Rouge APs at Work - How to locate them?!

 
 
a_monk
      07-14-2006, 02:05 PM
At work, we found a number of rouge APs. NetStumbler reported their MAC
addresses and SSIDs. How can we effectively locate them?

I am thinking to ask the network team to "sniff" the MAC and locate the
ports which they are attaching to. Is it a correct way to do it? Are
there other ways to locate these rouge APs?

Any suggestions are appreciated.

Thanks,

A Monk

 
Jeff Liebermann
      07-14-2006, 03:52 PM
"a_monk" <(E-Mail Removed)> hath wroth:

>At work, we found a number of rouge APs. NetStumbler reported their MAC
>addresses and SSIDs. How can we effectively locate them?
>
>I am thinking to ask the network team to "sniff" the MAC and locate the
>ports which they are attaching to. Is it a correct way to do it? Are
>there other ways to locate these rouge APs?


More than one? Are you sure they are *YOUR* rogue APs? In other
words, are you sure they are connected to your company network? If
they are yours, you can trace them by the MAC address. The problem is
that the wireless MAC address is NOT necessarily the same as the
ethernet wired MAC address. However, it will almost always be
numerically adjacent. For example, from my WRT54G:
LAN MAC 00:13:10:8C:14:A9
WAN MAC 00:13:10:8C:14:AA
Wireless MAC 00:13:10:8C:14:AB
In most cases, it's not really a "rogue access point". It's really a
"rogue wireless router". The clueless user buys the more common
wireless router and plugs the WAN port into the company network. It
has a built-in DHCP client that picks up its IP from the corporate
DHCP server. Inspecting the DHCP leases or ARP table for a MAC
address that is adjacent to the wireless MAC address should yield an
assigned IP address for the wireless router.

Once you have the IP address from the ARP table or DHCP lease list,
you can ping the rogue wireless router. If you have a managed switch
in the system, it can be traced with SNMP or various management tools
(OpenView, etc). Otherwise, you can do something crude like ping
continuously, and unplug cables until the pinging stops.

It is also possible to ping by MAC address using arping.
| http://www.habets.pp.se/synscan/prog...hp?prog=arping
| ftp://ftp.habets.pp.se/pub/synscan/a...iled-by-me.exe

You can also use Netstumbler for direction finding but that's a bit
tricky if you've never done it before. In an office environment, the
best you can do is just walk around until the signal is really strong.
Otherwise, you end up dragging around a big directional antenna which
is sure to attract the attention of the rogue wireless owner.

I find it interesting that you were able to find the rogue wireless
routers with Netstumbler. Most corporate hackers are sufficiently
astute to turn off SSID broadcasting, which makes them almost
invisible to Netstumbler's active probes. I suggest you try sniffing
with Kismet (using a Linux LiveCD) which will show hidden access
points and wireless clients. You may find more rogue access points.

--
Jeff Liebermann (E-Mail Removed)
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
 
Jeff Liebermann
      07-14-2006, 04:08 PM
Jeff Liebermann <(E-Mail Removed)> hath wroth:

[arping]
>| ftp://ftp.habets.pp.se/pub/synscan/a...iled-by-me.exe


Oops. Don't use this version on W2K and XP. It crashes. Now looking
for one that works...

Wolfgang S. Rupprecht
      07-14-2006, 04:24 PM

Jeff Liebermann <(E-Mail Removed)> writes:
> Once you have the IP address from the ARP table or DHCP lease list,
> you can ping the rogue wireless router. If you have a managed switch
> in the system, it can be traced with SNMP or various management tools
> (OpenView, etc). Otherwise, you can do something crude like ping
> continuously, and unplug cables until the pinging stops.


Or have your dhcpd server give that machine an address that you have
no intention of routing to anything but the bit bucket. Then wait for
the culprit to show up complaining that their laptop stopped working.

-wolfgang
--
Wolfgang S. Rupprecht http://www.wsrcc.com/wolfgang/
 
Jeff Liebermann
      07-14-2006, 04:46 PM
"Wolfgang S. Rupprecht"
<wolfgang+(E-Mail Removed) .wsrcc.com> hath
wroth:

>Jeff Liebermann <(E-Mail Removed)> writes:
>> Once you have the IP address from the ARP table or DHCP lease list,
>> you can ping the rogue wireless router. If you have a managed switch
>> in the system, it can be traced with SNMP or various management tools
>> (OpenView, etc). Otherwise, you can do something crude like ping
>> continuously, and unplug cables until the pinging stops.


>Or have your dhcpd server give that machine an address that you have
>no intention of routing to anything but the bit bucket. Then wait for
>the culprit to show up complaining that their laptop stopped working.
>-wolfgang


We actually did something like that on a security "sweep" of a
corporate network in S.F. I was there to help with any RF related
issues. IT redirected the IP calls to port 80 to point to a splash
page demanding that the user call IT immediately. It only took about
5 minutes for the phone to ring. It was the president's secretary
asking what the hell we were doing. Ooops. It seems the president's
son did dad a big favor and set up a wireless access point so dad
didn't have to play with the ethernet cable. Being a consultant, I
missed the entertainment value of the high level yelling and screaming
that followed.

Wolfgang S. Rupprecht
      07-14-2006, 06:34 PM

Jeff Liebermann <(E-Mail Removed)> writes:
> It seems the president's son did dad a big favor and set up a wireless
> access point so dad didn't have to play with the ethernet cable.


A direct hit. ;-)

Hope once he calmed down he realized how foolish it was to jeopardize
the security of the company's net with a rogue AP. Back in the old
days industrial spies had to work hard to put a bug on a company's
network. Nowadays they just have to give an AP to a foolish employee
saying "I've got a spare access point, can you use it?".

-wolfgang
Mark McIntyre
      07-14-2006, 09:04 PM
On Fri, 14 Jul 2006 08:52:52 -0700, in alt.internet.wireless , Jeff
Liebermann <(E-Mail Removed)> wrote:

>"a_monk" <(E-Mail Removed)> hath wroth:
>
>>At work, we found a number of rouge APs. NetStumbler reported their MAC
>>addresses and SSIDs. How can we effectively locate them?
>>
>>I am thinking to ask the network team to "sniff" the MAC and locate the
>>ports which they are attaching to. Is it a correct way to do it? Are
>>there other ways to locate these rouge APs?

>
>More than one? Are you sure they are *YOUR* rogue APs? In other
>words, are you sure they are connected to your company network? If
>they are yours, you can trace them by the MAC address. The problem is
>that the wireless MAC address is NOT necessarily the same as the
>ethernet wired MAC address. However, it will almost always be
>numerically adjacent.


Er, no. This is probably vendor-dependent.

> For example, from my WRT54G:
> LAN MAC 00:13:10:8C:14:A9
> WAN MAC 00:13:10:8C:14:AA
> Wireless MAC 00:13:10:8C:14:AB


From my SMC
LAN 00-04-E2-B8-79-F4
WAN 00-04-E2-00-C9-7F
WLAN 00-04-E2-B6-6D-CE

All by the same maker, but not adjacent.

Also bear in mind that most routers can clone their WAN MAC, so they
can masquerade as an authorised device. I'd expect this to be a
feature that naughty techies would use to introduce rogue routers into
the corporate network.

FWIW I'd use social engineering.

"It's come to our attention that some staff have installed unauthorised
wireless equipment, in breach of company policy no XXXX. We have
identified the locations of the equipment. Any devices still on the
premises on Friday 21st July will be confiscated, and the owners will
be subject to disciplinary action. "

If you still need to track them down, a directional antenna is
probably the way to go. The sight of you walking round the office with
a direction finder will be enough to scare off all but the most
idiotic.
--
Mark McIntyre
 
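One way to turn Jeff's DHCP-lease / ARP-table correlation and Mark's vendor-dependence caveat into a repeatable check (an added example, not code from anyone in this thread): it takes the BSSIDs a stumbler reported and a dump of the switch's ARP table, keeps only wired MACs that share the wireless MAC's OUI, and ranks them by how close they are numerically. The dump format, IP addresses and switch ports are constructed; the only real addresses are the WRT54G and SMC ones quoted above, which land in the "adjacent" and "same-oui" buckets respectively. A router that clones an authorised WAN MAC, as Mark notes, is invisible to this check.

```python
# Added example, not from the thread: correlate stumbler-reported BSSIDs with a
# DHCP-lease / ARP-table dump to find the wired side of a rogue wireless router.
# Exact or adjacent MACs (Jeff's WRT54G pattern) rank first; same-OUI but
# non-adjacent MACs (Mark's SMC pattern) are listed as weaker candidates, since
# adjacency is vendor-dependent. A cloned WAN MAC will not be found this way.
from __future__ import annotations
from dataclasses import dataclass

ADJACENT_WINDOW = 4  # max distance in the low 24 bits still treated as "adjacent"

# BSSIDs as a stumbler would report them; these two are the WRT54G and SMC
# wireless MACs quoted in the thread.
ROGUE_BSSIDS = ["00:13:10:8C:14:AB", "00-04-E2-B6-6D-CE"]

# Constructed ARP/DHCP dump: "<ip> <mac> <switch port>" per line.
ARP_TABLE = """
# ip          mac                 port
10.0.5.17     00:13:10:8C:14:AA   Gi1/0/7
10.0.5.23     00-04-E2-00-C9-7F   Gi1/0/19
10.0.5.40     00:0c:29:4a:11:02   Gi1/0/3
10.0.5.41     00:04:e2:12:34:56   Gi1/0/22
"""


def mac_to_int(mac: str) -> int:
    """Accept 00:13:10:8c:14:a9 or 00-13-10-8C-14-A9 and return a 48-bit int."""
    digits = mac.replace(":", "").replace("-", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return int(digits, 16)


def oui(mac_int: int) -> int:
    """Vendor prefix: the upper 24 bits of the address."""
    return mac_int >> 24


@dataclass
class Candidate:
    bssid: str
    wired_mac: str
    ip: str
    port: str
    distance: int      # |wired - wireless| within the OUI
    confidence: str    # "exact", "adjacent" or "same-oui"


def parse_arp_table(text: str) -> list[tuple[str, str, str]]:
    """Parse the constructed dump format; blank and '#' lines are ignored."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ip, mac, port = line.split()
        rows.append((ip, mac, port))
    return rows


def classify(distance: int) -> str:
    """Bucket a within-OUI distance into a confidence level."""
    if distance == 0:
        return "exact"
    if distance <= ADJACENT_WINDOW:
        return "adjacent"
    return "same-oui"


def find_wired_side(bssids, arp_rows) -> list[Candidate]:
    """For each BSSID, list wired MACs sharing its OUI, best match first."""
    rank = {"exact": 0, "adjacent": 1, "same-oui": 2}
    found = []
    for bssid in bssids:
        b = mac_to_int(bssid)
        for ip, mac, port in arp_rows:
            m = mac_to_int(mac)
            if oui(m) != oui(b):
                continue  # different vendor prefix: not a sibling interface
            d = abs(m - b)
            found.append(Candidate(bssid, mac, ip, port, d, classify(d)))
    found.sort(key=lambda c: (c.bssid, rank[c.confidence], c.distance))
    return found


if __name__ == "__main__":
    for c in find_wired_side(ROGUE_BSSIDS, parse_arp_table(ARP_TABLE)):
        print(f"{c.bssid} -> {c.wired_mac} {c.ip} on {c.port} [{c.confidence}]")
```

Run against the sample dump, the WRT54G BSSID resolves to a single "adjacent" wired MAC on one switch port, while the SMC BSSID yields two "same-oui" candidates that this heuristic alone cannot tell apart; that second case is where a managed switch's MAC table or the unplug-until-the-ping-stops approach has to take over.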
Richard Blaine
      07-14-2006, 09:57 PM
"a_monk" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) oups.com...
> At work, we found a number of rouge APs. NetStumbler reported their MAC
> addresses and SSIDs. How can we effectively locate them?
>
> I am thinking to ask the network team to "sniff" the MAC and locate the
> ports which they are attaching to. Is it a correct way to do it? Are
> there other ways to locate these rouge APs?
>
> Any suggestions are appreciated.
>
> Thanks,
>
> A Monk
>


Check with the girls-- they're the ones who use rouge on their cheeks ;-)


 
Moe Trin
      07-16-2006, 02:12 AM
On Fri, 14 Jul 2006, in the Usenet newsgroup alt.internet.wireless, in article
<(E-Mail Removed)>, Jeff Liebermann wrote:

>It only took about 5 minutes for the phone to ring. It was the presidents
>secretary asking what the hell we were doing. Ooops.


As long as the policy was in place, and signed by The Powers That Be(tm)
then all should be well. Years ago, when we put into place (initially at
the Research Division and Corporate Headquarters, later corporate wide)
the "no visiting computers" rule, the first one we found was the CEO who
had approved the policy not ten days earlier. Even more fun, the second
(or third - can't remember) was a government security auditor who waltzed
in to give us a lecture on network security - right past three signs
roughly 2 x 4 FEET large warning at every single entrance to the facility
and similar sized signs at every building entrance that visiting computers
are prohibited and will be confiscated. The resulting red faces did not
belong to the IT people.

>It seems the president's son did dad a big favor and set up a wireless
>access point so dad didn't have to play with the ethernet cable.


Our systems tend to be locked boxes (though I'm sure there are a lot of
extra keys out there), and there is another corporate policy that
prohibits the user from installing hardware/software period, no exceptions.
Also, our regular users don't have 'root' ('administrator' for you windoze
jockies), and that makes it difficult to mess up the operating system.

On the soap box end of things, that action should be criminal misconduct
as far as the Securities and Exchange Commission are concerned. At the
very least, it is gross stupidity.

>Being a consultant, I missed the entertainment value of the high level
>yelling and screaming that followed.


Shouldn't be that much. There should be a policy signed by said president
and the corporate legal types. One points out that the policy is there for
a reason, explains in two syllable words (or less) why this policy was
created, facts of life about radio intercept, and then replaces his access
point with a cable. If the policy doesn't exist, then IT was at fault
for doing the sweep without getting the policy in place ahead of time.

Old guy
 
Moe Trin
      07-16-2006, 02:13 AM
On Fri, 14 Jul 2006, in the Usenet newsgroup alt.internet.wireless, in article
<(E-Mail Removed)>, Wolfgang S. Rupprecht wrote:

>Back in the old days industrial spies has to work hard to put a bug on a
>company's network. Nowadays they just have to give an AP to a foolish
>employee saying "I've got a spare access point, can you use it?".


Boy is that ever true! We caught one person with an access point with
our network monitoring tools (monitors switches, routers and some key
servers - sends pop-up message to _every_ workstation in the NOC as well
as a few in security, generally resulting in a race between the network
admins and the guards to see who can get there first). It was a gift from
her boyfriend. I think she only got a written warning, but she left within
three months. The incident was published in company bulletins (though
not naming her or where she worked) as a warning.

Old guy
 