[clue-tech] find a lost wireless router?

David Anselmi anselmi at anselmi.us
Fri Jun 3 17:56:39 MDT 2005


skipworthy wrote:
> Thanks for all the suggestions...most of them I already tried...
> 
> I tried Jim's idea, and that is pretty useful and cool...couldn't find 
> my WAP that way (the MAC didn't show up in arp, but there are a number 
> of 'anonymous' entries there)

Jim said that if ping was blocked you might not see it.  But even if 
ping is blocked it will probably answer arp (it has to if it has an IP 
that you can connect to).

If the WAP is routing (the wireless NICs are on a different subnet than 
the wired side of the WAP) then any traffic from wireless on the wired 
side will have the WAP MAC address on it.  And you might try ping 
sweeping from both wired and wireless sides.

You can find the first 3 of the MAC (more or less) here:


If you can power cycle the WAP while sniffing on the hub (better to have 
an isolated connection between the WAP and sniffer) you might see 
something.  Perhaps it will ask for a DHCP address, or the time, or 
announce itself somehow.

Dave
> 
> I didn't have a chance to attach to it physically because that would 
> require taking it out of service, and that would interrupt work, which 
> is a no-no in this case...so I'll try it over the weekend, I guess.
> 
> thanks again
> 
> G
> 
> 
> Jim Ockers wrote:
> 
>> Hi Glen,
>>
>> Interesting question.
>>
>>  
>>
>>> I have a (Linksys) WAP/router on my network that I can't find 
>>> topologically...I know where it is (it's plugged into a hub) 
>>> physically, but I can't get to the administrative page to secure it. 
>>> (No one seems to know the IP address or anything.) It doesn't show up 
>>> in DNS as 'linksys' or anything similar, and I don't have any 
>>> unaccounted-for names as far as I can tell...
>>>   
>>
>>
>> If you can find it physically, then do this:
>>
>> 1. Disconnect it from your LAN.
>> 2. Connect a laptop to it, get an IP address with DHCP.
>> 3. The Linksys router should give out a DHCP lease with its own IP 
>> address as the "router" (default gateway).
>> 4. Examine your laptop's routing table and identify the default
>> gateway.  You should be able to connect to the default gateway IP
>> address using a web browser, and that should get you the WAP/router
>> administration page.
>>
>> If you can't find it physically, there are also options.  (See below.)
>>
>>  
>>
>>> Am I thinking too hard? Could this be operating just as a hub and not 
>>> have an IP address or managing interface of its own?
>>>
>>> And, as a corollary question...what if I did have the MAC 
>>> address...is there an easy way to resolve that to an IP?
>>>   
>>
>>
>> If you have the MAC address AND you have ethernet switches which
>> maintain MAC address and IP address tables, you can examine the
>> switch tables to see if the switches have noticed any IP traffic
>> from that MAC address.  We have HP4000M procurve switches which do
>> maintain this kind of table.
>>
>> If you don't have a managed switch then you can use nmap to do
>> ping sweeps of all possible IP addresses, and see if you get any
>> replies from the MAC address you seek.  Suppose everything on your
>> internal network has a 192.168.1.x IP address.  You can do a ping
>> sweep as follows:
>>
>> nmap -sP 192.168.1.0/24
>>
>> Nmap will try to ping in sequence all IP addresses in that block,
>> with one ping.  You will get replies from every "normal" thing on
>> the network.  If something on the network is blocking pings due to
>> a firewall setting then you won't find it.  Similarly if something
>> on the network is set to NOARP then you won't find it either.
>>
>> If your Linksys device will respond to pings and its ARP is working
>> properly, then you'll find it if you ping it.
>>
>> By "find" I mean you will have to examine the /proc/net/arp table
>> to search for the MAC address you seek.  (The arp -an command will
>> also enumerate entries from the ARP cache.)  Bear in mind ARP
>> cache entries expire quickly (a few seconds usually) so you should be 
>> constantly watching your ARP cache as you ping sweep.
>>
>> If you aren't sure of the IP address that your device has, you can
>> try a huge ping sweep of the entire internet, but that could take a
>> long time.  Also I recommend disconnecting your network from the
>> internet while you are doing any nmap scans of your own network.
>>
>> Hope this helps,
>> Jim
>>
>> P.S. If you can't find the wireless access point physically you can find
>> it with a spectrum analyzer or an 802.11 client running a sniffer
>> like kismet.  You should use a highly directional antenna.  We have
>> used a 14 dBi parabolic grid (handheld) antenna and a laptop running
>> kismet with the "graphical" signal strength meter to find unauthorized
>> wireless devices.  The directionality of the antenna can allow you to 
>> zero right in on the antenna of the transmitting device, once you learn
>> how to use it and interpret the signal strength information.
>>
>>  
>>
> 
> _______________________________________________
> CLUE-tech mailing list
> CLUE-tech at clue.denver.co.us
> http://clue.denver.co.us/mailman/listinfo/clue-tech
> 
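
The approach discussed in this thread (sweep the subnet, then look for the WAP's MAC in the ARP cache) can be scripted. The following is an added example, not part of the original messages; the function names, the sample table and every address in it are constructed for illustration, and it assumes a Linux host with `/proc/net/arp`. It matches on a full MAC or just the vendor prefix, and skips incomplete entries where no ARP reply was cached.

```shell
#!/bin/sh
# Added example. Search a Linux ARP cache (/proc/net/arp format) for a MAC
# address or OUI prefix while a ping sweep runs in another terminal.

# Constructed sample in /proc/net/arp layout; all addresses are made up.
sample_arp_table() {
cat <<'EOF'
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         02:00:5e:10:20:30     *        eth0
192.168.1.50     0x1         0x0         00:00:00:00:00:00     *        eth0
192.168.1.77     0x1         0x2         02:AA:BB:01:02:03     *        eth0
EOF
}

# find_mac PREFIX [FILE]  ("-" reads stdin; default is the live cache)
# Prints "IP MAC DEVICE" for every resolved entry whose MAC starts with PREFIX.
find_mac() {
    prefix=$(printf '%s' "$1" | tr 'A-F-' 'a-f:')   # accept 02-AA-BB or 02:aa:bb
    awk -v p="$prefix" '
        NR == 1 { next }                             # column header
        {
            mac = tolower($4)
            # Flags 0x0 or an all-zero MAC: request sent, no ARP reply cached.
            if ($3 == "0x0" || mac == "00:00:00:00:00:00") next
            if (index(mac, p) == 1) print $1, mac, $6
        }' "${2:-/proc/net/arp}"
}

# watch_for_mac PREFIX [SECONDS]
# Entries age out, so poll once a second and report each match only once.
watch_for_mac() {
    n=${2:-60}
    while [ "$n" -gt 0 ]; do
        find_mac "$1"
        sleep 1
        n=$((n - 1))
    done | awk '!seen[$0]++'
}

# Demo on the constructed table; on a real host run: watch_for_mac 02:aa:bb 120
sample_arp_table | find_mac 02-AA-BB -
```

Start `watch_for_mac` first, then run the `nmap -sP` sweep from the quoted message in a second terminal so that short-lived cache entries are caught as they appear.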



