NetStumbler.org Forums

Old 01-19-2005   #1
humdinger
Registered Member
 
Join Date: Jan 2005
Posts: 8
Detecting Rogue Access Points

I plan on using Netstumbler to detect rogue access points within my organisation's premises.

From what I've read, I shouldn't have a problem in detecting the presence of a wireless access point, however I could face some difficulty in determining the exact location of the device.

It would appear that two main solutions are offered. The first would be to use a laptop with a highly focused antenna (Yagi or Parabolic would seem ideal), and use this setup from the likes of the car park. From there I could "paint the walls" with the antenna and should be able to determine which office the access point is located in, before heading inside for a closer examination.

My other option appears to be to use a PDA and wander up and down the halls, scanning for access points. From what I've read it seems that this is the best method for detecting the presence of an access point, but is not ideal for determining the exact location of an access point (or even if it's a foreign device).

It may help if you have some background information on the organisation. It's a fairly small company, yet the building is moderately sized - 3 stories high, with two wings containing open plan offices. The budget is limited, which is why we can't simply install a lot of sensors around the building to permanently scan the area, nor can we afford the services of an external "wireless scanning expert/contractor". We currently have no wireless networks within the organisation (that we know of!).

Now to the point of the post (the questions).

Firstly, can anyone spot any major flaws in the above two options, or point out a solution that I may have missed.

Secondly - would it be possible to use a Yagi or Parabolic antenna indoors and sweep the building from my desk? Or would I have to wander around juggling a laptop and large antenna?

Thirdly - It would appear that both the Yagi and Parabolic antennas offer very focused beams, is one more ideal than the other for this type of use?

Fourthly - Is it possible to attach an external antenna to a PDA with a compact flash or SD I/O card based wireless adaptor? If so, which adaptor would you recommend?

Finally - Could I use the PDA in such a manner, whereby once I detect a wireless access point I could then dampen the field (by wrapping it in a foil bag). I could then use this limited range to help me get a better idea of where exactly the access point is located (using the logic - if it detects it whilst the signal is dampened then it must be close).

Thanks for taking the time to read this post. I'd appreciate your advice before I spend any money on this project.
Old 01-19-2005   #2
nashr
Uber Geek

Join Date: Aug 2002
Location: Virginia
Posts: 1,615
Quote:
Originally Posted by humdinger
I plan on using Netstumbler to detect rogue access points within my organisation's premises.

From what I've read, I shouldn't have a problem in detecting the presence of a wireless access point, however I could face some difficulty in determining the exact location of the device.

It would appear that two main solutions are offered. The first would be to use a laptop with a highly focused antenna (Yagi or Parabolic would seem ideal), and use this setup from the likes of the car park. From there I could "paint the walls" with the antenna and should be able to determine which office the access point is located in, before heading inside for a closer examination.

My other option appears to be to use a PDA and wander up and down the halls, scanning for access points. From what I've read it seems that this is the best method for detecting the presence of an access point, but is not ideal for determining the exact location of an access point (or even if it's a foreign device).

It may help if you have some background information on the organisation. It's a fairly small company, yet the building is moderately sized - 3 stories high, with two wings containing open plan offices. The budget is limited, which is why we can't simply install a lot of sensors around the building to permanently scan the area, nor can we afford the services of an external "wireless scanning expert/contractor". We currently have no wireless networks within the organisation (that we know of!).

Now to the point of the post (the questions).

Firstly, can anyone spot any major flaws in the above two options, or point out a solution that I may have missed.

Secondly - would it be possible to use a Yagi or Parabolic antenna indoors and sweep the building from my desk? Or would I have to wander around juggling a laptop and large antenna?

Thirdly - It would appear that both the Yagi and Parabolic antennas offer very focused beams, is one more ideal than the other for this type of use?

Fourthly - Is it possible to attach an external antenna to a PDA with a compact flash or SD I/O card based wireless adaptor? If so, which adaptor would you recommend?

Finally - Could I use the PDA in such a manner, whereby once I detect a wireless access point I could then dampen the field (by wrapping it in a foil bag). I could then use this limited range to help me get a better idea of where exactly the access point is located (using the logic - if it detects it whilst the signal is dampened then it must be close).

Thanks for taking the time to read this post. I'd appreciate your advice before I spend any money on this project.
I've actually walked the halls with a laptop (no external antenna, just PCMCIA card). Obviously, this is not the best method, but I think an iPaq setup would work just fine. The biggest problems will probably be due to your building construction, although in some limited manner this could work to your favor.

I had problems determining what floor the signal came from. I thought it had to be on my floor due to signal strength, then someone pointed out that there was a conference room above us. We went up one flight and found a contractor ("Big 4" no less) hooked into the gov't network with his wifi activated. Argh!

The part that may work to your advantage is if the building construction does limit the signal, it may make it easier for you to isolate the location (you may not "see" it as far away).

Good luck!
__________________
Help! I've been Simpsonized!
Old 01-19-2005   #3
Monitr7
Not feeling funny...

Join Date: Jan 2003
Location: Rebrandsoftware's mom's house...
Posts: 1,699
Quote:
Originally Posted by humdinger
It would appear that two main solutions are offered. The first would be to use a laptop with a highly focused antenna (Yagi or Parabolic would seem ideal), and use this setup from the likes of the car park. From there I could "paint the walls" with the antenna and should be able to determine which office the access point is located in, before heading inside for a closer examination.
Just remember to hit the building from three sides, to better triangulate the position of the AP. If you only hit one side, it may look like the AP is on the second floor, but you're actually "shooting" up into the third. Two extra sweeps, on the side and back of the building, will help give a better approximation.

Quote:
Originally Posted by humdinger
My other option appears to be to use a PDA and wander up and down the halls, scanning for access points. From what I've read it seems that this is the best method for detecting the presence of an access point, but is not ideal for determining the exact location of an access point (or even if it's a foreign device).
If you use an iPAQ with a PCMCIA sleeve, an Orinoco card, and a Yagi, it would make life a little easier; for that approach and just about every other.

Quote:
Originally Posted by humdinger
Firstly, can anyone spot any major flaws in the above two options, or point out a solution that I may have missed.
Sounds like you have a pretty good idea of what you want to do. Your above approaches are sound, but take the above advice, if you like.

Quote:
Originally Posted by humdinger
Secondly - would it be possible to use a Yagi or Parabolic antenna indoors and sweep the building from my desk? Or would I have to wander around juggling a laptop and large antenna?
You can't really hunt that well from a stationary position. The Yagi is a good idea, as it allows for pinpointing of the AP. Don't use a laptop; an iPAQ would be much better suited for inter-office AP hunting.

Quote:
Originally Posted by humdinger
Thirdly - It would appear that both the Yagi and Parabolic antennas offer very focused beams, is one more ideal than the other for this type of use?
Personally, I prefer the Yagi, as it isn't quite as focused as a parabolic. If the beam is too narrow, you might inadvertently pass over an AP. The Yagi allows for small side and rear lobes that could still detect the AP, even if the Yagi isn't directly pointed at it.

Just my .02 USD.
__________________
WTOTD Industries - Where quality is Job #3.

G8tK33per doesn't care about the tarded people!
-Kanye West
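Monitr7's advice to hit the building from three sides is, in effect, a triangulation problem: each exterior sweep with a directional antenna gives a bearing line the AP lies on, and the lines only fix a point when they come from different sides. The following is an added example, not code from the thread or from any poster; it combines bearings from several observer positions into a least-squares position estimate. The building footprint, observer positions, the AP location and the 2-degree bearing error are all constructed values.

```python
"""Least-squares intersection of bearing lines taken from several sides of a
building (added example; constructed coordinates and bearings)."""
import math


def bearing_to(origin, target):
    """Bearing in radians from origin to target (0 = +x axis, counter-clockwise)."""
    return math.atan2(target[1] - origin[1], target[0] - origin[0])


def estimate_position(observations):
    """observations: list of ((x, y), bearing_rad).

    Returns the point minimising the sum of squared perpendicular distances to
    every bearing line. Raises ValueError when the bearings are (near) parallel,
    which is exactly what a single-side sweep produces: it gives a line, not a
    point, so the floor/office remains ambiguous.
    """
    a11 = a12 = a22 = b1 = b2 = 0.0
    for (ox, oy), theta in observations:
        dx, dy = math.cos(theta), math.sin(theta)
        # Projector onto the normal of the bearing line: I - d d^T
        m11, m12, m22 = 1.0 - dx * dx, -dx * dy, 1.0 - dy * dy
        a11 += m11
        a12 += m12
        a22 += m22
        b1 += m11 * ox + m12 * oy
        b2 += m12 * ox + m22 * oy
    det = a11 * a22 - a12 * a12
    if abs(det) < 1e-9:
        raise ValueError("bearings are parallel: sweep from another side of the building")
    x = (a22 * b1 - a12 * b2) / det
    y = (-a12 * b1 + a11 * b2) / det
    return x, y


# Constructed scenario: 40 m x 20 m footprint with the rogue AP at (25, 12) m.
TRUE_AP = (25.0, 12.0)


def three_side_sweep():
    """Front, side and back positions; each bearing is off by 2 degrees to
    mimic the width of a Yagi lobe. Returns the position estimate."""
    observations = [
        ((25.0, -15.0), math.radians(92.0)),   # car park in front, true bearing 90
        ((50.0, 12.0), math.radians(178.0)),   # east side, true bearing 180
        ((25.0, 35.0), math.radians(-88.0)),   # back of the building, true bearing -90
    ]
    return estimate_position(observations)


def one_side_sweep():
    """Two readings from the same side, both looking straight in: parallel lines."""
    observations = [
        ((20.0, -15.0), math.radians(90.0)),
        ((30.0, -15.0), math.radians(90.0)),
    ]
    return estimate_position(observations)


if __name__ == "__main__":
    x, y = three_side_sweep()
    print(f"estimate ({x:.1f}, {y:.1f}) m, true AP at {TRUE_AP}")
    try:
        one_side_sweep()
    except ValueError as err:
        print("one-side sweep:", err)
```

With bearings from three sides the estimate lands within about a metre of the constructed AP position even with a 2-degree error on every reading; the one-side case fails loudly instead of returning a misleading point, which is the ambiguity Monitr7 describes (a second-floor reading that is really the third floor).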
Old 01-19-2005   #4
humdinger
Registered Member

Join Date: Jan 2005
Posts: 8
Thanks for the advice. I'm glad I'm not the only person who has had problems in this area.

I've tried walking around the halls with a laptop. Like you say, it works, but is far from the ideal solution (it's not very discreet either).

I'm curious to find out what other 'experts' think of the hardware solutions I suggested. Perhaps the ideal option would be a combination of the two?

One possibility I guess would be to test it. Plant one person with a wireless device running in ad-hoc mode and have another trying to locate him (similar to the "Running Man" competition run by Thorn). If we find the running man then we have our solution. I'd be willing to try this out with my personal equipment (PDA) before spending company money; one thing I don't have access to is an antenna however, so I won't be able to determine whether or not this will offer a great advantage over the PDA.
Old 01-19-2005   #5
humdinger
Registered Member

Join Date: Jan 2005
Posts: 8
Thanks Monitr7,

"If you use an iPAQ with a PCMCIA sleeve, an Orinoco card, and a Yagi, it would make life a little easier; for that approach and just about every other."

Top plan. That way I'll be able to use the PCMCIA card in both the laptop (which we already own) and the PDA (which we'll have to purchase). I could kick myself for not thinking of that.

Could you just confirm whether or not you think the YAGI would work when "painting the walls" from the outside, as the beam isn't as focused?

Thanks for your time.

edit: Typos
Old 01-19-2005   #6
Monitr7
Not feeling funny...

Join Date: Jan 2003
Location: Rebrandsoftware's mom's house...
Posts: 1,699
Quote:
Originally Posted by humdinger
Could you just confirm whether or not you think the YAGI would work when "painting the walls" from the outside, as the beam isn't as focused?
Yep, it'll work just fine. It's definitely focused enough for what you want to accomplish. I've gone with the Yagi for the past three years, and it hasn't let me down yet. No matter how narrow the beam, you'll still have to do some searching in the approximate area of the AP.
Old 01-19-2005   #7
Thorn
Did you do the math?

Join Date: Apr 2002
Location: Villa Straylight
Posts: 10,098
Quote:
Originally Posted by humdinger
Firstly, can anyone spot any major flaws in the above two options, or point out a solution that I may have missed.
No major flaws. You've pretty much nailed it.

Quote:
Originally Posted by humdinger
Secondly - would it be possible to use a Yagi or Parabolic antenna indoors and sweep the building from my desk? Or would I have to wander around juggling a laptop and large antenna?
It's possible, but large antennae are better for exterior sweeps. A 24dBi dish is about 2ft. across. It's a bit awkward to be swinging one of those.

Quote:
Originally Posted by humdinger
Thirdly - It would appear that both the Yagi and Parabolic antennas offer very focused beams, is one more ideal than the other for this type of use?
For interior sweeps, use either a laptop and low-gain Yagi (~10dBi or less) on "mailroom" type cart (I like the Rubbermaid models - less metal to throw signals off) or a Pocket PC and a low-gain Yagi.

Quote:
Originally Posted by humdinger
Forthly - Is it possible to attach an external antenna to a PDA with a compact flash or SD I/O card based wireless adaptor? If so, which adaptor would you recommend?
It's possible, but it means cracking the case and adding cabling and connectors yourself; ugly but it works. You'll have to have some minimal skills with a soldering iron and electronics to do it. Check Google, I've seen one HOWTO for a CF card, but don't recall the address.

Quote:
Originally Posted by humdinger
Finally - Could I use the PDA in such a manner, whereby once I detect a wireless access point I could then dampen the field (by wrapping it in a foil bag). I could then use this limited range to help me get a better idea of where exactly the access point is located (using the logic - if it detects it whilst the signal is dampened then it must be close).
From experiments I've found that a Mylar-coated snack bag (e.g. Lay's Potato Chips) will consistently attenuate the signal about 7 to 8dBm. Chris, myself and the other WarDriving Contest staff members used this exact method for the RunningMan Mini-Game at DefCon12. http://www.blackthornsystems.com/ed_runningman.htm This was the reverse application of what you want to do, but it works both ways.
__________________
Thorn
"I'm The Doctor. I'm a Time Lord. I am from the planet Gallifrey in the constellation Kasterborous. I'm 903 years old and I am the man who is going to save your lives and all 6 billion people on the planet below... You got a problem with that?"

Last edited by Thorn : 01-19-2005 at 08:52 AM.
Old 01-19-2005   #8
humdinger
Registered Member

Join Date: Jan 2005
Posts: 8
Thanks Thorn.

You mentioned using a low gain Yadi with a PDA. I've been reading around this topic for a while and haven't come across a Yadi antenna - was this just a typo?

I've already read through the contest on your website, that's where I got the idea from. It's a good read too, by the way.
Old 01-19-2005   #9
Thorn
Did you do the math?

Join Date: Apr 2002
Location: Villa Straylight
Posts: 10,098
Quote:
Originally Posted by humdinger
Thanks Thorn.
You're welcome.

Quote:
Originally Posted by humdinger
You mentioned using a low gain Yadi with a PDA. I've been reading around this topic for a while and haven't come across a Yadi antenna - was this just a typo?
Oops. It was a typo. It should be "Yagi". It's been fixed.

Quote:
Originally Posted by humdinger
I've already read through the contest on your website, that's where I got the idea from. It's a good read too, by the way.
Thanks. Scott Pinzon and the other guys at WatchGuard deserve the credit for the article, while Chris and the other WD Contest staffers deserve the credit for the fun time running the Mini-Game, and of course, the contestants for playing. While it was my idea, the staffers refined it and more importantly executed the whole thing. Special credit should be given to Tara, who actually kept the contestants guessing who and where the Running Man was.
Old 01-19-2005   #10
humdinger
Registered Member

Join Date: Jan 2005
Posts: 8
Just how easy is it to get a PCMCIA wireless card running on a Pocket PC based PDA?

I'm simply concerned that there may be driver issues (the cards won't have been designed with the Pocket PC O/S in mind will they?) and the fact that I've only ever seen PDAs running 802.11b based cards (so will a 802.11g card work?).
Old 01-19-2005   #11
Thorn
Did you do the math?

Join Date: Apr 2002
Location: Villa Straylight
Posts: 10,098
Quote:
Originally Posted by humdinger
Just how easy is it to get a PCMCIA wireless card running on a Pocket PC based PDA?

I'm simply concerned that there may be driver issues (the cards won't have been designed with the Pocket PC O/S in mind will they?) and the fact that I've only ever seen PDAs running 802.11b based cards (so will a 802.11g card work?).
It depends on whether the maker has released PPC/CE/2002/2003 drivers. Some have, some haven't. The popular B cards (ORiNOCO and Linksys v1, v2, v3) do have drivers and will detect G networks. You just cannot use the G speeds, but since you're just hunting rogues that shouldn't be an issue.
Old 01-19-2005   #12
streaker69
Psychic Amish Stumbler

Join Date: Jul 2004
Location: Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
Posts: 11,839
Ok, I did not read the entire thread, but did read the OP's original post, and I have a simple idea.

Using Airsnare, you could build a database of friendly MACs. MACs that you know are valid. Any new equipment purchased goes into the friendly database.

You can run Airsnare on a wired machine to monitor the traffic, then use a pingsweep program to ping the entire subnet. Anything that responds and is not on the friendly list will alert you to its presence. From there you can try to find out which office it is using the wander-the-hall means.

Might save you some miles in walking, and be less suspicious to the users than would be doing such a thing. It'll take a bit to get the MACs set up as friendly but on a small to medium network, it shouldn't be too tough of a job.

If you don't have a ping sweep program, one could probably be written pretty quickly in Perl, PHP or even a Batch file.
__________________
"One of these days, I'm going to cut you to pieces."

If you're offended by this post, please feel free to report it to one of the many helpful moderators of this forum.

Thank you.
Old 01-19-2005   #13
The Others
PeaceDriver

Join Date: Apr 2002
Location: Dos Palabras, Mandoras
Posts: 2,920
Now, I don't want to throw an Access Point shaped spanner in the works, but...

The above suggestions are all fantastic ways of hunting down an 802.11b/g access point. I'm only concerned that finding an 802.11a access point will not be possible. Also note that people can easily evade a NetStumbler setup by disabling SSID broadcasts.

I like Streaker69's idea of using airsnare, but, be warned, setting up a list of friendly MAC addresses will take you an age; it took me long enough to do my house setup. I don't know any details, but, I'm sure there must be a commercial, easier, option available. After all, you only need to capture MAC addresses of equipment on your LAN. Note, spoofing a MAC address is very easy, especially on access points and routers that usually have a web based interface to do so. With this in mind, an airsnare or similar based approach will fall flat on its face.
__________________
all good ends all

Old 01-19-2005   #14
streaker69
Psychic Amish Stumbler

Join Date: Jul 2004
Location: Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
Posts: 11,839
Quote:
Originally Posted by The Others
Now, I don't want to throw an Access Point shaped spanner in the works, but...

The above suggestions are all fantastic ways of hunting down an 802.11b/g access point. I'm only concerned that finding an 802.11a access point will not be possible. Also note that people can easily evade a NetStumbler setup by disabling SSID broadcasts.

I like Streaker69's idea of using airsnare, but, be warned, setting up a list of friendly MAC addresses will take you an age; it took me long enough to do my house setup. I don't know any details, but, I'm sure there must be a commercial, easier, option available. After all, you only need to capture MAC addresses of equipment on your LAN. Note, spoofing a MAC address is very easy, especially on access points and routers that usually have a web based interface to do so. With this in mind, an airsnare or similar based approach will fall flat on its face.
True enough, but do you think the Suits in there are gonna be spoofing an address? Even so, what address are they gonna spoof? One that already exists on the network? You can't have two devices with the same MAC on the same network, at least that's what I always learned. I may be wrong, but what would happen if two machines with the same MAC show up? I know a few years ago, we were tracking down why a Netware network kept crashing and we found out that two NICs had the same MAC on the LAN. They were cheap cards from Japan and apparently all the cards from this one company had the same MAC.

My idea was just a thought, and it could be used to supplement other plans as well. Using Solarwinds Engineering tools, I can ping sweep an entire network in a few seconds and get all MACs of all machines connected. You run it at various times during the week/day and you'd eventually get all the MACs. Once you have the list, compare all of them to the OUI list to make sure it's a brand your company purchased; if your company has a standard list of hardware that's purchased it wouldn't be tough to track down a rogue device.

I'm just throwing out ideas.
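streaker69's two posts describe one wired-side check: ping sweep the subnet so every live host ends up in the ARP cache, compare the responding MACs against a friendly list, and then compare the OUI (first three octets) of anything unknown against the vendors the company actually buys. The following is an added example, not code from the thread, from AirSnare or from the Solarwinds tools mentioned; it is written in Python rather than the Perl, PHP or batch streaker69 suggests because that is what a practitioner would reach for today. The `arp -a` style output, the MAC addresses (locally-administered `02:` prefixes so they match no real vendor), the OUI table and the vendor names are all constructed for the example.

```python
"""Compare hosts that answered a ping sweep against a friendly-MAC list and an
approved-vendor (OUI) list (added example; all sample data is constructed)."""
import re
from dataclasses import dataclass

# Constructed sample in the shape of Windows `arp -a` output, taken after a ping
# sweep has populated the ARP cache. Nothing here refers to a real device.
SAMPLE_ARP_OUTPUT = """\
Interface: 192.168.10.5 --- 0x3
  Internet Address      Physical Address      Type
  192.168.10.1          02-aa-01-00-00-01     dynamic
  192.168.10.20         02-aa-01-00-00-20     dynamic
  192.168.10.77         02-bb-02-11-22-33     dynamic
  192.168.10.255        ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Friendly list: MACs of equipment the organisation knows it owns (constructed).
FRIENDLY_MACS = {"02:aa:01:00:00:01", "02:aa:01:00:00:20"}

# OUI table, first three octets -> vendor. Placeholder entries; a real
# deployment would load the IEEE OUI registry instead.
OUI_VENDORS = {"02:aa:01": "ExampleCorp NIC", "02:bb:02": "ExampleWLAN AP"}

# Vendors the organisation actually buys from (constructed).
APPROVED_VENDORS = {"ExampleCorp NIC"}

ARP_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"                # IPv4 address
    r"([0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5})\s+"    # MAC, dash or colon separated
    r"(\w+)"                                           # entry type
)


@dataclass
class Suspect:
    ip: str
    mac: str
    vendor: str
    reason: str


def normalise_mac(mac):
    """Lower-case, colon-separated form so set lookups are exact."""
    return mac.lower().replace("-", ":")


def parse_arp(text):
    """Extract (ip, mac) pairs, dropping broadcast and IPv4 multicast entries."""
    hosts = []
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if not m:
            continue
        mac = normalise_mac(m.group(2))
        if mac == "ff:ff:ff:ff:ff:ff" or mac.startswith("01:00:5e"):
            continue
        hosts.append((m.group(1), mac))
    return hosts


def classify(hosts, friendly=FRIENDLY_MACS, oui_table=OUI_VENDORS,
             approved=APPROVED_VENDORS):
    """Flag every host not on the friendly list; record whether its OUI at
    least belongs to a vendor the organisation purchases from."""
    suspects = []
    for ip, mac in hosts:
        if mac in friendly:
            continue
        vendor = oui_table.get(mac[:8], "unknown OUI")
        if vendor in approved:
            reason = "not on friendly list (approved vendor: check purchase records)"
        else:
            reason = "not on friendly list and vendor not approved"
        suspects.append(Suspect(ip, mac, vendor, reason))
    return suspects


def sweep(arp_text=SAMPLE_ARP_OUTPUT):
    """Full check over one ARP table: parse, then classify."""
    return classify(parse_arp(arp_text))


if __name__ == "__main__":
    for s in sweep():
        print(f"{s.ip:<16} {s.mac}  {s.vendor:<16} {s.reason}")
```

On the constructed table only `192.168.10.77` is flagged: it is absent from the friendly list and its OUI maps to a WLAN vendor the company does not buy from, which is the signature of a cheap access point plugged into a wall port. As The Others points out above, a MAC can be spoofed from an AP's web interface, so treat this as a way to save walking, as streaker69 says, not as proof that no rogue exists; it complements the hall sweep rather than replacing it.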
Old 01-19-2005   #15
Monitr7
Not feeling funny...

Join Date: Jan 2003
Location: Rebrandsoftware's mom's house...
Posts: 1,699
Quote:
Originally Posted by The Others
The above suggestions are all fantastic ways of hunting down an 802.11b/g access point. I'm only concerned that finding an 802.11a access point will not be possible.
True, NS won't find 802.11a. However, other commercial (read: expensive) products, such as Yellowjacket or AirMagnet will.

Quote:
Originally Posted by The Others
Also note that people can easily evade a NetStumbler setup by disabling SSID broadcasts.
Wouldn't Kismet be able to detect those, though?

Quote:
Originally Posted by The Others
I like Streaker69's idea of using airsnare, but, be warned, setting up a list of friendly MAC addresses will take you an age; it took me long enough to to my house setup. I dont know any details, but, I'm sure there must be a commercial, easier, option available. After all, you only need to capture MAC addresses of equipment on your LAN. Note, spoofing a MAC address is very easy, especially on access points and routers that usually have a web based interface to do so. With this in mind, an airsnare or similar based approach will fall flat on it's face.
Party-poopin' killjoy!