Slashdot Mirror
How Do You Locate That Access Point?
parp asks: "As an IT Manager I'm concerned about unauthorized Access Points being installed, or users who setup wireless computer to computer networks. How do you find the exact location of these devices? I've tried walking around the office with a laptop watching the signal, but the signal monitors that are included with most network drivers are very limited. The signal could be upstairs, downstairs or right around the corner, but I can't find it. Results of web searches I've done just tell you how to find a signal (wardrive), not the source. I'd be interested in any software or hardware device that can locate the device within a few feet."
It seems to me that you'd need to build a VERY directional antenna, and then you could triangulate the position fairly easily, and it could get you in the right area. Hopefully on the right floor ;)
Nobodies Prefect
Tidbits for Techs Technology Blog
You would probably need to build a loop antenna, they are directional and as far as I know, do not have much gain, you would just need to spin the look to find the strongest signal and take a measurement from 2 different places, then you could just draw to lines on a decent site layout map and know within about 10 feet where the signal is, google for "radio fox hunt" or "loop antenna".
Hey guys, a quick google revealed this:
_ pinpoints_location.php
http://www.airespace.com/technology/technote_rffp
Thught you might be interested.
Just monitor the traffic to see who is actually using the link. you should be able to figure it out from their IP address or their browsing habits. Chances are it is whoever set up the link. You may have to use one of the many WEP crackers, but that shouldn't present a problem.
If no one ever seems to be using it, it is possible you are picking up someones laptop with a built in 802 card that automatically enables without the user even knowing.
http://notanumber.net/
Attach to the access point and ping your router.
Then pull wires till the ping stops. Work up the wires till you find the one the access port is on the end of.
Sam
blog.sam.liddicott.com
It sounds as if these are the users own computers. If they were company computers, for instance, you could most likey remove such hardware. But since you're asking these questions, then that probably isn't the case.
As such, what exactly would you plan to do if you did happen to locate the individuals involved? Do you really think they'd let you mutilate their systems to prevent them from using wireless connectivity? I sure don't think they would. Would you yell at them? I'm sure they'd nod, and later on while having coffee call you a cockfool and then continue to use their wireless connectivity. Perhaps you could tell their manager, but then they could always deny it and claim that you're just harassing them.
Maybe you need to take another look at what the actual problem is, and what you can actually do about it. It sounds like your hands may very well be tied in this instance. This problem may be outside your jurisdiction as an IT manager.
Cyric Zndovzny at your service.
My company recently implemented a product called "WiFi Watchdog" from Newbury Networks (http://www.newburynetworks.com/). Damned nice product, and it has the capabilities you are looking for. The latest version of their software will give you a heat map as to where a device is likely to be overlaid on top of a map of your building.
Other vendors selling a similar products include Airmagnet and AirDefense. Some of the bigger AP infrastructure guys such as Cisco even have some built in products to do similar things.
The big advantage I found with NNI is that their product helps reduce false positives by identifying APs outside our building and labeling as such - so when a Sears truck drives by with a built in AP our alarm bells don't go off. Other neat things include a cool RADIUS service that "authorizes" connections based on location. Tied together with other authentication services that would make for a really really powerful solution for securing your wireless.
Anyway, hope that helps find some good solutions for you.
-Jack Ash
PS: No, I am not an employee of NNI or anything of the sort, I'm just a guy who went through your exact problem last year and ended up finding this solution.
First, start on a floor you know has access to this access point. Then, get in the elevator and hit the top floor. Note what floor you get disconnected on. Do the same going down, and average those numbers together and you have the floor it's on.
Once you are there, gather everyone around, and tell them that you know one of them has a wireless access point around. The first person to turn around and hurry away sneakily is your guy. Pull out your gun and shoot him in the back. Find his desk and everywhere he goes, and you'll eventually find the access point. Problem solved.
Or were you wanting to do this legally? Then I would just get them in a headlock and "nugey" them until they tell you where it is.
