RE: HW/SW Rogue AP Wireless Detection

From: Joshua Wright (Joshua.Wright@jwu.edu)
Date: Tue Mar 18 2003 - 08:12:54 EST

• Next message: Dave Aitel: "Re: Spike"
• Previous message: Marco van Berkum: "strange urlscan behaviour"
• Maybe in reply to: Gary Nugent: "HW/SW Rogue AP Wireless Detection"
• Next in thread: Daren Nowlan: "Re: HW/SW Rogue AP Wireless Detection"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

It is unwise to use NetStumbler or MiniStumbler for detecting rogue AP's. Since both of these tools use the active scanning mechanism described in IEEE 802.11 1997, they will be unable to detect those AP's that are using "cloaked" SSID's. You are likely to find rogue's that don't know enough to hide their presence, but you will not locate rogues that don't want to be found.

Kismet on an iPaq has worked well for me, but it requires the Familiar or Intimate Linux distribution to be installed over PocketPC. Kismet will also run on a Zaurus, but has limited battery life and no .11a support. The Home Shopping Network (of all places) is selling the Zaurus for $200 (http://www.hsn.com/cnt/prod/default.aspx?pfid=694341&club_id=694341&sz=0&sf=&dept=&cat=) - already runs Linux. Note that you will also need an 802.11b CF card to use the Zaurus with Kismet.

You may also wish to check out the WinFingerprint project at http://winfingerprint.sourceforge.net/aptools.php for wired-side rogue AP scanning (as an added measure of precaution, not your sole solution for detecting rogues). Of course, the ultimate solution is AirDefense (http://www.airdefense.net/).

-Joshua Wright
Senior Network and Security Architect
Johnson & Wales University
Joshua.Wright@jwu.edu
http://home.jwu.edu/jwright/

pgpkey: http://home.jwu.edu/jwright/pgpkey.htm
fingerprint: FDA5 12FC F391 3740 E0AE BDB6 8FE2 FC0A D44B 4A73

> On Fri, Mar 14, 2003 at 03:05:28PM -0500, R. DuFresne wrote:
> > doesn't this setiup though limit you to 802.11b scanning
> and thus leave
> > you open to rogue 802.11a AP's?
> >
>
> kismet supports 802.11a scanning in the latest version. it uses the
> vt_ar5k drivers for gnu/linux from http://team.vantronix.net/ar5k/.
>
> but you need an atheros ar5000- based 32bit cardbus/pci card and i'm
> not sure if it's possible to run it on the ipaq. nevertheless, these
> cards need some more power which could be a problem on any mobile
> device.

----------------------------------------------------------------------------
Did you know that you have VNC running on your network?
Your hacker does. Plug your security holes now!
Download a free 15-day trial of VAM:
http://www2.stillsecure.com/download/sf_vuln_list.html

• Next message: Dave Aitel: "Re: Spike"
• Previous message: Marco van Berkum: "strange urlscan behaviour"
• Maybe in reply to: Gary Nugent: "HW/SW Rogue AP Wireless Detection"
• Next in thread: Daren Nowlan: "Re: HW/SW Rogue AP Wireless Detection"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:30 EDT