
Wireless APs mapping/plotting


Florin

Newbie

Posts: 29

Joined: Thu May 03, 2007 8:57 am

Post Fri May 04, 2007 9:42 am

Wireless APs mapping/plotting

Hello everybody,

Lately I’ve done some wardriving sessions through the company’s premises to discover if there are any rogue access points attached to the wired network.

I discovered some APs but what I am interested in is how I can map/plot these APs into something like Google Earth.

I am using Backtrack with Kismet as software, and a laptop + Ubiquiti card with external antenna as hardware.

I know about the solution with a GPS receiver that works pretty well with Kismet, but since I don’t have such a GPS device yet I was wondering if there are any other alternative solutions for doing this instead of using a GPS.

Thanks in advance for your answers.
Security+, OSCP, CISM, CISSP

heffnercj

EH-Net Columnist

Posts: 69

Joined: Thu Mar 15, 2007 2:45 pm

Post Fri May 04, 2007 3:30 pm

Re: Wireless APs mapping/plotting

A topographic map and a protractor.  ::)

LSOChris

Post Fri May 04, 2007 8:32 pm

Re: Wireless APs mapping/plotting

lol

map and some darts?

seriously though, if you know the lat/long, you should be able to plot it inputting it into any of those wardriving mapping programs by hand jamming it into the appropriate format for the program.  i'd buy a GPS device before i went thru all that trouble though, they are fairly cheap.

Florin

Newbie

Posts: 29

Joined: Thu May 03, 2007 8:57 am

Post Fri May 11, 2007 2:06 am

Re: Wireless APs mapping/plotting

Thanks for your replies guys.

But I was interested in alternative methods that I can use to detect and map the AP.

From what I know the GPS method has some limitations - it can't be used to detect APs inside buildings.

If someone can give me a valuable hint I'll greatly appreciate it.
Security+, OSCP, CISM, CISSP

slimjim100

EH-Net Columnist

Posts: 385

Joined: Wed Nov 08, 2006 12:50 pm

Location: Atlanta

Post Fri May 11, 2007 7:10 am

Re: Wireless APs mapping/plotting

With any RF signal you can track it by signal strength. I have used Netstumbler before to find rogue APs in buildings. There are also paid tools like Airmagnet Mobile. Just use SNR with a few different wifi NICs and antennas to find the AP you are looking for.

Brian
CISSP, CCSE, CCNA, CCAI, Network+, Security+, JNCIA, & MCP

oleDB

Recruiters

Posts: 237

Joined: Thu Jul 20, 2006 8:58 am

Location: HOA

Post Fri May 11, 2007 2:30 pm

Re: Wireless APs mapping/plotting

Using a paid solution, you can use multiple Wireless IDSes to triangulate the position; this is even more accurate than GPS. This is gonna be way expensive, so your best bet is to get your company to buy an inexpensive USB GPS device and use it with Kismet. It will give you in-building mapping, just not as accurate as triangulation with multiple cards in multiple locations. Or you could go crazy and build a wifi gun like the Shmoo did a few years back at DEFCON.

dean

Post Tue May 15, 2007 2:36 pm

Re: Wireless APs mapping/plotting

If you don't want to go the Wireless IDS route there are a couple of options. You can do it manually by collecting Signal and Noise data (SNR) for the AP or station that you are trying to locate. Grab some plans of your location and start walking around plotting as many points as you can, recording the SNR data. I use the prism2 cards with wlan-ng drivers. They have a reporting mode that provides this information.

Kismet will also report signal strength information for you but it does not have any historical data. But you can follow the signal strength and attempt to locate the rogue. A directional antenna will help a lot here. In Kismet press "s" to change the sort mode then press "i" to see the signal strength for the AP you selected.

Nessus includes an AP fingerprinting plugin that is not too bad.
Alternately you can do wired side analysis of MAC prefixes. You will need to know the MAC addresses of your legitimate APs. I think the IEEE has a nice database of Wireless Manufacturers OUIs.

Even using a method like triangulation you will not be 100% accurate. There will be discrepancies created by RF interference and signal loss, to name a few.

I'm not too sure how you would use a GPS indoors (it requires line of sight to a satellite). I guess you could use it while outside and attempt to plot the coordinates on plans of your location.

Whatever method you choose you will really only have an approximate idea of where the rogue lies.

hth,

-dean-
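
The manual approach suggested in the replies above (coordinates entered by hand for each survey point, plus the signal strength recorded there) can be turned into a Google Earth file as follows. This is an added example, not code from any poster in the thread: it estimates the AP position as a signal-weighted centroid, which is only a rough heuristic, and the sample readings, the BSSID and the output file name are constructed placeholders.

```python
"""Estimate an AP's position from hand-recorded survey points and write KML."""
from xml.sax.saxutils import escape

# Constructed sample data: (latitude, longitude, signal in dBm) noted by hand
# on a site plan during a walk-around for one BSSID. Not real measurements.
SURVEY = [
    (45.00000, 25.00000, -82),
    (45.00000, 25.00040, -75),
    (45.00030, 25.00000, -70),
    (45.00030, 25.00040, -48),   # strongest reading, closest to the AP
]

def estimate_position(readings):
    """Weighted centroid of the survey points.

    dBm is logarithmic, so each reading is converted to linear milliwatts
    before weighting; the strongest readings then dominate the estimate.
    """
    if not readings:
        raise ValueError("no survey readings")
    weights = [10 ** (dbm / 10.0) for _, _, dbm in readings]
    total = sum(weights)
    lat = sum(w * r[0] for w, r in zip(weights, readings)) / total
    lon = sum(w * r[1] for w, r in zip(weights, readings)) / total
    return lat, lon

def placemark(name, lat, lon, note=""):
    # KML wants longitude first, then latitude, then altitude.
    return ("<Placemark><name>%s</name><description>%s</description>"
            "<Point><coordinates>%.6f,%.6f,0</coordinates></Point></Placemark>"
            % (escape(name), escape(note), lon, lat))

def survey_to_kml(bssid, readings):
    """Return a KML document with every reading plus the estimated AP location."""
    marks = [placemark("%d dBm" % dbm, lat, lon) for lat, lon, dbm in readings]
    est_lat, est_lon = estimate_position(readings)
    marks.append(placemark("Estimated AP " + bssid, est_lat, est_lon,
                           "weighted centroid of %d readings" % len(readings)))
    return ('<?xml version="1.0" encoding="UTF-8"?>\n'
            '<kml xmlns="http://www.opengis.net/kml/2.2"><Document>\n'
            + "\n".join(marks) + "\n</Document></kml>\n")

if __name__ == "__main__":
    # 00:11:22:33:44:55 is a placeholder BSSID.
    with open("rogue_ap.kml", "w") as fh:
        fh.write(survey_to_kml("00:11:22:33:44:55", SURVEY))
```

The estimate can never fall outside the area that was walked, so survey points should surround the suspected location rather than sit on one side of it.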
