North American Network Operators Group


Re: Locating rogue APs

  • From: Martin Hannigan
  • Date: Tue Feb 11 17:53:43 2003

On Tue, Feb 11, 2003 at 01:02:34PM -0700, Tony Rall wrote:
> 
> On Tuesday, 2003-02-11 at 13:42 CST, "Matthew S. Hallacy" 
> <[email protected]> wrote:
> > On Tue, Feb 11, 2003 at 11:27:28AM -0600, John Kristoff wrote:
> > > In general, MAC OUI designations may indicate a particular AP.  IP
> > > multicast group participation may also be used by some APs. Some
> > > APs have a few unique ports open.  Lastly, APs may be found with
> > > a radio on a particular default channel.  All of these potentially
> > > identifying characteristics may be used to help audit the network
> > > for rogue IPs.
> > 
> > Why are you posting this here? The information is somewhat
> > incomplete/incorrect as well. Persons interested in finding rogue APs
> > would be much better off with a tool such as kismet that already
> > identifies model/make of access points based on various datapoints
> > (including the types you posted), as well as the ability to determine
> > where the AP is (physically) with the use of a GPS unit.
> 
> It appears that kismet requires either someone to walk around the facility
> while running the program or that you have it installed on
> machines all over your site.  Neither of those options interests me as a
> long term solution to rogue AP monitoring.

Most solutions are going to require some walking around. How else
would you find them?

[ snip ]

You could set up a laptop, a GPS with a data cable, NetStumbler[free],
and an 8 dBi 2.5 GHz <802.11b> antenna and pick up everything clearly
for half a mile without walking around. I've just acquired this
setup myself. Google on "war driving +F150" and you'll see a setup
to help for < $55.

A network IDS will most definitely detect odd MAC addrs or manufacturer
octets, but you'll have to maintain the signatures. It's much easier
using the 'war driving' setup.
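
The wired-side check discussed in this thread (matching MAC manufacturer octets against a maintained list) can be sketched as follows. This is an added example, not code from any poster in the thread; the OUI prefixes, the inventory and the switch table dump are all constructed placeholders.

```python
import re

# Constructed placeholder OUIs (locally administered, not real vendor
# assignments). In practice, load AP-vendor prefixes from the IEEE registry.
AP_OUIS = {"02aa01": "ExampleAP Vendor A", "02aa02": "ExampleAP Vendor B"}

# MACs of access points the network team deployed (constructed inventory).
AUTHORIZED = {"02aa01000010"}

# Constructed forwarding-table dump: VLAN, MAC, type, port.
SAMPLE_TABLE = """\
  10  02aa.0100.0010  DYNAMIC  Gi0/1
  10  02AA.0233.4455  DYNAMIC  Gi0/7
  20  02:bb:03:11:22:33  DYNAMIC  Gi0/9
  20  02-aa-01-de-ad-01  DYNAMIC  Gi0/12
"""

# Accept colon, hyphen and dotted-quad MAC notations.
MAC_RE = re.compile(
    r"\b((?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}|(?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\b",
    re.I,
)

def normalize(mac):
    """Reduce any supported notation to 12 lowercase hex digits."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def find_suspect_aps(table, ap_ouis=AP_OUIS, authorized=AUTHORIZED):
    """Return (mac, vendor, port) for AP-vendor MACs missing from inventory."""
    suspects = []
    for line in table.splitlines():
        m = MAC_RE.search(line)
        if not m:
            continue
        mac = normalize(m.group(1))
        vendor = ap_ouis.get(mac[:6])  # first three octets are the OUI
        if vendor and mac not in authorized:
            suspects.append((mac, vendor, line.split()[-1]))
    return suspects

if __name__ == "__main__":
    for mac, vendor, port in find_suspect_aps(SAMPLE_TABLE):
        print(f"{port}: {mac} has AP-vendor OUI ({vendor}), not in inventory")
```

The `AP_OUIS` table is the signature set that has to be kept current; a device whose prefix is missing from it passes unnoticed, which is the maintenance cost raised above.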