Adventures in Hunting Rogue Wireless Access Points

Published: 2005-10-07
Last Updated: 2005-10-07 19:46:04 UTC
by Kevin Liston (Version: 1)
0 comment(s)

This week I had to opportunity to hunt down some rogue WAPs at a client's campus.  It was a very target-rich environment.  Out of the 62 talker's that I spotted on the hunt, 39 of them were not the main, accepted infrastructure.  Out of these 39, we were looking for only one.  Not quite a needle-in-a-haystack problem, but more like something-under-a-desk-in-a-sea-of-cubicles problem.

The Playing Field
The search area consisted of an extremely large low-rise facility with cubicles reminiscent of poultry factory farming.

The Players
Myself, with my trusty combat-laptop running Debian and Kismet 2005.04.R1 with an Orinoco Gold PCMCIA card, and an external directional antenna.


The engineer who designed the wireless infrastructure with his Windows XP laptop, Cisco Aironet card, and AiroPeek from WildPackets.

Well, it was more of a team effort.

The Strategy
Based on the results that we were seeing from the Engineer's WLSE ( interface we knew that two of his WAPs could see the target, and we knew approximately where these WAPs were installed.

He went with the back-pack, cary-the-laptop around method, while I appropriated a cart to wheel around.

We went down to the area and wandering ensued.  Eventually, kismet detected the beacon packets.  The best way to use Kismet in hunting a single WAP is to bring up the details (the 'i' key in this version,) and keep an eye on the power rating.  The 14dBi gain antenna wasn't as much use in the environment as I had hoped it would.  It did help in determining if we were on the right floor, and which WAP is was most likely close to.  It got us into the general area.  Eventually you get too close to the transmitter for the antenna to be helpful.

Attenuation is Your Friend
As you get closer to the transmitter, the signal is hot enough that you can't see the subtle changes in intensity to help guide you in the correct direction efficiently.  You need to "knock the signal down" a bit so that it fits better on your meter, so that you can read the changes.

My first step was to pull out the directional antenna.  In what turned out to be good luck, the only cart that was available for me was a high walled metal cart used to transport hanging-files.  This held my laptop and it's PCMCIA card in the bottom of a metal box.  So it was shielded from the signal rather well.

Once I was in the right area, I would effectively worm my way around the cubes until I spotted the blinky box that we were after.

My initial plan to solve the rogue access point problem was to buy some prizes and have a few "Fox and Hound" contests on the weekend where some of the appropriately-minded employees could "compete."  I still like that plan, but any time that you have people looking through cubes, you have to operate in teams so they can both keep-an-eye-on and vouch-for each other.

For more information on general transmitter hunting, I recommend Moell and Curlee's Transmitter Hunting: Radio Direction Finding Simplified.  Although their focus is on a different frequency range, the general concepts apply.

kliston -AT- isc sans org
0 comment(s)


Diary Archives