[55827] in North American Network Operators' Group
Re: Locating rogue APs
daemon@ATHENA.MIT.EDU (Martin Hannigan)
Tue Feb 11 17:51:51 2003
Date: Tue, 11 Feb 2003 17:45:08 -0500
From: Martin Hannigan <hannigan@fugawi.net>
To: Tony Rall <trall@almaden.ibm.com>
Cc: nanog@merit.edu
In-Reply-To: <OFB9114580.B7B03131-ON88256CCA.006D1044-88256CCA.006E19C9@us.ibm.com>
Errors-To: owner-nanog-outgoing@merit.edu
On Tue, Feb 11, 2003 at 01:02:34PM -0700, Tony Rall wrote:
>
> On Tuesday, 2003-02-11 at 13:42 CST, "Matthew S. Hallacy"
> <poptix@techmonkeys.org> wrote:
> > On Tue, Feb 11, 2003 at 11:27:28AM -0600, John Kristoff wrote:
> > > In general, MAC OUI designations may indicate a particular AP. IP
> > > multicast group participation may also be used by some APs. Some
> > > APs have a few unique ports open. Lastly, APs may be found with
> > > a radio on a particular default channel. All of these potentially
> > > identifying characteristics may be used to help audit the network
> > > for rogue IPs.
> >
> > Why are you posting this here? The information is somewhat
> > incomplete/incorrect as well. Persons interested in finding rogue APs
> > would be much better off with a tool such as kismet that already
> > identifies model/make of access points based on various datapoints
> > (including the types you posted), as well as the ability to determine
> > where the AP is (physically) with the use of a GPS unit.
>
> It appears that kismet requires either someone to walk around the facility
> while running the program or that you have it installed on machines all
> over your site. Neither of those options interests me as a long term
> solution to rogue AP monitoring.
Most solutions are going to require some walking around. How else
would you find them?
[ snip ]
You could set up a laptop, a GPS with a data cable, NetStumbler [free],
and an 8 dBi 2.5 GHz <802.11b> antenna and pick up everything clearly
for half a mile without walking around. I've just acquired this
setup myself. Google on "war driving +F150" and you'll see a setup
to help for < $55.
A network IDS will most definitely detect odd MAC addrs or manufacturer
octets, but you'll have to maintain the signatures. It's much easier
using the 'war driving' setup.
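The wired-side check that the thread keeps coming back to (John Kristoff's "MAC OUI designations may indicate a particular AP" and Hannigan's "you'll have to maintain the signatures") can be scripted without any radio at all. The following is an added example, not code from anyone in this thread: it reads `arp -a` style output, normalises the several MAC spellings you meet on real hosts, and flags entries whose OUI is on a vendor watchlist. Both the ARP lines and the OUI prefixes are constructed placeholders; a real deployment would fill `AP_OUI_WATCHLIST` from the IEEE OUI registry for the AP vendors it cares about, which is exactly the signature-maintenance burden the message describes. It also skips locally administered addresses, where an OUI lookup says nothing about the hardware.

```python
import re

# Constructed OUI watchlist. These prefixes are placeholders, NOT real vendor
# assignments; populate from the IEEE OUI registry for the AP vendors you track.
AP_OUI_WATCHLIST = {
    "00:00:01": "ExampleAPVendor-A (placeholder)",
    "00:00:02": "ExampleAPVendor-B (placeholder)",
}

# Constructed sample of `arp -a` output in the "? (ip) at mac on iface" form.
# Deliberately mixes colon, dash and Cisco dotted MAC notation, a locally
# administered address, and an incomplete entry.
SAMPLE_ARP_OUTPUT = """\
? (10.0.0.1) at 00:00:01:aa:bb:cc on eth0
? (10.0.0.2) at 00-00-02-11-22-33 on eth0
? (10.0.0.3) at 0000.0311.2233 on eth0
? (10.0.0.4) at 02:00:01:44:55:66 on eth0
? (10.0.0.5) at <incomplete> on eth0
"""


def normalize_mac(raw):
    """Return a MAC as 'aa:bb:cc:dd:ee:ff' from colon, dash or dotted input.
    Returns None unless the input contains exactly 12 hex digits."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw)
    if len(hexdigits) != 12:
        return None
    h = hexdigits.lower()
    return ":".join(h[i:i + 2] for i in range(0, 12, 2))


def oui_of(mac):
    """First three octets of a normalised MAC, the vendor-assigned OUI."""
    return mac[:8]


def is_locally_administered(mac):
    """Bit 1 of the first octet set means the address was set by software
    (cloned or randomised), so its prefix is not a registry OUI."""
    return int(mac[:2], 16) & 0x02 != 0


def parse_arp_table(text):
    """Yield (ip, normalised_mac) pairs, dropping incomplete or malformed rows."""
    entries = []
    for line in text.splitlines():
        m = re.search(r"\(([\d.]+)\) at (\S+)", line)
        if not m:
            continue
        mac = normalize_mac(m.group(2))
        if mac is None:
            continue
        entries.append((m.group(1), mac))
    return entries


def find_ap_candidates(text, watchlist=AP_OUI_WATCHLIST):
    """Return (ip, mac, reason) for hosts worth a closer look: OUI on the
    watchlist, or a locally administered MAC that defeats OUI matching."""
    results = []
    for ip, mac in parse_arp_table(text):
        if is_locally_administered(mac):
            results.append((ip, mac, "locally administered MAC; OUI lookup not meaningful"))
            continue
        vendor = watchlist.get(oui_of(mac))
        if vendor:
            results.append((ip, mac, "OUI matches " + vendor))
    return results


if __name__ == "__main__":
    for ip, mac, reason in find_ap_candidates(SAMPLE_ARP_OUTPUT):
        print(ip, mac, reason)
```

Run it against the output of `arp -a` (or a DHCP lease file after adjusting the regex) on a router or switch that sees the segment in question. A hit only says the MAC prefix belongs to a vendor that sells APs, so it is a list to walk to, not a verdict; the locally administered case is reported separately because a cloned MAC is exactly what an OUI-only check cannot see.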