[clue-tech] find a lost wireless router?

Jim Ockers ockers at ockers.net
Fri Jun 3 13:26:10 MDT 2005


Hi Glen,

Interesting question.

> I have a (Linksys) WAP/router on my network that I can't find 
> topologically...I know where it is (it's plugged into a hub) physically, 
> but I can't get to the administrative page to secure it. (No one seems 
> to know the IP address or anything.) It doesn't show up in DNS as 
> 'linksys' or anything similar, and I don't have any unaccounted-for 
> names as far as I can tell...

If you can find it physically, then do this:

1. Disconnect it from your LAN.
2. Connect a laptop to it, get an IP address with DHCP.
3. The Linksys router should give out a DHCP lease with its own IP
   address as the "router" (default gateway).
4. Examine your laptop's routing table and identify the default
   gateway.  You should be able to connect to the default gateway IP
   address using a web browser, and that should get you the WAP/router
   administration page.

If you can't find it physically, there are also options.  (See below.)

> Am I thinking too hard? Could this be operating just as a hub and not 
> have an IP address or managing interface of its own?
> 
> And, as a corollary question...what if I did have the MAC address...is 
> there an easy way to resolve that to an IP?

If you have the MAC address AND you have ethernet switches which
maintain a MAC address and IP address tables, you can examine the
switch tables to see if the switches have noticed any IP traffic
from that MAC address.  We have HP 4000M ProCurve switches which do
maintain this kind of table.

If you don't have a managed switch then you can use nmap to do
ping sweeps of all possible IP addresses, and see if you get any
replies from the MAC address you seek.  Suppose everything on your
internal network has a 192.168.1.x IP address.  You can do a ping
sweep as follows:

nmap -sP 192.168.1.0/24

Nmap will try to ping in sequence all IP addresses in that block,
with one ping.  You will get replies from every "normal" thing on
the network.  If something on the network is blocking pings due to
a firewall setting then you won't find it.  Similarly if something
on the network is set to NOARP then you won't find it either.

If your Linksys device will respond to pings and its ARP is working
properly, then you'll find it if you ping it.

By "find" I mean you will have to examine the /proc/net/arp table
to search for the MAC address you seek.  (The arp -an command will
also enumerate entries from the ARP cache.)  Bear in mind ARP
cache entries expire quickly (a few seconds usually) so you should 
be constantly watching your ARP cache as you ping sweep.

If you aren't sure of the IP address that your device has, you can
try a huge ping sweep of the entire internet, but that could take a
long time.  Also I recommend disconnecting your network from the
internet while you are doing any nmap scans of your own network.

Hope this helps,
Jim

P.S. If you can't find the wireless access point physically you can find
it with a spectrum analyzer or an 802.11 client running a sniffer
like Kismet.  You should use a highly directional antenna.  We have
used a 14 dBi parabolic grid (handheld) antenna and a laptop running
Kismet with the "graphical" signal strength meter to find unauthorized
wireless devices.  The directionality of the antenna can allow you to 
zero right in on the antenna of the transmitting device, once you learn
how to use it and interpret the signal strength information.

-- 
Jim Ockers, P.Eng. (ockers at ockers.net)
Contact info: please see http://www.ockers.net/
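The two lookups Jim's reply describes, the default-gateway step (item 4 of the procedure) and the "watch the ARP cache while you ping sweep" step, written out as shell functions. This is an added example, not code from the original post or from Jim. It assumes a Linux host with `ip`, `nmap` and `awk` available and the usual column layout of /proc/net/arp; the sample route and ARP text at the bottom is constructed so the parsing can be exercised without touching a network. Note that `nmap -sP` is the 2005-era spelling of the ping sweep; current nmap accepts `-sn` and still honours `-sP`.

```shell
#!/bin/sh
# Added example (not from the original mailing-list post): the two lookups
# Jim describes, as functions that read either live command output or the
# constructed sample text embedded below.
#
# Assumptions (not stated in the post): Linux, with `ip`, `nmap` and `awk`
# on the PATH, and /proc/net/arp in its usual six-column layout.

# Step 4 of the "found it physically" procedure: pull the default gateway
# out of `ip route show` output (read on stdin).  The gateway is the
# address to point a browser at for the admin page.
default_gateway() {
    awk '$1 == "default" {
            for (i = 1; i <= NF; i++) if ($i == "via") { print $(i + 1); exit }
         }'
}

# "Find" in Jim's sense: given a MAC, print the IP that /proc/net/arp
# (read on stdin) currently maps to it.  Case-insensitive on the MAC.
# Entries with flags 0x0 are unresolved (the kernel asked, nobody
# answered), so they are skipped rather than reported as a hit.
# Prints nothing if the MAC is not in the cache.
ip_for_mac() {
    mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    awk -v want="$mac" 'NR > 1 && $3 != "0x0" && tolower($4) == want { print $1; exit }'
}

# Ping sweep the block while polling the ARP cache once a second, since
# cache entries expire within seconds and a single look afterwards can
# miss the device.  Stops the sweep as soon as the MAC shows up.
# Usage: sweep_for_mac 192.168.1.0/24 00:12:17:ab:cd:ef
sweep_for_mac() {
    net=$1; mac=$2
    nmap -sP "$net" >/dev/null 2>&1 &
    pid=$!
    while kill -0 "$pid" 2>/dev/null; do
        found=$(ip_for_mac "$mac" < /proc/net/arp)
        if [ -n "$found" ]; then
            kill "$pid" 2>/dev/null
            printf '%s\n' "$found"
            return 0
        fi
        sleep 1
    done
    # Sweep finished without a hit during polling; one last look.
    ip_for_mac "$mac" < /proc/net/arp
}

# Constructed sample data (not captured from a real network) so the two
# parsers can be run offline.
SAMPLE_ROUTES='default via 192.168.1.1 dev eth0 proto dhcp metric 100
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.57'

SAMPLE_ARP='IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         00:12:17:ab:cd:ef     *        eth0
192.168.1.20     0x1         0x2         00:0c:29:11:22:33     *        eth0
192.168.1.99     0x1         0x0         00:00:00:00:00:00     *        eth0'

demo() {
    printf 'default gateway: %s\n' \
        "$(printf '%s\n' "$SAMPLE_ROUTES" | default_gateway)"
    printf 'IP for 00:12:17:AB:CD:EF: %s\n' \
        "$(printf '%s\n' "$SAMPLE_ARP" | ip_for_mac 00:12:17:AB:CD:EF)"
    printf 'IP for 00:00:00:00:00:00 (unresolved entry): [%s]\n' \
        "$(printf '%s\n' "$SAMPLE_ARP" | ip_for_mac 00:00:00:00:00:00)"
}

demo
```

Against a live host, `ip route show | default_gateway` gives the address for the browser, and `sweep_for_mac 192.168.1.0/24 <mac>` does the sweep-and-watch loop; a device that drops ICMP or is set NOARP will never appear in the cache, exactly as the reply warns, so an empty result means "not seen", not "not there".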