ZeteMkaa Posted January 10, 2013 Share Posted January 10, 2013 (edited) Hi All, I've done some test at our clients and it seems that Aruba and Cisco devices are unable to detect a rogue Jasager in there network. We first added a Sitecom router to their network which was detected in about 5 minutes. After that we planted the Jasager in there network but they where unable to detect this rogue accesspoint. Are there any techniques in place that prevents Cisco/Aruba devices from detecting the Jasager ? Thanks in advance. Niels Edited January 10, 2013 by ZeteMkaa Quote Link to comment Share on other sites More sharing options...
Sebkinne Posted January 10, 2013 Share Posted January 10, 2013 Hi All,I've done some test at our clients and it seems that Aruba and Cisco devices are unable to detect a rogue Jasager in there network. We first added a Sitecom router to their network which was detected in about 5 minutes. After that we planted the Jasager in there network but they where unable to detect this rogue accesspoint. Are there any techniques in place that prevents Cisco/Aruba devices from detecting the Jasager ? Thanks in advance. Niels Just to clarify, are you asking of we have taken direct steps to hide the Jasager from Cisco/Aruba devices? In that case, the answer is no. We haven't targeted those companies to "hide" from their detection. My guess is that it is how Karma responds to probe requests. The Cisco/Aruba systems simply don't check for the right things to verify the AP -- or so it seems. I have never tried. Quote Link to comment Share on other sites More sharing options...
LinuxDad Posted January 10, 2013 Share Posted January 10, 2013 Nice, this is a great test for WIPS devices in the secure network boundaries. Thank you for posting this. Quote Link to comment Share on other sites More sharing options...
ZeteMkaa Posted January 10, 2013 Author Share Posted January 10, 2013 Thx for your reply. So the lack of detection is because they do not check for different MAC adresses outside their vendor pool but have them check on SSID and attack options. Found it strange that both vendors were uncapable of detecting such a rogue device, but i love it :D So setting up a whitelist and detecting the rest would be a solution to prevent Jasagers ? Quote Link to comment Share on other sites More sharing options...
telot Posted January 11, 2013 Share Posted January 11, 2013 I am receiving my (completely free!) meraki access point today. It has a featured called "Air Marshal" which is their WIPS (zomg what an awesome name for it right?!). I will be testing karma on the raspberry pi along with the mark3 and mark4 pineapples extensively this weekend and in the coming weeks. Stay tuned! telot Quote Link to comment Share on other sites More sharing options...
kjtw73 Posted January 13, 2013 Share Posted January 13, 2013 Hi All,I've done some test at our clients and it seems that Aruba and Cisco devices are unable to detect a rogue Jasager in there network. We first added a Sitecom router to their network which was detected in about 5 minutes. After that we planted the Jasager in there network but they where unable to detect this rogue accesspoint. Are there any techniques in place that prevents Cisco/Aruba devices from detecting the Jasager ? Thanks in advance. Niels This is actually something that I have been working on over the last week or two (specifically the Aruba Networks side). There were a few things that I came across, this included, that I have started digging into further. Let me ask you this, with the Aruba equipment, what version of AOS are you seeing this in and are you specifically talking about the controller not finding the device or are you also using Airwave? I have been testing on 6.1.3.x as well as some testing on the early release of 6.2.0.2. Jeremy Quote Link to comment Share on other sites More sharing options...
infektiv Posted January 20, 2013 Share Posted January 20, 2013 Can intrusion detection systems pick up deauths from aircrack-ng? Or does admin have to monitor packets on wireshark? Quote Link to comment Share on other sites More sharing options...
kjtw73 Posted January 20, 2013 Share Posted January 20, 2013 Can intrusion detection systems pick up deauths from aircrack-ng? Or does admin have to monitor packets on wireshark? Yes, they can see deauths. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.