Good rogue ap finder? or...going down the wrong path?

I'm trying to track down rogue access points in a building for a
company and its become exceedingly difficult. I just bought a Hawking
Wifi finder that I will test tomorrow but it still requires a
laptop..it has an antenna that can be moved around to find the
offending AP. We'll see but i'm definitely crossing my fingers tightly
on this purchase ($80).

I've seen software in the $5K range which apparently finds rogue
hotspots along with a laptop and some device but it seems to me there's
nothing out there that really does the job without bending over
backwards.

Is there some other logic to blocking rogue ap's? perhaps running
airsnort and blocking? ids? firewall? something like that?

I feel like I'll be playing a losing game trying to track down
everytime some jackass misconfigures his or her laptop as a p2p or an
AP.

Thanks!

In article <(E-Mail Removed) .com>, "foo" <(E-Mail Removed)> wrote:
>I'm trying to track down rogue access points in a building for a
>company and its become exceedingly difficult. I just bought a Hawking
>Wifi finder that I will test tomorrow but it still requires a
>laptop..it has an antenna that can be moved around to find the
>offending AP. We'll see but i'm definitely crossing my fingers tightly
>on this purchase ($80).
>
>I've seen software in the $5K range which apparently finds rogue
>hotspots along with a laptop and some device but it seems to me there's
>nothing out there that really does the job without bending over
>backwards.
>
>Is there some other logic to blocking rogue ap's? perhaps running
>airsnort and blocking? ids? firewall? something like that?
>
>I feel like I'll be playing a losing game trying to track down
>everytime some jackass misconfigures his or her laptop as a p2p or an
>AP.
>
>Thanks!
>

Can't help you really on a direction finder, but I am curious:
What is a rogue AP? Is there some restriction in the building where tenants
are not allowed to have wireless networks? In the US, this would be
extremely unusal at this time as the technology is new enough that it would
not have found its way into many leases. Or are you an agent for the ISP
hunting down people in violation of your user agreement?

fundamentalism, fundamentally wrong.

"foo" <(E-Mail Removed)> hath wroth:

>I'm trying to track down rogue access points in a building for a
>company and its become exceedingly difficult. I just bought a Hawking
>Wifi finder that I will test tomorrow but it still requires a
>laptop..it has an antenna that can be moved around to find the
>offending AP. We'll see but i'm definitely crossing my fingers tightly
>on this purchase ($80).
>
>I've seen software in the $5K range which apparently finds rogue
>hotspots along with a laptop and some device but it seems to me there's
>nothing out there that really does the job without bending over
>backwards.
>
>Is there some other logic to blocking rogue ap's? perhaps running
>airsnort and blocking? ids? firewall? something like that?
>
>I feel like I'll be playing a losing game trying to track down
>everytime some jackass misconfigures his or her laptop as a p2p or an
>AP.

The "rogue" AP or spoofed AP client radio will always show up on the
network. If you're lucky, it can be pinged. Dive into the company
wired switch closet and start pulling CAT5 cables. When the traffic
stops, you've found the cable and the general location. If there are
multiple switches in series, then repeat the plug pulling exercise
until the culprit is found. (I've done this all to many times).

If you can't ping the culprit, then you can sniff their traffic. I
have a 10/100 switchable hub (not a switch) that I drag around with
me. I plant it in between switch backbones and sniff the traffic. If
there's anything with the culprits MAC address or IP address moving on
that cable, Ethereal will log it. The proceedure is the same as
pulling the plug, but a bit more tedious.

If you have managed switches, use SNMP or whatever management software
comes with the switch, to track down the source of the traffic.

I don't think you have any chance of finding the culprit with a
keychain Wi-Fi finder. If you're going to play direction finder, then
you'll need a directional antenna and a sniffer that can detect both
clients and access points. I use Kismet under Linux run from a
Live-CD such as Knoppix or Wireless Security Auditor. The card is any
PCMCIA card with an external antenna. I use various antennas, but
mostly a 19dBi dish antenna. You don't need much gain, but you do
need substantial directionality. Direction finding with a 30 degree
wide beamwidth is possible, but not easy. A 12degree, 19dBi dish is
much better. Be prepared to explain to nervous police and security
personel what you're doing.