Oregon State University's Open Source lab has a tool specifically designed to find rogue wifi access point on univerisity networks, and it's available here: rogue detect
Sorry about that, that was my access point. I didn't realize I wasn't allowed to use it. I'll be taking it down now.
Simple! You simply log into the access point and type 'eject' at the command prompt. Then look for the Access Point with the CD-Tray open...
:)
Hey, if it works for a maze of Linux machines
But in all hoestly, you probably want a directional antenna as the other posters are suggesting. However, I suggest you get 2-3 volunteers, each with their own directional antenna. It will be easier to triangulate the signal if you have 3 folks coming in from 3 different angles.
"Can of worms? The can is open... the worms are everywhere."
If you're so concerned about systems connecting, then perhaps you should get the MAC address of all your authorized machines, and only allow those at the router or firewall level?
You should also keep your servers secured against your internal network, only allowing services that are actually needed. There's a tendancy to trust everything internal on your network -- but really, with wifi and so many people having laptops, as well as systems infected with viruses and spyware, the internal network is just as volitaile as the internet itself.
Speak before you think
Grab a Pringles can or buy/make a yagi antenna. Get a laptop with netstumbler or kismet on it, and watch the signal strength graph as you point the antenna around.
I'm sure you've heard of Dowsing Rods
Install Ubuntu in Android
First, in most office buildings signals reflect and bounce in non obvious ways. I'd start with a directional antenna with the tightest beamwidth you can find (90 degrees, 60 degrees, etc). Choose 5 or 10 spread out locations and look at the netstumbler reported dB as you sweep in a 360 degree circle. Mark which channels have strong signals and in what direction they are coming from. Plot several lines on an office map for each channel in each spot - the strongest signal, and a few weaker signals to help reduce problems with signal reflections.
If you are attempting to do this for a multi story building then you may choose to sweep in a sphere, or simply do the single floor sweep with multiple locations on each floor.
This will give you a good general location to search more closely.
If this doesn't help or work very well, or you are interested in the armchair approach, try searching from the network.
You know the IP address of the access point. If you don't, connect to it and find out. This may require breaking a WEP key, and setting up and internal website that shows the AP's WAN IP address when you view the page if the AP is set up to route and NAT.
Now that you have the IP address, you should also have the MAC. Set up the DHCP server to deny that MAC an IP address if you don't want to worry about it and think the person isn't very bright.
Use your routers to find the port or hub the AP is connected to, and use various network tools to locate the actual connection. You could flood the network with ARPs or pings for the IP and pull plugs until it stops responding.
If you're certain it is the only device on that wire you could 'disable' it with an etherkiller. Of course, you may also set the building on fire, but either way the AP will stop.
You could also setup a rogue machine that listened to the wireless signal and spoofed TCP/IP responses for webpages and images. If the people can't use the AP, then it's effectively dead.
There are a variety of ways to further shut down APs, but this ought to get you started.
-Adam
Set up your own access point with the same SSID and see who tries to connect.
parent is offtopic
Here is an idea for people who bring in an off-the-shelf wireless router. If they are dumb enough to leave SSID visible, perhaps they left it at the defaults. See if you can join it and then try a default password. There you can find the MAC address on the WAN side. If you have at least layer 2 managed switches on you network, you can log into them and look at the tables to determine which port it is comming in to. Hopefully you have a current map of your network (i.e. jack #23 in the wiring closet goes to the General Managers office.) The last place I worked for had no such map, I had to make it myself. If someone cries foul that I suggest they "hack" into someones personal property, tough. The culprit is using Company resources and leaving a door open into the network, possibly affecting others. Hope this helps
"Build something idiot proof, and someone will build a better idiot" - Samuel Clemens
The problem here is not that there's an unauthorized access point. The problem here is that an employee has gone against written, publicized (you did publish this "no unauthorized access points" policy, right?) policy, and placed company security, intellectual property, and their job at risk.
So turn the matter over to the Human Resources department. The person who put up the access point needs to be fired, or at the very least demoted and had their pay reduced along with a nasty note in their record so that it affects their prospects for promotion, etc.
