How to detect rogue wireless access points

This is a basic, rough outline of how to detect rogue wireless access points on your network. It’s how I’ve done it before. If you’re not technical enough to understand what switches, routers, and APs do, you may not get it. But, like many of my other articles, I’m posting this one as a reminder on how network security professionals do rogue AP hunts.

And heck, maybe it will be useful to you if you want to run a rogue access point…

On a mailing list I subscribe to, one subscriber suggested that you simply turn off SSID broadcasting to hide your rogue access point. I disabused him of the notion that merely hiding your SSID would protect you from rogue AP hunters…


I’m a UNIX and network admin for a living. SSID scanning is only the first thing you do in finding rogue access points.

With the right software (well, the right network adapter in your laptop), you will see the wireless networks that are not advertising their SSID, too. Then you do some basic triangulation, or as I liked to call it, “hot/cold” checks. Buildings frequently reflect signals weirdly, but you can normally figure out what floor a rogue AP is on, which wing of that floor, and the location within 10-30 meters or so.
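As an added example that is not part of the original post, the Python below does the scan-and-compare half of a hot/cold check: it parses `iwlist scan` output captured at several spots on a floor, keeps only cells that beacon an empty (hidden) ESSID, and ranks the capture locations by signal strength for each hidden BSSID. The scan text and location names are constructed sample data; the line layout is the one the Linux wireless tools print, but what your driver emits may differ, so treat the regexes as assumptions to adjust.

```python
import re
from collections import defaultdict

# Per-cell lines as printed by iwlist (driver output varies; these patterns are an assumption).
CELL_RE = re.compile(r"Cell \d+ - Address: (?P<bssid>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})")
SIGNAL_RE = re.compile(r"Signal level=(?P<dbm>-?\d+) dBm")
ESSID_RE = re.compile(r'ESSID:"(?P<essid>.*)"')


def parse_iwlist(text):
    """Return {BSSID: {"essid": str or None, "signal": int or None}} from iwlist scan output."""
    cells = {}
    current = None
    for line in text.splitlines():
        m = CELL_RE.search(line)
        if m:
            current = m.group("bssid").upper()
            cells[current] = {"essid": None, "signal": None}
            continue
        if current is None:
            continue  # header lines before the first cell
        m = SIGNAL_RE.search(line)
        if m:
            cells[current]["signal"] = int(m.group("dbm"))
        m = ESSID_RE.search(line)
        if m:
            cells[current]["essid"] = m.group("essid")
    return cells


def is_hidden(essid):
    """Hidden networks beacon an empty ESSID; some drivers render it as a run of literal \\x00."""
    return essid is None or essid.replace("\\x00", "") == ""


def hot_cold(scans_by_location):
    """For each hidden BSSID, list (location, dBm) from strongest to weakest signal."""
    by_bssid = defaultdict(dict)
    for location, text in scans_by_location.items():
        for bssid, info in parse_iwlist(text).items():
            if is_hidden(info["essid"]) and info["signal"] is not None:
                by_bssid[bssid][location] = info["signal"]
    return {
        bssid: sorted(locs.items(), key=lambda kv: kv[1], reverse=True)
        for bssid, locs in by_bssid.items()
    }


# Constructed sample scans from three spots on one floor (not real captures).
SAMPLE_SCANS = {
    "3F-west": """\
wlan0     Scan completed :
          Cell 01 - Address: 00:11:22:AA:BB:01
                    Quality=60/70  Signal level=-50 dBm
                    ESSID:"CorpNet"
          Cell 02 - Address: 00:11:22:AA:BB:02
                    Quality=20/70  Signal level=-80 dBm
                    ESSID:""
""",
    "3F-center": """\
wlan0     Scan completed :
          Cell 01 - Address: 00:11:22:AA:BB:02
                    Quality=40/70  Signal level=-65 dBm
                    ESSID:""
""",
    "3F-east": """\
wlan0     Scan completed :
          Cell 01 - Address: 00:11:22:AA:BB:02
                    Quality=68/70  Signal level=-42 dBm
                    ESSID:"\\x00\\x00\\x00"
          Cell 02 - Address: 00:11:22:AA:BB:01
                    Quality=55/70  Signal level=-55 dBm
                    ESSID:"CorpNet"
""",
}

if __name__ == "__main__":
    for bssid, ranking in hot_cold(SAMPLE_SCANS).items():
        print(bssid, "strongest at", ranking[0][0], ranking)
```

The ranking only says which capture point is "hottest"; as the post notes, indoor signal is reflected and absorbed unevenly, so use it to pick the next spot to scan from rather than as a position fix, and feed the BSSID into the switch and DHCP log checks that follow.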

The next step for checking for a rogue access point is to do some log analysis at your switch(es) for that wing. Look at the MAC addresses connecting. Most access points have well-publicized MAC ranges they use. You can also do this at your DHCP server, if you have access to it. Just grep through the MAC log and look for the octets which likely indicate an access point. They are very easily recognizable, and since most people just plug their rogue AP into a wall jack, they’re about as obvious in the logs as an elephant in your living room.
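An added example, not code from the original post, of the DHCP-log pass described above in Python: it pulls the client MAC out of ISC dhcpd-style DHCPACK syslog lines and flags any whose OUI (the first three octets) is in a table of access-point vendors. The two OUIs in the table and the log lines are constructed placeholders; in practice the table is built from the IEEE OUI registry for the AP makes you care about, and the regex targets the dhcpd log format, which is an assumption about your server.

```python
import re

# Hypothetical OUI -> vendor map. These values are placeholders, not real vendor OUIs;
# populate from the IEEE registry (https://standards-oui.ieee.org/) for real use.
AP_VENDOR_OUIS = {
    "00:11:22": "ExampleAP Corp",
    "AA:BB:CC": "HypotheticalWifi Inc",
}

# ISC dhcpd syslog line, e.g. "DHCPACK on 10.0.0.5 to 00:11:22:33:44:55 (host) via eth0".
# The hostname in parentheses is optional in dhcpd's output.
LEASE_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to "
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)"
)


def oui_of(mac):
    """First three octets, upper-cased so lookups are case-insensitive."""
    return mac.upper()[:8]


def find_suspected_aps(log_lines):
    """Return (ip, mac, vendor, hostname, iface) for leases whose OUI is in the AP vendor table."""
    hits = []
    for line in log_lines:
        m = LEASE_RE.search(line)
        if not m:
            continue  # DHCPDISCOVER/REQUEST lines etc. carry no confirmed lease
        mac = m.group("mac").upper()
        vendor = AP_VENDOR_OUIS.get(oui_of(mac))
        if vendor:
            hits.append((m.group("ip"), mac, vendor, m.group("host") or "", m.group("iface")))
    return hits


# Constructed sample log lines (not from a real server).
SAMPLE_LOG = [
    "Jan  5 09:12:01 dhcp dhcpd: DHCPACK on 10.20.3.41 to 00:11:22:9a:bc:de (wifi-router) via eth1",
    "Jan  5 09:12:07 dhcp dhcpd: DHCPACK on 10.20.3.42 to 3c:5a:b4:01:02:03 (jdoe-laptop) via eth1",
    "Jan  5 09:13:15 dhcp dhcpd: DHCPREQUEST for 10.20.3.42 from 3c:5a:b4:01:02:03 via eth1",
    "Jan  5 09:15:22 dhcp dhcpd: DHCPACK on 10.20.3.57 to aa:bb:cc:44:55:66 via eth2",
]

if __name__ == "__main__":
    for ip, mac, vendor, host, iface in find_suspected_aps(SAMPLE_LOG):
        print(f"{ip}\t{mac}\t{vendor}\t{host or '-'}\t{iface}")
```

The `iface` field is the relay or server interface the lease came in on, which narrows the search to a VLAN or wing before you open the switch MAC tables; a consumer AP that also got its default hostname (as in the first sample line) is the "elephant in the living room" case, while the fourth line shows a hit with no hostname at all.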

OK, so you know the wing. You know the floor. You know which switch they are connected to (maybe). Hit your port wiring diagrams, and you’ll find the cube (or room) they’re coming from. Walk over and have a quiet chat with them, if possible. Discuss it with their manager (if corporate; I’d guess their RA if it’s a college) if that is what your security policies require. Go on with life, and keep a close eye on that infringer for a few months.

People can be sneaky, though. For instance, they can hide their access point behind a legitimate computer acting as a proxy gateway for their wireless network (usually, Windows connection sharing). Well, at that point, WEP-cracking becomes kind of important. Crack their WEP key.

I’m not entirely sure how to crack a WEP key and sniff traffic when I lack the SSID for the network. However, I’m pretty certain I could Google up an answer in short order.

See if you can sniff the traffic. Hop onto your firewall or intrusion-detection system, and grep through the log for some keywords from the traffic log you got from cracking the WEP key and sniffing the traffic. Normally, this will net you some positives; you can see the IP, run an “nmblookup -A” (if using SAMBA) to see the hostname and currently logged-in user of the Windows box, and then track down via DHCP logs or the username (if recognizable) where the machine lives.

Of course, you can also just block that IP from going through the firewall, and wait for the support call, too…

If they’re really savvy, it will be a Linux or BSD box. That could be more interesting 🙂

Now, the really sneaky people would use WPA behind a legitimate box acting as a proxy. Can’t crack WPA yet, and you can’t tell by the MAC that there’s an access point there since it’s either being proxied or NAT’d. So you’re stuck with only being able to roughly triangulate the location of the rogue access point to within about 100 square meters or so. At that point, it comes down to hunting and figuring out whether it’s worth your time. You might be able to find it, or you might not. Signal strengths indoors are not a reliable triangulation method, because strength drops off irregularly due to structural obstructions. But you can sometimes find it.

It’s even more frustrating when they’re a person who only turns on their access point when they’re using it, and they turn it off when they’re done. You can’t hunt late at night, and you don’t have unlimited time to figure out where the rogue AP is. However, if a user is using WPA, proxies behind a legit box, and shuts it off when they’re not using it, then I just chalk up a victory for the security-mindedness of the individual who set up the AP. Because that’s the same way I’d use it if I wanted to run an AP on a network that didn’t allow it, and it’s an exercise in frustration trying to track it down.

It’s basically professional courtesy at that point. I tip my hat, think “good jeaorb Homer”, and move on to the next project. Unless they get lazy and leave it running for a few days…

As far as locking down my personal access point in my home in suburbia? I just did 40-bit WEP and a MAC address filter. I monitor everything that happens on my network, so I’d know if someone happens to connect and push some data through. Most folks aren’t tech-savvy enough to try to crack a WEP key. If they are, well, I know all my neighbors and know who the one guy is that would be savvy enough to try it. Yeah, I know that some potential malicious person could sniff my traffic. Fact is, we run anything important that could be sniffed through SSL. My family doesn’t use file-sharing and any copying I need to do is done through SSH.

Of course, my printer is kind of hanging out there. That’s sometimes a worry, that someone would connect and send a few thousand pages to my printer. With its high-capacity bins, that could cost me some money 🙂

Or maybe they’d sniff my traffic to my printer, which frequently includes receipts. Really, people digging through my garbage bins for destroyed credit card applications is a bigger worry.

In this kind of low-security environment, though, I think it’s all that’s needed. People respect WEP like they respect windows and door locks. Sure, they can get in if they want to by breaking a window or knocking down a door, but that’s not neighborly.

At work, it’s another story. WPA, dynamic key assignment, registered computers only, set up behind a firewall from the rest of the network, fascist logging, you name it. And you can also detect NAT being used on your network if you analyze packets closely enough. But who has that kind of time for a casual or school campus LAN?
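The closing remark about detecting NAT by analyzing packets closely is worth making concrete. The following added example (mine, not the author's) applies the usual TTL heuristic: operating systems start packets with a TTL of 64, 128 or 255, and a box forwarding for other machines decrements it once, so a single internal IP that emits TTLs one below those values, or several different TTLs at the same time, is probably a gateway with devices hidden behind it. The packet records are constructed sample data in a flow-log-like shape; the `src` and `ttl` field names are assumptions about whatever logger you export from.

```python
from collections import defaultdict

# Initial TTLs used by common operating systems (64: Linux/BSD/macOS, 128: Windows, 255: some
# network gear). One forwarding hop turns these into 63, 127 and 254.
COMMON_INITIAL_TTLS = (64, 128, 255)


def is_decremented_ttl(ttl):
    """True when ttl sits exactly one below a common initial value (one hop of NAT/forwarding)."""
    return any(initial - ttl == 1 for initial in COMMON_INITIAL_TTLS)


def ttls_by_source(packets):
    """Collect the distinct TTL values observed from each source IP."""
    seen = defaultdict(set)
    for p in packets:
        seen[p["src"]].add(p["ttl"])
    return seen


def suspect_nat_hosts(packets):
    """Map each source IP to the reasons it looks like a NAT/proxy gateway; clean hosts are omitted."""
    findings = {}
    for src, ttls in ttls_by_source(packets).items():
        reasons = []
        decremented = sorted(t for t in ttls if is_decremented_ttl(t))
        if decremented:
            reasons.append(f"decremented TTL(s) {decremented}")
        if len(ttls) > 1:
            # A single OS sends one initial TTL; a mix means several stacks share this address.
            reasons.append(f"mixed TTLs {sorted(ttls)}")
        if reasons:
            findings[src] = reasons
    return findings


# Constructed sample records as a sensor on the same LAN segment might log them (not real traffic).
SAMPLE_PACKETS = [
    {"src": "10.20.3.42", "dst": "192.0.2.10", "ttl": 128},  # a Windows laptop talking directly
    {"src": "10.20.3.42", "dst": "192.0.2.10", "ttl": 128},
    {"src": "10.20.3.57", "dst": "192.0.2.10", "ttl": 127},  # a Windows host behind 10.20.3.57
    {"src": "10.20.3.57", "dst": "192.0.2.10", "ttl": 63},   # a Linux host behind the same box
    {"src": "10.20.3.57", "dst": "192.0.2.10", "ttl": 128},  # the sharing box's own traffic
    {"src": "10.20.3.60", "dst": "192.0.2.10", "ttl": 64},   # a plain Linux workstation
]

if __name__ == "__main__":
    for src, reasons in suspect_nat_hosts(SAMPLE_PACKETS).items():
        print(src, "->", "; ".join(reasons))
```

The heuristic only holds when the sensor sees the host directly on its own segment, with no router in between to decrement every TTL; hosts with a tuned TTL or a VPN client can also trip it. Treat a hit as a lead to confirm against the DHCP and switch logs, not as proof, which is why the post is right that it is rarely worth the time on a casual campus LAN.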

4 thoughts on “How to detect rogue wireless access points”

  1. Great article!

    Good info! Just goes to point out that this is a real problem, and you summed it up nicely. Thx!

  2. Good tips

    I’m in the position of trying to sneak an AP into a college campus where ethernet ports aren’t widespread enough for my liking, and where the official wireless network is a limp turd in terms of geographical coverage.

    Good tips for me!

  3. I guess this is kind of old.

    I guess this is kind of old. But a new wireless adapter on win7 will make an access point out of any pc, with wpa2.

Comments are closed.