The technique is not obvious. You don't just stand at one or two
places, draw a line, and declare the crossing point to be the
location. There are far too many reflections at 2.4Ghz to make that a
workable method. You use a map. You get away from the general area
and start walking. When you're in the clear, you take a bearing and
draw a line on the map. Do it as many times as possible. Eventually,
you'll have most of the lines crossing at one point. There will be
plenty of others that do not, are reflections, and can be disgarded.
It's fairly difficult to do this inside an office building, but the
general principle still applies. Take LOTS of bearings and look for
coincidence.

As for blocking rogue AP's, it all starts with detecting them in the
first place. I use various forms of arpwatch to detect new MAC
addresses on the LAN. However, this won't do any good for softAP's
and spoofed access points using authorized clients. Details when you
disclose what you have to work with.

--
Jeff Liebermann (E-Mail Removed)
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558

On Mon, 09 Jan 2006, in the Usenet newsgroup alt.internet.wireless, in article
<vFswf.124799$(E-Mail Removed)>, Rico wrote:
> "foo" <(E-Mail Removed)> wrote:

>> I'm trying to track down rogue access points in a building for a
>> company and its become exceedingly difficult. I just bought a
>> Hawking Wifi finder that I will test tomorrow but it still requires
>> a laptop..it has an antenna that can be moved around to find the
>> offending AP.

If you don't/can't control access to the facility, that's probably
the best tool you can have. I've seen audits done using a 20 kilo / 45
pound spectrum analyzer on a cart with an antenna the size of an
umbrella.

>We'll see but i'm definitely crossing my fingers tightly
>>on this purchase ($80).

See the thread 'Wi-Spy Spectrum Analyzer' - I'm the guy who was using
a unit that cost over US$12000. Anyway, your company should be paying
for the hardware.

>>I feel like I'll be playing a losing game trying to track down
>>everytime some jackass misconfigures his or her laptop as a p2p or an
>>AP.

Are they company owned hardware? If so, why are the users allowed to
mess with this? Auditing the hardware when it comes in can usually
provide enough information to identify the box involved. One would
hope that the company boxes don't do walkies all the time, and thus
should be findable.

>What is a rogue AP?

Unauthorized access point

>Is there some restriction in the building where tenants are not allowed
>to have wireless networks? In the US, this would be extremely unusal at
>this time as the technology is new enough that it would not have found
>its way into many leases.

If it's a residential setup, you're probably right. A _FAR_ more common
problem is users screwing up the configuration of company supplied
hardware at work. I'm sure you wouldn't want the jerks at your bank
broadcasting all your account information or allowing a rogue AP to
bypass the firewall as examples of why this might be frowned upon.

>Or are you an agent for the ISP hunting down people in violation of
>your user agreement?

If you look at the headers, he's posting from comcast in the DC metro
area, which smells a lot more like a company computer problem. We
completely ban any non-company systems in our facilities for security
reasons. Our users do not have 'root' (same concept as 'administrator'
in windoze) permissions, and so can't screw up the systems. It's been
that way for about 26 years now.

Old guy

(E-Mail Removed) (Moe Trin) hath wroth:

>If you don't/can't control access to the facility, that's probably
>the best tool you can have. I've seen audits done using a 20 kilo / 45
>pound spectrum analyzer on a cart with an antenna the size of an
>umbrella.

Cart? What a luxury. I'm the idiot that got volunteered to do a Part
15 emissions "field" test with an HP140T, a mess of plug-ins, and a
spare HP180 with an HP8558B spectrum analyzers. This was in the late
1970's, before the FCC certified test labs to do all this. The
biconical antenna was about the size of TWO umbrellas.

