How to pinpoint a rogue access point?

[williamc]

I just completed a pen-test for a huge company that included locating rogue access points on their network. Sure enough, Kismet found numerous devices and we had to find them. Using a directional antenna in a manufacturing plant, we were going all over the place trying to find these devices. I adjusted strength, tried omni, and still had a very hard time tracking the devices down. The signal strength would vary depending on line of sight, obstructions, etc. I spent about four hours to find three AP's.

I'd like to know if there are any recommendations on a device that can help pinpoint these access points. Maybe a extremely narrow beam directional that only picks the signal up if it hits it directly. I'm not sure, just trying to make my job easier. Any recommendations?

William

[Dutchie]

Use a spectrum analyzer!!! There is also special software to detect rogue AP. See cwnp.com.

Hope it will bring you further.

Dutch

[Thorn]

I just completed a pen-test for a huge company that included locating rogue access points on their network. Sure enough, Kismet found numerous devices and we had to find them. Using a directional antenna in a manufacturing plant, we were going all over the place trying to find these devices. I adjusted strength, tried omni, and still had a very hard time tracking the devices down. The signal strength would vary depending on line of sight, obstructions, etc. I spent about four hours to find three AP's.

I'd like to know if there are any recommendations on a device that can help pinpoint these access points. Maybe a extremely narrow beam directional that only picks the signal up if it hits it directly. I'm not sure, just trying to make my job easier. Any recommendations?

William

You'll always have some issues with hunting rogues. The very same multi-path characteristics that make 2.4GHz attractive for use in wireless networking, also make tracking down APs difficult.

"Vagi" antennas are a "shotgun" Yagi design that kick ass for rogue hunting. They are highly directional (25 degrees), are a great size for hand-held use, and at 16dBi, they have enough gain for some distance work.

http://www.pacwireless.com/products/...Data_Sheet.pdf

Both of these vendors handle the Vagi, and I can endorse both as being good companies with which to do business.

http://www.fab-corp.com/product.php?productid=1442

http://www.wlanparts.com/product/VA2...z_Antenna.html

An attenuator can also help.

[aggtrfrad]

there are also some devices made especially for locating wifi devices:

Code:

www . hawkingtech.com/products/index.php?CatID=32&FamID=71

[Barry]

there are also some devices made especially for locating wifi devices:

Code:

www . hawkingtech.com/products/index.php?CatID=32&FamID=71

That's nice and all, but not really a big help with the OP's question. I've used kismet on my Zaurus to hunt down rogues. Though, never in an industrial environment. Usually just in schools. The little antenna on the Z usually got me to within a couple class rooms. Then I'd just stick my head in and look. Word got around pretty quick we were looking for them, and they'd either shut down while we were looking, or we found them and either took them, or smashed them right there.

[aggtrfrad]

Hi-Gain WiFi Locator Professional Edition:
When detecting wireless networks, the Hi-Gain Directional Antenna helps the user determine exactly where the source of the wireless network is coming from by showing stronger signals at different angles.

I still think that this is exactly what the OP asks. WiFi network cards have a "very estimated" signal strength sensibility. They are not even closed to accurate.