I am an IT/Networking student doing a work placement in IT Security. I've been asked to help out with a WiFi pilot project. They have implemented Cisco Prime NCS to monitor the network and are getting a lot of "NetStumbler Detected" alarms. I'm thinking that most, if not all, are false positives.
How is this software deciding that these devices are running NetStumbler? The help file suggests that it's detecting anonymous association requests "using the NetStumbler tool." Could these alarms be triggered by ANY client station that is configured to search for open WiFi hotspots? Could this just be default behaviour of some smartphones or tablets?
The alarm description goes something like this:
"It has been determined that <MAC> [Channel: <#>, SSID: <list of various hotspots>] is potentially running NetStumbler."
Ironically, I'm actually running NetStumbler on a laptop right beside an AP and it hasn't been detected.
Also, what would be the difference between "NetStumbler Detected" and "NetStumbler Victim Detected"? I know that "Device Probing For Access Point" is supposed to be the new version of NetStumbler, but I haven't seen that alarm.
That thread would seem to indicate that we ARE picking up NetStumbler signatures...maybe. That would mean that stations are actually associated and authenticated and then sending a data packet with a NetStumbler signature, right?
It doesn't look like the NCS software gives the same alarms as the WCS software. The NCS alarm doesn't say anything about which particular signature it picked up, only that a client is "potentially" running NetStumbler. The help file indicates that the NetStumbler Detected message comes from old versions and that "Device probing for access point" is for recent versions. I'm guessing that the NetStumbler Generic signature is for the "old" versions and the 3.2.0, 3.2.3, 3.3.0 signatures are the "recent" versions. It could be the other way around; there's no explanation one way or the other.
I'm running the most recent NetStumbler, which calls itself 0.4.0. I couldn't find a signature for it, which I assume would be called 4.0.0. It has a copyright date of 2004, so it's 8 years old. It's been running for 6 hours and hasn't been detected.
It turns out we didn't have "Device probing for access point" enabled in the profile. Now that it is enabled, we're getting lots of those alerts as well. That alert looks a lot more generic than "NetStumbler Detected", in that NetStumbler is looking for a data packet with a certain signature, while Device Probing is just looking for authentication requests with no SSID. If that is true, it's going to be a pretty useless alarm, as there are likely dozens of apps out there that "auto-connect" to open WiFi APs.
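To make the distinction drawn above concrete, here is an added example (my own code, not part of the original thread and not Cisco's detection logic) that classifies raw 802.11 frames two ways: a broad "wildcard probe request" check that fires on any client scanning with an empty SSID, and a narrow data-frame payload check of the kind a NetStumbler version signature relies on. The frames are constructed inline, not captured traffic, and the NetStumbler payload strings in `NETSTUMBLER_SIGNATURES` are assumptions taken from commonly published descriptions of versions 3.2.0, 3.2.3 and 3.3.0; verify them against your own signature file before relying on them. The parser handles only non-QoS frames with at most three addresses.

```python
"""Toy 802.11 frame classifier contrasting a broad wildcard-probe alarm with
a narrow payload-signature alarm.  Added example; not Cisco NCS code.  The
signature payloads are assumptions: check them against a real signature file."""
import struct

MGMT, DATA = 0, 2   # 802.11 frame type values
PROBE_REQ = 4       # management subtype for Probe Request

# Assumed NetStumbler data-frame payloads (widely described, but verify locally).
NETSTUMBLER_SIGNATURES = {
    "3.2.0": b"Flurble gronk bloopit, bnip Frundletrune",
    "3.2.3": b"All your 802.11b are belong to us",
    "3.3.0": b" intentionally blank",
}


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def parse_frame(raw):
    """Split a non-QoS 802.11 frame into type/subtype, source MAC and body."""
    fc, = struct.unpack_from("<H", raw, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    to_ds, from_ds = (fc >> 8) & 1, (fc >> 9) & 1
    hdr_len = 30 if (to_ds and from_ds) else 24   # 4-address frames carry addr4
    return {"type": ftype, "subtype": subtype,
            "src": mac_str(raw[10:16]), "body": raw[hdr_len:]}


def parse_ies(body):
    """Walk the tag/length/value information elements of a management body."""
    ies, i = {}, 0
    while i + 2 <= len(body):
        tag, ln = body[i], body[i + 1]
        ies[tag] = body[i + 2:i + 2 + ln]
        i += 2 + ln
    return ies


def classify(raw, signatures=NETSTUMBLER_SIGNATURES):
    """Return 'wildcard-probe', 'directed-probe', 'netstumbler-<ver>' or None."""
    f = parse_frame(raw)
    if f["type"] == MGMT and f["subtype"] == PROBE_REQ:
        ssid = parse_ies(f["body"]).get(0, b"")      # element ID 0 is the SSID
        return "wildcard-probe" if ssid == b"" else "directed-probe"
    if f["type"] == DATA and f["body"][:3] == b"\xaa\xaa\x03":   # LLC/SNAP
        payload = f["body"][8:]                       # skip 8-byte LLC/SNAP header
        for ver, sig in signatures.items():
            if sig in payload:
                return f"netstumbler-{ver}"
    return None


# --- constructed sample frames (not captured traffic) -----------------------

def build_probe_request(src, ssid):
    fc = (MGMT << 2) | (PROBE_REQ << 4)               # 0x0040: Probe Request
    hdr = struct.pack("<HH6s6s6sH", fc, 0, b"\xff" * 6, src, b"\xff" * 6, 0)
    ssid_ie = bytes([0, len(ssid)]) + ssid            # SSID IE (empty = wildcard)
    rates_ie = bytes([1, 1, 0x82])                    # Supported Rates IE, 1 Mbps
    return hdr + ssid_ie + rates_ie


def build_data_frame(src, bssid, payload):
    fc = (DATA << 2) | 0x0100                         # data frame, To-DS set
    hdr = struct.pack("<HH6s6s6sH", fc, 0, bssid, src, bssid, 0)
    llc_snap = b"\xaa\xaa\x03" + b"\x00\x60\x1d" + b"\x00\x01"
    return hdr + llc_snap + payload


AP = b"\x02\x00\x00\x00\x00\xaa"
SAMPLE_FRAMES = [
    build_probe_request(b"\x02\x00\x00\x00\x00\x01", b""),           # phone scanning for any AP
    build_probe_request(b"\x02\x00\x00\x00\x00\x02", b"CorpWiFi"),   # directed probe for a known SSID
    build_data_frame(b"\x02\x00\x00\x00\x00\x03", AP,
                     NETSTUMBLER_SIGNATURES["3.2.3"]),                # associated client, signature payload
    build_data_frame(b"\x02\x00\x00\x00\x00\x04", AP,
                     b"GET / HTTP/1.1\r\n"),                          # ordinary data traffic
]


def run(frames=SAMPLE_FRAMES):
    return [(parse_frame(f)["src"], classify(f)) for f in frames]


if __name__ == "__main__":
    for src, verdict in run():
        print(src, verdict)
```

Only the third frame produces a NetStumbler verdict, and it is a data frame, which a client can only send after it has associated; the first frame, an empty-SSID probe that any auto-connect device emits while scanning, trips the wildcard-probe check alone. That is the gap between the two alarm types in practice.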