Good rogue AP finder? Or... going down the wrong path?

I'm trying to track down rogue access points in a building for a company and it's become exceedingly difficult. I just bought a Hawking Wi-Fi finder that I will test tomorrow, but it still requires a laptop. It has an antenna that can be moved around to find the offending AP. We'll see, but I'm definitely crossing my fingers tightly on this purchase ($80).

I've seen software in the $5K range which apparently finds rogue hotspots along with a laptop and some device, but it seems to me there's nothing out there that really does the job without bending over backwards.

Is there some other logic to blocking rogue APs? Perhaps running AirSnort and blocking? IDS? Firewall? Something like that?

I feel like I'll be playing a losing game trying to track down every time some jackass misconfigures his or her laptop as a P2P node or an AP.

Thanks!

foo

"foo" hath wroth:

The "rogue" AP or spoofed AP client radio will always show up on the network. If you're lucky, it can be pinged. Dive into the company wired switch closet and start pulling CAT5 cables. When the traffic stops, you've found the cable and the general location. If there are multiple switches in series, then repeat the plug pulling exercise until the culprit is found. (I've done this all too many times).

If you can't ping the culprit, then you can sniff their traffic. I have a 10/100 switchable hub (not a switch) that I drag around with me. I plant it in between switch backbones and sniff the traffic. If there's anything with the culprit's MAC address or IP address moving on that cable, Ethereal will log it. The procedure is the same as pulling the plug, but a bit more tedious.

If you have managed switches, use SNMP or whatever management software comes with the switch, to track down the source of the traffic.

I don't think you have any chance of finding the culprit with a keychain Wi-Fi finder. If you're going to play direction finder, then you'll need a directional antenna and a sniffer that can detect both clients and access points. I use Kismet under Linux run from a Live-CD such as Knoppix or Wireless Security Auditor. The card is any PCMCIA card with an external antenna. I use various antennas, but mostly a 19 dBi dish antenna. You don't need much gain, but you do need substantial directionality. Direction finding with a 30-degree wide beamwidth is possible, but not easy. A 12-degree, 19 dBi dish is much better. Be prepared to explain to nervous police and security personnel what you're doing.

The technique is not obvious. You don't just stand at one or two places, draw a line, and declare the crossing point to be the location. There are far too many reflections at 2.4 GHz to make that a workable method. You use a map. You get away from the general area and start walking. When you're in the clear, you take a bearing and draw a line on the map. Do it as many times as possible. Eventually, you'll have most of the lines crossing at one point. There will be plenty of others that do not, are reflections, and can be discarded. It's fairly difficult to do this inside an office building, but the general principle still applies. Take LOTS of bearings and look for coincidence.

As for blocking rogue APs, it all starts with detecting them in the first place. I use various forms of arpwatch to detect new MAC addresses on the LAN. However, this won't do any good for softAPs and spoofed access points using authorized clients. Details when you disclose what you have to work with.

Jeff Liebermann

Can't help you really on a direction finder, but I am curious: What is a rogue AP? Is there some restriction in the building where tenants are not allowed to have wireless networks? In the US, this would be extremely unusual at this time as the technology is new enough that it would not have found its way into many leases. Or are you an agent for the ISP hunting down people in violation of your user agreement?

fundamentalism, fundamentally wrong.

Rico

If you don't/can't control access to the facility, that's probably the best tool you can have. I've seen audits done using a 20 kilo / 45 pound spectrum analyzer on a cart with an antenna the size of an umbrella.

See the thread 'Wi-Spy Spectrum Analyzer' - I'm the guy who was using a unit that cost over US$12000. Anyway, your company should be paying for the hardware.

Are they company owned hardware? If so, why are the users allowed to mess with this? Auditing the hardware when it comes in can usually provide enough information to identify the box involved. One would hope that the company boxes don't do walkies all the time, and thus should be findable.

Unauthorized access point

If it's a residential setup, you're probably right. A _FAR_ more common problem is users screwing up the configuration of company supplied hardware at work. I'm sure you wouldn't want the jerks at your bank broadcasting all your account information or allowing a rogue AP to bypass the firewall as examples of why this might be frowned upon.

If you look at the headers, he's posting from comcast in the DC metro area, which smells a lot more like a company computer problem. We completely ban any non-company systems in our facilities for security reasons. Our users do not have 'root' (same concept as 'administrator' in windoze) permissions, and so can't screw up the systems. It's been that way for about 26 years now.

Old guy

Moe Trin

snipped-for-privacy@painkiller.example.tld (Moe Trin) hath wroth:

Cart? What a luxury. I'm the idiot that got volunteered to do a Part 15 emissions "field" test with an HP140T, a mess of plug-ins, and a spare HP180 with an HP8558B spectrum analyzers. This was in the late 1970's, before the FCC certified test labs to do all this. The biconical antenna was about the size of TWO umbrellas.

We dragged the test equipment, a generator, and a huge box of connectors and adapters to an allegedly empty field in East San Jose. The grass was knee high which made avoiding the gopher holes and cow pies difficult. The test radio sat on a home made wooden table (no metal parts) and was powered by a big heavy car battery.

The highlight of the trip was when the sun started to set, the cows decided to migrate back to the barn. Unfortunately, we were directly in their path. I have a photo (somewhere) of me trying to discourage a curious cow from licking the spectrum analyzers. I'll post it if I find it.

The test was completed with no fatalities, minimal damage, and only a few lost adapters and cables. My boss managed to twist his ankle by stepping in a gopher hole. I tripped over something and dropped the test radio. It took a full day to clean up the mess when we got back to the lab.

If I were root for a day, I'd change everything in some way. T'was working so well, but boring as hell, So watch the results in dismay.

Jeff Liebermann

Is there no way within your LAN to tell if someone has added a 'new' router to your network, regardless of it being wireless? I'm relatively new to the *ix world, so please bear with what may seem a stupid question. I would think the logs on the server(s) would show a new IP on the net. Also, in normal support for the network, wouldn't such a device turn up in whatever cube as you were, say, in the given room working on the printer or someone's blurry monitor? From my limited experience (small business background, fewer than 50 people) I just can't imagine such a thing going undiscovered for any length of time at all. But again, I'm asking because of an admitted ignorance here. Thanks

fundamentalism, fundamentally wrong.

Rico

851B with 8551B - can you spell boat anchor? Actually, I remember an even older test with an AN/APR that ran on DC and 400 cycle, so there was a honking great DC supply and a rotary converter screaming away, and three guys dragging a hundred foot extension cable behind the cart... really innocent looking, don'cha think?

Yeah, I remember those - and the log periodics

You knew it was time to go for Plan B when bystanders would be looking around, and finally come up and ask where the camera was hidden and Alan Funt hiding.

Doing a test on a dock, with a backpack radio. Helicopter comes in with 6 55-gallon drums in a cargo net as a sling load, and is going to put this on a boat tied up alongside. Pilot realizes he's overshooting slightly, and hauls up hard on the collective - rotor downwash like no tomorrow, and the poor sod wearing the backpack (and four or five others) is blown off the dock into the water - a nice mix of oil slick, brackish water, and who dares to think what else. But it's military gear, so it's been waterproofed, right? (No, it was the one and only prototype.) Someone threw a life ring at the guy, which turned out to be a pretty good thing because he couldn't swim, and the water is fifteen plus feet deep, and he can't get out of the darn pack harness... The jarheads who were escorting us had a few constructive suggestions (the guy who was wearing the pack had a suggestion too, but it was physically impossible).

And that's why we don't hand out root, though I've known plenty of users who managed to so totally fsck their dot-files without knowing what they were doing, then come whining about how the system is b0rked, and "they didn't change/touch _anything_".

Old guy

Moe Trin

Generally speaking, LANs are (or act as if they were) Ethernet, with packets flying about using RFC0894. Briefly, this is a 14 byte header (6 bytes destination MAC, 6 bytes source MAC, 2 byte type) and 4 byte CRC wrapped around an IP packet. The packets are actually steered using the MAC address, which you can see on your system using the '/sbin/ifconfig -a' command. In the old days of coax (10Base5 or 10Base2), everyone was on the same wire, so you could hear all systems. This was also true of the original twisted pair (10BaseT) setup using hubs. Later implementations of twisted pair (10BaseT and the faster 100BaseT and 1000BaseT) use switches to isolate sections, and now all you'd hear is broadcasts such as ARP requests and those packets destined to "you". (Yes, switches can be set to monitor all ports.)

[compton ~]$ whatis arpwatch
arpwatch (8) - keep track of ethernet/ip address pairings
[compton ~]$

That's a handy tool. But we simply monitor all of the switches and the ARP caches on routers and servers. When something appears that isn't on our list, a message is sent to Network Operations and the Security Desk. This brings the thundering herd along with the "People Who Do Not Smile"(tm). We are helped by having an exact list of where every port on every switch goes. There are about 1500 offices in this building, but someone will arrive within 4 minutes and be asking questions. For the other building on the facility, add a minute or so for running between the buildings.

Yup - and we log all the details when the systems first arrive. (We're an R&D facility, so we're a bit more paranoid than others might be, but the whole company uses the same policies.)

If you don't control access to your facility, yes this is a common giveaway - all the company hardware has property tags prominently displayed, and as a courtesy to the users (and to allow support to figure out which of these identical systems is named $FOO), we also put Dymo labels (embossed tape) with the system name on the monitor and CPU.

You're basically right. Also, there is written policy (signed by each employee) explaining that non-company hardware is a major no-no, and there are signs at all building entrances, yada, yada, yada.

Old guy

Moe Trin
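An arpwatch-style check of the kind Jeff and Moe describe (new MAC addresses on the LAN, ARP caches compared against a list of what is supposed to be there), added here as an example and not code from the original posts or from arpwatch itself. The inventory and the two ARP-cache snapshots are constructed; the snapshot lines follow the format printed by `ip -4 neigh show`.

```python
import re

# Constructed sample data, not from the original posts: an approved
# inventory (MAC -> what it is and where it lives) and two ARP-cache
# snapshots in the format printed by `ip -4 neigh show`, an hour apart.
INVENTORY = {
    "00:11:22:aa:bb:01": "file server, room 101",
    "00:11:22:aa:bb:02": "printer, room 120",
    "00:11:22:aa:bb:03": "J. Doe laptop, room 305",
}

EARLIER = """\
10.0.5.10 dev eth0 lladdr 00:11:22:aa:bb:01 REACHABLE
10.0.5.11 dev eth0 lladdr 00:11:22:aa:bb:02 STALE
10.0.5.30 dev eth0 lladdr 00:11:22:aa:bb:03 REACHABLE
"""

LATER = """\
10.0.5.10 dev eth0 lladdr 00:11:22:aa:bb:01 REACHABLE
10.0.5.11 dev eth0 lladdr 02:00:00:00:99:01 REACHABLE
10.0.5.30 dev eth0 lladdr 00:11:22:aa:bb:03 STALE
10.0.5.77 dev eth0 lladdr 02:00:00:00:99:02 REACHABLE
10.0.5.99 dev eth0  FAILED
"""

NEIGH = re.compile(r"^(\S+) dev \S+ lladdr ([0-9a-fA-F:]{17}) \S+$")

def pairings(snapshot):
    """Map IP -> MAC from an `ip neigh` dump; entries without lladdr are skipped."""
    pairs = {}
    for line in snapshot.splitlines():
        m = NEIGH.match(line.strip())
        if m:
            pairs[m.group(1)] = m.group(2).lower()
    return pairs

def check(earlier, later, inventory):
    """arpwatch-style comparison of two snapshots; returns (kind, ip, mac) alerts."""
    before, now = pairings(earlier), pairings(later)
    alerts = []
    for ip, mac in now.items():
        if mac not in inventory:
            alerts.append(("new station", ip, mac))
        if ip in before and before[ip] != mac:
            # Same IP, different hardware: a swapped box, or someone spoofing it.
            alerts.append(("changed ethernet address", ip, mac))
        elif ip not in before and mac in inventory:
            alerts.append(("known MAC on new address", ip, mac))
    return alerts
```

Each alert can be joined with the inventory entry (or its absence) to tell the people who go and ask questions where to start.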

Even if the hidden systems are using the exact same patch level of the same operating system, they're relatively easy to detect. There are some pretty obvious things in the TCP and IP headers. A passive fingerprinting program will even flag this for you. If the patch level or O/S are not the same, it becomes child's play. I know of several ways to make it much harder to detect, but people get terminated for that, and so far (15 years) no one has tried that we know about. Not impossible, but...

Heck, we know which drop in which room to go to.

4 to 6 kilometers would normally be on separate subnets, but a lot depends on the switches used, and the deviousness of the network police.

Yes, we're paranoid, but unused drops are deactivated at the most by the next business day. HR wishing to avoid worker's comp (worker injury insurance claims) problems also has another written policy that users don't move furniture or computers.

Old guy

Moe Trin

Yes - it would. But SOHO routers are designed to use NAT to "hide" multiple devices behind a single IP, so it won't be that obvious.

APs may be easier to detect - one possible way is to use managed Ethernet switches and limit them to 1 MAC address per port - at least then you know which cable from which wiring closet on which floor in which building to look at.

Also in normal

It might do - but imagine a site like an airport. One I worked on had well over 200 wiring closets, and the site was 4 to 6 km across...

Or just think of looking in the tangle of wires around some desks - someone found an "official" one that way a couple of months ago (mainly because the movers were in and stepped on it, at which point the warranty expired and the "Internet dirty WLAN" for visitors stopped working).

stephen
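The one-MAC-per-port idea above, combined with Moe's exact list of where every switch port goes, as an added example that is not code from the original posts: the MAC table is constructed in the style of a Cisco IOS `show mac address-table` listing, and the inventory, port-to-room list and uplink set are constructed as well. An access port carrying more than one MAC, or any MAC that is not on the inventory, is reported together with the closet and room the port serves.

```python
import re

# Constructed sample data, not from the original posts: a MAC table in the
# style of a Cisco IOS `show mac address-table` listing, an approved
# inventory of MACs, and the list of which switch port goes to which room.
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.22aa.bb01    DYNAMIC     Fa0/1
  10    0011.22aa.bb02    DYNAMIC     Fa0/2
  10    0011.22aa.bb03    DYNAMIC     Fa0/7
  10    0200.0000.9901    DYNAMIC     Fa0/7
  10    0200.0000.9902    DYNAMIC     Fa0/7
  10    0011.22aa.bb09    DYNAMIC     Gi0/1
"""
INVENTORY = {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02", "00:11:22:aa:bb:03"}
PORT_LOCATION = {"Fa0/1": "closet B2, room 101", "Fa0/2": "closet B2, room 120",
                 "Fa0/7": "closet B2, room 305", "Gi0/1": "uplink to core"}
UPLINKS = {"Gi0/1"}   # trunks legitimately carry many MACs; they are checked on the far switch

ROW = re.compile(r"^\s*\d+\s+([0-9a-f]{4})\.([0-9a-f]{4})\.([0-9a-f]{4})\s+\w+\s+(\S+)\s*$")

def parse_mac_table(text):
    """Return {port: [mac, ...]} with MACs normalised to aa:bb:cc:dd:ee:ff form."""
    ports = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            raw = "".join(m.group(1, 2, 3))
            mac = ":".join(raw[i:i + 2] for i in range(0, 12, 2))
            ports.setdefault(m.group(4), []).append(mac)
    return ports

def audit(ports, inventory, locations, uplinks):
    """One MAC per access port and every MAC on the list; returns findings."""
    findings = []
    for port, macs in ports.items():
        if port in uplinks:
            continue
        where = locations.get(port, "port not on the drop list")
        if len(macs) > 1:
            # Several stations behind one drop: a hub, a bridging AP or similar.
            findings.append(("multiple MACs", port, where, len(macs)))
        for mac in macs:
            if mac not in inventory:
                findings.append(("unknown MAC", port, where, mac))
    return findings
```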