Human Resources just needs to send out a reminder that they've found some unauthorized access points, and that the owners have 24 hours to take it down, or else the owner of that access point will be fired.
As for finding the access point, that's easy, if it's connected to the corporate network. Flip on your laptop, connect to the AP, then start pinging some external host. Start unplugging ports at the network hub for each floor one at a time. When the ping dies, you found which connection it's on. Trace that wire, and you'll be at the desk of the responsible party.
Try browsing through your LAN switch's MAC address tables.. The manufacturer ID on the WAP will probably be different than most of your other computers' network cards.
Sniff and figure out the MAC address of it, and then view the CAM or MAC table in your switches to find out what port it's in. Simple, and it works great.
Need Free Juniper/NetScreen Support? JuniperForum
If your network is good enough, there wouldn't be a need for rogue WAPs.
Supply your users with a better wireless network! Make sure there is connectivity EVERYWHERE & then lock your own network down (through VPN, WPA+Radius, or whatever).
If even facility-provided wireless is absolutely verboten everywhere, just put up jammers & be done with it.
Or change your AUP and internal network security so that you wouldn't care about WAPs.
If you decide to go hunting for them, you'll have to do it more than once. There is employee turnover & machine turnover & anyone can bring in a new WAP.
Just ask Frink:
"I have captured the signal and am presently triangulating the vectors and compressing the data down in order to express it as a function of my hand... They're over there!"
What you really need to do for the medium-long term is prevent the access points from working at all (something like only allowing registered MAC addresses to get DHCP leases, for one example).
Send out a company-wide email reminding employees about the corporate policy against bringing wireless access points from home. Ask anyone who has one to please disconnect it and remove it from the premises thank you for your cooperation etc etc.
Worker bees will comply almost instantly. If it's still on the air by that evening, start looking in manager offices. If you can at least isolate it to one floor you should be able to just LOOK for it. It's connected to the network, right? Follow some ethernet cables and you'll eventually find it. It's not like they would hide it in a metal filing cabinet.
And when you do find it, don't be an @$$ about it. Just remind the misguided soul that this is against corporate IT policy and we'll be happy to extend a supported AP into the ceiling near you on monday.
Why isn't there a product available that allows one to "view" RF like a camcorder.. or at least still photos? Could something like a CCD sensor be built that would be tuned to radio frequencies instead of light frequencies? This sort of device would be extremely useful for locating RF signals, helping to find sources of interference, verifying whether antenae are active or not, looking for someone using a radio while hiding behind a bush with a gun, you know.. things like that.
Ouch! The truth hurts!
People will generally do the right thing.
After a week or so, just walk around with something running Kismet to alert you to the obvious, but more importantly simply LOOK in peoples cubies: If you try to hide an AP/Router, its coverage will be so pathetic it's not a credible risk to begin with. Most all of them will be sitting in plain sight.
For anything you do find, and I suspect you'll find nothing because people will generally do the right thing when their job is on the line, just deal with it: if the AP is locked down to specific MAC addys and using 128b WEP and isn't close to public areas, just don't worry about it. After all, think about all the LAN jacks that are sitting around unguarded.
Equipment sensitive enough for you to determine direction is expensive. Triangulation even more so.
1) Attach to the access point (assuming it's not using WPA)
2) Traceroute back to find out the access point's IP
3) Look up in your manuals (you *do* have manuals, don't you) to find out where that IP block is assigned
4) Invade the sales department.
Alternatively, after you connect, try the usual addresses to access the admin interface of the AP. Change it to some settings that will never work, then change the password. When they complain to you/helpdesk, you have them.
by nicely asking the people in the cat detector van perhaps?...
Loop antennas have a nice wide range of angles where they receive well, and a sharp narrow range in which they don't. Radio direction finding means turning the loop until the signal cuts off and then following the direction of the plane of the loop.
Real-world reflections make this much harder.
No offense, but unauthorized access points should not be a problem. People connecting to this unauthorized access point should not be able to get anything that they shouldn't be able to get -- and shouldn't be able to talk to / infect anything they aren't authorized for. Set the network up right, and you shouldn't give a rat's ass.
