RE: Wireless blocking

["Beauford, Jason" <jbeauford () EightInOnePet com>]

My thought is that this Wireless device, MUST be pretty close to a
switch of some sort.  I doubt Joe Hacker is going to try to run Cat5
cable througout your building.  More likely he/she probably ran a short
store-bought cable behind a cabinet or in the ceiling directly above
some available cubicle port or switch.  Once you connect to the device
via Netstumbler or Kismet, you can simply get its MAC address, then
(provided your switch is managed) look at the MAC table on your switch.
Identify the port and trace it or unplug it, or even better...leave it
in place, Tap the port and capture all the traffic going through the
wireless and ultimately your switch.  This will give you a better idea
as to who is your insider hacker.

-JMB

        |   -----Original Message-----
        |   From: Tom Van de Wiele [mailto:tom.vandewiele () gmail com] 
        |   Sent: Wednesday, October 05, 2005 12:30 PM
        |   To: Hayes, Ian
        |   Cc: security-basics () securityfocus com
        |   Subject: Re: Wireless blocking
        |   
        |   You could try and find out its location with kismet 
        |   and judging from the signal strength more or less 
        |   guess its location.  Far from waterproof though, 
        |   especially if you have large objects that might 
        |   bounce the signal (like walls :).  If you don't 
        |   have something like airdefense/aruba you can use 
        |   void11 or aircrack to send deauthentication frames 
        |   to stop the rogue AP from interferring with your network.
        |   
        |   Tom
        |   
        |   
        |   
        |   On 10/5/05, Hayes, Ian <Ian.Hayes () wynnlasvegas com> wrote:
        |   > > -----Original Message-----
        |   > > From: Daryl Davis [mailto:daryl () ultbingo com]
        |   > > Sent: Tuesday, October 04, 2005 9:56 AM
        |   > > To: security-basics () securityfocus com
        |   > > Subject: Wireless blocking
        |   > >
        |   > > I believe I have an unauthorized wireless 
        |   router on my network.  I
        |   > have
        |   > > been
        |   > > unable to physically find it as of yet.
        |   > >
        |   > > Does anyone know how to find the hidden SSID 
        |   and then Jam it?
        |   >
        |   > Hard to find the SSID until a device connects to 
        |   it. Then something 
        |   > like a laptop running Kismet or NetStumbler will 
        |   reveal what the SSID 
        |   > is. If you want to get fancy, an AirMagnet is a 
        |   really neat tool and 
        |   > you can find the rogue by following the signal strength.
        |   >
        |   > As for jamming, it's a bit more difficult to do. 
        |   If you have an Aruba 
        |   > or Airtight network, they would not only pick up 
        |   the rogue and degrade 
        |   > it to the point of uselessness, they can also 
        |   give you a rough 
        |   > indication of where the rogue is placed.
        |   >
        |   >
        |   >
        |   > Ian Hayes | Senior Systems Engineer
        |   > Wynn Las Vegas
        |   > 3131 South Las Vegas Blvd, Las Vegas, NV 89109 Ph 
        |   (702) 770-3252 | 
        |   > Cell (702) 266-6002 Ian.hayes () wynnlasvegas com
        |   >
        |   >
        |   >
        |