet APs can have telnet and HTTP enabled, as well as SNMP) of the various APs and banner grab (of course, if access control mechanisms are in place, this could skew your results). In light of this idea, it would be nice to see the default services, banners, and unique ICMP, TCP, and UDP responses of the different APs centrally documented so our fellow professionals could learn to recognize these devices faster. Also, certainly some type of sniffing on the wired LAN could be used to gather AP MAC addresses as well as clear-text HTTP management of the AP through strings such as (assuming Aironet) GET /SetWEP_Keys.shm and others. If the AP environment is using a RADIUS server for authentication, such as Cisco's LEAP or EAP, EAP-TTLS, etc., you could sniff the RADIUS Access-Request and obtain info about the AP that way (I don't have a trace handy at the moment, so I can't give any more info). Of course, the usual issues related to sniffing apply, but these are a few additional ideas.
Curt Wilson
Security Engineer

This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service.
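As an added illustration of the RADIUS idea above (example code, not part of the original post), the following Python decodes the attributes of a RADIUS Access-Request that name the NAS, i.e. the access point (RFC 2865 attribute types; the Called-Station-Id convention "AP-MAC:SSID" follows RFC 3580), and flags any NAS address that is not in a known AP inventory. The packets, addresses and MACs are constructed samples, and the authenticator field is left zeroed because no shared secret is involved in reading these attributes.

```python
import struct
from typing import Dict, Iterable, List, Tuple

RADIUS_ACCESS_REQUEST = 1          # RFC 2865 packet code
# Attribute types (RFC 2865) that tell a defender which NAS/AP sent the request.
ATTR_NAMES = {1: "User-Name", 4: "NAS-IP-Address", 5: "NAS-Port",
              30: "Called-Station-Id", 31: "Calling-Station-Id", 32: "NAS-Identifier"}


def parse_access_request(pkt: bytes) -> Dict[str, str]:
    """Return the NAS-identifying attributes of one RADIUS UDP payload, or {} if it is
    not a well-formed Access-Request (wrong code, short header, bad length)."""
    if len(pkt) < 20:
        return {}
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != RADIUS_ACCESS_REQUEST or length < 20 or length > len(pkt):
        return {}
    attrs: Dict[str, str] = {}
    pos = 20                                          # skip code/id/length/authenticator
    while pos + 2 <= length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            break                                     # malformed attribute: stop, do not guess
        value = pkt[pos + 2:pos + alen]
        name = ATTR_NAMES.get(atype)
        if name == "NAS-IP-Address" and len(value) == 4:
            attrs[name] = ".".join(str(b) for b in value)
        elif name:
            attrs[name] = value.decode("ascii", errors="replace")
        pos += alen
    return attrs


def build_access_request(ident: int, attrs: List[Tuple[int, str]]) -> bytes:
    """Assemble a constructed sample Access-Request (authenticator zeroed, test data only)."""
    body = b""
    for atype, val in attrs:
        raw = bytes(int(o) for o in val.split(".")) if atype == 4 else val.encode()
        body += bytes([atype, 2 + len(raw)]) + raw
    return struct.pack("!BBH", RADIUS_ACCESS_REQUEST, ident, 20 + len(body)) + bytes(16) + body


def unknown_aps(packets: Iterable[bytes], known_nas_ips: set) -> Dict[str, Tuple[str, str]]:
    """Map each NAS IP absent from the inventory to (NAS-Identifier, AP MAC from Called-Station-Id)."""
    found: Dict[str, Tuple[str, str]] = {}
    for pkt in packets:
        a = parse_access_request(pkt)
        nas_ip = a.get("NAS-IP-Address")
        if nas_ip and nas_ip not in known_nas_ips:
            ap_mac = a.get("Called-Station-Id", "").split(":")[0]
            found[nas_ip] = (a.get("NAS-Identifier", ""), ap_mac)
    return found


# Constructed sample traffic: one inventoried AP and one that is not.
SAMPLE_PACKETS = [
    build_access_request(7, [(1, "alice"), (4, "10.0.5.21"), (32, "ap-floor2"),
                             (30, "00-11-22-AA-BB-CC:corp"), (31, "00-11-22-11-22-33")]),
    build_access_request(8, [(1, "bob"), (4, "10.0.5.99"), (32, "ap-unlisted"),
                             (30, "00-11-22-DD-EE-FF:corp"), (31, "00-11-22-44-55-66")]),
]
KNOWN_NAS_IPS = {"10.0.5.21"}
```

Feed `unknown_aps()` the UDP payloads captured on the RADIUS server's port and anything it returns is an AP authenticating users that your inventory does not know about.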
