ZDNet UK



Stumble across rogue wireless access points

Robert L. Bogue

Published: 26 Nov 2002 16:02 GMT


The explosion of wireless technology into the hands of end users is one of the biggest challenges facing security officers and network administrators. With their transparent bridging, today's wireless access points are easy to set up, but they're even easier to misconfigure, leaving your network vulnerable to hackers.

You need a way to detect any unauthorised wireless access points on your network. In this Daily Drill Down, I'll show you how to search for and identify rogue access points using NetStumbler on a laptop and the associated Pocket PC program MiniStumbler. I'll also show you how to map the results using a GPS receiver and a mapping program like MapPoint.

Location mechanisms
There are two basic approaches for locating rogue access points: beaconing -- or requesting a beacon -- and network sniffing -- or looking for packets in the air. Each method relies on a different feature of the IEEE's 802.11b wireless standard to discover access points, and weaknesses, on your network. Let's look at each in a little detail.

Requesting a beacon
The IEEE's 802.11b standard is designed to enable a wireless device to see the SSIDs (Service Set Identifiers) used by nearby wireless access points. When the wireless device sees the SSID, it can configure itself to connect to the wireless network. To make this work, an 802.11b-compliant network card transmits a packet -- a beacon -- that causes all of the access points in the vicinity to announce their availability.

This is an effective method because it doesn't require any current traffic. The problem with this mechanism is that the access point must be configured to respond to these beacon requests. Most "enterprise class" access points let you turn this setting off. Because of this, the beaconing mechanism isn't completely effective at finding all wireless access points.

However, some users may not be aware that they should disable this feature when they deploy their wireless access points. Likewise, inexpensive wireless access points intended for home use don't normally allow you to disable the beaconing mechanism. Unfortunately, because they're inexpensive, they are the type of device most likely to be smuggled in and connected to your network without your knowledge.

Sniffing the air
"Sniffing" is another mechanism for detecting a wireless network's presence. It involves turning on the receiver on the wireless card and allowing the receiver to passively capture packets out of the air. When the receiver finds information that looks like a packet, it can record the information, allowing the hacker to deconstruct the packets. Using the deconstructed information, the hacker can find a way to access your network.

The problem with the sniffing mechanism is that currently you must select a specific channel to monitor. Given that 802.11b can operate on 12 channels, it's difficult to constantly switch between channels to monitor packets. So it's technically feasible to detect an access point by sniffing traffic, but it's impractical at present.

Another problem with sniffing is that there must be traffic on the network for this method to work. If no one is using the rogue access point, there's no traffic to monitor. The access point could be right next to you, but if it's not in use, your monitor will never find it.

Beyond these limitations, sniffing wireless packets is a useful way to determine who's using the wireless access point after it's been identified. The process used by NetStumbler and MiniStumbler, requesting beacons, will return the channel information that you can use later to sniff the network.
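As an added illustration (not code from the original article or from NetStumbler), the sketch below shows where the SSID and channel live inside a beacon or probe-response frame, and how an access point that withholds its name shows up. The sample frames are constructed in the code, and the function names are hypothetical.

```python
import struct

HEADER_LEN = 24   # frame control, duration, 3 addresses, sequence control
FIXED_LEN = 12    # timestamp (8) + beacon interval (2) + capability (2)
SUBTYPES = {5: "probe-response", 8: "beacon"}

def parse_ap_frame(frame: bytes) -> dict:
    """Extract BSSID, SSID and channel from a beacon or probe response."""
    if len(frame) < HEADER_LEN + FIXED_LEN:
        raise ValueError("frame too short")
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if ftype != 0 or subtype not in SUBTYPES:
        raise ValueError("not a beacon or probe response")
    _ts, _interval, capability = struct.unpack_from("<QHH", frame, HEADER_LEN)
    info = {
        "kind": SUBTYPES[subtype],
        "bssid": ":".join(f"{b:02x}" for b in frame[16:22]),  # address 3
        "ssid": None, "hidden_ssid": False, "channel": None,
        "privacy": bool(capability & 0x0010),  # privacy (WEP) capability bit
    }
    pos = HEADER_LEN + FIXED_LEN
    while pos + 2 <= len(frame):               # walk the tagged elements
        elem_id, elem_len = frame[pos], frame[pos + 1]
        data = frame[pos + 2:pos + 2 + elem_len]
        if len(data) < elem_len:
            break                              # truncated element: stop cleanly
        if elem_id == 0:                       # SSID element
            # Empty or all-NUL SSID means the AP is not announcing its name.
            info["hidden_ssid"] = elem_len == 0 or not any(data)
            info["ssid"] = "" if info["hidden_ssid"] else data.decode("utf-8", "replace")
        elif elem_id == 3 and elem_len == 1:   # DS Parameter Set: current channel
            info["channel"] = data[0]
        pos += 2 + elem_len
    return info

def build_sample(subtype: int, bssid: bytes, ssid: bytes, channel: int) -> bytes:
    """Construct a sample frame for the demo (not a capture)."""
    header = (bytes([subtype << 4, 0]) + b"\x00\x00" + b"\xff" * 6
              + bssid + bssid + b"\x00\x00")
    fixed = struct.pack("<QHH", 0, 100, 0x0011)           # ESS + privacy
    elements = (bytes([0, len(ssid)]) + ssid
                + bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])   # 802.11b rates
                + bytes([3, 1, channel]))
    return header + fixed + elements

if __name__ == "__main__":
    bssid = bytes.fromhex("020000bb0009")                 # constructed address
    print(parse_ap_frame(build_sample(5, bssid, b"default", 11)))
    print(parse_ap_frame(build_sample(8, bssid, b"", 6)))
```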

The biggest threat
For the purposes of this article, I'll focus on requesting that the access point transmit a beacon frame. You can use this method whether or not there is active traffic on the network. This means you can make your sweep through a building or a campus during a weekend, when users of rogue access points are less likely to be present. Intruders are likely to use this same method because it lets them look for access points when no one is around. So requesting beacons gives you the added benefit of evaluating your network's security using the same tactics as a potential attacker.

Choose your weapon
Two very useful tools for finding rogue wireless access points are NetStumbler and MiniStumbler. To run NetStumbler, you'll need at least a notebook and a wireless LAN card that the software supports. There's a list of supported cards available at the NetStumbler Web site. You'll also need a GPS capable of connecting to the notebook if you want to log and map your results.

Alternatively, you can run a smaller version of NetStumbler called MiniStumbler. MiniStumbler runs on a Microsoft Pocket PC device, such as the Compaq iPAQ. All you need is a Pocket PC device and a wireless LAN card that is supported by MiniStumbler. As with NetStumbler, if you want to log the signal's location, you'll need a GPS that you can connect to your Pocket PC.

MiniStumbler is much more useful than NetStumbler for zooming in on rogue access points. Because a Pocket PC can fit in the palm of your hand, it has a natural advantage over a bulky notebook. You can use the signal strength displayed on the Pocket PC, just like a minesweeper might use a metal detector, to home in on rogue access points.
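Once a sweep has been logged with GPS positions, the readings still have to be compared against what you actually deployed. The following added example (not part of the original article, and not NetStumbler's own export format) flags access points missing from an authorised inventory and reports where each was heard loudest. The CSV layout, the inventory and every address and coordinate in it are constructed for illustration.

```python
import csv
import io

# Constructed inventory of sanctioned access points: BSSID -> (SSID, channel)
AUTHORISED = {
    "02:00:00:aa:00:01": ("corp-wlan", 1),
    "02:00:00:aa:00:02": ("corp-wlan", 6),
}

# Constructed survey log; this column layout is an assumption for the example.
SURVEY_CSV = """\
bssid,ssid,channel,signal_dbm,lat,lon
02:00:00:aa:00:01,corp-wlan,1,-52,51.5001,-0.1201
02:00:00:bb:00:09,default,11,-80,51.5002,-0.1203
02:00:00:bb:00:09,default,11,-47,51.5004,-0.1207
02:00:00:bb:00:09,default,11,-63,51.5005,-0.1209
02:00:00:cc:00:07,corp-wlan,6,-70,51.5003,-0.1205
02:00:00:aa:00:02,corp-wlan,3,-58,51.5006,-0.1210
"""

def find_rogues(survey_text: str, authorised: dict) -> dict:
    """Return {bssid: finding} for every reading that does not match the inventory."""
    known_ssids = {ssid for ssid, _ in authorised.values()}
    findings = {}
    for row in csv.DictReader(io.StringIO(survey_text)):
        bssid = row["bssid"].lower()
        channel, signal = int(row["channel"]), int(row["signal_dbm"])
        if bssid not in authorised:
            # An unlisted radio using a sanctioned network name deserves priority.
            reason = ("known-ssid-unlisted-bssid" if row["ssid"] in known_ssids
                      else "unknown-bssid")
        elif authorised[bssid] != (row["ssid"], channel):
            reason = "config-drift"        # sanctioned AP, unexpected settings
        else:
            continue                       # matches the inventory exactly
        best = findings.get(bssid)
        # Keep the strongest reading: it marks the point closest to the device.
        if best is None or signal > best["signal_dbm"]:
            findings[bssid] = {
                "reason": reason, "ssid": row["ssid"], "channel": channel,
                "signal_dbm": signal,
                "where": (float(row["lat"]), float(row["lon"])),
            }
    return findings

if __name__ == "__main__":
    for bssid, f in sorted(find_rogues(SURVEY_CSV, AUTHORISED).items()):
        print(bssid, f["reason"], f["ssid"], f["channel"], f["signal_dbm"], f["where"])
```

The "where" value for each finding is the starting point for the walk-up with the handheld, and the channel is the one to monitor if you later sniff that device's traffic.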
