Slashdot Mirror
How Do You Locate That Access Point?
parp asks: "As an IT Manager I'm concerned about unauthorized Access Points being installed, or users who setup wireless computer to computer networks. How do you find the exact location of these devices? I've tried walking around the office with a laptop watching the signal, but the signal monitors that are included with most network drivers are very limited. The signal could be upstairs, downstairs or right around the corner, but I can't find it. Results of web searches I've done just tell you how to find a signal (wardrive), not the source. I'd be interested in any software or hardware device that can locate the device within a few feet."
It seems to me that you'd need to build a VERY directional antenna, and then you could triangulate the position fairly easily, and it could get you in the right area. Hopefully on the right floor ;)
Nobodies Prefect
Tidbits for Techs Technology Blog
You would probably need to build a loop antenna, they are directional and as far as I know, do not have much gain, you would just need to spin the look to find the strongest signal and take a measurement from 2 different places, then you could just draw to lines on a decent site layout map and know within about 10 feet where the signal is, google for "radio fox hunt" or "loop antenna".
Hey guys, a quick google revealed this:
_ pinpoints_location.php
http://www.airespace.com/technology/technote_rffp
Thught you might be interested.
Just monitor the traffic to see who is actually using the link. you should be able to figure it out from their IP address or their browsing habits. Chances are it is whoever set up the link. You may have to use one of the many WEP crackers, but that shouldn't present a problem.
If no one ever seems to be using it, it is possible you are picking up someones laptop with a built in 802 card that automatically enables without the user even knowing.
http://notanumber.net/
Attach to the access point and ping your router.
Then pull wires till the ping stops. Work up the wires till you find the one the access port is on the end of.
Sam
blog.sam.liddicott.com
My company recently implemented a product called "WiFi Watchdog" from Newbury Networks (http://www.newburynetworks.com/). Damned nice product, and it has the capabilities you are looking for. The latest version of their software will give you a heat map as to where a device is likely to be overlaid on top of a map of your building.
Other vendors selling a similar products include Airmagnet and AirDefense. Some of the bigger AP infrastructure guys such as Cisco even have some built in products to do similar things.
The big advantage I found with NNI is that their product helps reduce false positives by identifying APs outside our building and labeling as such - so when a Sears truck drives by with a built in AP our alarm bells don't go off. Other neat things include a cool RADIUS service that "authorizes" connections based on location. Tied together with other authentication services that would make for a really really powerful solution for securing your wireless.
Anyway, hope that helps find some good solutions for you.
-Jack Ash
PS: No, I am not an employee of NNI or anything of the sort, I'm just a guy who went through your exact problem last year and ended up finding this solution.
First, start on a floor you know has access to this access point. Then, get in the elevator and hit the top floor. Note what floor you get disconnected on. Do the same going down, and average those numbers together and you have the floor it's on.
Once you are there, gather everyone around, and tell them that you know one of them has a wireless access point around. The first person to turn around and hurry away sneakily is your guy. Pull out your gun and shoot him in the back. Find his desk and everywhere he goes, and you'll eventually find the access point. Problem solved.
Or were you wanting to do this legally? Then I would just get them in a headlock and "nugey" them until they tell you where it is.
Oregon State University's Open Source lab has a tool specifically designed to find rogue wifi access point on univerisity networks, and it's available here: rogue detect
Simple! You simply log into the access point and type 'eject' at the command prompt. Then look for the Access Point with the CD-Tray open...
:)
Hey, if it works for a maze of Linux machines
But in all hoestly, you probably want a directional antenna as the other posters are suggesting. However, I suggest you get 2-3 volunteers, each with their own directional antenna. It will be easier to triangulate the signal if you have 3 folks coming in from 3 different angles.
"Can of worms? The can is open... the worms are everywhere."
If you're so concerned about systems connecting, then perhaps you should get the MAC address of all your authorized machines, and only allow those at the router or firewall level?
You should also keep your servers secured against your internal network, only allowing services that are actually needed. There's a tendancy to trust everything internal on your network -- but really, with wifi and so many people having laptops, as well as systems infected with viruses and spyware, the internal network is just as volitaile as the internet itself.
