In our company, I found that someone installed a wireless LAN access point in the office without informing our IT department. I heard that we can locate the exact location of the access point if I use the wireless LAN notebook (without GPS) with some software to walk around the floor. Does anyone know which software can do so? Thanks.
In Korea? So, how do you know that there's a rogue access point?
To the best of my knowledge, using only a single laptop or PDA to do your sniffing, you cannot locate the exact position of the rogue access point without triangulation, direction finding, interferometry, DTOA techniques, wavefront analysis, or other forms of signal analysis. In addition, using Netstumbler or other active probe type of detection software requires that the rogue access point broadcast its SSID.
I've had to find rogue access points in the past and used various methods. Incidentally, one of them was found in the company president's office, and installed as a present by his kids. Another was being "tested" in the IT manager's cubicle.
The easiest method is to use a high gain 19dBi (or bigger) dish antenna and do some direction finding with Netstumbler or some kind of signal indicating software (usually in the driver for the laptop wireless card). The trick is to make a map of the area, and move around taking a large number of bearing lines. Draw the lines on the map as you move around. Many of the lines will be reflections and will point in random directions. However, a large number will cross at one point. That's your access point location. One problem is that this tends to attract considerable attention and may provoke the access point owner into pulling the plug.
Another method that I've used is to identify the location by where it connects to the company LAN. If the access point can be identified by its MAC address on the company network, it can be pinged (by either IP address or MAC address). If I have a managed switch, I can use the management software to determine which port has the MAC address. That will identify the location by ethernet cable. If the company is cheap and doesn't use managed switches, I then squeeze into the server closets and start pulling ethernet plugs that go to the workstations. Eventually, the pinging stops when I unplug the culprit.
I'm playing with an adaptation of a simple "homer" type of direction finder. Once upon a time, I helped design the USCG AN/SRD-21 that worked on the same principle. I switch rapidly between two identical antennas to form a somewhat directional 2 element array. When the signal is exactly equal in strength from the two antennas, the culprit lies on a line perpendicular to the two antennas. I've rewired the diversity switch on a typical wireless card, and added a software synchronous demodulator to find the null point. So far, it mostly works, but is too slow (thanks to crappy RSSI circuitry). If I can find some time to work on it, it should eventually make a tolerable (cheap) direction finder.
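The bearing-line method described in this reply can be worked numerically instead of with a pencil on the map. The following is an added example, not part of the original thread: it assumes survey positions in metres on a floor plan and compass bearings in degrees, and the names `locate`, `SURVEY` and the 2 m tolerance are hypothetical. It finds the crossing point most bearings agree on, discards the rest as reflections, and least-squares fits the remainder.

```python
import math
from itertools import combinations

def _dir(bearing_deg):
    # Compass bearing (0 = +y/north, 90 = +x/east) as a unit vector.
    t = math.radians(bearing_deg)
    return math.sin(t), math.cos(t)

def _fit(obs):
    # Least-squares point: minimises squared perpendicular distance to all lines.
    a11 = a12 = a22 = b1 = b2 = 0.0
    for x, y, brg in obs:
        dx, dy = _dir(brg)
        nx, ny = -dy, dx              # unit normal of the bearing line
        c = nx * x + ny * y
        a11 += nx * nx; a12 += nx * ny; a22 += ny * ny
        b1 += nx * c; b2 += ny * c
    det = a11 * a22 - a12 * a12
    if abs(det) < 1e-9:
        return None                   # bearings (nearly) parallel, no crossing
    return (a22 * b1 - a12 * b2) / det, (a11 * b2 - a12 * b1) / det

def _agrees(p, ob, tol):
    # True if p lies ahead of the antenna and within tol of the bearing line.
    x, y, brg = ob
    dx, dy = _dir(brg)
    px, py = p[0] - x, p[1] - y
    return dx * px + dy * py > 0 and abs(-dy * px + dx * py) <= tol

def locate(obs, tol=2.0):
    """Return (estimate, agreeing_bearings); (None, []) if fewer than 3 agree."""
    best = []
    for pair in combinations(obs, 2):
        p = _fit(pair)                # candidate: where two bearings cross
        if p is None:
            continue
        inliers = [o for o in obs if _agrees(p, o, tol)]
        if len(inliers) > len(best):
            best = inliers
    return (_fit(best), best) if len(best) >= 3 else (None, [])

# Constructed survey: (x_m, y_m, compass_bearing_deg) read off a floor plan.
SURVEY = [(0, 0, 56), (60, 0, 304), (30, 50, 180), (0, 40, 124), (60, 45, 230),
          (10, 10, 300), (50, 30, 10), (20, 45, 95)]   # last three: reflections

if __name__ == "__main__":
    print(locate(SURVEY))
```

Requiring at least three agreeing bearings matters because any two non-parallel lines cross somewhere, so a pair of reflections alone would otherwise produce a confident but meaningless fix.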