On a similar note, there is probably a very good reason someone went to the trouble of bringing the access point in. Perhaps you should just look for the most obvious area requiring wireless access that don't have it already, and check the surrounding jacks. Conference rooms, lunch rooms, etc.
If it's in one person's cubicle for their own use (for their laptop sitting on their desk), it's probably someone in the IT department. Or a department head / manager's office that frequently gets visitors that would like to have network access while they're discussing XYZ project -- again, something you should be providing.
If they really connect to your network, you may not really need to physically locate them to get them off your network.
;) ). If it appears to be connected to your corporate network, you can visit a website under your control and gather more info (e.g. if there's NAT/firewall involved what IP address it is), and then figure out the relevant IPs and MACs.
What you could do is attach to the wireless network (don't try this in Florida
Next look for the MACs in all your switches (easily automated queries to your switches should do the trick). Once you've located the edge port they are on, and gathered a list of who's on that port, you can go figure out what to do next - like block them, and/or have a nice chat with the relevant culprit.
Highwall Technologies mnufactures a solution for WiFi and Bluetooth which covers a 5 story building with one sensor. The system uses a patented phased array antenna to provide location of the rogue access point or rogue client.
I've seen lots of solutions posted, the simplest probably being triangulation with a directional antenna.
Another solution is to combine a GPS unit (Or just a map of your office since you know where you are in it) with the detailed signal strength that apps like netstumbler can produce. As you walk around the office you're plotting signal strength points on a map. It would shortly become quite clear. Given enough points you don't even need to do any math or draw any lines. With very few points you can still work it out.
Let me get this straight...you're out to find "unauthorized" network activity between computers? As stated in previous posts, who owns these computers? Who owns the network?
If it's your network, then you need to record the MAC address of the unauthorized machines and use security measures to lock network. More securely, you can even configure the network to provide service *only* to authorized network adapters. That's how they do it here, and this is a public school (if THEY can do it, then you certainly can ;) The IT administration here is a bunch of boneheads).
But what happens if they're not on your network? Well, then we start to cross into a gray area of sorts. More variables need to be considered where none are given, such as who owns the machines and what restrictions the employees have agreed to previously.
If they own the computers, are running the network themselves, and are not violating any agreement with their employer, then finding/squashing the networks is really none of your business.
This one is highly directional.
These might be easier to aim.
- Preferences: Solaris 10 (servers), Ubuntu (desktops), Solaris 11 (personal servers) -
Why not announce an outage for your company's WiFi, then it would be much easier to figure out where the other access points are.
it's a sig, wtf?
I don't know if anyone else had the thought, but when I read the question I had visions of the film Independance day where they pull up the car next to the White house, he sets up an antenna and determines the exact point in the building his ex-wife is.
I'm no network security expert, but you could scan all machines for those with abnormal ports open. You could look for 80 or 8080. I think XP machines do not listen on port 113 while off the shelf wireless routers do. Then just cut off that user. Obviously it won't help you FIND the person, but the user might call in wondering why he/she can't connect anymore.
You could try one of thesee t/yellowjacket.htm
http://www.bvsystems.com/Products/WLAN/Yellowjack
We use them in my research lab and they prove to work very well in locating any radio device in a specified band. It comes with directional and omni antennea and dont simply decode an 802.11 packet and read the RSSI. It will actually measure the RF of every packet (included disgarded or hidden ones) from a given host and give you a very accurate power measurement that you can use to locate your offending device.
They tend to mess up the office and Phil from accouning got burned at the stake last time. But they do a good job, we think. It's an office tradition. Besides, I didn't like Phil that much anyway.
Sorry about the writing. Robot fingers, you know? Cliff Steele in DOOM PATROL #23
Trying to stop people who obviously are setting up workarounds to serious shortcomings in your companies IT department is not useful. Make them go away by making them unnecessary.
Each access point that exists is an employees time and money your IT department wasted. Now you are wasting more time and money hunting them down and if you succeed you will waste even more by forcing the employee to find another workaround.