We dragged the test equipment, a generator, and a huge box of
connectors and adapters to an allegedly empty field in East San Jose.
The grass was knee high which made avoiding the gopher holes and cow
pies difficult. The test radio sat on a home made wooden table (no
metal parts) and was powered by a big heavy car battery.

The highlight of the trip was when the sun started to set, the cows
decided to migrate back to the barn. Unfortunately, we were directly
in their path. I have a photo (somewhere) of me trying to discourage
a curious cow from licking the spectrum analyzers. I'll post it if I
find it.

The test was completed with no fatalities, minimal damage, and only a
few lost adapters and cables. My boss managed to twist his ankle by
stepping in a gopher hole. I tripped over something and dropped the
test radio. It took a full day to clean up the mess when we got back
to the lab.

>Our users do not have 'root' (same concept as 'administrator'
>in windoze) permissions, and so can't screw up the systems. It's been
>that way for about 26 years now.

If I were root for a day,
I'd change everything in some way.
T'was working so well,
but boring as hell,
So watch the results in dismay.


--
Jeff Liebermann (E-Mail Removed)
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558

In article <(E-Mail Removed)>, (E-Mail Removed) (Moe Trin) wrote:
>On Mon, 09 Jan 2006, in the Usenet newsgroup alt.internet.wireless, in article
><vFswf.124799$(E-Mail Removed)> , Rico wrote:
>> "foo" <(E-Mail Removed)> wrote:
>
>>> I'm trying to track down rogue access points in a building for a
>>> company and its become exceedingly difficult. I just bought a
>>> Hawking Wifi finder that I will test tomorrow but it still requires
>>> a laptop..it has an antenna that can be moved around to find the
>>> offending AP.
>
>If you don't/can't control access to the facility, that's probably
>the best tool you can have. I've seen audits done using a 20 kilo / 45
>pound spectrum analyzer on a cart with an antenna the size of an
>umbrella.
>
>>We'll see but i'm definitely crossing my fingers tightly
>>>on this purchase ($80).
>
>See the thread 'Wi-Spy Spectrum Analyzer' - I'm the guy who was using
>a unit that cost over US$12000. Anyway, your company should be paying
>for the hardware.
>
>>>I feel like I'll be playing a losing game trying to track down
>>>everytime some jackass misconfigures his or her laptop as a p2p or an
>>>AP.
>
>Are they company owned hardware? If so, why are the users allowed to
>mess with this? Auditing the hardware when it comes in can usually
>provide enough information to identify the box involved. One would
>hope that the company boxes don't do walkies all the time, and thus
>should be findable.
>
>>What is a rogue AP?
>
>Unauthorized access point
>
>>Is there some restriction in the building where tenants are not allowed
>>to have wireless networks? In the US, this would be extremely unusal at
>>this time as the technology is new enough that it would not have found
>>its way into many leases.
>
>If it's a residential setup, you're probably right. A _FAR_ more common
>problem is users screwing up the configuration of company supplied
>hardware at work. I'm sure you wouldn't want the jerks at your bank
>broadcasting all your account information or allowing a rogue AP to
>bypass the firewall as examples of why this might be frowned upon.
>
>>Or are you an agent for the ISP hunting down people in violation of
>>your user agreement?
>
>If you look at the headers, he's posting from comcast in the DC metro
>area, which smells a lot more like a company computer problem. We
>completely ban any non-company systems in our facilities for security
>reasons. Our users do not have 'root' (same concept as 'administrator'
>in windoze) permissions, and so can't screw up the systems. It's been
>that way for about 26 years now.
>
> Old guy

Is there no way within your LAN to tell if someone has added a 'new' router
to your network regardless of being wireless? I'm relatively new to the *ix
world so please bear with what may seem a stupid question. I would think
the logs on the server(s) would show a new IP on the net. Also in normal
support for the network wouldn't such a device as it were turn up in what
ever cube as you were say in the given room working on the printer or
someone's blurry monitor?
I just from my limited experience (small business back ground -fewer the 50
people) can't imagine such going undiscovered for any length of time at
all. But again I'm asking because of an admitted ignorance here.
Thanks

fundamentalism, fundamentally wrong.

