Rouge APs at Work - How to locate them?!

At work, we found a number of rouge APs. NetStumber reported their MAC addresses and SSIDs. How can we effectively locate them?

I am thinking to ask the network team to "sniff" the MAC and locate the ports which they are attaching to. Is it a correct way to do it? Are there other ways to locate these rouge APs?

Any suggestions are appreciated.

Thanks,

A Monk

Reply to
a_monk

"a_monk" hath wroth:

More than one? Are you sure they are *YOUR* rouge APs? In other words, are you sure they are connected to your company network? If they are yours, you can trace them by the MAC address. The problem is that the wireless MAC address is NOT necessarily the same as the ethernet wired MAC address. However, it will almost always be numerically adjacent. For example, from my WRT54G:

LAN MAC      00:13:10:8C:14:A9
WAN MAC      00:13:10:8C:14:AA
Wireless MAC 00:13:10:8C:14:AB

In most cases, it's not really a "rouge access point". It's really a "rogue wireless router". The clueless user buys the more common wireless router and plugs the WAN port into the company network. It has a built-in DHCP client that picks up its IP from the corporate DHCP server. Inspecting the DHCP leases or ARP table for a MAC address that is adjacent to the wireless MAC address should yield an assigned IP address for the wireless router.

Once you have the IP address from the ARP table or DHCP lease list, you can ping the rouge wireless router. If you have a managed switch in the system, it can be traced with SNMP or various management tools (OpenView, etc). Otherwise, you can do something crude like ping continuously, and unplug cables until the pinging stops.

It is also possible to ping by MAC address using arping:

ftp://ftp.habets.pp.se/pub/synscan/arping-for-windows-not-compiled-by-me.exe

You can also use Netstumbler for direction finding but that's a bit tricky if you've never done it before. In an office environment, the best you can do is just walk around until the signal is really strong. Otherwise, you end up dragging around a big directional antenna which is sure to attract the attention of the rogue wireless owner.

I find it interesting that you were able to find the rouge wireless routers with Netstumbler. Most corporate hackers are sufficiently astute to turn off SSID broadcasting, which makes them almost invisible to Netstumbler's active probes. I suggest you try sniffing with Kismet (using a Linux LiveCD) which will show hidden access points and wireless clients. You may find more rogue access points.

Reply to
Jeff Liebermann

Jeff Liebermann hath wroth:

[arping]

Oops. Don't use this version on W2K and XP. It crashes. Now looking for one that works...

Reply to
Jeff Liebermann

Or have your dhcpd server give that machine an address that you have no intention of routing to anything but the bit bucket. Then wait for the culprit to show up complaining that their laptop stopped working.

-wolfgang

Reply to
Wolfgang S. Rupprecht

"Wolfgang S. Rupprecht" hath wroth:

We actually did something like that on a security "sweep" of a corporate network in S.F. I was there to help with any RF related issues. IT redirected the IP calls to port 80 to point to a splash page demanding that the user call IT immediately. It only took about 5 minutes for the phone to ring. It was the president's secretary asking what the hell we were doing. Ooops. It seems the president's son did dad a big favor and set up a wireless access point so dad didn't have to play with the ethernet cable. Being a consultant, I missed the entertainment value of the high level yelling and screaming that followed.

Reply to
Jeff Liebermann

A direct hit. ;-)

Hope once he calmed down he realized how foolish it was to jeopardize the security of the company's net with a rouge AP. Back in the old days industrial spies had to work hard to put a bug on a company's network. Nowadays they just have to give an AP to a foolish employee saying "I've got a spare access point, can you use it?".

-wolfgang

Reply to
Wolfgang S. Rupprecht

Er, no. This is probably vendor-dependent.

From my SMC:

LAN  00-04-E2-B8-79-F4
WAN  00-04-E2-00-C9-7F
WLAN 00-04-E2-B6-6D-CE

All by the same maker, but not adjacent.

Also bear in mind that most routers can clone their WAN MAC, so they can masquerade as an authorised device. I'd expect this to be a feature that naughty techies would use to introduce rogue routers into the corporate network.

FWIW I'd use social engineering.

"It's come to our attention that some staff have installed unauthorised wireless equipment, in breach of company policy no XXXX. We have identified the locations of the equipment. Any devices still on the premises on Friday 21st July will be confiscated, and the owners will be subject to disciplinary action."

If you still need to track them down, a directional antenna is probably the way to go. The sight of you walking round the office with a direction finder will be enough to scare off all but the most idiotic.

Reply to
Mark McIntyre
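The adjacent-MAC heuristic from the WRT54G post, with the vendor-dependence pointed out in the SMC reply built in, as an added example (not code from any poster): it parses an ARP table (Linux and Windows `arp -a` styles, constructed sample lines) and reports wired entries that share a BSSID's OUI and sit within a few values of it. The BSSIDs, addresses and hostnames are constructed.

```python
"""Match wireless BSSIDs against a wired ARP table by numerical adjacency
(same OUI, MAC value within a few of the BSSID)."""
import re

# Constructed sample: BSSIDs reported by a wireless scan of the office.
SEEN_BSSIDS = ["00:13:10:8C:14:AB", "00:04:E2:B6:6D:CE"]

# Constructed sample ARP table, mixing Linux `arp -a` style lines and
# Windows `arp -a` style lines so both get parsed.
ARP_TABLE = """\
? (10.1.4.17) at 00:13:10:8c:14:aa [ether] on eth0
? (10.1.4.23) at 00:1a:2b:3c:4d:5e [ether] on eth0
  10.1.4.40          00-04-e2-00-c9-7f     dynamic
"""

# IPv4 address, optional ')', optional 'at', then a colon- or dash-separated MAC.
ARP_RE = re.compile(
    r"(\d+\.\d+\.\d+\.\d+)\)?\s+(?:at\s+)?([0-9a-f]{2}(?:[:-][0-9a-f]{2}){5})",
    re.I)

def norm_mac(mac):
    """Upper-case, colon-separated form so comparisons are exact."""
    return mac.replace("-", ":").upper()

def mac_to_int(mac):
    return int(norm_mac(mac).replace(":", ""), 16)

def parse_arp(text):
    """Return [(ip, mac), ...] from ARP output."""
    return [(m.group(1), norm_mac(m.group(2))) for m in ARP_RE.finditer(text)]

def adjacent_candidates(bssids, arp_entries, max_distance=4):
    """For each BSSID, list wired entries sharing its OUI whose MAC value is
    within max_distance of it. Heuristic only: some vendors assign
    non-adjacent MACs (the SMC case yields nothing), and a cloned WAN MAC
    defeats it entirely."""
    found = []
    for bssid in bssids:
        bssid = norm_mac(bssid)
        target = mac_to_int(bssid)
        for ip, mac in arp_entries:
            if mac[:8] != bssid[:8]:      # different OUI: not the same box
                continue
            distance = abs(mac_to_int(mac) - target)
            if distance <= max_distance:
                found.append((bssid, ip, mac, distance))
    return found

if __name__ == "__main__":
    for hit in adjacent_candidates(SEEN_BSSIDS, parse_arp(ARP_TABLE)):
        print("BSSID %s is probably wired host %s (%s, distance %d)" % hit)
```

The second BSSID (SMC-style numbering) produces no candidate, which is the point of the caveat: treat a hit as a lead to confirm on the switch, not as proof.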

Check with the girls-- they're the ones who use rouge on their cheeks ;-)

Reply to
Richard Blaine

As long as the policy was in place, and signed by The Powers That Be(tm), then all should be well. Years ago, when we put into place (initially at the Research Division and Corporate Headquarters, later corporate wide) the "no visiting computers" rule, the first one we found was the CEO who had approved the policy not ten days earlier. Even more fun, the second (or third - can't remember) was a government security auditor who waltzed in to give us a lecture on network security - right past three signs roughly 2 x 4 FEET large warning at every single entrance to the facility and similar sized signs at every building entrance that visiting computers are prohibited and will be confiscated. The resulting red faces did not belong to the IT people.

Our systems tend to be locked boxes (though I'm sure there are a lot of extra keys out there), and there is another corporate policy that prohibits the user from installing hardware/software period, no exceptions. Also, our regular users don't have 'root' ('administrator' for you windoze jockies), and that makes it difficult to mess up the operating system.

On the soap box end of things, that action should be criminal misconduct as far as the Securities and Exchange Commission are concerned. At the very least, it is gross stupidity.

Shouldn't be that much. There should be a policy signed by said president and the corporate legal types. One points out that the policy is there for a reason, explains in two syllable words (or less) why this policy was created, facts of life about radio intercept, and then replaces his access point with a cable. If the policy doesn't exist, then IT was at fault for doing the sweep without getting the policy in place ahead of time.

Old guy

Reply to
Moe Trin

Boy is that ever true! We caught one person with an access point with our network monitoring tools (monitors switches, routers and some key servers - sends a pop-up message to _every_ workstation in the NOC as well as a few in security, generally resulting in a race between the network admins and the guards to see who can get there first). It was a gift from her boyfriend. I think she only got a written warning, but she left within three months. The incident was published in company bulletins (though not naming her or where she worked) as a warning.

Old guy

Reply to
Moe Trin

Come to think of it, it probably would be easy enough to do a correlation between packets snarfed from the airwaves and the packets found on the net. Even if the data is encrypted the packet lengths and timings should still stick out like a sore thumb. I wonder if any of the tools do that yet.

-wolfgang

Reply to
Wolfgang S. Rupprecht

snipped-for-privacy@painkiller.example.tld (Moe Trin) hath wroth:

It was in the employee policy manual (that nobody reads). IT gave it to personnel, who added the necessary boiler plate text stolen from somewhere. I don't think anyone really knew about the policy except for IT's regular monthly insert in the company newsletter (that nobody reads). There was allegedly some mention at employee general meetings (I wasn't there), but I don't think that management ever pays attention to talks.

How do you handle PDA's, smart-phones, and embedded systems? I won't ask about game consoles in the board room.

It's "sysadmin" in Novell land.

Sure. Execute a few random violators to underscore the point. As I've found, the typical clueful employee is generally aware of the problem and avoids complications by leaving their toys at home. It's upper management and clueless new employees that are the problem.

Actually, the sweep was instigated by the same company president because he read about the problem of rouge access points in some CEO magazine. He gave IT about 1 week to organize a security sweep. Meanwhile he apparently forgot about the sweep and his son installed the wireless router. Unfortunately, many of the techy IT types were on vacation at the time, so I was called in to help. I brought a portable spectrum analyzer, dish antenna, pipes, poles, maps, a laptop with sniffer/site-survey software, and a portable printer. Security had been informed that there was going to be a security sweep, but nobody bothered to tell them that I was involved. 30 minutes in the lobby arguing with security finally convinced them that I wasn't the target of the security sweep or a potential terrorist. I don't know how many access points or security problems were eventually found. I personally found 2 additional wireless routers and 3 wide open Bluetooth machines. I also found 3 desktops (all in one department) connected to the neighborhood pizza joint's free wireless AP so they could bypass the company internet content filters. There was a report written, but I haven't seen a copy.

Reply to
Jeff Liebermann

If you have the MAC address and you have ethernet switches that are smart enough you could look up which ports on the switches are serving them. As in, doing an arp table dump on the switches will tell you on which port that address is being served. So you track it back, switch-by-switch, to the end place the device is connected. So you run netstumbler or kismet and get a MAC address, then you look up that MAC address on the switches until you find the hardware port. Cross-reference that with the physical network map and you should be able to find out where the device is connected. Now, if you don't have smart switches that can do arp table dumps then it'll be a lot more work. As has been suggested you could set up your DHCP server to provide a bogus address to that MAC address; that'd at least make it stop functioning properly, perhaps enough to have the users on it call in for help.

So don't depend on MAC address comparisons. Most WiFi devices have a masquerade mode that lets them take the MAC address of the computer whose wired link they'd used. So someone on a given port with, say, a 3com network card in the PC could unplug the computer, plug in the wifi router and tell the router to use the PC's MAC address. So if you looked at the vendor id bytes in the MAC address it wouldn't help you narrow it down. Just keep that in mind. If someone wants to put a WiFi router on your network there's not a lot you can do to "prevent" it network-wise. You can only be vigilant in detecting SSIDs and keeping a close watch on arp tables. Should a previously considered valid MAC address suddenly show up related to an SSID, you'd have to be keeping track of them to notice. Few places will expend this effort, at their peril.

Anyway, using arp tables on the switches is probably the most effective way to track down ROGUE (proper spelling) access points.

--Bill Kearney

Reply to
Bill Kearney

Awww, who would be so nasty as to do that?

You noticed that? Actually, packet lengths _might_ run into a problem with MTU fragmentation, and there will be some timing jitter, but it's still going to be rather obvious.

I dunno about OBSD, but if you can get your switch into monitor mode, and install a pair of packet sniffers - one on Ethernet connected to the net, one to your wireless sniffer - I imagine it should take you less than 8 lines of shell scripting[1] (or likely, something less in perl). There are too many sniffers with different log outputs for there to be a pre-made tool.

Old guy

[1] About 15 or so years ago, the 'Introduction to UNIX' (CIS-82A) instructor at De Anza over in Cupertino was he11 on wheels when it came to "one-liners". By the end of that class, he had his students writing command lines with 6 to 10 pipes, through 'tr', 'sed', 'awk' and maybe the kitchen sink too. It really was downright scary, but it demonstrated 'simple tools solving parts of a problem, piped together is better'. I don't see John listed on the current catalog, but that doesn't surprise me - I think he was a sys-admin at SGI.

Reply to
Moe Trin
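The air-to-wire correlation that Wolfgang proposes and Moe refines (length match with slack for header differences, timing match with a jitter window), as an added example written for this thread rather than any poster's script. Both captures are constructed (timestamp in seconds, source MAC, frame length); the two sniffers are assumed to have clocks within the jitter window of each other.

```python
"""Correlate frames sniffed from the air with frames seen on the wire by
length and timing, to pick out which wired MAC a rogue AP is bridging."""
from collections import defaultdict

# Constructed wireless capture: frames from a station behind the suspected
# rogue AP. The wireless-side MAC need not match anything on the wire.
AIR = [(10.000, "00:13:10:8C:14:AB", 1460), (10.012, "00:13:10:8C:14:AB", 1460),
       (10.031, "00:13:10:8C:14:AB", 52),   (10.250, "00:13:10:8C:14:AB", 988),
       (10.260, "00:13:10:8C:14:AB", 1460)]

# Constructed wired capture from a switch monitor port: several hosts talking.
WIRE = [(10.004, "00:13:10:8C:14:AA", 1460), (10.015, "00:13:10:8C:14:AA", 1460),
        (10.040, "00:1A:2B:3C:4D:5E", 1460), (10.034, "00:13:10:8C:14:AA", 52),
        (10.100, "00:1A:2B:3C:4D:5E", 52),   (10.253, "00:13:10:8C:14:AA", 988),
        (10.262, "00:13:10:8C:14:AA", 1460), (10.300, "00:AA:BB:CC:DD:EE", 988)]

def correlate(air, wire, jitter=0.020, slack=8):
    """Score every wired source MAC by the fraction of wireless frames that
    have a wired frame of similar length within `jitter` seconds.
    `slack` absorbs 802.11 vs Ethernet header differences; `jitter`
    absorbs sniffer clock skew and forwarding delay."""
    by_mac = defaultdict(list)
    for t, mac, length in wire:
        by_mac[mac].append((t, length))
    scores = {}
    for mac, frames in by_mac.items():
        hits = sum(
            1 for t, _, length in air
            if any(abs(t - wt) <= jitter and abs(length - wl) <= slack
                   for wt, wl in frames))
        scores[mac] = hits / len(air)
    return scores

def best_match(air, wire, threshold=0.8):
    """Return (wired_mac, score), or (None, score) if nothing is convincing.
    A low best score usually means clock skew, fragmentation, or that the
    air traffic never reached this wired segment."""
    scores = correlate(air, wire)
    mac, score = max(scores.items(), key=lambda item: item[1])
    return (mac, score) if score >= threshold else (None, score)

if __name__ == "__main__":
    mac, score = best_match(AIR, WIRE)
    print("wired side of the rogue AP: %s (score %.2f)" % (mac, score))
```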

Yeah I'm aware of that mode of thinking. Having certain government contracts back in the old days helps. We got bit a long time ago, and the security auditors were able to show the pointy-haired crowd that this made the customer unhappy, cost the company an interesting chunk of change, and this somehow got translated into lost bonus income and a large (though thankfully temporary) loss in the stock values. It's amazing what happens to even the Haaavaaad Business major when you can show him _his_ actual dollar losses.

The PDAs are not all that common, and are company property anyway. They don't leave the building that often. Cell phones are also on the prohibited list, though what is actually happening now is that you can check it at the door. We also don't have good reception inside. Game consoles??? No, I don't think so.

Great idea. I like the idea of the severed head on a pike at the employee entrance to improve the communications.

I'd certainly agree about the average employee. On the other hand, upper management is upper management. They don't like getting their hands smacked, but if you can get the proper level of fear (or understanding) waaayy up there, it's the uber-bosses that are the ones cracking down. That eliminates a lot of problems.

New employees get an indoctrination series, and they're on probation for six months. They tend to get the message fairly quick.

I'm told that electro-shock therapy improves memory. 45KV at a few mils sounds about right, especially if applied to the correct points.

The last time I did a survey, I recall finding one really weak access point, which seemed to be in residential area, and yes, that was with a 3 foot dish on my end. On the other hand, facilities has had a couple of cases where some idiot has brought in an external modem - which for some reason doesn't work worth a d4mn on our Nortel digital phone system. It doesn't hurt the equipment, but that line goes dead until the mux can be reset. They learn fairly quick not to pull that one again.

Old guy

Reply to
Moe Trin

Take bearings.

Reply to
Axel Hammerschmidt

Duh... much easier way. Send a broadcast packet onto the wired part of the LAN. All the access points and switches will dutifully transmit the packet to everything else. This broadcast can easily be sniffed and compared with the one sent on the LAN. While the sniffed broadcast packets will not have a destination MAC address, the source MAC address will be there.

Reply to
Jeff Liebermann

On Thu, 20 Jul 2006 04:38:51 GMT Jeff Liebermann wrote:
| On Sat, 15 Jul 2006 20:02:24 -0700, "Wolfgang S. Rupprecht" wrote:
|
|> snipped-for-privacy@painkiller.example.tld (Moe Trin) writes:
|>> We caught one person with an access point with our network
|>> monitoring tools (monitors switches, routers and some key servers
|>> ...
|
|> Come to think of it, it probably would be easy enough to do a
|> correlation between packets snarfed from the airwaves and the packets
|> found on the net. Even if the data is encrypted the packet lengths
|> and timings should still stick out like a sore thumb. I wonder if any
|> of the tools do that yet.
|
| Duh... much easier way. Send a broadcast packet onto the wired part of
| the LAN. All the access points and switches will dutifully transmit
| the packet to everything else. This broadcast can easily be sniffed
| and compared with the one sent on the LAN. While the sniffed
| broadcast packets will not have a destination MAC address, the source
| MAC address will be there.

Hint: if you want to run your own rogue AP, isolate it into its own broadcast segment and do routing into it :-)

Seriously, it would mean less trashing the air waves, too.

I wish off-the-shelf devices could do that, have IP routing isolation between the wired and wireless parts (apparently broadband routers only do this between the WAN part and the LAN/wired/wireless combined part). But not without giving up the ability to configure it as one segment.

Reply to
phil-news-nospam

On Sun, 16 Jul 2006 19:14:38 -0400, "Bill Kearney" wrote:

Actually the Forwarding Database (not ARP per se).

Reply to
John Navas
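Bill Kearney's switch-by-switch trace, using the forwarding database as John Navas corrects (the bridge's MAC table, not ARP), as an added example that is not any poster's code. The per-switch tables and inter-switch links are constructed; on a real network they come from each switch's MAC-table dump and your physical network map.

```python
"""Walk per-switch forwarding databases (MAC/CAM tables, not ARP) from the
core outward to find the edge port a given MAC is plugged into."""

# Constructed sample forwarding databases: {switch: {port: {mac, ...}}}.
# A MAC learned on a port that links to another switch was learned
# "through" that switch, so the walk continues there.
FDB = {
    "core1":  {"Gi1/1": {"00:13:10:8C:14:AA", "00:1A:2B:3C:4D:5E"},
               "Gi1/2": {"00:AA:BB:CC:DD:EE"}},
    "floor2": {"Gi0/24": {"00:AA:BB:CC:DD:EE"},
               "Fa0/7":  {"00:13:10:8C:14:AA"},
               "Fa0/9":  {"00:1A:2B:3C:4D:5E"}},
    "floor3": {"Gi0/24": {"00:13:10:8C:14:AA", "00:1A:2B:3C:4D:5E"},
               "Fa0/3":  {"00:AA:BB:CC:DD:EE"}},
}

# Constructed inter-switch links from the network map:
# (switch, port) -> neighbouring switch on the other end.
LINKS = {("core1", "Gi1/1"): "floor2", ("floor2", "Gi0/24"): "core1",
         ("core1", "Gi1/2"): "floor3", ("floor3", "Gi0/24"): "core1"}

def port_for_mac(switch, mac):
    """Port on `switch` whose forwarding database holds `mac`, or None."""
    mac = mac.upper()
    for port, macs in FDB.get(switch, {}).items():
        if mac in {m.upper() for m in macs}:
            return port
    return None

def trace_mac(mac, start="core1"):
    """Return (edge_switch, edge_port, path). The path lists every
    (switch, port) hop taken; edge fields are None if the MAC is unknown
    or the walk hits a loop in the link map."""
    path, switch, visited = [], start, set()
    while switch is not None and switch not in visited:
        visited.add(switch)
        port = port_for_mac(switch, mac)
        if port is None:
            return None, None, path          # MAC not learned here (yet)
        path.append((switch, port))
        next_switch = LINKS.get((switch, port))
        if next_switch is None:
            return switch, port, path        # not an uplink: the edge port
        switch = next_switch
    return None, None, path                  # loop or dangling link

if __name__ == "__main__":
    sw, port, path = trace_mac("00:13:10:8C:14:AA")
    print("edge port: %s %s via %s" % (sw, port, path))
```

A cloned MAC (the masquerade mode Bill mentions) still lands on the right physical port, since the walk follows where the frames actually enter; it only defeats the vendor-prefix clues.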

On 20 Jul 2006 15:37:54 GMT, snipped-for-privacy@ipal.net wrote:

Some wireless routers and access points can isolate wireless and wired segments, sometimes even between different wireless clients.

Reply to
John Navas
