When assessing a building’s network security from an adversarial perspective, it can often be helpful to look for open network ports that are easily accessible. These ports can provide a means for an adversary to plug in a convert network device and may also provide the means by which further network compromise may be possible. However, locating an appropriate port without triggering port security can sometimes be problematic.
Mr. Radar is a device that can be used to assess network port. It not only has the ability to assess the presence of a network switch at the end of the cable run, it can also provide intelligence regarding the presence of Power over Ethernet (PoE). All this can be accomplished without setting off port security and in an assessment time of just a couple of seconds.
Transformers
Key to understanding how Mr. Radar works is the knowledge that all CAT5 ethernet based systems terminate into one side of a transformer (Figure 1). Inside every RJ-45 port that resides within a network device, there is a coil of wire that connects to each terminating pair. This coil is one side of an electrical transformer. These transformers are used isolate the line from the circuitry inside the network device. The bit stream that travels down the line will pass from one side of the transformer to the other via the magic of a magnetic field.
To someone at the far end of a wire connected to the switch, each pair of wires would look like a giant loop. For example, the striped blue wire would have a return path on the solid blue wire. The striped orange wire would have a return path on the solid orange wire. This extends to each color of wire.
If we take a pair of these wires and place a voltage across across a single pair, a current will be induced across the line if a switch is present. If this pair of wires is not connected to a switch, then no current would result because there would not be a coil at the end of the wire run to connect the two wires.
A multimeter obtaining a resistance measurement works similarly by providing a small voltage to a pair of wires. If there is a connection between the two wires, the meter will tell the user how much resistance there is between the red and black multimeter lead. The multimeter calculates this resistance measurement using the parameters it knows (supply voltage, current, internal resistance) to solve for the unknown resistance of the line.
The Simple Solution of Switch Detection
The simple way to tell if a switch is present further down an ethernet drop is to use the resistance measurement function on a multimeter. If you place the meter leads across pair 2 or pair 3 of a CAT5 cable (the orange or green pair), it should always return a reading of less than 10Ω. How do you get access to those wires? This is accomplished by using a modular adapter, aka banjo, to break out the individual conductors of the cable (Figure 3).
As discussed previously, the ohm measurement accomplishes its reading by applying a small DC voltage to the line under test. If there is a network switch at the end of the line, a current will be present allowing the multimeter to calculate the resistance of the line. If the network switch is not present, no current will be present and the meter will most likely indicate a super high resistance or indicate an open circuit.
Detecting Power over Ethernet
PoE comes in three modes: Mode A, Mode B, and 4-wire mode. Four wire mode will not be discussed as the mode is rarely used in desktop applications. In Mode A (Figure 4), typically used by network switches, DC voltage is provided to the client device on pairs 2 and 3. Mode B (Figure 5), used by PoE injectors that inject power mid-line, utilizes pairs 1 and 4. The illustrations below have been greatly simplified to give a rough idea of the connection and flow of power. PD stands for powered device and PSE stands for power sourcing equipment. Both are industry terms.
It’s important to note that current flows down a balanced pair in one direction and return path is on the remaining pair. For instance, in Figure 5, if current flows to the PD on both the White/Blue and Blue wires in the same direction, the return current flow path would be on White/Brown and Brown in the opposite direction. This gives two conductors for a forward path and two conductors for a return path.
During operational use, the voltage provided is in the neighborhood of 48VDC. If a client device is not connected to the line, a polling voltage is present that is different depending on the manufacturer of the switch or injector. The polling voltage is used to help detect when a client connects to the switch and if that device is PoE capable. This is a detectable voltage that can range from 1V to 20V or higher. In addition, this voltage may be negative in respect to your measurement device as polarity is not standardized across the industry. The trick in detecting if a switch has PoE present is to look for the polling voltages.
Mr. Radar
Mr. Radar (Figure 6) is a device used to simplify the multimeter setup above to detect if a network switch is present. It can accomplish the following tasks:
- Detects the presence of an end device or switch
- Determines if the device my be exclusively 10/100 Mbit/s capable
- Determines if PoE is present
- Determines the mode of PoE if present
- Determines all of this in a second
The primary brains behind the device is the Trinket M0 sold by Adafruit. The resistors are present to control the current so a network switch or any end device will not be harmed during the Mr. Radar’s use. The resistors are in some respects quite large and are probably overkill for the application. The schematic below (Figure 7) shows the arrangement of these resistors.
Switch Detection
The switch detection mechanism takes its inspiration from DIY resistance meters that use Arduinos as their base. An example of such a device can be found here. During the operation of Mr. Radar, a small voltage is provided from one of the digital output pins (Figure 8).
When this voltage is applied it induces a current flow down the Orange and Brown wire pairs if the connection is complete, i.e. both pairs are connected to a transformer coil at the end of the line. This will provide a voltage reading at both inputs. The fact that both readings returned a measurable result will cause the onboard LED to light green. If only the Orange pair sees a measurement, indicating the brown pair is not connected, then the LED will glow orange to indicate that the network connection is only capable of 10/100 Mbit/s speeds as not all pairs are present for gigabit speeds. If neither connection returns a value, then no switch is connected to the end of the line, and the LED will remain off.
PoE Detection
After being powered on, Mr. Radar looks to see if PoE is present on the line (Figure 9 and 10). In both cases the input of the Trinket M0 is set to a particular voltage level, roughly 290mV, using it’s own 3.3V output. Upon connecting Mr. Radar, if this input reads a great voltage, then PoE is present. If this reading goes down significantly, then negative PoE voltage is present and will also score a detection. Because the user doesn’t know whether or not the polarity of the PoE device will be positive or negative, Mr. Radar ensures the input starts at a higher voltage than zero. If negative voltage is detected, and it’s significant, the input will be driven to zero volts.
Two separate inputs are used on the Trinket M0 to detect Mode A or B compliance. Each are setup identically except for the pairs of wires to which the input is connected as seen above. If Mode A PoE is detected, a red LED at the bottom of the Trinket will blink rapidly. If Mode B is detected, the same LED will blink slowly.
Build Instructions
Follow the link to GitHub for the build instructions and the code: Mr. Radar Build Instructions
All code was written in the Arduino IDE.