
Finding who's on a WLAN...


CJS

Newbie

Posts: 8

Joined: Fri Feb 22, 2008 3:38 pm

Post Mon Feb 25, 2008 10:13 am

Finding who's on a WLAN...

Unfortunately I'm on Windows XP SP2 (wish I were on Linux!)  ;D, so I may be a bit limited in using some of the more high-power networking tools, but I would greatly appreciate advice of how to best keep track of who's using a wireless network I'm on.

For instance, I've used Angry IP Scanner as a simple ping scanning test, but much to my chagrin, it seems that it doesn't always find everyone on the WLAN. I found this out by experimenting with a program called "RogueScanner GUI" from http://www.paglo.com/opensource/roguescanner. It uses techniques like ARP scanning I think as a more comprehensive scan.

One of my questions is, sometimes RogueScanner finds Windows computers on the WLAN that Angry IP Scanner misses, and I thought that unless you go through special trouble to disable ping replies, all Windows computers (and most other computers/devices on a network) would respond to a simple ping test. Is this not true?  ???

I've also experimented with Zenmap (an Nmap GUI) from insecure.org. But I can't figure out how to get Zenmap to return Netbios computer name information. And what is the best way to set up Nmap to detect as many hosts as possible on the WLAN? (e.g. can it do ARP scanning?)

So I could use some expert advice--is there a "definitive" way to determine who's on a network (WLAN in my case), or at least what is the most comprehensive/reliable way of doing this? Thanks for any help!

dean

Post Mon Feb 25, 2008 10:35 am

Re: Finding who's on a WLAN...

Simplest way would be to log into the wireless router/ap and see who is connected.

pseud0

Recruiters

Posts: 210

Joined: Sat Nov 17, 2007 8:26 pm

Location: Detroit, Michigan

Post Mon Feb 25, 2008 6:56 pm

Re: Finding who's on a WLAN...

My immediate reaction was to simply agree with dean. If it is your AP, why can't you just check the resource allocation table? Any system with a full connection has to have registered with the AP to get an IP. That seems to be the short and safe answer. From a networking point of view you also need to ask yourself if the OS has any third party software that would block your ICMP requests (several software firewalls will do this). In regards to Rogue Scanner, you need to take into account that the tool uses far more techniques than just a simple ping sweep. It was initially created as a network mapping tool, and it uses several methods to identify devices. When your ping sweep hits a Windows box with a firewall, it probably just gets killed and you get no response. Rogue Scanner won't stop there as it will hit open ports and read the ARP table of any reachable switches as well. It will then try to ID the device based on the profile of open ports (similar to nmap -O), examine the format of the data packets that are returned (each OS typically makes minor changes that help in identification), or it reads the ARP table and tries to identify a manufacturer based off the MAC address. The other level you need to consider here is that since this is a wireless AP you are going to have other problems. I don't have to register with a network in order to simply throw my wireless card into sniffer mode and grab your radio signal out of the air. The machines doing this are not going to get assigned an IP. You will also have trouble if someone is performing man in the middle attacks (i.e. they grab signals from valid users, run them through their box so they can read the traffic, then reroute the traffic to your AP).
CISSP, CISM, CISA, GCIH, GREM, CEH, HMFIC, KTHXBIROFLCOPTER

Bogwitch

Jr. Member

Posts: 51

Joined: Wed Aug 16, 2006 3:29 am

Post Mon Feb 25, 2008 7:11 pm

Re: Finding who's on a WLAN...

Agreed with dean and pseud0 - the AP might be the first place to start. As pseud0 alluded to, you could run Wireshark or some other sniffer to see if anyone is communicating over the airwaves.
You could always run Linux in a VM if your system is powerful enough and you /really/ do want to run Linux.
CISSP, C|EH, C|HFI

CJS

Newbie

Posts: 8

Joined: Fri Feb 22, 2008 3:38 pm

Post Mon Feb 25, 2008 9:25 pm

Re: Finding who's on a WLAN...

I totally agree that logging into the router is the best idea, but it's a 2WIRE 1000HG; if I use the "view home network" function, it merely tells me the computer names (Netbios info) of all computers that have used the network at any time--not just the computers that are currently using the router. If you happen to know how I can find who is currently connected to the router for the 1000HG, please let me know!

Also, Bogwitch, when you say run Linux as a virtual machine, would you please  point me to some website that could give me step-by-step instructions of how to carry it out? Is it only possible with certain distros of Linux, or can you use any flavor of your choice? My biggest concern is my wireless card is a Trendnet TEW-423PI, and it only came with software to run it on Windows; I've read it's possible to take the Trendnet software drivers and install them in Linux to get my card working, but I don't know exactly how to do this.  :-\ Is this possible for a VM solution?

don

Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Mon Feb 25, 2008 9:47 pm

Re: Finding who's on a WLAN...

Look on page 79 of this manual:

http://www.2wire.com/pages/pdfs/2Wire_1 ... _Guide.pdf

Hope this helps,
Don

PS - I don't have this device. I simply went to 2wire.com, support, documentation, 1000 series. Found it in less than a minute.
CISSP, MCSE, CSTA, Security+ SME

slimjim100

EH-Net Columnist

Posts: 385

Joined: Wed Nov 08, 2006 12:50 pm

Location: Atlanta

Post Mon Feb 25, 2008 10:11 pm

Re: Finding who's on a WLAN...

