Hello everybody,

Lately I’ve done some wardriving sessions through the company’s premises to discover if there are any rogue access points attached to the wired network.

I discovered some APs but what I am interested in is how I can map/plot these APs into something like Google Earth.

I am using Backtrack with Kismet as software, and a laptop + Ubiquity card with external antenna as hardware.

I know about the solution with a GPS receiver that works pretty well with Kismet, but since I don’t have such a GPS device yet I was wondering if there are any other alternative solutions for doing this instead of using a GPS.

Thanks in advance for you answers.

lol

map and some darts?

seriously though, if you know the lat/long, you should be able to plot it inputting it into any of those wardriving mapping programs by hand jamming it into the appropriate format for the program.  i'd buy a GPS device before i went thru all that trouble though, they are fairly cheap.

With any RF signal you can track it by signal strength. I have used Netstumbler before to find rouge AP's in buildings. There is also paid tools like Airmagnet Mobile. Just use SNR with a few different wifi nic's and antennas to find the AP you are looking for.

Brian

If you don't want to go the Wireless IDS route there are a couple of options. You can do it manually by collecting Signal and Noise data (SNR) for AP or Station that you are trying to locate. Grab some plans of your location and start walking around plotting as many points as you can, recording the SNR data. I use the prism2 cards with wlan-ng drivers. They have a reporting mode that provides this information.

Kismet will also report signal strength information for you but it does not have any historical data. But you can follow the signal strength and attempt to locate the rogue. A directional antenna will help a lot here. In Kismet press "s" to change the sort mode then press "i" to see the signal strengh for the Ap you selected.

Nessus includes an AP fingerprinting plugin that is not too bad.
Alternately you can do wired side analysis of MAC prefixes. You will need to know the MAC addresses of your legitimate APs. I think the IEEE has a nice database of Wireless Manufacturers OUIs.

Even using a method like triangulation you will not be 100% accurate. there will be discrepancies created by RF interference and signal loss to name a few.

I'm not too sure how you would use a GPS indoors (it requires line of sight to a satellite) I guess you could use it while outside and attempt to plot the coordinates on plans of your location.

Whatever method you choose you will really only have an approximate idea of where the rogue lies.

hth,

-dean-