

WiFi .



dryzhavs@cisco.com


WiFi ?


ad-hoc




Linux

TECEWN-2020

© 2010 Cisco and/or its affiliates. All rights reserved.

Cisco Public

USB Rubber Ducky
http://hakshop.myshopify.com/

RSSI, SSID, ..

Switch Port Tracing

802.11n

802.11n - Mixed Mode


11a/g
11n
802.11a/g
11a/g
management control .
802.11n Greenfield Mode
802.11n
, management, control data
11n


Rogue Detector

Classify

Authorized AP

Rogue AP

Client ARP
L2
Trunk Port
Rogue Detector AP
ARP , ..

-
MAC- ARP
NAT APs

Rogue Detector

Rogue Location Discovery Protocol

Classify


Connect as
Client
Managed AP

Rogue AP

Routed/Switched Network

RLDP (Rogue Location Discovery Protocol)


AP
IP IP

Send Packet
to WLC

Controller

Switchport Tracing

Classify


Match
Found

3
CAM
Table

CAM
Table

WCS

1
Show CDP
Neighbors

Managed AP

Rogue AP

WCS Switchport Tracing


CDP , AP,

CAM MAC

NAT


WCS Switchport Tracing


Classify

Tracing



WCS

Switch port tracing started for rogue AP 00:09:5B:9C:87:68


Rogue AP 00:09:5B:9C:87:68 vendor is Netgear
Following MAC addresses will be searched:
00:09:5B:9C:87:68, 00:09:5B:9C:87:67, 00:09:5B:9C:87:69
Following rogue client MAC addresses will be searched:
00:21:5D:AC:D8:98
Following vendor OUIs will be searched:
00:0F:B5, 00:22:3F, 00:1F:33, 00:18:4D, 00:14:6C, 00:09:5B
Rogue AP 00:09:5B:9C:87:68 was reported by following APs: 1140-1
Reporting AP 1140-1 is connected to switch 172.20.226.193
Following are the Ethernet switches found at hop 0: 172.20.226.193
Started tracing the Ethernet switch 172.20.226.193 found at hop 0
Tracing is in progress for Ethernet switch 172.20.226.193
MAC entry 00:09:5B:9C:87:69 (MAC address +1/-1) found.
Ethernet Switch: 172.20.226.193, VLAN: 113, Port: GigabitEthernet1/0/33
Finished tracing all the Ethernet switches at hop 0

Cisco Rogue Management Diagram


Switchport Tracing

Si

Si

Si

Wireless Control
System (WCS)

Wireless
LAN
Controller

RLDP

Rogue
AP

RRM
Scanning

Authorized
AP

Rogue
AP

Rogue
Detector

Rogue
AP


Switchport
Tracing

RLDP

Rogue
Detector

Classify

1. AP

2. IP

3.

4.

Open APs
Secured APs
NAT APs

1. AP

2.
3.
RLDP
4. WLCRLDP

Open APs
NAT APs

100%

1. detector AP Open APs



Secured APs
2. -
NAT APs
MAC WLC
3. -
MACs ARP



WCS

Mitigate

WCS

WCS MSE

WCS

Mitigate

Rogue Client
Authorized AP

De-Auth
Packets

Rogue AP
AP
De-Authentication

local, monitor mode HREAP AP


Classify


SSID
SSID
RSSI


SSID
SSID
RSSI

Classify

Rogue Rule:
SSID: tmobile
RSSI: -80dBm


Friendly

Rogue Rule:
SSID: Corporate
RSSI: -70dBm


Malicious


Unclassified


Mitigate

Mitigate

WCS
WLC

00:09:5b:9c:87:68

1 4



Mitigate

Broadcast Deauth

Broadcast Unicast Deauth

Mitigate

Mitigate

100 2 de-auth (20


)
~100

3
Local Mode

6
Monitor Mode

local mode
3- 1

monitor mode
6- 1


Open Source
:
MadWiFi (http://madwifi-project.org/) open source
Atheros hardware
abstraction layer,
( 36 40)


WiFi Channel 36

Off-Channel Rogue

WiFi Channel 40

Center Frequency:
5.180GHz

Center Frequency:
5.189GHz

Center Frequency:
5.200GHz


WiFi .

CleanAir

Cisco CleanAir



Wi-Fi .
?
Wi-Fi -
2 :
-, = Wi-Fi
-, =


, ,
Wi-Fi

Wi-Fi

Microwave oven

BlueTooth
BlueTooth


bluetooth

Power

Microwave oven

Cisco CleanAir Wi-Fi


78 to 156 kHz

Power

Wi-Fi
. 5 MHz
