How to find out client physical location?

 
 
Jammu
Guest
Posts: n/a

 
      01-06-2008, 08:37 AM

Hi,

We have a public wlan for visitors in our company. Now our admin guy
says someone is downloading clearly illegal stuff and it seems this has
been going on for some time now. He says he can easily block out this
guy, but I would like to call cops (guess what he is up/downloading?).

The problem is, where is this guy? We are located in an office building
and we can see networks from other companies and from another
building on the other side of the street. (Our admin says there is very
little he can do without mapping the whole area first, including the
other building)

Thanks,
Joonas


 
 
 
 
DanS
Guest
Posts: n/a

 
      01-06-2008, 01:50 PM
Jammu wrote:

> We have a public wlan for visitors in our company. Now our admin guy
> says someone is downloading clearly illegal stuff and it seems this has
> been going on for some time now. He says he can easily block out this
> guy, but I would like to call cops (guess what he is up/downloading?).


What is he/she d/l'g? And why do you want to call the cops? Do you and
your company's IT department want to take the time and effort to do what
would be required to (possibly) ID the location, and then take part in a
court case as well?

> The problem is, where is this guy? We are located in an office building
> and we can see networks from other companies and from another
> building on the other side of the street. (Our admin says there is very
> little he can do without mapping the whole area first, including the
> other building)


There's not too much you can do to pinpoint his location w/o using some
kind of triangulation method with (very) directional antennas. The
problem is, in an indoor environment, even triangulation may not work
properly, due to RF reflections. If it's an easy straight path, then
ballparking the location (which is all you would be able to do anyway)
_may_ be possible.

But now maybe the strongest signal to this client is working off of a
reflection. This could totally kill any triangulation efforts, since when
sniffing from one location, which may or may not be a straight path, and
then sniffing from the second location, which may or may not be a
straight path, could result in coming up with 2 RF paths that never
intersect.

I'd just shut 'em down and move on, which begs the question, why didn't
IT shut it down immediately when it was first noticed? That would have
been the smart thing to do. What would have happened was either 1) the
person would have gone away or 2) someone inside your company may have
come to IT claiming that their wireless connection may have stopped
working, IT could have very easily identified this as the offender and
taken whatever steps according to its computer use policy.
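
The two-bearing fix described above, and how a reflected path breaks it, as an added Python example that is not part of the original post. The floor-plan coordinates, reflector positions and function names are constructed for illustration.

```python
import math

def bearing_to(src, dst):
    """Compass bearing in degrees (clockwise from north, +y) from src to dst."""
    return math.degrees(math.atan2(dst[0] - src[0], dst[1] - src[1])) % 360

def bearing_fix(p1, brg1, p2, brg2):
    """Intersect two bearing rays taken at p1 and p2 (metres, x east / y north).
    Returns (x, y), or None when the rays are parallel or only cross behind
    an observer, i.e. the two measurements give no usable fix."""
    d1 = (math.sin(math.radians(brg1)), math.cos(math.radians(brg1)))
    d2 = (math.sin(math.radians(brg2)), math.cos(math.radians(brg2)))
    denom = d1[0] * d2[1] - d1[1] * d2[0]          # 2-D cross product d1 x d2
    if abs(denom) < 1e-9:
        return None
    dx, dy = p2[0] - p1[0], p2[1] - p1[1]
    t1 = (dx * d2[1] - dy * d2[0]) / denom         # distance along ray 1
    t2 = (dx * d1[1] - dy * d1[0]) / denom         # distance along ray 2
    if t1 <= 0 or t2 <= 0:
        return None
    return (p1[0] + t1 * d1[0], p1[1] + t1 * d1[1])

# Constructed floor plan (not from the thread): client and two sniffing spots.
CLIENT, SPOT_A, SPOT_B = (30.0, 40.0), (0.0, 0.0), (60.0, 0.0)

def scenarios():
    """Fixes for a clear path and for two cases where spot B hears a reflection."""
    brg_a = bearing_to(SPOT_A, CLIENT)             # A always has line of sight
    return {
        "line_of_sight": bearing_fix(
            SPOT_A, brg_a, SPOT_B, bearing_to(SPOT_B, CLIENT)),
        # B's strongest signal comes off a wall at (50, 50): plausible, wrong fix
        "reflection_wrong_fix": bearing_fix(
            SPOT_A, brg_a, SPOT_B, bearing_to(SPOT_B, (50.0, 50.0))),
        # B's strongest signal comes off a wall at (90, 30): bearings never cross
        "reflection_no_fix": bearing_fix(
            SPOT_A, brg_a, SPOT_B, bearing_to(SPOT_B, (90.0, 30.0))),
    }

def error_m(fix):
    """Distance in metres between a computed fix and the true client position."""
    return math.hypot(fix[0] - CLIENT[0], fix[1] - CLIENT[1])

if __name__ == "__main__":
    for name, fix in scenarios().items():
        print(name, fix, None if fix is None else round(error_m(fix), 1))
```

The wrong-fix case is the more dangerous one in practice: the bearings do cross, so nothing in the measurement itself signals that the result is tens of metres off.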
 
 
DTC
Guest
Posts: n/a

 
      01-06-2008, 03:00 PM
Jammu wrote:
> We have a public wlan for visitors in our company. Now our admin guy
> says someone is downloading clearly illegal stuff and it seems this has
> been going on for some time now. He says he can easily block out this
> guy, but I would like to call cops (guess what he is up/downloading?).


Several things to consider...

Since it's a public WLAN and if a visitor is using it, it's not an
employee issue that HR can deal with.

If it's been going on for some time, that would point to an employee
or regular visitor.

It appears that IT knows enough about it to be able to lock out the
wireless client MAC address, so if it's an employee that person will
ask what the problem is with his/her connection. But on the other
hand, the employee may have a wired connection for company biz and
just using the wireless for the inappropriate stuff, so killing the
wireless MAC may not be reported.

Sniffing around for the wireless client? I'm sure that if you
walk around with a laptop in one hand and Yagi antenna in the other,
it might tip off someone what you're looking for.

Call the cops? Good question. Some states (there might even be a
federal law also) obligate you to report certain activity,
i.e. if you repair someone's computer and discover certain files,
you have to report it. With the confusing language of so many
statutes, a wireless client could very well be considered part of a
computing system and therefore you might be obligated to report it.



 
 
Mark McIntyre
Guest
Posts: n/a

 
      01-06-2008, 03:46 PM
DTC wrote:
> Jammu wrote:
>> We have a public wlan for visitors in our company. Now our admin guy
>> says someone is downloading clearly illegal stuff and it seems this has
>> been going on for some time now. He says he can easily block out this
>> guy, but I would like to call cops (guess what he is up/downloading?).

>
> If it's been going on for some time, that would point to an employee
> or regular visitor.


Or someone in a nearby building who has noticed they can pick up your
free wlan. Really, a company ought to know better than have an open wlan
- it's a magnet for abuse.

> It appears that IT knows enough about it to be able to lock out the
> wireless client MAC address,


Might work temporarily - but anyone savvy enough to access it will be
able to change their MAC and get back in.

> Sniffing around for the wireless client? I'm sure that if you
> walk around with a laptop in one hand and Yagi antenna in the other,
> it might tip off someone what you're looking for.


That might be good enough to scare them off, if it's an employee or
regular visitor. You could also redistribute your company IT policy, and
create / distribute one to visitors, perhaps with an accompanying note
saying that someone was recently caught abusing the free wlan, and that
future transgressors will face disciplinary and possibly police action.

> Call the cops? Good question. Some states (there might even be a
> federal law also) obligate you to report certain activity,
> i.e. if you repair someone's computer and discover certain files,
> you have to report it. With the confusing language of so many
> statutes, a wireless client could very well be considered part of a
> computing system and therefore you might be obligated to report it.


It is, and you would be.

Social engineering is the solution probably. If it's someone actually in
the building - whether staff or visitor - then the above suggestions
ought to scare them off.
 
 
DevilsPGD
Guest
Posts: n/a

 
      01-07-2008, 03:05 AM
Mark McIntyre wrote:

>Social engineering is the solution probably. If it's someone actually in
>the building - whether staff or visitor - then the above suggestions
>ought to scare them off.


It doesn't sound like the goal is to scare him off, there are easy ways
of doing that, especially if someone is doing something illegal.

Finding the person could be far more fun.
 
 
Bill Kearney
Guest
Posts: n/a

 
      01-07-2008, 02:28 PM
> We have a public wlan for visitors in our company.

Public, as in not running any security like WPA or WEP? That's a mistake.
It'd be somewhat easier if you had security set up for it, even one that just
uses a placard at the door entrance reading the current day/week/month
password. You could at least then use that to cross-reference a username
login on something to the MAC hardware.

> The problem is, where is this guy? We are located in an office building
> and we can see networks from other companies and from another
> building on the other side of the street. (Our admin says there is very
> little he can do without mapping the whole area first, including the
> other building)


If you're dealing with more than one access point then you could use
something like Ethereal (now called Wireshark) to sniff the packets. You'd
have to set up a hub between the access point being (ab)used and put a
computer on it to capture the packets. Configure the filters to capture
only the packets from that questionable MAC address. Then sift through the
packets looking for additional identifying information. A POP mailbox
login, website, etc. If they're abusing your network they have no
reasonable expectation of privacy.

You could also use something simple like a Windows "net view
\\mystery.computer.ip.address" with the hopes they've done something stupid
like left Windows filesharing running. And then used an identifiable PC
name (heh, like Joe's Dell Inspiron or the like).

You could get really devious and set up a transparent proxy that would
re-write their download requests, and return different content. Like an AVI
movie of a REALLY LOUD SOUND and have folks listening for it. Or web pages
that unleashed pop-ups that redirected to other internal web pages and track
those via log files.

I'd start with collected packets from the abusive machine. Let it collect
for a while, like a week or more. Then look through them to see if you can
find any sort of identifiable destinations. At some point this idiot is
likely to use something that'll trip him (or her) up. An instant messenger
login, checking a mailbox, etc.

There is also the "problem with the network, call us for help" ploy.
Redirect web traffic to a web page explaining there's a problem and put a
phone number on there for them to call asking for help. Make it come up
randomly. Enough that they'll think you're idiots and call demanding you
get your sorry act together. Be busy and get a call back number, be surly
and rude so they'll call your boss to complain about you. You're looking to
bait them into providing as much identifiable info as possible. Making
yourself look stupid and pissing them off works in your favor.

There's lots of things you can try, but none of them will guarantee results.

-Bill Kearney
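
The capture-then-sift step described in this post, as an added Python example that is not part of the original thread: it reads a classic pcap file, keeps only frames sent by one MAC address, and tallies the destinations that client talked to. The MAC addresses, IP addresses and the in-memory capture are constructed test data; a real capture would be read from a file written by Wireshark or tcpdump.

```python
import socket
import struct
from collections import Counter

SUSPECT, OTHER = "02:00:00:00:00:01", "02:00:00:00:00:02"   # constructed MACs

def flows_from_mac(pcap: bytes, mac: str) -> Counter:
    """Count (protocol, dst IP, dst port) for IPv4 frames sent by `mac`
    in a classic little-endian pcap with Ethernet link type."""
    want = bytes.fromhex(mac.replace(":", ""))
    magic, *_, linktype = struct.unpack_from("<IHHiIII", pcap, 0)
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected little-endian Ethernet pcap")
    flows, off = Counter(), 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from("<I", pcap, off + 8)[0]
        frame = pcap[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[6:12] != want:
            continue                          # truncated, or another sender
        if frame[12:14] != b"\x08\x00":
            continue                          # not IPv4
        ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
        proto = {6: "tcp", 17: "udp"}.get(frame[23])
        l4 = 14 + ihl                         # start of TCP/UDP header
        if proto is None or len(frame) < l4 + 4:
            continue
        dport = struct.unpack_from("!H", frame, l4 + 2)[0]
        flows[(proto, socket.inet_ntoa(frame[30:34]), dport)] += 1
    return flows

def _frame(src_mac: str, dst_ip: str, proto: int, dport: int) -> bytes:
    """Constructed frame: Ethernet + minimal IPv4 header + source/dest ports."""
    eth = bytes(6) + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 0, 0, 64, proto, 0,
                     socket.inet_aton("192.0.2.50"), socket.inet_aton(dst_ip))
    return eth + ip + struct.pack("!HH", 40000, dport)

def sample_pcap() -> bytes:
    """Constructed four-packet capture: three from SUSPECT, one from OTHER."""
    frames = [_frame(SUSPECT, "198.51.100.10", 6, 110),
              _frame(SUSPECT, "198.51.100.10", 6, 110),
              _frame(SUSPECT, "203.0.113.5", 6, 80),
              _frame(OTHER, "203.0.113.5", 6, 443)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out
```

Because the filter keys on the source MAC, a client that changes its MAC address, as noted earlier in the thread, appears as a new sender and has to be correlated again.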


 