"Rico" <(E-Mail Removed)> wrote in message
news:8SPwf.30455$(E-Mail Removed). ..
> In article <(E-Mail Removed)>,
(E-Mail Removed) (Moe Trin) wrote:
> >On Mon, 09 Jan 2006, in the Usenet newsgroup alt.internet.wireless, in
article
> ><vFswf.124799$(E-Mail Removed)> , Rico wrote:
> >> "foo" <(E-Mail Removed)> wrote:
> >
> >>> I'm trying to track down rogue access points in a building for a
> >>> company and its become exceedingly difficult. I just bought a
> >>> Hawking Wifi finder that I will test tomorrow but it still requires
> >>> a laptop..it has an antenna that can be moved around to find the
> >>> offending AP.
> >
> >If you don't/can't control access to the facility, that's probably
> >the best tool you can have. I've seen audits done using a 20 kilo / 45
> >pound spectrum analyzer on a cart with an antenna the size of an
> >umbrella.
> >
> >>We'll see but i'm definitely crossing my fingers tightly
> >>>on this purchase ($80).
> >
> >See the thread 'Wi-Spy Spectrum Analyzer' - I'm the guy who was using
> >a unit that cost over US$12000. Anyway, your company should be paying
> >for the hardware.
> >
> >>>I feel like I'll be playing a losing game trying to track down
> >>>everytime some jackass misconfigures his or her laptop as a p2p or an
> >>>AP.
> >
> >Are they company owned hardware? If so, why are the users allowed to
> >mess with this? Auditing the hardware when it comes in can usually
> >provide enough information to identify the box involved. One would
> >hope that the company boxes don't do walkies all the time, and thus
> >should be findable.
> >
> >>What is a rogue AP?
> >
> >Unauthorized access point
> >
> >>Is there some restriction in the building where tenants are not allowed
> >>to have wireless networks? In the US, this would be extremely unusal at
> >>this time as the technology is new enough that it would not have found
> >>its way into many leases.
> >
> >If it's a residential setup, you're probably right. A _FAR_ more common
> >problem is users screwing up the configuration of company supplied
> >hardware at work. I'm sure you wouldn't want the jerks at your bank
> >broadcasting all your account information or allowing a rogue AP to
> >bypass the firewall as examples of why this might be frowned upon.
> >
> >>Or are you an agent for the ISP hunting down people in violation of
> >>your user agreement?
> >
> >If you look at the headers, he's posting from comcast in the DC metro
> >area, which smells a lot more like a company computer problem. We
> >completely ban any non-company systems in our facilities for security
> >reasons. Our users do not have 'root' (same concept as 'administrator'
> >in windoze) permissions, and so can't screw up the systems. It's been
> >that way for about 26 years now.
> >
> > Old guy
>
> Is there no way within your LAN to tell if someone has added a 'new'
router
> to your network regardless of being wireless? I'm relatively new to the
*ix
> world so please bear with what may seem a stupid question. I would think
> the logs on the server(s) would show a new IP on the net.

yes - it would. But SOHO routers are designed to use NAT to "hide" multiple
devices behind a single IP, so it wont be that obvious.

APs may be easier to detect - one possible way is to use managed Ethernet
switches, and limit them to 1 MAC address per port - at least then you know
which cable from wiring closet on which floor in which building to look.

