[clue-tech] find a lost wireless router?

skipworthy skipworthy at realivetech.com
Fri Jun 3 16:20:38 MDT 2005


Thanks for all the suggestions...most of them I already tried...

I tried Jim's idea, and that is pretty useful and cool...couldn't find 
my WAP that way (the MAC didn't show up in arp, but there are a number 
of 'anonymous' entries there)

I didn't have a chance to attach to it physically because that would 
require taking it out of service, and that would interrupt work, which 
is a no-no in this case...so I'll try it over the weekend, I guess.

thanks again

G


Jim Ockers wrote:

>Hi Glen,
>
>Interesting question.
>
>
>>I have a (Linksys) WAP/router on my network that I can't find 
>>topologically...I know where it is (it's plugged into a hub) physically, 
>>but I can't get to the administrative page to secure it. (no one seems 
>>to know the IP address or anything) It doesn't show up in DNS as 
>>'linksys' or anything similar, and I don't have any unaccounted for 
>>names as far as I can tell...
>
>If you can find it physically, then do this:
>
>1. Disconnect it from your LAN.
>2. Connect a laptop to it, get an IP address with DHCP.
>3. The Linksys router should give out a DHCP lease with its own IP address as the 
>"router" (default gateway).
>4. Examine your laptop's routing table and identify the default
>gateway.  You should be able to connect to the default gateway IP
>address using a web browser, and that should get you the WAP/router
>administration page.
>
>If you can't find it physically, there are also options.  (See below.)
>
>
>>Am I thinking too hard? Could this be operating just as a hub and not 
>>have an IP address or managing interface of its own?
>>
>>And, as a corollary question...what if I did have the MAC address...is 
>>there an easy way to resolve that to an IP?
>
>If you have the MAC address AND you have ethernet switches which
>maintain MAC address and IP address tables, you can examine the
>switch tables to see if the switches have noticed any IP traffic
>from that MAC address.  We have HP4000M procurve switches which do
>maintain this kind of table.
>
>If you don't have a managed switch then you can use nmap to do
>ping sweeps of all possible IP addresses, and see if you get any
>replies from the MAC address you seek.  Suppose everything on your
>internal network has a 192.168.1.x IP address.  You can do a ping
>sweep as follows:
>
>nmap -sP 192.168.1.0/24
>
>Nmap will try to ping in sequence all IP addresses in that block,
>with one ping.  You will get replies from every "normal" thing on
>the network.  If something on the network is blocking pings due to
>a firewall setting then you won't find it.  Similarly if something
>on the network is set to NOARP then you won't find it either.
>
>If your Linksys device will respond to pings and its ARP is working
>properly, then you'll find it if you ping it.
>
>By "find" I mean you will have to examine the /proc/net/arp table
>to search for the MAC address you seek.  (The arp -an command will
>also enumerate entries from the ARP cache.)  Bear in mind ARP
>cache entries expire quickly (a few seconds usually) so you should 
>be constantly watching your ARP cache as you ping sweep.
>
>If you aren't sure of the IP address that your device has, you can
>try a huge ping sweep of the entire internet, but that could take a
>long time.  Also I recommend disconnecting your network from the
>internet while you are doing any nmap scans of your own network.
>
>Hope this helps,
>Jim
>
>P.S. If you can't find the wireless access point physically you can find
>it with a spectrum analyzer or an 802.11 client running a sniffer
>like kismet.  You should use a highly directional antenna.  We have
>used a 14 dBi parabolic grid (handheld) antenna and a laptop running
>kismet with the "graphical" signal strength meter to find unauthorized
>wireless devices.  The directionality of the antenna can allow you to 
>zero right in on the antenna of the transmitting device, once you learn
>how to use it and interpret the signal strength information.
>
>  
>
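
Added example, not part of either message: the ARP-table search Jim describes, written as shell functions over a table in /proc/net/arp format. The function names and the sample table are constructed for illustration; accepting any MAC separator or just a vendor prefix goes slightly beyond what the thread describes.

```sh
#!/bin/sh
# Added example (not from the thread): look up a MAC in a /proc/net/arp table.

# Normalise a MAC or MAC prefix: lower-case, separators (- : .) removed.
norm_mac() {
    printf '%s' "$1" | tr 'A-F' 'a-f' | tr -d -- '-:.'
}

# arp_lookup MAC_OR_PREFIX [TABLE]   (TABLE "-" reads standard input)
# Print "ip mac device" for every resolved entry whose hardware address
# starts with the given value, so a vendor prefix works as well as a full MAC.
arp_lookup() {
    want=$(norm_mac "$1")
    awk -v want="$want" '
        NR == 1 { next }                  # header row
        $3 == "0x0" { next }              # unresolved: no ARP reply seen
        {
            mac = tolower($4); gsub(/[-:.]/, "", mac)
            if (index(mac, want) == 1) print $1, $4, $6
        }' "${2:-/proc/net/arp}"
}

# arp_incomplete [TABLE]: addresses that were probed but never answered ARP.
arp_incomplete() {
    awk 'NR > 1 && $3 == "0x0" { print $1 }' "${1:-/proc/net/arp}"
}

# arp_watch MAC: poll the live table once a second until the MAC appears,
# for use in a second terminal while the ping sweep runs (entries expire).
arp_watch() {
    until arp_lookup "$1" | grep .; do sleep 1; done
}

# Constructed sample table; the addresses are made up for illustration.
sample_arp_table() {
    cat <<'EOF'
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         02:00:5e:10:00:01     *        eth0
192.168.1.37     0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.1.245    0x1         0x2         02:00:5e:10:00:f5     *        eth0
EOF
}

# Demo on the sample: a MAC as printed on a device label, dash-separated.
sample_arp_table | arp_lookup 02-00-5E-10-00-F5 -
```

Against the live table, drop the trailing `-` so the functions read /proc/net/arp directly.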