Some people's job is to get stuff done. Other people's is to stop people from getting stuff done. Most companies would be better off if they fired everyone of the second type.
set softtabstop=4 shiftwidth=4 expandtab nocp worlddomination
If you are a true BOFH.
:-) The best part is once you have that list you really do have full control of the network (No, you can't hook the laptop up to the network jacks in the bathroom stalls, the MAC isn't permitted unless it's MY laptop). Well, again, assuming you're not battling another BOFH...
Assuming you have a list of all permitted MAC addresses for the company (you have them, right?) then, also assuming the employee is "dumb" enough not to fake the MAC address on his WAP to be a permitted one (exceedingly likely), just find the rouge one.
If you don't have this list, I suggest you make it. It's an excellent make work project that's not only easy but will give you lots of opportunity to kiss ass with management and get some promotions happening.
Yup. Reflections are going to be a big problem.
I'm a rank amateur when it comes to T-hunting (a sport among ham radio operators that consists of trying to find a hidden transmitter with directional antennas), but after a couple excursions I can guarantee that hunting for a few GHz signal inside an office building is going to be tough. Even with equipment that will let you look at only the offending signal and dedicated df'ing antenna (whether nulling loops or something that chops between multiple antennas and actively compared phase from each), you'll spend a long time chasing reflections.
That's not to say it wouldn't be a fun thing to try, of course.
An alternative might be to attenuate the signal - by replacing the antenna on your wireless card with a badly tuned little stub of wire or sticking it in a metal biscuit tin grounded to the laptop chasis - and then walk the building floors looking for a peak.
Chances are you can cover all the floor space in your building in less time than it will take you to chase reflections around with a directional antenna.
You want the Auditor Collection CD and a decent directional antenna, such as a Cantenna or, if you have some cash, something by Huber & Suhner. Auditor is, by a far stretch, the best wireless security tools collection out there--it's a great complement to something like Knoppix-STD.
A Fluke Can help regarding signal strength, but the built-in antennas generally aren't great for spotting directions. They can help you start delimiting a general area without having you look like an idiot walking around with a laptop, though.
Also you may want to consider a Bumblebee -- I've seen one of these in use at PacSecWest, and it did a pretty good job finding transmitters. It's also a lot smaller than either a Fluke or a laptop.
If you're on a budget, try something like a Digital Hotspotter, although I wouldn't recommend this particular company due to delivery problems.
Cole's Law: Thinly sliced cabbage
What aout using a laptop logging GPS position and wifi signal strength at 2 second intervals. You'd possibly need to make the range of the wifi card smaller. Get whoever pushes the post troilley around to take it with them. From the logged data, it should be possible to locate each AP on a GPS map...
They can train dogs to find bodies, drugs, people, people's cancer.
Next..the amazing WAP smelling dog.
-- www.globaltics.net
Political discussion for a new world
A while back, I'd posted on my blog that it might be possible, if you knew the location of several managed WinXP laptops within the building, to use WMI/WDM scripts to locate SSIDs and signal strength, as "seen" by those systems. That way, you could get an idea of where the rogue WAPs may be. For example if you have an SSID with a low signal strength for a system on the third floor, query some other nearby systems, even ones on the second and fourth floors...it won't be exact but it will give you an idea. You can even get on the phone and have someone walk over there for you! H. Carvey "Windows Forensics and Incident Recovery" http://www.windows-ir.com/ http://windowsir.blogspot.com/
Just watch arp traffic, and you should be able to see when a new device is plugged in, and the vendor of that device. It should be easy enought to deny that device an ip address, using the mac address, in your dhcp server.
A wireless access point with no internet connect isn't much of a threat.
You could also run a program like jffnms that probes your switches for ports. When a new port comes active, you should see it pop up on the interface. You can then match that up with arpwatch to see if that's a valid host that should be on the network. If not, boot them off.
walking around with a laptop and wlan card seems like the hard way to do things, when you could be just sitting at your desk running the correct software. work smart, not hard.
