How Do You Locate That Access Point?
parp asks: "As an IT Manager I'm concerned about unauthorized Access Points being installed, or users who set up wireless computer-to-computer networks. How do you find the exact location of these devices? I've tried walking around the office with a laptop watching the signal, but the signal monitors that are included with most network drivers are very limited. The signal could be upstairs, downstairs or right around the corner, but I can't find it. Results of web searches I've done just tell you how to find a signal (wardrive), not the source. I'd be interested in any software or hardware device that can locate the device within a few feet."
It seems to me that you'd need to build a VERY directional antenna, and then you could triangulate the position fairly easily, and it could get you in the right area. Hopefully on the right floor ;)
Nobodies Prefect
Tidbits for Techs Technology Blog
You would probably need to build a loop antenna; they are directional and, as far as I know, do not have much gain. You would just need to spin the loop to find the strongest signal and take a measurement from two different places; then you could just draw two lines on a decent site layout map and know within about 10 feet where the signal is. Google for "radio fox hunt" or "loop antenna".
Hey guys, a quick google revealed this:
http://www.airespace.com/technology/technote_rffp_pinpoints_location.php
Thought you might be interested.
Just monitor the traffic to see who is actually using the link. You should be able to figure it out from their IP address or their browsing habits. Chances are it is whoever set up the link. You may have to use one of the many WEP crackers, but that shouldn't present a problem.
If no one ever seems to be using it, it is possible you are picking up someone's laptop with a built-in 802 card that automatically enables without the user even knowing.
http://notanumber.net/
My company recently implemented a product called "WiFi Watchdog" from Newbury Networks (http://www.newburynetworks.com/). Damned nice product, and it has the capabilities you are looking for. The latest version of their software will give you a heat map as to where a device is likely to be overlaid on top of a map of your building.
Other vendors selling similar products include Airmagnet and AirDefense. Some of the bigger AP infrastructure guys such as Cisco even have some built-in products to do similar things.
The big advantage I found with NNI is that their product helps reduce false positives by identifying APs outside our building and labeling them as such - so when a Sears truck drives by with a built-in AP our alarm bells don't go off. Other neat things include a cool RADIUS service that "authorizes" connections based on location. Tied together with other authentication services, that would make for a really, really powerful solution for securing your wireless.
Anyway, hope that helps find some good solutions for you.
-Jack Ash
PS: No, I am not an employee of NNI or anything of the sort, I'm just a guy who went through your exact problem last year and ended up finding this solution.
Oregon State University's Open Source Lab has a tool specifically designed to find rogue wifi access points on university networks, and it's available here: rogue detect
First, in most office buildings signals reflect and bounce in non-obvious ways. I'd start with a directional antenna with the tightest beamwidth you can find (90 degrees, 60 degrees, etc.). Choose 5 or 10 spread-out locations and look at the netstumbler-reported dB as you sweep in a 360 degree circle. Mark which channels have strong signals and what direction they are coming from. Plot several lines on an office map for each channel in each spot - the strongest signal, and a few weaker signals to help reduce problems with signal reflections.
If you are attempting to do this for a multi story building then you may choose to sweep in a sphere, or simply do the single floor sweep with multiple locations on each floor.
This will give you a good general location to search more closely.
If this doesn't help or work very well, or you are interested in the armchair approach, try searching from the network.
You know the IP address of the access point. If you don't, connect to it and find out. This may require breaking a WEP key, and setting up an internal website that shows the AP's WAN IP address when you view the page if the AP is set up to route and NAT.
Now that you have the IP address, you should also have the MAC. Set up the DHCP server to deny that MAC an IP address if you don't want to worry about it and think the person isn't very bright.
Use your routers to find the port or hub the AP is connected to, and use various network tools to locate the actual connection. You could flood the network with ARPs or pings for the IP and pull plugs until it stops responding.
If you're certain it is the only device on that wire you could 'disable' it with an etherkiller. Of course, you may also set the building on fire, but either way the AP will stop.
You could also setup a rogue machine that listened to the wireless signal and spoofed TCP/IP responses for webpages and images. If the people can't use the AP, then it's effectively dead.
There are a variety of ways to further shut down APs, but this ought to get you started.
-Adam
Loop antennas have a nice wide range of angles where they receive well, and a sharp narrow range in which they don't. Radio direction finding means turning the loop until the signal cuts off and then following the direction of the plane of the loop.
Real-world reflections make this much harder.
I've always used a 4-second rule and gotten away with it. I've replaced entire 48-port switches one wire at a time with the users none the wiser. :)
(Well, okay, maybe that last could be interpreted in more than one way, but you know what I mean!)
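The two-bearing fix from the loop-antenna reply, the multi-location sweep in Adam's post, and the null-following in the reply just above all come down to the same geometry: each reading is a line on the floor plan, and the AP is where the lines cross. The following is an added example (not code from any of the posters) that does that arithmetic. It assumes the surveyor's positions are known on the floor plan in metres and that bearings are compass bearings relative to the map's north; the readings below are constructed. Because it works with infinite lines, the 180-degree ambiguity of a loop antenna's null does not matter, and with three or more readings it can throw out a bearing that was really a reflection rather than averaging it in.

```python
import math
from itertools import combinations
from typing import List, Optional, Sequence, Tuple

# One sweep reading: the surveyor's position on the floor plan (x, y, metres)
# and the compass bearing of the strongest signal, 0 = +y (map north),
# increasing clockwise. Constructed data, not a real survey.
Observation = Tuple[float, float, float]
Point = Tuple[float, float]


def bearing_deg(origin: Point, target: Point) -> float:
    """Compass bearing from origin to target (used here only to build sample readings)."""
    dx, dy = target[0] - origin[0], target[1] - origin[1]
    return math.degrees(math.atan2(dx, dy)) % 360.0


def _normal_form(obs: Observation) -> Tuple[float, float, float]:
    """Return (nx, ny, c) such that the bearing line is {p : nx*p.x + ny*p.y == c}."""
    x, y, bearing = obs
    t = math.radians(bearing)
    nx, ny = math.cos(t), -math.sin(t)      # unit normal to the direction (sin t, cos t)
    return nx, ny, nx * x + ny * y


def fix_position(observations: Sequence[Observation]) -> Optional[Point]:
    """Least-squares point minimising the summed squared distance to every bearing line.

    With two readings this is their exact intersection. Returns None when the
    lines are (near-)parallel, i.e. the readings do not pin down a point.
    """
    a11 = a12 = a22 = b1 = b2 = 0.0
    for obs in observations:
        nx, ny, c = _normal_form(obs)
        a11 += nx * nx
        a12 += nx * ny
        a22 += ny * ny
        b1 += nx * c
        b2 += ny * c
    det = a11 * a22 - a12 * a12
    if abs(det) < 1e-9:
        return None
    return (a22 * b1 - a12 * b2) / det, (a11 * b2 - a12 * b1) / det


def residuals(observations: Sequence[Observation], p: Point) -> List[float]:
    """Perpendicular distance (metres) from p to each bearing line."""
    return [abs(nx * p[0] + ny * p[1] - c) for nx, ny, c in map(_normal_form, observations)]


def locate(observations: Sequence[Observation], max_residual: float = 3.0
           ) -> Tuple[Optional[Point], List[Observation]]:
    """Consensus fix: try every pair of bearings, keep the crossing that the most
    other bearings pass within max_residual of, then refine over those inliers.
    Bearings that miss (reflections, a neighbouring channel) come back as outliers."""
    obs = list(observations)
    best: Optional[Tuple[Point, List[int]]] = None
    for i, j in combinations(range(len(obs)), 2):
        p = fix_position([obs[i], obs[j]])
        if p is None:
            continue
        res = residuals(obs, p)
        inliers = [k for k, r in enumerate(res) if r <= max_residual]
        if best is None or len(inliers) > len(best[1]):
            best = (p, inliers)
    if best is None:
        return None, obs
    refined = fix_position([obs[k] for k in best[1]])
    outliers = [o for k, o in enumerate(obs) if k not in best[1]]
    return refined, outliers


if __name__ == "__main__":
    # Constructed survey: an AP really at (30, 20), three honest bearings taken
    # from spread-out spots, plus one bearing that followed a reflection.
    ap = (30.0, 20.0)
    readings = [(x, y, bearing_deg((x, y), ap)) for x, y in [(0.0, 0.0), (60.0, 0.0), (0.0, 40.0)]]
    readings.append((50.0, 45.0, 200.0))    # reflection: points nowhere near the AP
    fix, rejected = locate(readings)
    print("estimated AP position:", fix)
    print("rejected bearings:", rejected)
```

With only two readings the answer is their exact intersection and nothing can be checked, which is why spreading the sweep over several positions (and floors) matters: the third and fourth bearings are what let a bounced signal be recognised and dropped.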
-Obtain the AP's MAC address.
-Find the interface which has learned this MAC address.
-Identify the cabling port that connects to that interface.
-Consult your cabling schedule to determine the location of that port.
Or next time save yourself the headache of unauthorized devices plugging into your network and implement some type of network authentication scheme. That, or shut down all unused ports and set your switches to only learn one MAC address per port.
"If it ain't broke, it doesn't have enough features yet"
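The MAC-to-port walk listed in the post above (and the "use your routers to find the port" approach in Adam's post) as an added example, not code from any of the posters. It parses the output of the Cisco IOS command "show mac address-table address <mac>" (the sample output below is constructed, not a real capture), and the uplink map and cabling schedule are assumed. The one practitioner detail it builds in: if the port the MAC was learned on is an uplink to another switch, you have only learned which switch to query next, so it keeps hopping until it reaches an edge port. The MAC you search for is the AP's wired-side MAC as seen on the LAN, which is generally not the same as the BSSID the radio advertises.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample output of 'show mac address-table address 0011.2233.4455'
# on two Cisco IOS switches (assumed names; not real captures).
CORE_SW1_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi1/0/48
Total Mac Addresses for this criterion: 1
"""

FLOOR2_SW1_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Fa0/17
Total Mac Addresses for this criterion: 1
"""

TABLES: Dict[str, str] = {"core-sw1": CORE_SW1_TABLE, "floor2-sw1": FLOOR2_SW1_TABLE}

# Assumed topology: which ports are uplinks to which downstream switch. A MAC
# learned on an uplink means the device is somewhere behind that switch.
UPLINKS: Dict[str, Dict[str, str]] = {"core-sw1": {"Gi1/0/48": "floor2-sw1"}}

# Assumed cabling schedule: (switch, port) -> patch panel / wall jack / room.
CABLING: Dict[Tuple[str, str], str] = {
    ("floor2-sw1", "Fa0/17"): "patch panel 2B port 17 -> jack 2.17, room 214",
}

# One data row of the IOS table: vlan, dotted MAC, type, port.
_ROW = re.compile(r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)\s*$", re.I)


def normalize_mac(mac: str) -> str:
    """Accept 0011.2233.4455, 00:11:22:33:44:55 or 00-11-22-33-44-55; return lowercase colon form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def find_port(table_text: str, mac: str) -> Optional[str]:
    """Port on which this switch learned the MAC, or None if it is not in the table."""
    target = normalize_mac(mac)
    for line in table_text.splitlines():
        m = _ROW.match(line)
        if m and normalize_mac(m.group(2)) == target:
            return m.group(4)
    return None


def trace_mac(mac: str, tables: Dict[str, str], uplinks: Dict[str, Dict[str, str]],
              start: str, max_hops: int = 8) -> Tuple[List[Tuple[str, str]], Optional[Tuple[str, str]]]:
    """Follow the MAC from the start switch down through uplinks to the edge port.

    Returns (path of (switch, port) hops, edge (switch, port) or None).
    """
    path: List[Tuple[str, str]] = []
    switch = start
    for _ in range(max_hops):
        port = find_port(tables.get(switch, ""), mac)
        if port is None:
            return path, None              # aged out, or not behind this switch at all
        path.append((switch, port))
        downstream = uplinks.get(switch, {}).get(port)
        if downstream is None:
            return path, (switch, port)    # edge port: this is the cable to follow
        switch = downstream
    return path, None                      # too deep or looping: check the uplink map


def locate_jack(mac: str, tables: Dict[str, str], uplinks: Dict[str, Dict[str, str]],
                start: str, cabling: Dict[Tuple[str, str], str]) -> Optional[str]:
    """Edge port resolved against the cabling schedule, or None if the trail goes cold."""
    _, edge = trace_mac(mac, tables, uplinks, start)
    return cabling.get(edge) if edge else None


if __name__ == "__main__":
    hops, edge = trace_mac("00:11:22:33:44:55", TABLES, UPLINKS, "core-sw1")
    print("path:", hops)
    print("edge port:", edge)
    print("location:", locate_jack("00:11:22:33:44:55", TABLES, UPLINKS, "core-sw1", CABLING))
```

A MAC that is missing from the start switch's table has usually just aged out; generate some traffic to it (a ping to its IP is enough) and re-run the command before concluding it is not on that segment. The table row format above is IOS-specific, so the row regex needs adjusting for other vendors' output.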