I would recommend trying Airsnare

http://anti-hacker.info/video/Airsnare/Airsnare.html

is a video I made on it and I feel it does a basic job for finding out who is on the WIFI.

Regards,

Brian
CISSP, CCSE, CCNA, CCAI, Network+, Security+, JNCIA, & MCP

Bogwitch

Jr. Member

Posts: 51

Joined: Wed Aug 16, 2006 3:29 am

Post Tue Feb 26, 2008 3:21 am

Re: Finding who's on a WLAN...

CJS wrote:
Also, Bogwitch, when you say run Linux as a virtual machine, would you please  point me to some website that could give me step-by-step instructions of how to carry it out? Is it only possible with certain distros of Linux, or can you use any flavor of your choice? My biggest concern is my wireless card is a Trendnet TEW-423PI, and it only came with software to run it on Windows; I've read it's possible to take the Trendnet software drivers and install them in Linux to get my card working, but I don't know exactly how to do this.  :-\ Is this possible for a VM solution?


You should be able to use any distro you like, live CDs, pretty much anything. Doesn't even have to be Linux - any Intel based OS will do.

I use VMware but I run server so I get the free version, you could try Microsoft VirtualPC but be warned, it is awful (in comparison).

Once you have the virtualisation software, it's all downhill from there.

As for the network drivers - I spent a long time trying several different cards under Linux until I found one that I was truly happy with, but I run natively under Linux, not inside a VM. When I was using a card that was unsupported, I used NDISWrapper which is the scheme you alluded to of using the Microsoft drivers under Linux. I have not tried this within a virtual machine but logic dictates that it should work. I defer to anyone with first hand experience or more of a clue than me! ;D
CISSP, C|EH, C|HFI

sgt_mjc

Sr. Member

Posts: 294

Joined: Tue Feb 05, 2008 8:34 am

Location: AL

Post Tue Feb 26, 2008 8:55 am

Re: Finding who's on a WLAN...

For actually running the VM, look at VMware Server. It's free and offers USB and better support for Linux than MS Virtual PC. Good luck.
Mike Conway
CISSP
CompTia Security +
C|EH

CJS

Newbie

Posts: 8

Joined: Fri Feb 22, 2008 3:38 pm

Post Tue Feb 26, 2008 10:08 am

Re: Finding who's on a WLAN...

Thanks for your patience, don, you were right--I totally missed that in the manual! Of course getting a list from the router of the computers currently connected should be the best way to find who's on my WLAN.

But just as a sidenote, yesterday I was at my friend's place (he has a Linksys WRT54G), and he was showing me how he can list the people (MAC/Netbios info) connected to his router. But in doing so we found out that for some reason his WRT54G was NOT listing one particular Windows computer that we knew was connected to the WLAN! Anybody else have this happen?  ??? We could even ping the computer and get a response. I hope my 1000HG is more accurate than his router.

Brian, I tried using Airsnare, but it only lists a <1> as the number and name under the network adapters. From the forums, it seems that Airsnare is not compatible with Winpcap 4.x:
http://z3.invisionfree.com/AirSnare/ind ... wtopic=442
Any ideas of how I could get it to work?

So, if I can actually get my wireless card to work on Linux, what programs are you guys alluding to that are best for finding who's on my WLAN?

Kev

Sr. Member

Posts: 428

Joined: Sat Sep 29, 2007 12:26 pm

Post Tue Feb 26, 2008 10:12 am

Re: Finding who's on a WLAN...

As Brian mentioned, Airsnare is a decent way to see who's on your WLAN. Identifying connected clients from their MAC address still produces good results. Just don't trust it to alert you, you should always manually review the logs. Reason being is if someone spoofs a trusted MAC, the alarm won't go off, but you should see two identical MACs with two different IPs in the log. Unfortunately, you will find many routers allow 2 identical MACs to connect but will assign two different IPs if DHCP is being used.

While MAC filtering is a very poor form of security, it's still a reliable way to identify hosts on a WLAN. To be connected on a network, you have to give up your MAC address and it's visible to everyone. Firewalls don't hide it. With tools like Kismet, you can often see clients and their MAC address on a WLAN even when you are outside of that WLAN. Kismet and Nmap for Linux are still my favorite host discovery.
Last edited by Kev on Tue Feb 26, 2008 10:15 am, edited 1 time in total.

eth3real

Sr. Member

Posts: 309

Joined: Wed Feb 27, 2008 10:35 am

Location: US

Post Thu Feb 28, 2008 10:26 am

Re: Finding who's on a WLAN...

The only problem with logging into your AP would be if you are using a separate DHCP server, or if any users have static IP addresses.

If you have a separate DHCP server you should check that instead of the AP.  ;)

If anyone has static IPs, then I would probably go with Nmap (which is available for Windows) or some other IP/port scanner.

You could also use something like Kismet or the aircrack-ng suite to find out who is actively on your WLAN.
Last edited by eth3real on Thu Feb 28, 2008 10:28 am, edited 1 time in total.
Put that in your pipe and grep it!