Why read the article when I can just make up a snap judgement?
Do you have a closed network or an open network?
If it is closed, finish closing it, don't let your routers even talk to unauthorized devices that might get plugged in (so you don't talk to the wifi box), and ring alarms if unauthorized MAC addresses appear. Certainly don't have your DHCP server issue IP addresses to just any device that gets plugged in.
If your network is open (because you secure your traffic and machines), then maybe there is no harm in having wifi on it. Install access points for your workers.
-kb, the Kent who thinks you should step back and figure out what your security goals are.
If you must do this the hard way, find a directional antenna (try the pringles can, and in at least three different spots, try and find the direction of the AP... this won't rely on cutting someone's network access, and should work.
If you can get the company to establish a no WLAN policy, you can then remind everyone that WLANs are not allowed, and will take appropriate measure to make it so. There are devices out there that would prevent rogue wireless stations, and probably rogue wireless APs. They're not all that sophisticated (ie a hacker can figure it's an device deliberately stopping wireless), but your point seems to prevent insiders from putting up an wireless AP.
Is often banned in the office. So that is easy to deal with. And if you are on my network, you are either approved or you get your connection pulled. Good admins dont have 'live' connections just laying around.
For case #2, if you are improperly using company equipment you get written up or fired. Besides, unless you are an admin you wouldnt have rights to install the drivers in the first place..
Sounds like the original poster needs to crack down a bit in general.. If he can..
---- Booth was a patriot ----
All the posts I see here talk about loop antennae and such, ignoring the fact that it is HIS network.
If you can connect to the AP and the AP will route you onto your network you can determine the AP's IP. From there you can 1. temporarily disable it and 2. presumably discover the Ethernet drop it is attached to.
If you can't connect to it you can probably use something like nmap do find its IP through the process of elimination. (For example, if there is exactly one device on an IP from your DHCP pool that isn't a windows box.) From there the same steps apply.
-Peter
(a synopsis of the above post)
FINDING A ROGUE ACCESS POINT
Simple step-by-step instructions for PHBs
1. Break WEP key on access point
2. Turn on routing and NAT on the AP
3. Set up an internal website to long its WAN IP address
4. Given the IP address, find the MAC
5. Set up DHCP server to deny the MAC and IP address
6. Flood the network with ARPs.
7. Set up a honeypot that spoofs TCP/IP responses.
8. ???
9. Now that you have found the AP, unplug it. (The black cable with two prongs at the end)
bp
Use the force Luke!
"Or change your AUP and internal network security so that you wouldn't care about WAPs.
If you decide to go hunting for them, you'll have to do it more than once. There is employee turnover & machine turnover & anyone can bring in a new WAP."
Or this could be a company with ties either to the government, or defense. Trying to be a "Rebel without a clue" could be more painful than a simple job termination. Maybe the "disease" is that everyone wants to be some kind of "you can't tell me what to do". The cure isn't some uber security system, but a much tougher hiring process.*
*Let's pretend that we have a high unemployment rate.
-Obtain the APs MAC address.
-Find the interface which has learned this MAC address.
-Identify the cabling port that connect to that interface.
-Consult your cabling schedule to determine the location of that port.
Or next time save yourself the headache of unathortized devices plugging into your network and implement some type of network authentication scheme. That, or, shut down all unused ports and set your switches to only learn one mac address per port.
"If it ain't broke, it doesn't have enough features yet"
If you wanted to go for "fancy", I'd suggest the following:
Card that supports external antennas
Pigtail adapter to a commmon connector such as N
Variable attenuator (You can probably find junky units suitable for your purpose very cheap - calibrated ones are MUCH more expensive.)
Antenna that uses the same connectors as the attenuator
Procedure:
Find signal
Turn attenuator up slowly until signal disappears
Move around to pick up signal again
Turn attenuator up even more
Rinse and repeat
retrorocket.o not found, launch anyway?
Build a homemade small directional antennae, point and walk the direction of the strongest signal, signal goes weak then your getting cold.
I am Bennett Haselton! I am Bennett Haselton!