Speak before you think
Remember that the network it is plugged into is the businesses, not the individuals, and the business dictates what is done with it. They have every right to disconnect it. They might not be able to confiscate it, and keep it, but they can certainly disconnect it, unplug it, and tell the employee to never, ever bring it back in.
What are we going to do tonight Brain?
First, in most office buildings signals reflect and bounce in non obvious ways. I'd start with a directional antenna with the tightest beamwidth you can find (90 degrees, 60 degrees, etc). Choose 5 or 10 spread out locations and look at the netstumbler reported dB as you sweep in a 360 degree circle. Mark which channels have strong signals and in what direction they are coming from. Plot several lines on an office map for each channel in each spot - the strongest signal, and a few weaker signals to help reduce problems with signal reflections.
If you are attempting to do this for a multi story building then you may choose to sweep in a sphere, or simply do the single floor sweep with multiple locations on each floor.
This will give you a good general location to search more closely.
If this doesn't help or work very well, or you are interested in the armchair approach, try searching from the network.
You know the IP address of the access point. If you don't, connect to it and find out. This may require breaking a WEP key, and setting up and internal website that shows the AP's WAN IP address when you view the page if the AP is set up to route and NAT.
Now that you have the IP address, you should also have the MAC. Set up the DHCP server to deny that MAC an IP address if you don't want to worry about it and think the person isn't very bright.
Use your routers to find the port or hub the AP is connected to, and use various network tools to locate the actual connection. You could flood the network with ARPs or pings for the IP and pull plugs until it stops responding.
If you're certain it is the only device on that wire you could 'disable' it with an etherkiller. Of course, you may also set the building on fire, but either way the AP will stop.
You could also setup a rogue machine that listened to the wireless signal and spoofed TCP/IP responses for webpages and images. If the people can't use the AP, then it's effectively dead.
There are a variety of ways to further shut down APs, but this ought to get you started.
-Adam
Set up your own access point with the same SSID and see who tries to connect.
Here is an idea for people who bring in an off-the-shelf wireless router. If they are dumb enough to leave SSID visible, perhaps they left it at the defaults. See if you can join it and then try a default password. There you can find the MAC address on the WAN side. If you have at least layer 2 managed switches on you network, you can log into them and look at the tables to determine which port it is comming in to. Hopefully you have a current map of your network (i.e. jack #23 in the wiring closet goes to the General Managers office.) The last place I worked for had no such map, I had to make it myself. If someone cries foul that I suggest they "hack" into someones personal property, tough. The culprit is using Company resources and leaving a door open into the network, possibly affecting others. Hope this helps
"Build something idiot proof, and someone will build a better idiot" - Samuel Clemens
Try browsing through your LAN switch's MAC address tables.. The manufacturer ID on the WAP will probably be different than most of your other computers' network cards.
If your network is good enough, there wouldn't be a need for rogue WAPs.
Supply your users with a better wireless network! Make sure there is connectivity EVERYWHERE & then lock your own network down (through VPN, WPA+Radius, or whatever).
If even facility-provided wireless is absolutely verboten everywhere, just put up jammers & be done with it.
Or change your AUP and internal network security so that you wouldn't care about WAPs.
If you decide to go hunting for them, you'll have to do it more than once. There is employee turnover & machine turnover & anyone can bring in a new WAP.
Just ask Frink:
"I have captured the signal and am presently triangulating the vectors and compressing the data down in order to express it as a function of my hand... They're over there!"
Send out a company-wide email reminding employees about the corporate policy against bringing wireless access points from home. Ask anyone who has one to please disconnect it and remove it from the premises thank you for your cooperation etc etc.
Worker bees will comply almost instantly. If it's still on the air by that evening, start looking in manager offices. If you can at least isolate it to one floor you should be able to just LOOK for it. It's connected to the network, right? Follow some ethernet cables and you'll eventually find it. It's not like they would hide it in a metal filing cabinet.
And when you do find it, don't be an @$$ about it. Just remind the misguided soul that this is against corporate IT policy and we'll be happy to extend a supported AP into the ceiling near you on monday.
Why isn't there a product available that allows one to "view" RF like a camcorder.. or at least still photos? Could something like a CCD sensor be built that would be tuned to radio frequencies instead of light frequencies? This sort of device would be extremely useful for locating RF signals, helping to find sources of interference, verifying whether antenae are active or not, looking for someone using a radio while hiding behind a bush with a gun, you know.. things like that.
