Security Basics
Re: Tool to find rouge wireless access points? May 14 2012 07:58PM
Felipe Martins (martins felipe security gmail com) (1 replies)
Re: Tool to find rouge wireless access points? May 15 2012 07:27PM
Jon D (rekcahpmip gmail com) (2 replies)
RE: Tool to find rouge wireless access points? May 15 2012 08:18PM
Mike Saldivar (Mike Saldivar usurf usu edu)
RE: Tool to find rouge wireless access points? May 15 2012 08:11PM
Estell Kauffman (Estell Kauffman chickasaw net)
Jon,

If you are running lightweight APs off a controller, most of the controller software I've seen includes rogue AP detection. The APs themselves act as detectors, reporting the beacons and related information back to the controller. The controller itself is generally able to see the wired side of the network and can then identify the rogue. Some controllers also include the ability to shut down rogue APs.

The only other tool I've seen in the past that would be able to identify an unauthorized network device, including rogue APs, is netdisco (http://www.netdisco.org/). Netdisco will go out and scan your network using SNMP, LLDP, and CDP. This allows it to not only identify those devices but also identify what switch and port they are connected to.

HTH,

Estell Kauffman

-----Original Message-----
From: listbounce (at) securityfocus (dot) com [mailto:listbounce (at) securityfocus (dot) com] On Behalf Of Jon D
Sent: Tuesday, May 15, 2012 2:28 PM
To: security-basics (at) securityfocus (dot) com
Subject: Re: Tool to find rouge wireless access points?

Sorry Felipe. Basically the core question is 'how to find rogue access points'.
For example, if an end user plugs in a Linksys wireless router under their desk, how do you detect it?

Expanding on the question: from what I've seen, just scanning with nmap or something might not pick it up if the AP is configured not to respond to pings, doesn't have ports open, etc.
And without knowing the encryption password, sniffing wireless traffic seems out of the question too. Simply scanning with something like kismet will only tell you that there's an AP in the area, but you don't know if it's an AP plugged into your network, or if it's another company's AP.
The link that was posted about sniffing the encrypted wireless traffic for netbios requests that aren't encrypted seems interesting.
Something I'll try.

Thanks,
Jon

On Mon, May 14, 2012 at 3:58 PM, Felipe Martins <martins.felipe.security (at) gmail (dot) com> wrote:
> Yes, I'm on the same way. I didn't fully understand what the question
> was. Can you be more specific, Jon?
>
> Best Regards
>
> Felipe Martins
> CEH, RHCE, RHCI, LPI, ITIL, NCLA, DCTS Security Specialist and
> Projects
>
>
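
The thread's core problem is telling an AP that is plugged into your own network apart from a neighbour's AP that is merely in range. The sketch below is an added example, not part of the original thread and not netdisco's or any controller's code: it correlates BSSIDs from a wireless survey with a wired-side switch MAC table, assuming (a common heuristic, not a guarantee) that a consumer router's wired MAC and its BSSID share an OUI and differ by a small offset. All data, names and the `max_offset` parameter are constructed for illustration.

```python
# Constructed sample data. In practice SEEN_OVER_AIR would come from a wireless
# survey and WIRED_MAC_TABLE from a switch inventory (e.g. gathered over SNMP).
AUTHORIZED_BSSIDS = {"00:1a:2b:00:10:01"}
SEEN_OVER_AIR = [
    {"bssid": "00:1A:2B:00:10:01", "ssid": "corp-wifi"},   # our own AP
    {"bssid": "C0:C1:C0:AA:BB:02", "ssid": "linksys"},     # under a desk?
    {"bssid": "F4:EC:38:11:22:33", "ssid": "NeighborCo"},  # next door
]
WIRED_MAC_TABLE = [
    {"mac": "c0c1.c0aa.bb01", "switch": "sw-floor2", "port": "Gi1/0/14"},
    {"mac": "0025.64de.ad01", "switch": "sw-floor2", "port": "Gi1/0/15"},
]


def mac_to_int(mac):
    """Normalise any common MAC notation (aa:bb.., aabb.ccdd.., aa-bb..) to an int."""
    digits = "".join(c for c in mac if c in "0123456789abcdefABCDEF")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return int(digits, 16)


def find_wired_rogues(seen, wired, authorized, max_offset=2):
    """Return unauthorized BSSIDs that sit next to a MAC learned on a switch port.

    Assumption: same OUI (top 24 bits) and a device-part difference of at most
    max_offset means the radio and the wired interface belong to one device.
    """
    allowed = {mac_to_int(m) for m in authorized}
    findings = []
    for ap in seen:
        bssid = mac_to_int(ap["bssid"])
        if bssid in allowed:
            continue  # sanctioned AP, nothing to report
        for entry in wired:
            wired_mac = mac_to_int(entry["mac"])
            same_oui = (wired_mac >> 24) == (bssid >> 24)
            if same_oui and abs(wired_mac - bssid) <= max_offset:
                findings.append({"bssid": ap["bssid"], "ssid": ap["ssid"],
                                 "switch": entry["switch"], "port": entry["port"]})
    return findings


if __name__ == "__main__":
    for hit in find_wired_rogues(SEEN_OVER_AIR, WIRED_MAC_TABLE, AUTHORIZED_BSSIDS):
        print("possible rogue AP {bssid} ({ssid}) on {switch} {port}".format(**hit))
```

A device whose wired MAC is unrelated to its BSSID will not match this heuristic, so an empty result does not prove that no rogue AP is attached.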

Copyright 2010, SecurityFocus