Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Locating rogue APs

  • From: Martin Hannigan
  • Date: Tue Feb 11 17:53:43 2003

On Tue, Feb 11, 2003 at 01:02:34PM -0700, Tony Rall wrote:
> 
> On Tuesday, 2003-02-11 at 13:42 CST, "Matthew S. Hallacy" 
> <poptix@techmonkeys.org> wrote:
> > On Tue, Feb 11, 2003 at 11:27:28AM -0600, John Kristoff wrote:
> > > In general, MAC OUI designations may indicate a particular AP.  IP
> > > multicast group participation may also be used by some APs. Some
> > > APs have a few unique ports open.  Lastly, APs may be found with
> > > a radio on a particular default channel.  All of these potentially
> > > identifying characteristics may be used to help audit the network
> > > for rogue IPs.
> > 
> > Why are you posting this here? The information is somewhat 
> incomplete/incorrect
> > as well. Persons interested in finding rogue AP's would be much better
> > off with a tool such as kismet that already identifies model/make of
> > access points based on various datapoints (including the types you 
> posted),
> > as well as the ability to determine in where the AP is (pysically) with
> > the use of a GPS unit.
> 
> It appears that kismet requires either someone to walk around the facility 
> while running the program or that you have you have it installed on 
> machines all over your site.  Neither of those options interest me as a 
> long term solution to rogue AP monitoring.

Most solutions are going to require some walking around. How else
would you find them?

[ snip ]

You could setup a laptop, a GPS with a data cable, NetStumbler[free],
and a 8dbi 2.5ghz <802.11b> antenna and pickup everything clearly 
for a half a mile without walking around. I've just acquired this
setup myself. Google on "war driving +F150" and you'll see a setup
to help for < $55

A network IDS will most definately detect odd MAC addrs or manufacturer
octets, but you'll have to maintain the signatures. It's much easier
using the 'war driving' setup.






Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.