
This posting has some good advice for tracking rogue access points:

Tracking down a rogue access point

The issue I have is that many will not work for a huge deployment. I'd like to build a device to look for them that I can keep on me and walk the property; when it detects something it will fire an alert. I can handle the scripting for this, but I am uncertain if my hunch is correct: Does the Pineapple spoof the AP MAC (BSSID) as well as the SSID? If that is not a default setting, I think I can create a list of all our MAC addresses and compare them to what I see in the facility per our SSIDs.

Edit/Update:

I found some information on another posting and I want to be clear I'm referring to an Evil Twin, which is a subset of Rogue AP. Yes, a rogue AP is a big deal, but an Evil Twin/Pineapple which is SSL stripping and trying to steal CCs etc. is a problem. @OscarAkaElvis said this:

"Not exactly. In an Evil Twin, you can "clone" a network but not entirely. I mean, you are supposed to clone "almost all" network characteristics. For example, usually the SSID and the same channel are cloned, but the BSSID is usually cloned except for one digit. The reason is that an Evil Twin is usually launched at the same time as a DoS against the legitimate network to force users to disconnect. And your fake network can't be exactly the same or the clients of the fake network will be kicked too. So the user usually has to click voluntarily on the fake network out of desperation at not having internet."

Which makes sense, as if there are 2 BSSIDs exactly the same you'll have tons of issues. This is what I had suspected, but I wouldn't call it confirmed. Can anyone confirm this?

Link to the other question I took this from: What's the difference between an evil twin and a rogue access point?

bashCypher
  • Why does default matter? You are hoping all attackers will just not bother checking a box? –  Jul 17 '18 at 18:55
  • @notstoreboughtdirt It seems like you haven't actually done this, so I'm not sure what use this comment is. See my edits above. – bashCypher Jul 17 '18 at 18:58
  • the real fun is in finding non-displaying characters which the OS will ignore and thus allow your WAP to actually catch auto-reconnects without triggering alerts on stuff like Meraki AirMarshal... U+FFFA through U+FFFD has a couple that OS X ignores ;D – Angelo Schilling Jul 17 '18 at 21:24
  • @AngeloSchilling interesting. I will need to research this. Also, I'm realizing that Deauth packet detection in parallel to confirming BSSID against an inventory of WAP's will make for a pretty robust detection system. Granted, it will need to be "war walked", but is a step in right direction. – bashCypher Jul 17 '18 at 21:40

1 Answer


A rogue access point is a very serious problem. I think it is easy to attack, but hard to defend.

Does the pineapple spoof AP MAC (BSSID) as well as SSID?

Unfortunately, a Pineapple or rogue AP can spoof MAC addresses. Therefore, comparing MAC addresses cannot provide proper detection. The term you need to look for is Wireless intrusion prevention/detection system.

What is a wireless intrusion prevention system?

As it is written in Wikipedia,

"In computing, a wireless intrusion prevention system (WIPS) is a network device that monitors the radio spectrum for the presence of unauthorized access points (intrusion detection), and can automatically take countermeasures (intrusion prevention)."

As a result, you need to implement a wireless intrusion prevention/detection system. There are many tools that can do it for you; however, I am not going to make any tool recommendation here. Plus, there are open source tools, such as Snort-Wireless or Kismet, which mainly have intrusion detection capabilities. I do not want to write more about WIPS, since this post is about "rogue AP detection". If you would like to know about them in detail, you can check on the internet. I also found some good articles about it:

  1. SANS - wireless-intrusion-detection-system
  2. Revista Informatica Economică - Wireless Intrusion Prevention Systems
  3. Symantec - Wireless Intrusion Detection Systems
Pilfility
  • It's too hard to use WIPS in an environment our size. Does it spoof BSSID/MAC by -default- or just SSID is what I'm asking. +1 for the help, but we haven't really gotten to the answer I need. I know it can be changed, but does it do it automatically? – bashCypher Jul 17 '18 at 17:33
  • It depends on the attacker and the tool he is using. I cannot say "default". There are many tools for Evil Twin attacks and they can have different implementations. The attacker can even run his own custom scripts. But a clever attack would spoof the MAC address too. It is neither difficult nor time consuming to spoof. A simple script with 5-6 lines can easily spoof it. Check some Evil Twin tools; you can find out if they do it by default or not. If I were an attacker and tried my attack without spoofing, and saw that I was detected, in my next attack I would spoof it then :) – Pilfility Jul 19 '18 at 14:54
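The following is an added example, not code from either the question or the answer, that puts both sides of this thread into one small detector: the questioner's plan (compare each observed BSSID against an inventory of authorised APs per SSID, and watch for deauth floods, as in the comment about "war walking"), and the answer's objection (a BSSID can be copied exactly, so an MAC-only check lets a perfect clone through). The inventory, the Beacon fields, the 10-second / 20-frame deauth threshold and all sample observations are assumptions constructed for the example; on a real handheld the beacons and deauth frames would come from a monitor-mode sniffer such as scapy or airodump-ng, and the inventory from the WLAN controller.

```python
"""Added example, not code from the original thread: a minimal war-walk
rogue/evil-twin detector.  The beacon and deauth observations below are
constructed; on a real handheld they would come from a monitor-mode sniffer
(scapy, airodump-ng) and INVENTORY from the WLAN controller."""
from collections import defaultdict
from dataclasses import dataclass

# Assumed inventory of authorised APs: SSID -> set of lowercase BSSIDs (made-up).
INVENTORY = {"CorpWiFi": {"00:11:22:33:44:10", "00:11:22:33:44:11", "00:11:22:33:44:12"}}

@dataclass(frozen=True)
class Beacon:
    """Fields taken from one 802.11 beacon frame."""
    ssid: str
    bssid: str
    channel: int
    beacon_interval: int  # time units; 100 is the usual default
    rates: tuple          # supported rates as advertised
    vendor_oui: str       # OUI of first vendor-specific IE, "" if none

def differing_digits(a, b):
    """Hex digits that differ between two MAC addresses."""
    a, b = a.lower().replace(":", ""), b.lower().replace(":", "")
    return sum(x != y for x, y in zip(a, b))

def check_inventory(beacon):
    """Questioner's hunch: BSSID vs. inventory per SSID -> (verdict, detail).
    One digit off an authorised BSSID is the near-clone pattern quoted above."""
    known = INVENTORY.get(beacon.ssid)
    if known is None:
        return "unknown-ssid", ""         # not our SSID; out of scope here
    bssid = beacon.bssid.lower()
    if bssid in known:
        return "authorised", ""           # NB: a perfect clone lands here too
    nearest = min(sorted(known), key=lambda k: differing_digits(k, bssid))
    d = differing_digits(nearest, bssid)
    if d <= 1:
        return "evil-twin-near-clone", f"{bssid} is {d} hex digit from {nearest}"
    return "rogue-bssid", f"{bssid} not in inventory for {beacon.ssid}"

def check_fingerprints(beacons):
    """Answer's point: the BSSID can be copied exactly, so also flag one BSSID
    advertised with conflicting beacon characteristics (two radios claim it)."""
    seen = defaultdict(set)
    for b in beacons:
        seen[b.bssid.lower()].add((b.channel, b.beacon_interval, b.rates, b.vendor_oui))
    return {bssid: fps for bssid, fps in seen.items() if len(fps) > 1}

def deauth_bursts(frames, window=10.0, threshold=20):
    """frames: (timestamp_s, bssid) per deauth frame.  Flags BSSIDs named in
    >= threshold deauths within any `window` seconds (sliding window)."""
    by_bssid = defaultdict(list)
    for ts, bssid in frames:
        by_bssid[bssid.lower()].append(ts)
    bursts = {}
    for bssid, times in by_bssid.items():
        times.sort()
        start = best = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[bssid] = best
    return bursts

def run_detector(beacons, deauth_frames):
    """Combine the three checks into alert strings."""
    alerts = []
    for b in beacons:
        verdict, detail = check_inventory(b)
        if verdict in ("evil-twin-near-clone", "rogue-bssid"):
            alerts.append(f"{verdict}: {detail}")
    for bssid, fps in check_fingerprints(beacons).items():
        alerts.append(f"bssid-conflict: {bssid} seen with {len(fps)} different beacon fingerprints")
    for bssid, n in deauth_bursts(deauth_frames).items():
        alerts.append(f"deauth-flood: {n} deauths naming {bssid} (source address likely spoofed)")
    return alerts

# Constructed sample input, not captured data.
RATES = (1, 2, 5.5, 11, 6, 9, 12, 18, 24, 36, 48, 54)
SAMPLE_BEACONS = [
    Beacon("CorpWiFi", "00:11:22:33:44:10", 6, 100, RATES, "00:11:22"),      # legitimate
    Beacon("CorpWiFi", "00:11:22:33:44:1f", 6, 100, RATES, ""),              # near-clone, last digit off
    Beacon("CorpWiFi", "00:11:22:33:44:11", 1, 100, RATES, "00:11:22"),      # legitimate
    Beacon("CorpWiFi", "00:11:22:33:44:11", 11, 100, (1, 2, 5.5, 11), ""),   # exact BSSID clone on ch 11
]
SAMPLE_DEAUTHS = [(i * 0.2, "00:11:22:33:44:11") for i in range(25)]        # flood kicking clients off :11
SAMPLE_DEAUTHS += [(30.0, "00:11:22:33:44:10"), (45.0, "00:11:22:33:44:10")]  # normal background deauths

if __name__ == "__main__":
    for alert in run_detector(SAMPLE_BEACONS, SAMPLE_DEAUTHS):
        print(alert)
```

Run against the constructed sample, the near-clone BSSID (`...:1f`) is caught by the inventory comparison alone, which is the case the questioner's hunch covers. The exact clone of `...:11` is reported as "authorised" by that same check, which is exactly the answer's objection; it is only surfaced because the same BSSID is being advertised with two different channel/rate/vendor-IE fingerprints, and because a deauth flood is naming it. Deauth frames carry the legitimate AP's address as source, so the flood alert names the victim BSSID, not the attacker's radio. Thresholds and fingerprint fields are starting points; beacon interval and vendor IEs are cheap to copy too, so this is a detection signal, not proof, and a stationary WIDS sensor would add RSSI and timing consistency on top.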