Also in normal
> support for the network wouldn't such a device as it were turn up in what
> ever cube as you were say in the given room working on the printer or
> someone's blurry monitor

it might do - but imagine a site like an airport. one I worked on had well
over 200 wiring closets, and the site was 4 to 6 Km across...

or just think of looking in the tangle of wires around some desks - someone
found an "official" one that way a couple of months (mainly because the
movers were in, stepped on it at which point the warranty expired, and the
"Internet dirty WLAN" for visitors stopped working)

> I just from my limited experience (small business back ground -fewer the
50
> people) can't imagine such going undiscovered for any length of time at
> all. But again I'm asking because of an admitted ignorance here.
> Thanks
>
> fundamentalism, fundamentally wrong.
--
Regards

(E-Mail Removed) - replace xyz with ntl

On Mon, 09 Jan 2006, in the Usenet newsgroup alt.internet.wireless, in article
<(E-Mail Removed)>, Jeff Liebermann wrote:

>> I've seen audits done using a 20 kilo / 45 pound spectrum analyzer
>> on a cart with an antenna the size of an umbrella.
>
>Cart? What a luxury. I'm the idiot that got volunteered to do a Part
>15 emissions "field" test with an HP140T, a mess of plug-ins, and a
>spare HP180 with an HP8558B spectrum analyzers.

851B with 8551B - can you spell boat anchor? Actually, I remember an
even older test with a AN/APR<mumble> that ran on DC and 400 cycle,
so there was a honking great DC supply and a rotary converter screaming
away, and three guys dragging a hundred foot extension cable behind the
cart... really innocent looking don'cha think?

>The biconical antenna was about the size of TWO umbrellas.

Yeah, I remember those - and the log periodics

>We dragged the test equipment, a generator, and a huge box of
>connectors and adapters to an allegedly empty field in East San Jose.
>The grass was knee high which made avoiding the gopher holes and cow
>pies difficult. The test radio sat on a home made wooden table (no
>metal parts) and was powered by a big heavy car battery.

You knew it was time to go for Plan B when bystanders would be looking
around, and finally come up and ask where the camera was hidden and
Alan Funt hiding.

>The test was completed with no fatalities, minimal damage, and only a
>few lost adapters and cables. My boss managed to twist his ankle by
>stepping in a gopher hole. I tripped over something and dropped the
>test radio. It took a full day to clean up the mess when we got back
>to the lab.

Doing a test on a dock, with a backpack radio. Helicopter comes in with
6 55 gallon drums in a cargo net as a sling load, and is going to put this
on a boat tied up along side. Pilot realizes he's overshooting slightly,
and hauls up hard on the collective - rotor downwash like no tomorrow, and
the poor sod wearing the backpack (and four or five others) is blown off
the dock into the water - a nice mix of oil slick, brackish water, and who
dares to think what else. But it's military gear, so it's been waterproofed,
right? (No, it was the one and only prototype.) Someone threw a life ring
at the guy, which turned out to be pretty good thing because he couldn't
swim, and the water is fifteen plus feet deep, and he can't get out of the
darn pack harness... The jarheads who were escorting us had a few
constructive suggestions (the guy who was wearing the pack had a suggestion
too, but it was physically impossible).

>> Our users do not have 'root' (same concept as 'administrator'
>> in windoze) permissions, and so can't screw up the systems. It's been
>> that way for about 26 years now.
>
> If I were root for a day,
> I'd change everything in some way.
> T'was working so well,
> but boring as hell,
> So watch the results in dismay.

And that's why we don't hand out root, though I've known plenty of users
who managed to so totally fsck their dot-files without knowing what they
were doing, then come whining about how the system is b0rked, and "they
didn't change/touch _anything_".

Old guy

On Tue, 10 Jan 2006, in the Usenet newsgroup alt.internet.wireless, in article
<8SPwf.30455$(E-Mail Removed)>, Rico wrote:

>Is there no way within your LAN to tell if someone has added a 'new' router
>to your network regardless of being wireless? I'm relatively new to the *ix
>world so please bear with what may seem a stupid question.

