mailing list archives
Re: Locating rogue APs
From: Martin Hannigan <hannigan () fugawi net>
Date: Tue, 11 Feb 2003 17:45:08 -0500
On Tue, Feb 11, 2003 at 01:02:34PM -0700, Tony Rall wrote:
On Tuesday, 2003-02-11 at 13:42 CST, "Matthew S. Hallacy"
<poptix () techmonkeys org> wrote:
On Tue, Feb 11, 2003 at 11:27:28AM -0600, John Kristoff wrote:
In general, MAC OUI designations may indicate a particular AP. IP
multicast group participation may also be used by some APs. Some
APs have a few unique ports open. Lastly, APs may be found with
a radio on a particular default channel. All of these potentially
identifying characteristics may be used to help audit the network
for rogue IPs.
Why are you posting this here? The information is somewhat
as well. Persons interested in finding rogue AP's would be much better
off with a tool such as kismet that already identifies model/make of
access points based on various datapoints (including the types you
as well as the ability to determine in where the AP is (pysically) with
the use of a GPS unit.
It appears that kismet requires either someone to walk around the facility
while running the program or that you have you have it installed on
machines all over your site. Neither of those options interest me as a
long term solution to rogue AP monitoring.
Most solutions are going to require some walking around. How else
would you find them?
[ snip ]
You could setup a laptop, a GPS with a data cable, NetStumbler[free],
and a 8dbi 2.5ghz <802.11b> antenna and pickup everything clearly
for a half a mile without walking around. I've just acquired this
setup myself. Google on "war driving +F150" and you'll see a setup
to help for < $55
A network IDS will most definately detect odd MAC addrs or manufacturer
octets, but you'll have to maintain the signatures. It's much easier
using the 'war driving' setup.