Detect Rogue Devices on your Network with CAMScan Tool

CAMScan is a tool that was developed by SecureState’s Research and Innovation department.  CAMScan was designed to help detect rogue devices that may exist on a network.  The Content Addressable Memory (CAM) table is designed to allow information routed through the switch to be sent to a single computer on a network instead of all networked systems.  A CAM table in essence is what makes a switch a switch instead of a hub.

The CAM table keeps an inventory of all devices by Media Access Control (MAC) addresses currently attached to the switch, much like a post office keeps track of which mailbox belongs to which individual.  When information is sent across the network, it has a MAC address attached to it.  Once the CAM table receives this information, it is sorted by MAC address and then shipped to the system it was intended for, much like a mailman would receive a letter and place the letter within the corresponding mailbox.  Think of the MAC address as the sending and receiving address.

SecureState’s CAMScan compares a known list of MAC addresses to the current CAM table residing on the switch to determine discrepancies.  SecureState also designed CAMScan to support wildcards.  This can be used to whitelist/blacklist all Intel cards, for example with a prefix of “de:ad:*:*:*:*”.  A list of prefixes can be found here.  CAMScan is relatively simple to use, but in order to use it, either Python 2.7 or a Python installation with the python-argparse package must be installed.  Below are the switches used when running CAMScan:

Usage: camscan.py [--help] [-v] [-L {DEBUG,INFO,WARNING,ERROR,CRITICAL}]
                  [-u SSH_USER] [-p SSH_PASS] -h HOST_FILE -m MAC_FILE
                  [-r REPORT_FILE]

Optional Arguments:
  --help                show this help message and exit
  -v, --version
  -L {DEBUG,INFO,WARNING,ERROR,CRITICAL}, --log {DEBUG,INFO,WARNING,ERROR,CRITICAL}
                        set the logging level
  -u SSH_USER, --user SSH_USER
                        default user to authenticate as
  -p SSH_PASS, --pass SSH_PASS
                        default password to authenticate with
  -h HOST_FILE, --hosts HOST_FILE
                        list of switches to scan
  -m MAC_FILE, --macs MAC_FILE
                        list of MAC addresses to ignore
  -r REPORT_FILE, --report REPORT_FILE
                        report CSV file

In order to run the tool, the user will have to log into the switch with proper credentials.  Also, if the user wants to investigate the entire enterprise for rogue devices, CAMScan would need to be run against every switch in the environment.  A basic usage of the command can be found below:

camscan.py -u "username" -p "password" -h "host file" -m "Known good mac address file list" -r "reportname"
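
The comparison of a known-good MAC list against a switch's CAM table, including the octet wildcards described earlier, can be sketched as follows. This is an added Python 3 example, not CAMScan's own code; the table layout, the sample addresses and all function names are assumptions constructed for illustration.

```python
import re

# Constructed sample input: a MAC table in a common switch CLI layout (assumed).
SAMPLE_CAM_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    dead.beef.0001    DYNAMIC     Gi0/1
  10    0011.2233.4455    DYNAMIC     Gi0/2
  20    0011.2233.4466    DYNAMIC     Gi0/3
"""
# Constructed known-good list using the wildcard style shown on this page.
SAMPLE_WHITELIST = ["de:ad:*:*:*:*", "00:11:22:33:44:55"]

# A MAC written as aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff.
MAC_RE = re.compile(r"\b(?:(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}"
                    r"|(?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\b", re.I)

def normalize_mac(text):
    """Return the MAC as lowercase colon-separated octets."""
    digits = re.sub(r"[^0-9a-fA-F]", "", text).lower()
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % text)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_pattern(line):
    """Split a whitelist entry into six octets, each two hex digits or '*'."""
    octets = line.strip().lower().split(":")
    if len(octets) != 6 or not all(
            o == "*" or re.fullmatch(r"[0-9a-f]{2}", o) for o in octets):
        raise ValueError("bad whitelist entry: %r" % line)
    return octets

def parse_cam_table(text):
    """Return (mac, port) for every row containing a MAC; headers are skipped."""
    rows = []
    for row in text.splitlines():
        found = MAC_RE.search(row)
        if found:
            rows.append((normalize_mac(found.group()), row.split()[-1]))
    return rows

def find_unknown(table_text, whitelist_lines):
    """Return CAM entries that match no whitelist pattern."""
    patterns = [parse_pattern(l) for l in whitelist_lines if l.strip()]
    def known(mac):
        return any(all(p in ("*", o) for p, o in zip(pat, mac.split(":")))
                   for pat in patterns)
    return [(mac, port) for mac, port in parse_cam_table(table_text)
            if not known(mac)]
```

Calling find_unknown(SAMPLE_CAM_TABLE, SAMPLE_WHITELIST) returns the one entry that neither the wildcard prefix nor the exact address covers, together with the port it was learned on.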