Ouch! The truth hurts!
Loop antennas have a nice wide range of angles where they receive well, and a sharp narrow range in which they don't. Radio direction finding means turning the loop until the signal cuts off and then following the direction of the plane of the loop.
Real-world reflections make this much harder.
(Though if you didn't like your IT department, you certainly could set up an AP in your office -- not plugged into the network at all -- just to mess with them. Power it with a battery if you really want to make sure it doesn't violate any company policies. Howver, if you're going to do this, it may really piss them off when they find it, and it could very well still get you fired. And perhaps rightfully so, since obviously you'd be a schmuck with too much time on his hands.)
It can be made reasonably secure easily enough. WEP helps a lot, but by itself it doesn't make it completely secure, and that's probably what you're referring to. But there are other ways to secure wireless networks, and some of them work pretty good. The NSA probably doesn't use them (on their uber-secure networks anyways), but for many companies they're good enough.But really, the `wireless isn't secure' mantra is getting quite old. There's some truth to it, but it can be made secure. Secure enough, anyways. (After all, IT is always balancing security with usability. Security is not a black or white thing -- it's a huge spectrum.)
True, but unauthorized access points give one more point of entry that someone outside the company can use to find a weakness; no network can be 100% secure, and preventing physical access is yet another tool in securing it.
If you have a wireless AP around then someone can get in from outside the building, after hours, when nobody is around to notice the intrusion...
I drink to make other people interesting!
Let me get this straight...you're out to find "unauthorized" network activity between computers? As stated in previous posts, who owns these computers? Who owns the network?
If it's your network, then you need to record the MAC address of the unauthorized machines and use security measures to lock network. More securely, you can even configure the network to provide service *only* to authorized network adapters. That's how they do it here, and this is a public school (if THEY can do it, then you certainly can ;) The IT administration here is a bunch of boneheads).
But what happens if they're not on your network? Well, then we start to cross into a gray area of sorts. More variables need to be considered where none are given, such as who owns the machines and what restrictions the employees have agreed to previously.
If they own the computers, are running the network themselves, and are not violating any agreement with their employer, then finding/squashing the networks is really none of your business.
Why not announce an outage for your company's WiFi, then it would be much easier to figure out where the other access points are.
it's a sig, wtf?
Trying to stop people who obviously are setting up workarounds to serious shortcomings in your companies IT department is not useful. Make them go away by making them unnecessary.
Each access point that exists is an employees time and money your IT department wasted. Now you are wasting more time and money hunting them down and if you succeed you will waste even more by forcing the employee to find another workaround.
Some people's job is to get stuff done. Other people's is to stop people from getting stuff done. Most companies would be better off if they fired everyone of the second type.
set softtabstop=4 shiftwidth=4 expandtab nocp worlddomination
Yup. Reflections are going to be a big problem.
I'm a rank amateur when it comes to T-hunting (a sport among ham radio operators that consists of trying to find a hidden transmitter with directional antennas), but after a couple excursions I can guarantee that hunting for a few GHz signal inside an office building is going to be tough. Even with equipment that will let you look at only the offending signal and dedicated df'ing antenna (whether nulling loops or something that chops between multiple antennas and actively compared phase from each), you'll spend a long time chasing reflections.
That's not to say it wouldn't be a fun thing to try, of course.
An alternative might be to attenuate the signal - by replacing the antenna on your wireless card with a badly tuned little stub of wire or sticking it in a metal biscuit tin grounded to the laptop chasis - and then walk the building floors looking for a peak.
Chances are you can cover all the floor space in your building in less time than it will take you to chase reflections around with a directional antenna.
They can train dogs to find bodies, drugs, people, people's cancer.
Next..the amazing WAP smelling dog.
-- www.globaltics.net
Political discussion for a new world
-Obtain the APs MAC address.
-Find the interface which has learned this MAC address.
-Identify the cabling port that connect to that interface.
-Consult your cabling schedule to determine the location of that port.
Or next time save yourself the headache of unathortized devices plugging into your network and implement some type of network authentication scheme. That, or, shut down all unused ports and set your switches to only learn one mac address per port.
"If it ain't broke, it doesn't have enough features yet"