Detecting hosts bridging your network to a wireless network

by Justin Clarke

Update: Ron Gula corrected me on this - this is available on the free registered feed.

A little while back I spotted this article on the Tenable Blog while reading my morning RSS feeds - Tenable have added a plugin with the ability to interrogate Windows machines for the wireless SSID that they are currently associated with. Why would this be handy? How about identifying clients on your network that are bypassing network controls by using the local Starbucks' wireless network, and therefore providing a possible entry point back into your network?

This does of course have a few prerequisites:

  • You need the Direct Feed (commercial) of Nessus plugins, or Security Center, to get this functionality. If you're a security professional using Nessus as a core tool you of course have this, don't you? Because then you get all sorts of useful stuff like SCADA plugins, and configuration/compliance auditing.
  • You need to be doing a credentialed scan for the plugin to be able to use WMI to extract this information.

This should be able to give you a point-in-time view of whether hosts that you are scanning are connected to a wireless network when they are scanned. You can then match this against the list of known/authorised SSIDs to identify where clients are associated with unauthorised access points (i.e. the local Starbucks).
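One way to do that matching, as an added example that is not from the original post or from Tenable: it goes a little further than a single scan by keeping results from repeated scans, so each host gets a first-seen and last-seen date per unauthorised SSID. The CSV layout, the SSID allow list and the host addresses are all constructed assumptions; adapt the parsing to whatever your scanner actually exports.

```python
import csv
import io
from collections import defaultdict

# Assumed allow list of corporate SSIDs (constructed values).
AUTHORISED_SSIDS = {"CorpWLAN", "CorpGuest"}

# Constructed sample: one row per host per credentialed scan.
# An empty ssid means the host reported no wireless association.
SAMPLE_EXPORT = """scan_date,host,ssid
2024-03-01,10.0.0.11,CorpWLAN
2024-03-01,10.0.0.12,
2024-03-01,10.0.0.13,Starbucks WiFi
2024-03-08,10.0.0.11,corpwlan
2024-03-08,10.0.0.13,Starbucks WiFi
2024-03-08,10.0.0.14,CorpGuest
"""

def find_unauthorised(export_text, authorised=AUTHORISED_SSIDS):
    """Return {host: {ssid: [first_seen, last_seen, scans_seen]}} for
    every association with an SSID that is not on the allow list."""
    findings = defaultdict(dict)
    for row in csv.DictReader(io.StringIO(export_text)):
        ssid = row["ssid"]
        # Skip hosts with no wireless association at scan time.
        if not ssid.strip():
            continue
        # SSIDs are case-sensitive: "corpwlan" is not "CorpWLAN",
        # so compare exactly rather than case-folding.
        if ssid in authorised:
            continue
        date = row["scan_date"]
        entry = findings[row["host"]].setdefault(ssid, [date, date, 0])
        entry[0] = min(entry[0], date)  # ISO dates sort as strings
        entry[1] = max(entry[1], date)
        entry[2] += 1
    return dict(findings)

def report(findings):
    """Format findings as one line per host/SSID pair."""
    lines = []
    for host in sorted(findings):
        for ssid, (first, last, count) in sorted(findings[host].items()):
            lines.append(f"{host} unauthorised SSID {ssid!r} "
                         f"first={first} last={last} scans={count}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(find_unauthorised(SAMPLE_EXPORT))))
```

A host that only ever shows an authorised SSID is not reported here, which is not the same as verifying the access point it is talking to.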

Does this solve the problem of identifying clients bridging to a wireless network? Well, no - it has a couple of weaknesses:

  • It is at a point in time, so you only have the view of what wireless networks your clients connect to when you're scanning them.
  • This just identifies the SSID, not the access point itself (i.e. the access point's MAC address), so it's still possible it's a rogue access point.

However, it is certainly handy to have this kind of functionality for those who don't necessarily have a full-blown wireless security solution in place.