Generally speaking, LANs are (or act as it they were) Ethernet, with
packets flying about using RFC0894. Briefly, this is a 14 byte header
(6 bytes destination MAC, 6 bytes source MAC, 2 byte type) and 4 byte
CRC wrapped around an IP packet. The packets are actually steered using
the MAC address which you can see on your system using the '/sbin/ifconfig
-a' command. In the old days of coax (10Base5 or 10Base2), everyone was
on the same wire, so you could hear all systems. This was also true of
the original twisted pair (10BaseT) setup using hubs. Later implementations
of twisted pair, (10BaseT and the faster 100BaseT and 1000BaseT) use
switches to isolate sections, and now all you'd hear is broadcasts such
are ARP requests and those packets destined to "you". (Yes, switches
can be set to monitor all ports.)

[compton ~]$ whatis arpwatch
arpwatch (8) - keep track of ethernet/ip address pairings
[compton ~]$

That's a handy tool. But we simply monitor all of the switches and the ARP
caches on routers and servers. When something appears that isn't on our
list, a message is sent to Network Operations and the Security Desk. This
brings the thundering herd along with the "People Who Do Not Smile"(tm).
We are helped by having an exact list of where every port on every switch
goes. There are about 1500 offices in this building, but someone will
arrive within 4 minutes and be asking questions. For the other building
on the facility, add a minute or so for running between the buildings.

>I would think the logs on the server(s) would show a new IP on the net.

Yup - and we log all the details when the systems first arrive. (We're
an R&D facility, so we're a bit more paranoid than others might be, but
the whole company uses the same po;icies.)

>Also in normal support for the network wouldn't such a device as it were
>turn up in what ever cube as you were say in the given room working on
>the printer or someone's blurry monitor?

If you don't control access to your facility, yes this is a common
giveaway - all the company hardware has property tags prominently
displayed, and as a courtesy to the users (and to allow support to
figure out which of these identical systems is named $FOO), we also
put Dymo labels (embossed tape) with the system name on the monitor
and CPU.

>I just from my limited experience (small business back ground -fewer the 50
>people) can't imagine such going undiscovered for any length of time at
>all. But again I'm asking because of an admitted ignorance here.

You're basically right. Also, there is written policy (signed by each
employee) explaining that non-company hardware is a major no-no, and there
are signs at all building entrances, yada, yada, yada.

Old guy

On Tue, 10 Jan 2006, in the Usenet newsgroup alt.internet.wireless, in article
<SYWwf.86101$(E-Mail Removed)>, stephen wrote:

>"Rico" <(E-Mail Removed)> wrote

>> I would think the logs on the server(s) would show a new IP on the net.
>
>yes - it would. But SOHO routers are designed to use NAT to "hide" multiple
>devices behind a single IP, so it wont be that obvious.

Even if the hidden systems are using the exact same patch level of the
same operating system, they're relatively easy to detect. There are some
pretty obvious things in the TCP and IP headers. A passive fingerprinting
program will even flag this for you. If the patch level or O/S are not
the same, it becomes child's play. I know of several ways to make it much
harder to detect, but people get terminated for that, and so far (15 years)
no one has tried that we know about. Not impossible, but...

>APs may be easier to detect - one possible way is to use managed Ethernet
>switches, and limit them to 1 MAC address per port - at least then you know
>which cable from wiring closet on which floor in which building to look.

Heck, we know which drop in which room to go to.

>it might do - but imagine a site like an airport. one I worked on had well
>over 200 wiring closets, and the site was 4 to 6 Km across...

4 to 6 kilometers would normally be on separate subnets, but a lot depends
on the switches used, and the deviousness of the network police.

>or just think of looking in the tangle of wires around some desks - someone
>found an "official" one that way a couple of months (mainly because the
>movers were in, stepped on it at which point the warranty expired, and the
>"Internet dirty WLAN" for visitors stopped working)

Yes, we're paranoid, but unused drops are deactivated at the most by the
next business day. HR wishing to avoid worker's comp (worker injury
insurance claims) problems also has another written policy that users don't
move furniture or computers.

Old guy