North American Network Operators Group
Re: Locating rogue APs
- From: Martin Hannigan
- Date: Tue Feb 11 17:53:43 2003
On Tue, Feb 11, 2003 at 01:02:34PM -0700, Tony Rall wrote:
> On Tuesday, 2003-02-11 at 13:42 CST, "Matthew S. Hallacy"
> <firstname.lastname@example.org> wrote:
> > On Tue, Feb 11, 2003 at 11:27:28AM -0600, John Kristoff wrote:
> > > In general, MAC OUI designations may indicate a particular AP. IP
> > > multicast group participation may also be used by some APs. Some
> > > APs have a few unique ports open. Lastly, APs may be found with
> > > a radio on a particular default channel. All of these potentially
> > > identifying characteristics may be used to help audit the network
> > > for rogue IPs.
> > Why are you posting this here? The information is somewhat
> > as well. Persons interested in finding rogue AP's would be much better
> > off with a tool such as kismet that already identifies model/make of
> > access points based on various datapoints (including the types you
> > as well as the ability to determine in where the AP is (physically) with
> > the use of a GPS unit.
> It appears that kismet requires either someone to walk around the facility
> while running the program or that you have it installed on
> machines all over your site. Neither of those options interests me as a
> long term solution to rogue AP monitoring.
Most solutions are going to require some walking around. How else
would you find them?
[ snip ]
You could set up a laptop, a GPS with a data cable, NetStumbler[free],
and an 8dBi 2.5GHz <802.11b> antenna and pick up everything clearly
for a half a mile without walking around. I've just acquired this
setup myself. Google on "war driving +F150" and you'll see a setup
to help for < $55
A network IDS will most definitely detect odd MAC addrs or manufacturer
octets, but you'll have to maintain the signatures. It's much easier
using the 'war driving' setup.
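
The wired-side MAC OUI audit discussed in this thread, as an added example that is not part of the original posts: it scans a switch bridge-table dump for vendor prefixes on a watch list and skips access points already sanctioned. The OUIs, MAC addresses, port names and table layout are constructed placeholders, and the function names are hypothetical.

```python
import re

# Constructed placeholder OUIs, not real vendor assignments;
# maintain the real list from the IEEE OUI registry.
AP_VENDOR_OUIS = {"00AABB": "ExampleAP-A", "00CCDD": "ExampleAP-B"}
# MACs of access points you deployed yourself (constructed value).
SANCTIONED = {"00AABB000001"}

MAC_RE = re.compile(
    r"\b(?:[0-9A-Fa-f]{2}([:-])(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}"
    r"|[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4})\b"
)

def normalize(mac):
    """Strip separators and upper-case: '00aa.bb12.3456' -> '00AABB123456'."""
    return re.sub(r"[^0-9A-Fa-f]", "", mac).upper()

def audit(lines):
    """Return (mac, port, reason) for each entry worth a physical check."""
    findings = []
    for line in lines:
        m = MAC_RE.search(line)
        if not m:
            continue
        mac = normalize(m.group(0))
        port = line.split()[-1]
        first_octet = int(mac[:2], 16)
        if mac in SANCTIONED or first_octet & 0x01:
            continue  # known AP, or a multicast/broadcast entry
        if first_octet & 0x02:
            # Locally administered address: the OUI says nothing about the vendor.
            findings.append((mac, port, "locally administered address"))
        elif mac[:6] in AP_VENDOR_OUIS:
            findings.append((mac, port, "AP vendor OUI: " + AP_VENDOR_OUIS[mac[:6]]))
    return findings

# Constructed bridge-table lines: vlan, mac, type, port.
SAMPLE = [
    "10  00aa.bb12.3456     DYNAMIC  Gi0/3",
    "10  00:aa:bb:00:00:01  DYNAMIC  Gi0/1",
    "20  00-CC-DD-9F-00-10  DYNAMIC  Gi0/7",
    "20  0011.2233.4455     DYNAMIC  Gi0/8",
    "20  02:00:00:aa:bb:cc  DYNAMIC  Gi0/9",
    "1   0100.5e00.0001     STATIC   CPU",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="  ")
```

An OUI match only narrows the search to a switch port; a device with a cloned or locally administered MAC will not match a vendor prefix, which is why those entries are reported separately.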