Penetration Testing mailing list archives

RE: HW/SW Rogue AP Wireless Detection


From: "Joshua Wright" <Joshua.Wright () jwu edu>
Date: Tue, 18 Mar 2003 08:12:54 -0500

It is unwise to use NetStumbler or MiniStumbler for detecting rogue APs.  Since both of these tools use the active 
scanning mechanism described in IEEE 802.11 1997, they will be unable to detect those APs that are using "cloaked" 
SSIDs.  You are likely to find rogues that don't know enough to hide their presence, but you will not locate rogues 
that don't want to be found.

Kismet on an iPaq has worked well for me, but it requires the Familiar or Intimate Linux distribution to be installed 
over PocketPC.  Kismet will also run on a Zaurus, but has limited battery life and no .11a support.  The Home Shopping 
Network (of all places) is selling the Zaurus for $200 
(http://www.hsn.com/cnt/prod/default.aspx?pfid=694341&club_id=694341&sz=0&sf=&dept=&cat=) - already runs Linux.  Note 
that you will also need an 802.11b CF card to use the Zaurus with Kismet.

You may also wish to check out the WinFingerprint project at http://winfingerprint.sourceforge.net/aptools.php for 
wired-side rogue AP scanning (as an added measure of precaution, not your sole solution for detecting rogues).  Of 
course, the ultimate solution is AirDefense (http://www.airdefense.net/).

-Joshua Wright
Senior Network and Security Architect
Johnson & Wales University
Joshua.Wright () jwu edu 
http://home.jwu.edu/jwright/

pgpkey: http://home.jwu.edu/jwright/pgpkey.htm
fingerprint: FDA5 12FC F391 3740 E0AE BDB6 8FE2 FC0A D44B 4A73

On Fri, Mar 14, 2003 at 03:05:28PM -0500, R. DuFresne wrote:
doesn't this setup though limit you to 802.11b scanning and thus leave
you open to rogue 802.11a APs?


kismet supports 802.11a scanning in the latest version. it uses the
vt_ar5k drivers for gnu/linux from http://team.vantronix.net/ar5k/.

but you need an atheros ar5000- based 32bit cardbus/pci card and i'm
not sure if it's possible to run it on the ipaq. nevertheless, these
cards need some more power which could be a problem on any mobile
device.
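
Added example (not part of the original post or of any tool named in it): the point above about cloaked SSIDs, shown as a passive check. A cloaked AP still sends beacons that carry its BSSID with an empty or NUL-filled SSID element, so beacons captured in monitor mode can be compared against an inventory of sanctioned BSSIDs. The inventory, MAC addresses and frames are constructed, and build_frame, parse_beacon and find_rogues are hypothetical names.

```python
import struct

# Constructed inventory of sanctioned AP radios (assumption, not from the post).
AUTHORIZED_BSSIDS = {"00:11:22:33:44:55"}

def build_frame(bssid, ssid, subtype=8):
    """Build a minimal 802.11 management frame (no radiotap/FCS) as sample input."""
    mac = bytes.fromhex(bssid.replace(":", ""))
    header = struct.pack("<HH6s6s6sH", subtype << 4, 0, b"\xff" * 6, mac, mac, 0)
    fixed = struct.pack("<QHH", 0, 100, 0x0001)   # timestamp, interval, capabilities
    return header + fixed + bytes([0, len(ssid)]) + ssid  # element ID 0 = SSID

def parse_beacon(frame):
    """Return (bssid, ssid_bytes_or_None) for a beacon, None for other frames."""
    if len(frame) < 36:                       # 24-byte header + 12 fixed bytes
        return None
    fc = struct.unpack_from("<H", frame)[0]
    if (fc >> 2) & 0x3 != 0 or (fc >> 4) & 0xF != 8:
        return None                           # not a management/beacon frame
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])
    pos = 36
    while pos + 2 <= len(frame):              # walk the tagged elements
        eid, elen = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + elen]
        if len(body) < elen:
            break                             # truncated element, stop parsing
        if eid == 0:
            return bssid, body
        pos += 2 + elen
    return bssid, None

def find_rogues(frames):
    """List beacons whose BSSID is not in the inventory, noting cloaked SSIDs."""
    findings = []
    for frame in frames:
        parsed = parse_beacon(frame)
        if parsed is None or parsed[0] in AUTHORIZED_BSSIDS:
            continue
        bssid, ssid = parsed
        cloaked = ssid is None or not any(ssid)   # missing, empty or all-NUL SSID
        name = "<cloaked>" if cloaked else ssid.decode("utf-8", "replace")
        findings.append({"bssid": bssid, "ssid": name, "cloaked": cloaked})
    return findings

SAMPLE = [  # constructed capture: one sanctioned AP and three unknown ones
    build_frame("00:11:22:33:44:55", b"campus"),
    build_frame("02:aa:bb:cc:dd:01", b"linksys"),
    build_frame("02:aa:bb:cc:dd:02", b""),
    build_frame("02:aa:bb:cc:dd:03", b"\x00" * 6),
]
```

find_rogues(SAMPLE) reports all three unknown BSSIDs, two of them flagged as cloaked, while the sanctioned AP is skipped.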
