How Do You Locate That Access Point?
parp asks: "As an IT Manager I'm concerned about unauthorized Access Points being installed, or users who set up wireless computer to computer networks. How do you find the exact location of these devices? I've tried walking around the office with a laptop watching the signal, but the signal monitors that are included with most network drivers are very limited. The signal could be upstairs, downstairs or right around the corner, but I can't find it. Results of web searches I've done just tell you how to find a signal (wardrive), not the source. I'd be interested in any software or hardware device that can locate the device within a few feet."
Radio Direction Finding (Score:4, Informative)
Re:Radio Direction Finding (Score:5, Funny)
Re:Radio Direction Finding (Score:3, Interesting)
(Ok, two directions, but one direction contains your laptop, so it should be discernable in the signal strength when you move around)
Dare I say consulting an expert on the judicious use of tinfoil might be appropriate? Call the tinfoil hat brigade! Actually, no need to call, they'll reply below soon enough.
Re:Radio Direction Finding (Score:2)
Re:Radio Direction Finding (Score:2)
IF you use a directional antenna (aka beam) you will usually also need/want an attenuator, so you can cut down on signals that are TOO strong
There are also "time of arrival" RDF units - take 2 antennas, put them say, less than 1/2 wavelength apart, and a fairly simple circuit that generates FM, plus a radio tuned to the frequency in question - if the signal gets to both antennas at the same time
Re:Radio Direction Finding (Score:2)
Re:Radio Direction Finding (Score:3, Insightful)
He's trying to prevent unauthorized Access Points from being installed, you fucking moron.
And how do you know he's not on a University Campus, trying to prevent students from peering?
Re:Radio Direction Finding (Score:2)
The idea being that if they already had an official solution, there would be no need to bring in their own, unauthorized, access points.
Re:Radio Direction Finding (Score:2)
The idea being that they may pose a level of security risk that might not be acceptable in their situation.
Re:Radio Direction Finding (Score:2)
So, I figured he just didn't catch the drift of the other guy.
Re:Radio Direction Finding (Score:2)
loop antenna (Score:5, Informative)
No, look for the *weakest* signal (Score:3, Informative)
Real-world reflections make this much harder.
Re: reflections (Score:3, Interesting)
I'm a rank amateur when it comes to T-hunting (a sport among ham radio operators that consists of trying to find a hidden transmitter with directional antennas), but after a couple excursions I can guarantee that hunting for a few GHz signal inside an office building is going to be tough. Even with equipment that will let you look at only the offending signal and dedicated df'ing antenna (whether nulling loops or something that chops between multiple antenna
Re: reflections (Score:2)
Card that supports external antennas
Pigtail adapter to a common connector such as N
Variable attenuator (You can probably find junky units suitable for your purpose very cheap - calibrated ones are MUCH more expensive.)
Antenna that uses the same connectors as the attenuator
Procedure:
Find signal
Turn attenuator up slowly until signal disappears
Move around to pick up signal again
Turn attenuator up even more
Rinse and repeat
Re:loop antenna (Score:3, Interesting)
Watch it to get a how-to
Something to check out... (Score:3, Informative)
http://www.airespace.com/technology/technote_rffp
Thought you might be interested.
Re:Something to check out... (Score:5, Insightful)
By default it tells you that AP X detects an access Point. It tries to connect as a client, and ping spots on your network. This tells you if it's on your network or not.. If you feel mean, you can flood it and shut it down.. (DOS attack built in!) However, if you want the precision mapping, you have to pay a very, very large chunk of change.. I have seen a demo, and it is pretty sweet to watch it pinpoint the exact location of a rouge AP. Keep in mind that this uses triangulation. You need more than one of your Cisco AP's to be able to see this rouge to get it pinpointed.
(Poor/Evil BOFH Fix) I would connect through the access point, note my IP, see if I could Ping the network.. Then, check the IP/Mac address, and find what port on my switches it is coming from. Disable the port. (if you have a nicely labeled patch panel, you could walk to the switch, and see exactly where the port is..) Wait for someone to complain about no network activity...
Re:Something to check out... (Score:3, Funny)
Mebbe it's just because it was written by Marketing Droids, but this doesn't give me much confidence:
I've never known anything to radiate in a square before...
Re:Something to check out... (Score:2)
netsnoop (Score:5, Informative)
If no one ever seems to be using it, it is possible you are picking up someone's laptop with a built in 802 card that automatically enables without the user even knowing.
Pull wires (Score:3, Insightful)
Then pull wires till the ping stops. Work up the wires till you find the one the access port is on the end of.
Sam
Re:Pull wires (Score:2, Funny)
or, more likely, pull wires until your employment stops which won't be long in many companies if you pull that kind of trick.
Re:Pull wires (Score:2, Interesting)
Such activities are allowed, if not encouraged, from IT people.
At least every place I've ever worked... boggled my mind the things that no one seemed to think was inappropriate or a problem.
As long as you sent out an email saying "We apologize for the network trouble earlier this morning" -- it wasn't a problem that the network went down because you shut down the wrong server because you logged into the wrong IP.
Re:Pull wires (Score:4, Insightful)
There's a lot of talk about fancy switches, but we don't know if this guy has any managed switches.
When I said "pull the wires till the ping stops" I didn't expect him to end up with a load of wires on the floor, I expected him to plug each one back in after 2 seconds.
Ethernet can cope with a brief unplug without difficulty.
If *I* was doing it and I had fancy switches I would still pull wires. How many places have a map of the wiring and mac addresses on switch ports and so forth? And if folk are able to plug in wireless access points where they like, do you think such maps and charts would be up-to-date?
Maybe I'd try it that way for fun, but networks grow and breed in weird ways, hence the wire-pull suggestion: "it will work"
Sam
Re:Pull wires (Score:2)
Does it really kill that fast? I thought it at least gave a few seconds before ripping out all the sockets?
Sam
Re:Pull wires (Score:3, Informative)
(Well, okay, maybe that last could be interpreted in more than one way, but you know what I mean!
Re:Pull wires (Score:2)
Of course most of the ideas i've read don't help with non-broadcast/non-open [e]ssid. You could always just do mac address security on your switch (if possible) and lock it down to existing hosts (except for your conf room lans where you may have g
Commercial Solutions (Score:5, Informative)
Other vendors selling a similar products include Airmagnet and AirDefense. Some of the bigger AP infrastructure guys such as Cisco even have some built in products to do similar things.
The big advantage I found with NNI is that their product helps reduce false positives by identifying APs outside our building and labeling as such - so when a Sears truck drives by with a built in AP our alarm bells don't go off. Other neat things include a cool RADIUS service that "authorizes" connections based on location. Tied together with other authentication services that would make for a really really powerful solution for securing your wireless.
Anyway, hope that helps find some good solutions for you.
-Jack Ash
PS: No, I am not an employee of NNI or anything of the sort, I'm just a guy who went through your exact problem last year and ended up finding this solution.
Re:Commercial Solutions (Score:2)
Oh, and regarding the RADIUS stuff, the authentication can be based on things like "Joe's laptop is in Conference room 6N, so he's authorized for wireless inside that room but not outside it". Obviously you need to define your rules in the software but you get the gist. The system
Re:Commercial Solutions (Score:2, Informative)
Comment removed (Score:5, Funny)
Roguedetect from the OSU open source lab (Score:4, Informative)
Re:Roguedetect from the OSU open source lab (Score:4, Informative)
In my experience, that map will never reflect reality and may cause many wild goose chases.
Re:Roguedetect from the OSU open source lab (Score:2)
Re:Roguedetect from the OSU open source lab (Score:2)
If configured to do so, but you don't need to have dhcp to use an access point.
Log into the access point and... (Score:4, Funny)
Hey, if it works for a maze of Linux machines
But in all honesty, you probably want a directional antenna as the other posters are suggesting. However, I suggest you get 2-3 volunteers, each with their own directional antenna. It will be easier to triangulate the signal if you have 3 folks coming in from 3 different angles.
MAC address (Score:3, Insightful)
You should also keep your servers secured against your internal network, only allowing services that are actually needed. There's a tendency to trust everything internal on your network -- but really, with wifi and so many people having laptops, as well as systems infected with viruses and spyware, the internal network is just as volatile as the internet itself.
Re:MAC address (Score:3, Insightful)
About the only way you can really lock this down via MAC addresses is to restrict what MAC can appear on what Switch port in your network. This does require that you have managed switches.
Another thing to do would be to check the mac list in your DHCP ser
Re:MAC address (Score:2)
Re:MAC address (Score:2)
Well, that's why I said to only allow approved MAC addresses -- not find and ban MACs of the AP's (one of the big problems was locating them in the first place).
Use several methods. (Score:3, Informative)
If you are attempting to do this for a multi story building then you may choose to sweep in a sphere, or simply do the single floor sweep with multiple locations on each floor.
This will give you a good general location to search more closely.
If this doesn't help or work very well, or you are interested in the armchair approach, try searching from the network.
You know the IP address of the access point. If you don't, connect to it and find out. This may require breaking a WEP key, and setting up an internal website that shows the AP's WAN IP address when you view the page if the AP is set up to route and NAT.
Now that you have the IP address, you should also have the MAC. Set up the DHCP server to deny that MAC an IP address if you don't want to worry about it and think the person isn't very bright.
Use your routers to find the port or hub the AP is connected to, and use various network tools to locate the actual connection. You could flood the network with ARPs or pings for the IP and pull plugs until it stops responding.
If you're certain it is the only device on that wire you could 'disable' it with an etherkiller. Of course, you may also set the building on fire, but either way the AP will stop.
You could also setup a rogue machine that listened to the wireless signal and spoofed TCP/IP responses for webpages and images. If the people can't use the AP, then it's effectively dead.
There are a variety of ways to further shut down APs, but this ought to get you started.
-Adam
Re:Use several methods. (Score:2)
Say there is a rogue node out there and it has your internal address of 10.0.0.10 (router of
Re:Use several methods. (Score:2)
1. Mac addresses of machines. At my workplace, it's mostly Dell machines, a few Compaqs and a few legacy kingston ethernet cards in either (more about this in #2)
2. All ethernet devices have a pre-defined "preamble" that defines the manufacturer. Dump your arp table off of your managed switch and look for these.
If you get good at this, you would be able to glance at your switch's tables and see at the very lea
Synopsis (Score:2)
FINDING A ROGUE ACCESS POINT
Simple step-by-step instructions for PHBs
1. Break WEP key on access point
2. Turn on routing and NAT on the AP
3. Set up an internal website to log its WAN IP address
4. Given the IP address, find the MAC
5. Set up DHCP server to deny the MAC and IP address
6. Flood the network with ARPs.
7. Set up a honeypot that spoofs TCP/IP responses.
8. ???
9. Now that you have found the AP, unplug it. (The black cable with two prongs at the end)
Fake it (Score:2, Interesting)
Is it open? (Score:3, Interesting)
Re:Is it open? (Score:3, Insightful)
Check the LAN switches (Score:4, Insightful)
Re:Check the LAN switches (Score:2)
If you have managed switches, you should be able to get the physical port number, then take a walk to the wiring closet, and find out what's patched to that switch port.
Hopefully you have some documentation of what desk is at the other end of your patc
Re: (Score:2)
Re:MAC address (Score:2)
Except that in response to many cable Internet companies' restrictions on MAC addresses, most SOHO wireless routers come with an option to manually set the WAN MAC address, and/or a button to clone the MAC of the machine connected to port #1. It's possible that the WAP may be hidden amongst your own corporate machines.
Treat the DISEASE, not the symptoms (Score:3, Insightful)
Supply your users with a better wireless network! Make sure there is connectivity EVERYWHERE & then lock your own network down (through VPN, WPA+Radius, or whatever).
If even facility-provided wireless is absolutely verboten everywhere, just put up jammers & be done with it.
Or change your AUP and internal network security so that you wouldn't care about WAPs.
If you decide to go hunting for them, you'll have to do it more than once. There is employee turnover & machine turnover & anyone can bring in a new WAP.
Re:Treat the DISEASE, not the symptoms (Score:2)
Although the poster hasn't stated his intentions when finding the responsible employee I hope he considers asking him (presuming he didn't just forget to turn off the AP) why he needed it, overlooking the incident, no harm done (after securing the network) and seeing what can be done to prevent the need for using these devices in the future.
You're spot on.
Simpsons Quote (Score:3, Funny)
"I have captured the signal and am presently triangulating the vectors and compressing the data down in order to express it as a function of my hand... They're over there!"
Well... (Score:2)
What you really need to do for the medium-long term is prevent the access points from working at all (something like only allowing registered MAC addresses to get DHCP leases, for one example).
non-tech solution (Score:4, Insightful)
Worker bees will comply almost instantly. If it's still on the air by that evening, start looking in manager offices. If you can at least isolate it to one floor you should be able to just LOOK for it. It's connected to the network, right? Follow some ethernet cables and you'll eventually find it. It's not like they would hide it in a metal filing cabinet.
And when you do find it, don't be an @$$ about it. Just remind the misguided soul that this is against corporate IT policy and we'll be happy to extend a supported AP into the ceiling near you on monday.
RF "video" camera (Score:3, Interesting)
Re:RF "video" camera (Score:2)
There is but Geordi is still using it because his bionic eyeballs haven't been invented yet. Perhaps you could substitute a small engine air cleaner.
Just ASK! And then use your eyes. (Score:2)
People will generally do the right thing.
After a week or so, just walk around with something running Kismet to alert you to the obvious, but more importantly simply LOOK in peoples cubies: If you try to hide an AP/R
Forget signals.... (Score:2)
1) Attach to the access point (assuming it's not using WPA)
2) Traceroute back to find out the access point's IP
3) Look up in your manuals (you *do* have manuals, don't you) to find out where that IP block is assigned
4) Invade the sales department.
Alternatively, after you connect, try the usual addresses to access the admin interface of the AP. Change it to some settings that will never work, then chan
Err... (Score:2)
Do you really need to physically locate them? (Score:2)
What you could do is attach to the wireless network (don't try this in Florida
Next look for the MACs in all your switches (easily automated queries to you
Another solution (Score:2)
Another solution is to combine a GPS unit (Or just a map of your office since you know where you are in it) with the detailed signal strength that apps like netstumbler can produce. As you walk around the office you're plotting signal strength points on a map. It would shortly become quite clear. Given enough points you don't even need to do any math or draw any lines. With very few points you can still
Re:Another solution (Score:2)
Re:Another solution (Score:2)
GPS is good for figuring out where an access point is, but only on a building level, (is the AP in this building or that one?) not on a desk/office/cubicle level.
Also, see other posts for good points regarding the issue of indoor reflections of signal.
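The signal-strength mapping idea from this sub-thread, as an added example that is not part of any poster's comment: fit a log-distance path-loss model to walk-around readings and pick the floor-plan cell that explains them best. The survey points, the floor size and the path-loss exponent are constructed assumptions; the RMS error it reports is the check against the reflection problem mentioned above.

```python
import math

# Constructed walk-around survey: (x_m, y_m, rssi_dBm) for one BSSID on a
# 30 m x 20 m floor. The readings were made up for this example from a
# transmitter placed at (12, 7) and rounded to whole dBm, as survey tools report.
SAMPLES = [
    (2, 2, -71), (10, 2, -62), (20, 2, -69), (28, 4, -76),
    (26, 14, -76), (16, 16, -70), (6, 16, -71), (2, 10, -71),
]

PATH_LOSS_EXPONENT = 3.0  # assumption: cluttered office; 2.0 would be free space
MIN_DISTANCE_M = 0.5      # avoids log10(0) when a candidate sits on a sample


def loss_db(ax, ay, sx, sy, n):
    """Path loss in dB between candidate AP (ax, ay) and sample point (sx, sy)."""
    d = max(math.hypot(sx - ax, sy - ay), MIN_DISTANCE_M)
    return 10.0 * n * math.log10(d)


def fit_at(ax, ay, samples, n=PATH_LOSS_EXPONENT):
    """If the AP were at (ax, ay): best-fit power at 1 m and RMS error in dB.

    Model: rssi = p0 - 10 * n * log10(distance). For a fixed position the
    least-squares p0 is simply the mean of (rssi + loss) over all samples.
    """
    offsets = [rssi + loss_db(ax, ay, sx, sy, n) for sx, sy, rssi in samples]
    p0 = sum(offsets) / len(offsets)
    rms = math.sqrt(sum((o - p0) ** 2 for o in offsets) / len(offsets))
    return p0, rms


def estimate(samples, width_m, height_m, step_m=0.5, n=PATH_LOSS_EXPONENT):
    """Grid-search the floor plan for the position with the lowest RMS error."""
    best = None
    for i in range(int(round(width_m / step_m)) + 1):
        for j in range(int(round(height_m / step_m)) + 1):
            ax, ay = i * step_m, j * step_m
            p0, rms = fit_at(ax, ay, samples, n)
            if best is None or rms < best["rms_db"]:
                best = {"x": ax, "y": ay, "p0_dbm": p0, "rms_db": rms}
    return best


if __name__ == "__main__":
    est = estimate(SAMPLES, 30, 20)
    print("estimated position: (%.1f, %.1f) m" % (est["x"], est["y"]))
    print("fitted power at 1 m: %.1f dBm" % est["p0_dbm"])
    # A fit error of several dB means the model does not describe the readings
    # (reflections, another floor); treat the position as a search area only.
    print("RMS fit error: %.2f dB" % est["rms_db"])
```
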
Vague on details (Score:3, Insightful)
Let me get this straight...you're out to find "unauthorized" network activity between computers? As stated in previous posts, who owns these computers? Who owns the network?
If it's your network, then you need to record the MAC address of the unauthorized machines and use security measures to lock network. More securely, you can even configure the network to provide service *only* to authorized network adapters. That's how they do it here, and this is a public school (if THEY can do it, then you certainly can ;) The IT administration here is a bunch of boneheads).
But what happens if they're not on your network? Well, then we start to cross into a gray area of sorts. More variables need to be considered where none are given, such as who owns the machines and what restrictions the employees have agreed to previously.
If they own the computers, are running the network themselves, and are not violating any agreement with their employer, then finding/squashing the networks is really none of your business.
Re:Vague on details (Score:2)
Say you want to use your corporate laptop in a conference room without a network connection and you don't have 802.11. You circumvent IT and set up your own and plug it into the network. Congrats! You could easily have just opened up the network to neighboring companies, wardrivers, etc. "oops!"
As to the presumption that its fine to bring equipment in to the office. Say you want to bring in a personal
Re:Vague on details (Score:2)
Re:Vague on details (Score:2)
"If they own the computers, are running the network themselves, and are not violating any agreement with their employer, then finding/squashing the networks is really none of your business."
I disagreed. Adding your own wireless network that is connected to the corporate network is a security risk.
Re:Vague on details (Score:2)
Well, if they are not violating an agreement with their employer, then there is no policy against their activities, yes? If indeed there is a security risk, then the issue should be addressed formally and considered fully before taking action. Once policy is established, the employees then must comply.
In case you think otherwise, I don't disagree with you at all; everything you said makes sense. I was just wondering how they were related because you seemed to take a contrary position. :)
Anyway, all I m
Re:Vague on details (Score:2)
Use a custom antenna (Score:2)
This one [slashdot.org] is highly directional.
These [slashdot.org] might be easier to aim.
adsfdsaf (Score:2, Funny)
Independence Day (Score:2)
I'm no network security expert, but you could scan all machines for those with abnormal ports open. You could look for 80 or 8080. I think XP machines do not listen on port 113 while off the shelf wireless routers do. Then just cut off that user. Obviously i
Peasant mobs with pitchforks and torches. (Score:2)
I hope you fail (Score:3, Interesting)
Each access point that exists is an employee's time and money your IT department wasted. Now you are wasting more time and money hunting them down and if you succeed you will waste even more by forcing the employee to find another workaround.
Some people's job is to get stuff done. Other people's is to stop people from getting stuff done. Most companies would be better off if they fired everyone of the second type.
Auditor! (Score:2)
A Fluke [fluke.com] Can help regarding signal strength, but the built-in antennas generally aren't great for spotting directions. They can help you start delimiting a general area without having you look like an idiot walking around w
GPS? (Score:2)
Do I "smell" a new market (Score:2, Funny)
Next..the amazing WAP smelling dog [sony.net].
arpwatch and/or jffnms (Score:2)
A wireless access point with no internet connect isn't much of a threat.
You could also run a program like jffnms that probes your switches for ports. When a new port comes active, you should see it pop up on the interface. You can then match that up with arpwatch to see if that's a valid
Open or Closed Network? (Score:2)
If it is closed, finish closing it, don't let your routers even talk to unauthorized devices that might get plugged in (so you don't talk to the wifi box), and ring alarms if unauthorized MAC addresses appear. Certainly don't have your DHCP server issue IP addresses to just any device that gets plugged in.
If your network is open (because you secure your traffic and machines), then maybe there is no harm in having wifi on it. Install access points for your
Follow the cabling... (Score:2, Informative)
-Find the interface which has learned this MAC address.
-Identify the cabling port that connect to that interface.
-Consult your cabling schedule to determine the location of that port.
Or next time save yourself the headache of unauthorized devices plugging into your network and implement some type of network authentication scheme. That, or, shut down all unused ports and set your switches to only learn one mac address per port.
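The switch-side lookup described in this comment and in the earlier vendor-prefix comment, as an added example that is not part of the original thread: it parses a MAC address table dump, finds the port that learned a given MAC, and flags access ports that hold several MACs or an unfamiliar vendor prefix. The table text, port names, cabling schedule and approved-prefix list are all constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of a Cisco-style "show mac address-table"
# dump. Every address, port and room below is made up for illustration.
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4401    DYNAMIC     Gi0/1
  10    0011.2233.4402    DYNAMIC     Gi0/2
  10    0a1b.2c3d.4e5f    DYNAMIC     Gi0/7
  10    0011.2233.4403    DYNAMIC     Gi0/7
  10    0011.2233.4404    DYNAMIC     Gi0/7
  10    0011.2233.44aa    DYNAMIC     Gi0/24
  10    0011.2233.44ab    DYNAMIC     Gi0/24
"""

# Hypothetical site data: cabling schedule, uplink ports, purchased-vendor prefixes.
CABLING = {"Gi0/1": "Desk 3-101", "Gi0/2": "Desk 3-102", "Gi0/7": "Conference room 3B"}
UPLINKS = {"Gi0/24"}          # uplinks legitimately carry many MACs
APPROVED_OUIS = {"001122"}    # first three bytes of each approved vendor's MACs

ROW = re.compile(r"^\s*\d+\s+([0-9a-fA-F.:-]{12,17})\s+\S+\s+(\S+)\s*$")


def normalize(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return digits


def parse_mac_table(text):
    """Return {port: [mac, ...]}; header and separator lines do not match ROW."""
    ports = defaultdict(list)
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            ports[m.group(2)].append(normalize(m.group(1)))
    return dict(ports)


def locate(mac, ports):
    """Access ports (uplinks excluded) on which the switch learned this MAC."""
    target = normalize(mac)
    return sorted(p for p, macs in ports.items()
                  if p not in UPLINKS and target in macs)


def audit(ports):
    """Flag access ports with more than one MAC or an unapproved vendor prefix."""
    findings = []
    for port in sorted(ports):
        if port in UPLINKS:
            continue
        macs = ports[port]
        unapproved = [m for m in macs if m[:6] not in APPROVED_OUIS]
        if len(macs) > 1 or unapproved:
            findings.append({"port": port,
                             "location": CABLING.get(port, "undocumented"),
                             "mac_count": len(macs),
                             "unapproved": unapproved})
    return findings


if __name__ == "__main__":
    table = parse_mac_table(MAC_TABLE)
    print(locate("0A:1B:2C:3D:4E:5F", table))
    for finding in audit(table):
        print(finding)
```

The vendor-prefix check does not survive the MAC cloning described elsewhere in the thread, and the MAC-count check only fires when the access point bridges its clients onto the port rather than hiding them behind NAT.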
Re:What are you going to do once you find them? (Score:2)
Re:What are you going to do once you find them? (Score:2)
Re:What are you going to do once you find them? (Score:2)
Re:What are you going to do once you find them? (Score:2)
The equipment at work is the property of work. It is not to be abused, or used outside the scope of what is deemed proper by IT.
We locked machines down about 5 years ago - had people complaining up a storm about not having access to "their" machine. Simple things back then, such as not being able to change their background or screen saver.
Some of us within IT do have full admin access to our machines (development etc) - but this is with the und
Re:What are you going to do once you find them? (Score:2)
Personal Equipment (Score:2)
For case #2, if you are improperly using company equipment you get written up or fired. Besides, unless you are an admin you wouldn't have rights to install the drivers in the first place..
Sounds like the original poster needs to crack down a bit in general.. If he can..
Re:What are you going to do once you find them? (Score:3, Insightful)
Re:What are you going to do once you find them? (Score:2)
"Rouge" Access Points?
Most of the AP hardware I've seen is some combination of Silver, Black, or Blue. Or perhaps White. But honestly, does it really matter what color it is?
No, wait... I think I found it [yahoo.com]!!
Re:What are you going to do once you find them? (Score:3, Insightful)
Well, yes, it is possible to have an access point that's not plugged into the network, but that's not very likely. (And if it's not plugged into the network, it's not a problem. But it's not always obvious that this is the case until you find it.) It's quite likely that if you find a rogue AP somewhere inside your office building, it's connected to the (wired) network.
(Though if you didn't like your IT department, you certainly could set
Re:What are you going to do once you find them? (Score:2)
I've done that too. (With all the spare APs I seem to have obtained, why not?) (Though from what I've seen, most wardrivers are just making maps, and not actually looking to use any of the APs that they find. It's interesting just seeing how many there are, how many are secured, and how that changes over time.)
Alas, I never
Re:What are you going to do once you find them? (Score:2)
This depends on the company policy. The company I currently work for has a policy of no computers, PDA's, etc except those provided by the company. They have temporarily taken an employee's computer, made sure no company IP was on the computer and escorted the employee/contractor out the door.
Re:What are you going to do once you find them? (Score:2)
They have temporarily taken an employee's computer, made sure no company IP was on the computer and escorted the employee/contractor out the door.
That would seem to me to be rather illegal. Not that I don't understand the reasoning behind it but it's still quite illegal and if the employee sued them they would probably have lost big time.
The legal response to that would be to get an injunction to prevent them from revealing any IP contained on the machine while pursuing a court order to let your guys t
Re:What are you going to do once you find them? (Score:2)
I think that if there is a clear policy against doing something, and it's on private property, which corporations and golf courses are, and you are caught breaking said policy then they are given some leewa
Re:What are you going to do once you find them? (Score:2)
IANAL, but I don't see how this is any different than if you go to a professional golf tournament and get caught using your camera, and they take it, they open the camera, destroy the film and give the camera back to you, (unless it's one of those disposables, of course they may give you back the pieces).
And I would still say that is illegal. The only legal recourse they'd have would be to get an injunction to prevent you from selling the pictures. They can't take your property away and destroy it. Jus
Re:What are you going to do once you find them? (Score:2)
I agree with you, it certainly is against the fundamental concept of rights that the founding fathers had, but I witness this sort of stuff happen on a regular basis. Just because you and I believe something is against the fundamental rights given
Re:What are you going to do once you find them? (Score:2)
I would think if the practice was illegal then given the type of people that go to golf tournaments it would have been tested in a court of law by now. I have had it done to me, years ago, and every time I attend one, I witness it happen to at least 2 or 3 people.
Then those people don't stand up for their rights. If you refused to physically hand the camera over to them, what are they going to do about it? Hold you down and take it away? Refuse to let you leave if you start to walk away? I'd dare them
Re:You Have Bigger Problems (Score:3, Interesting)
True, but unauthorized access points give one more point of entry that someone outside the company can use to find a weakness; no network can be 100% secure, and preventing physical access is yet another tool in securing it.
If you have a wireless AP around then someone can get in from outside the building, after hours, when nobody is around to notice the intrusion...