Re: Locating rogue APs

[Martin Hannigan <hannigan () fugawi net>]

On Tue, Feb 11, 2003 at 01:02:34PM -0700, Tony Rall wrote:
> On Tuesday, 2003-02-11 at 13:42 CST, "Matthew S. Hallacy" 
> <poptix () techmonkeys org> wrote:
> > On Tue, Feb 11, 2003 at 11:27:28AM -0600, John Kristoff wrote:
> > > In general, MAC OUI designations may indicate a particular AP.  IP
> > > multicast group participation may also be used by some APs. Some
> > > APs have a few unique ports open.  Lastly, APs may be found with
> > > a radio on a particular default channel.  All of these potentially
> > > identifying characteristics may be used to help audit the network
> > > for rogue IPs.
> >
> > Why are you posting this here? The information is somewhat 
> incomplete/incorrect
> > as well. Persons interested in finding rogue AP's would be much better
> > off with a tool such as kismet that already identifies model/make of
> > access points based on various datapoints (including the types you 
> posted),
> > as well as the ability to determine in where the AP is (pysically) with
> > the use of a GPS unit.
>
> It appears that kismet requires either someone to walk around the facility 
> while running the program or that you have you have it installed on 
> machines all over your site.  Neither of those options interest me as a 
> long term solution to rogue AP monitoring.

Most solutions are going to require some walking around. How else
would you find them?

[ snip ]

You could setup a laptop, a GPS with a data cable, NetStumbler[free],
and a 8dbi 2.5ghz <802.11b> antenna and pickup everything clearly 
for a half a mile without walking around. I've just acquired this
setup myself. Google on "war driving +F150" and you'll see a setup
to help for < $55

A network IDS will most definately detect odd MAC addrs or manufacturer
octets, but you'll have to maintain the signatures. It's much easier
using the 'war driving' setup.