
Entry no.: 760

4 Jun 2009, 1:26 PM

Comments: 2

Apple Monitoring AirPort access

Who's there?

As Macintosh computers proliferate and AirPort Wi-Fi base stations are no longer the esoteric boxes they used to be 7 years ago, I hear more and more often the question "How can I monitor my AirPort for intruder access?". Luckily, Mac OS X is built upon UNIX, so all the tools are there, waiting to be used.

Here is a little one-liner, a shell script I wrote a number of years ago and used ever since to monitor the access on different generations of Apple AirPort base stations:

snmpwalk -v 2c -c [SNMP Community String] -Oq [Airport IP] RFC1213-MIB::atPhysAddress | grep -Eo "([0-9a-fA-F]{2} ){5}([0-9a-fA-F]{2})" | tr "[:lower:]" "[:upper:]" | sed -e 's/[\. ]/:/g' -e 's/[MAC address 1]/[Station name 1]/' -e 's/[MAC address n]/[Station name n]/' | sort | awk '{print FNR "\t" $0}'

SNMP access

Before using it, though, you need to prepare your AirPort base station to respond to this script.

In order for the AirPort to allow such inquiry, the SNMP access has to be enabled (to find more about SNMP, you can start with Simple Network Management Protocol's Wikipedia entry).

For this, open AirPort Utility.app, go to Advanced → Statistics, check Allow SNMP (and also Allow SNMP over WAN if you need to check the access list remotely), then fill in the SNMP Community String, which acts like a password for SNMP inquiries, so make it strong enough to withstand dictionary attacks. Update the configuration and, after the AirPort restarts, use the UNIX snmpwalk command in Terminal:

snmpwalk -v 2c -c [SNMP Community String] -Oq [Airport IP] RFC1213-MIB::atPhysAddress

Here you substitute [SNMP Community String] with the SNMP password and [Airport IP] with the AirPort's IP address (both without the square brackets); 'atPhysAddress' is the OID naming the portion of the object identifier space to be walked, in this case the physical address allocation subtree.

The AirPort should reply with a list of MIB values containing the MAC address to IP allocation tables, one string per line.

One MAC address is the internet provider's router you're connected to, the others are the equipment connected—wireless or via Ethernet cable—to your AirPort.

Prettification

You can further isolate the MAC addresses with UNIX grep:

grep -Eo "([0-9a-fA-F]{2} ){5}([0-9a-fA-F]{2})"

and then prettify them with tr and sed:

tr "[:lower:]" "[:upper:]" | sed -e 's/[\. ]/:/g'

And, if you don't want to remember the MAC addresses (especially if there are loads of them in your network), you can write your own MAC address to station name conversion table, again with sed:

sed 's/[MAC address n]/[Station name n]/'

where [MAC address 1] is the MAC address of the wireless card of the first computer you want in the table, in canonical form and upper case (without square brackets), and [Station name 1] is the name you want that MAC address to be substituted with (without square brackets); the same goes for every further station up to n.

If you need to permanently keep an eye on this, you can place the output straight on your desktop with the wonderful GeekTool utility. Just make a new Shell entry, paste the script in there and you're all set.

Red flag

Please note that the script above should not replace basic security measures such as Wi-Fi protected access via WPA or WPA2, MAC address access control, etc.

Comments

Reply no.: 1

21 Jul 2009, 11:02 PM

joe:

Heya, I had a bit of trouble getting this to work... First, the community string for SNMP on newer devices is the access password for the base station. Second, I don't have that OID (...::atPhysAddress), so it was helpful to first pipe to less, and then I used the IP-MIB::ipNetToMediaPhysAddress OID (although it doesn't get through the rest of your prettification pipes and such).

Thanks for this post.

Reply no.: 2

19 Jul 2010, 3:29 AM

stef:

Noob here.

Please explain or provide an example for the comment
"so it was helpful to first pipe to less and then I used the IP-MIB::ipNetToMediaPhysAddress OID"
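As an added example (not part of the original post or its comments), here is the one-liner rewritten as a small script that accepts the value format of both OIDs, the RFC1213-MIB atPhysAddress Hex-STRING used in the post and the colon-separated IP-MIB ipNetToMediaPhysAddress form joe switched to, and lists any MAC that is not in the name table as UNKNOWN. The two output formats, the name table and the snmpwalk sample are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not the original post's script. Reads raw snmpwalk output on
# stdin and accepts both value formats net-snmp is assumed to produce:
#   RFC1213-MIB::atPhysAddress        -> Hex-STRING  "00 1E 52 AB CD EF "
#   IP-MIB::ipNetToMediaPhysAddress   -> 0:1e:52:ab:cd:ef  (no zero padding)
# It prints a numbered, canonical, named list; anything not in the table is
# reported as UNKNOWN, which is the line to watch for on the GeekTool desktop.
# Keep in mind that SNMP v2c sends the community string in cleartext, so
# "Allow SNMP over WAN" exposes it to anyone on the path.

# Constructed name table: "MAC name", canonical upper-case MACs, one per line.
KNOWN_STATIONS='00:1E:52:AB:CD:EF kit-macbook
00:23:DF:01:02:03 office-imac'

# Constructed sample of what the two OIDs return (not a real capture).
SAMPLE_WALK='RFC1213-MIB::atPhysAddress.1.1.192.168.1.1 "00 1E 52 AB CD EF "
RFC1213-MIB::atPhysAddress.1.1.192.168.1.20 "00 23 DF 01 02 03 "
IP-MIB::ipNetToMediaPhysAddress.1.192.168.1.77 0:1e:c2:5:6:7'

# stdin: snmpwalk lines -> stdout: "n<TAB>MAC<TAB>name", sorted, one per MAC
report_stations() {
  # pull out either spelling of a MAC address
  grep -Eo '([0-9a-fA-F]{2} ){5}[0-9a-fA-F]{2}|[0-9a-fA-F]{1,2}(:[0-9a-fA-F]{1,2}){5}' |
  # split on space or colon, zero-pad each byte, upper-case, rejoin with colons
  awk -F'[ :]' '{ for (i = 1; i <= NF; i++) { b = toupper($i); if (length(b) == 1) b = "0" b
                  printf "%s%s", (i > 1 ? ":" : ""), b } print "" }' |
  LC_ALL=C sort -u |
  # look each MAC up in the table; unlisted ones become UNKNOWN
  awk -v table="$KNOWN_STATIONS" '
    BEGIN { n = split(table, rows, "\n")
            for (i = 1; i <= n; i++) { split(rows[i], f, " "); name[f[1]] = f[2] } }
    { print NR "\t" $1 "\t" (($1 in name) ? name[$1] : "UNKNOWN") }'
}

# Only the MACs that are not in the table, one per line (empty when all known).
unknown_stations() {
  report_stations | awk -F'\t' '$3 == "UNKNOWN" { print $2 }'
}

# Stand-alone run on the constructed sample; for a live check feed it the real
# walk instead, e.g.:
#   snmpwalk -v 2c -c "$COMMUNITY" -Oq "$AIRPORT_IP" IP-MIB::ipNetToMediaPhysAddress | report_stations
printf '%s\n' "$SAMPLE_WALK" | report_stations
```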
