22

Over the course of about a month we have received multiple reports of a rogue access point attempting to intercept traffic. I suspect an attacker is using a wifi pineapple, or similar hardware device. They seem to be enabling it for short periods of time and then disappearing before we have time to react. When this attack pops up again I want to be able to react quickly and have them arrested.

What is the best way to confront this threat?

rook
  • Do you have location information - ie is it in one office, across a campus etc.? This could help with valid options for detection. – Rory Alsop Jan 18 '12 at 13:14
  • 1
    @Rook - that question is relevant but seems to be about a specific rogue attack; this one is broader and I've tried to answer it from a "state of the industry rogue-detection techniques" perspective. –  Aug 17 '12 at 16:55
  • This question is meant to provide a canonical answer base. That question is way more localized than this one. – Lucas Kauffman Aug 17 '12 at 16:58
  • It looks like my comments and my answer (and others' answers) to another, more general question about "how do you detect rogues?" have been merged into this one. I find this weird and confusing. If you are reading this question and you're confused, that's why. (Insert here whining and complaining at overzealous moderators for trying way too hard to be organized and just messing things up. Acknowledgement that the whining belongs more on Meta. Cessation of my emotional involvement in the matter follows.) –  Aug 17 '12 at 22:01
  • @fennec you can re-post your answer here, i'll upvote it. – rook Aug 18 '12 at 01:04
  • Who, "we"? You talk like Louis the Eleventh. – Nicolas Barbulesco Jun 12 '16 at 12:48
  • Check out Evildefender from Github – Detectware Dec 15 '16 at 20:38
  • Check out moucherhunter from ThinkSecure – Detectware Dec 15 '16 at 20:41

8 Answers

15

The general ways that rogue access points are found:

  • An enterprise wi-fi access point spends some of its time not just serving clients, but listening on various channels for other wi-fi traffic. (This works best for the 2.4 GHz band where there are fewer channels. Fortunately this is also where most run-of-the-mill, non-targeted attacks are going to be. You can also use a dedicated sensor instead of an AP. You can also configure one radio of a two-radio access point as a full-time sensor radio.)
    • This information is typically reported to a centralized system (a controller, the controller-managing software, etc) through some mechanism (SNMP trap, SNMP polling, proprietary notification protocols, etc). You could probably write a centralized system yourself if you really felt like it, though in practice third-party interfaces with wireless equipment's SNMP can be a little bit hit-or-miss, and the data is not available in any standardized format. There are also patent-related implications, such as this one, which is the one that I happen to know about.
    • The central system will perform checks to see whether that BSSID belongs to a known, valid access point that belongs to your organization's network.
    • The central system will analyze the reported rogue for security. (For instance, a rogue access point broadcasting MyCorp's SSID on an open network is a threat to MyCorp employees, but something broadcasting a different SSID, e.g. PANERA or NEIGHBORCORP-GUEST, or a peer-to-peer wifi connection, might not be a threat.)
  • Devices in the packet path, such as wi-fi controllers, can try to see if they have seen a MAC address on the wireless network which is also present on the wired network in an unexpected way. If they do, that's a sign that the wired network has been connected to the atmosphere, and you know what controller port it is connected to.
  • An active scan can be run on the organization's network, requesting web pages on port 80 or 443, and/or running a tool such as nmap, to look for indicators of common consumer-grade networking equipment (e.g. a Linksys login page).
  • The wired infrastructure (switches, routers) can be polled for bridge forwarding tables, which contain MAC addresses. These MAC addresses can be analyzed to see if they belong to an OUI of a manufacturer of wireless network equipment (e.g. Linksys).
  • You can install software on your organization's laptops or other computers that reports back many of the same types of information that the access point would detect (SSID/BSSID lists, etc) to the aforementioned centralized system, or reports what SSID the computer is actually connected to. It helps to be able to tell whether that laptop is in the office or at home, or you'll potentially see many other access points.

Actions that can be taken against these devices include:

  • shutting down the network port at the switch (if the attacker is on your network)
  • forging 802.11 packets to disassociate clients from that access point, especially for wireless clients which your system recognizes as belonging to your organization (often called something like "rogue containment")
  • using a network-visualization tool that can trilaterate the location of the rogue access point from its signal strength (as reported by your access points) and your wifi network layout, then walking to that location and finding it in person
    • or using another signal-detection tool to track it down

The top 3 enterprise wireless vendors (Cisco, Aruba, Motorola) will all offer a wireless IPS with several or all of these capabilities, and some smaller vendors do as well. This is one of the many reasons they're more expensive than your cheap home Linksys wifi router.

7

A rogue access point implies it is connected to your LAN, which is easy to detect using port-security.

This WiFi pineapple is more or less a honeypot that is not present on your network. Detecting it will be a lot harder since it's not on your network. It is just spoofing your SSID I suppose?

So how about you write a script that lists all the access points it can detect and counts them. You might also add something to scan for SSIDs, look at their MAC and see if there is an SSID that contains your SSID's name or something alike (MyCompany or MyCompany-new), and verify it against a list of MAC addresses from your own devices. I might add that spoofing a MAC address is rather easy; counting the SSIDs might just be easier.

Rory Alsop
Lucas Kauffman
6

There are phone apps that attempt to physically locate wifi access points. Android has them, but I believe that Apple pulled these types of apps from their store, but they are available in the hacked market: https://market.android.com/details?id=girsas.wifiradar&hl=en

This might require some coordination and narrowing down the potential location, but it should provide valuable data for tracking this down.

schroeder
5

Read this too! http://seclists.org/pen-test/2007/Nov/57

The Wifi Pineapple is just one device a person can use in these situations. I'm not sure what kinds of reports you have but, if the person is using a portable Rogue-AP they are most likely mobile (walking, biking) or static but within proximity of your APs (drinking coffee, or on a laptop or, even a smartphone)...

It gets really dangerous because when dealing with portable rogue-APs like the wifi pineapple it becomes apparent that the person you're interested in is in fact, amongst your company...An insider.

So, to combat a mobile threat like this YOU need to get mobile. Already people have suggested downloading apps for mobile smartphones w/ wifi to scan for rogue-AP SSIDs. Even if they are spoofing the SSID a MAC address can also be pulled, and assessed (this will give you the device origin) [CAN BE SPOOFED].

HOW: WARDRIVING/WARWALKING You will need a list of your wireless assets' current hardware MAC addresses, and walk around with multiple cellphones with wireless scanning apps going, and a list of wireless MAC addresses. You can all pretty much look incognito because no one thinks just a smartphone can accomplish things of this nature. (In reality, even a wristwatch can now compromise a wireless network...) OR, it can be used to scan wireless signals, and look completely inconspicuous. http://hackaday.com/2011/12/27/rooting-a-motorola-actv-android-wristwatch/

Your suspected attacker is trying to stay under the radar as well. This may only be a compromised remote router as well, acting as a wireless client bridge or a Karma rogue-AP. If you go wardriving, you can use a laptop (suggested multiple persons w/ multiple laptops) with windows running InSSIDer. Grab the MAC list, and go out scanning. Put your MAC address list in a notepad, and check it against the APs you discover. HERE: www.metageek.net/products/inssider/

Another option is forcing the wireless spectrum to do your bidding (in a legal way). Tactical De-authentication attacks are the next wave in securing wireless from these kinds of threats though, it's still emerging... HERE

All I can tell you is that I have a wifi pineapple, and it is insane what you can do with a few clicks now... You need to stop this threat ASAP or it might be too late, and your corporate network is under hell-fire. Cellular phones with wireless capabilities are also a threat now... Your average smartphone can also become a rogue-AP, and sniff traffic, strip SSL...

HERE

In the future, I suggest your company look into wireless IDS/IPS systems that are commercially available today. Some, even have all the defense tricks I said above. ;-) Good luck to you on this! Feel free to contact me I can help!!! ;-)

TyTech1337
  • HERE: This is a wifi radar app for android. http://opensignalmaps.com/ or https://market.android.com/details?id=org.prowl.wifiscanner&hl=en – TyTech1337 Jan 18 '12 at 23:35
  • Ok yes, this is on track with something I want to build. A passive scanner that security guards walk around with and when it sees "MySSID" with "anUnknownMACaddress" it fires an alert. Issue: the pineapple can spoof MAC addresses. – bashCypher Jul 17 '18 at 00:13
4

Because the device is on intermittently, location has obviously been challenging. If you've got the time and resources, there is a way to hunt down that signal.

You need two wireless devices and, if they're on different machines (they probably have to be in order to move the directional around enough), good time synchronization for logging. One should have an omnidirectional antenna. The other should have a high gain directional antenna. I'll call those devices O and D.

Whenever device O sees the rogue access point, you should compare the signal strength against what is seen by device D. Comparison is needed to make you aware of when D is pointed in a blind direction. Rotate device D until the cone is pointing in a direction that gives you a strong reading. When you have that reading, relocate D to a very different place and start assessing again. You should end up with a series of readings that allow you to select the strongest line / coverage cone from each place you locate D. That should rapidly narrow down the location that the device can be located.

There are more details on the practice at http://en.wikipedia.org/wiki/Direction_finding. There are also faster location methods, but they require more complex equipment and relatively complex software.

Jeff Ferland
3

Write a simple cron script that calls iwlist eth1 scan on a wifi computer every minute or so, and greps through it to see if your access point's name shows up as more than one cell (or otherwise appears abnormal). If something's off, send emails to the administrators who then attempt to pinpoint the source.

I'd suggest trying to use a directional wifi antenna to pinpoint the direction the signal is coming from; or a wifi-direction-sensing Android app like schroeder's solution. This step is probably best done with more than one person, moving in different locations; seeing how the signal gets stronger/weaker. I wouldn't necessarily assume that the signal is omni-directional; see for e.g., [2], so simple triangulation may not work.

Finally would it be possible to start using WPA or encryption so the evil twin can't really mask as your network?

dr jimbob
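A small detector that ties together the checks the posts above describe: the first answer's central-system checks (is this BSSID one of our own radios, and is something open broadcasting MyCorp's SSID), the SSID counting and look-alike matching Lucas suggests, and the "does our SSID show up in more than one cell" test from the iwlist cron job in this answer. This is an added example, not code from any of the posters; it parses the text that `iwlist <iface> scan` prints rather than running it, and the scan text, the SSID MyCorp and the BSSID inventory are constructed.

```python
import re
# Constructed sample of `iwlist <iface> scan` output (not captured from a real
# network): our own AP, an open evil twin of our SSID on an unknown BSSID,
# a look-alike SSID, and an unrelated neighbour.
SCAN = """\
          Cell 01 - Address: 02:00:00:AA:00:01
                    ESSID:"MyCorp"
                    Encryption key:on
          Cell 02 - Address: 02:00:00:BB:00:02
                    ESSID:"MyCorp"
                    Encryption key:off
          Cell 03 - Address: 02:00:00:CC:00:03
                    ESSID:"MyCorp-new"
                    Encryption key:on
          Cell 04 - Address: 02:00:00:DD:00:04
                    ESSID:"NEIGHBORCORP-GUEST"
                    Encryption key:on
"""
OUR_SSID = "MyCorp"                    # the SSID being defended (assumed)
KNOWN_BSSIDS = {"02:00:00:AA:00:01"}   # inventory of our own radios (constructed)

def parse_iwlist(text):
    # One dict per "Cell NN - " block: BSSID, ESSID, whether encryption is on.
    cells = []
    for block in re.split(r"\n\s*Cell \d+ - ", "\n" + text)[1:]:
        cells.append({
            "bssid": re.search(r"Address: ([0-9A-Fa-f:]{17})", block).group(1).upper(),
            "essid": re.search(r'ESSID:"([^"]*)"', block).group(1),
            "encrypted": "Encryption key:on" in block,
        })
    return cells

def find_rogues(cells, our_ssid=OUR_SSID, known=KNOWN_BSSIDS):
    # Returns (reason, bssid) pairs worth an alert; an empty list means clean.
    alerts = []
    ours = [c for c in cells if c["essid"] == our_ssid]
    if len(ours) > 1:                  # our SSID appears in more than one cell
        alerts.append(("duplicate_ssid", sorted(c["bssid"] for c in ours)))
    for c in cells:
        if c["essid"] == our_ssid:
            if c["bssid"] not in known:  # our name on a radio we do not own
                alerts.append(("unknown_bssid", c["bssid"]))
            if not c["encrypted"]:       # open network wearing our SSID
                alerts.append(("open_twin", c["bssid"]))
        elif our_ssid.lower() in c["essid"].lower():   # e.g. MyCorp-new
            alerts.append(("lookalike_ssid", c["bssid"]))
    return alerts

if __name__ == "__main__":           # a cron job would mail these lines instead
    for reason, who in find_rogues(parse_iwlist(SCAN)):
        print(f"ALERT {reason}: {who}")
```

Because the pineapple can clone a legitimate BSSID, the "unknown_bssid" check alone is not proof of absence; the duplicate-cell and open-network checks still fire when the inventory match is spoofed.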
3

I believe there are currently two methods. The first is that you can use a physical detector, such as AirCheck, and follow the signal until you find it. Then you can identify whether it's one you have put there, or if someone else has.

The other method would be to find them on the network side. This article details how it's possible using Nessus, and it mentions the drawbacks of using a physical scanner (different frequencies, interference etc).

If you find one physically, best solution would be to rip it out of the socket!

Network wise (I have limited knowledge of firewalls/switches, so this may be nonsense), but if you can find out what port it's connected to, it may be possible to disconnect this port, or blacklist the MAC address. You would have to confirm that with someone with greater knowledge however.

fin1te
3

How to do it depends on the size of your company and its physical presence as well as how often you want to do it. There are actual rogue wifi detectors that you can install that do nothing else but scan for rogue wifis, but that's probably overkill. Chances are the best way to do it is simply install a free detector on your phone and walk around looking for points. As you go closer the signal gets stronger, as you move away it gets weaker, so if you're following a signal and it starts to get weaker you know you've just passed an access point. If you have a corporate WiFi solution it may actually offer that functionality as well. I know Cisco and Aerohive both include rogue wifi detection out of the box, it may be worth having a look. As for what to do when you find them, it's not always as simple as pulling the plug. If someone has gone through the trouble and expense of buying a wireless access point and installing it themselves, chances are they are trying to solve a problem that the IT department didn't. Politely tell them it's against the rules, find out why they did it, and then solve the issue so they don't need their own AP. Of course some rogue APs may be installed by malicious insiders or outsiders for the purposes of hacking into your network. If you find one where you suspect this is the case, secretly set up a hidden web cam or two around the area and pull the power cable out of the back just enough so that it looks like it came out accidentally, and then see who comes to plug it back in and when. It's probably a cleaner paid off to check on it and plug it back in, but it could be the hacker him/herself, in which case you call the cops to make an arrest and prosecution.

GdD