Re: How to locate a wireless LAN access point without GPS?
- From: Jeff Liebermann <jeffl@xxxxxxxxxxxxxxxxxxxxxx>
- Date: Sat, 09 Jul 2005 10:16:18 -0700
On 8 Jul 2005 20:34:27 -0700, "Dovelet" <doveletchan@xxxxxxxxxxxx>
wrote:
>In our company, I found that someone installed a wireless LAN access
>point in the office without informing our IT department. I heard that we
>can locate the exact location of the access point if I use the wireless
>LAN notebook (without GPS) with some software to walk around the floor.
>Does anyone know which software can do so? Thanks.

In Korea? So, how do you know that there's a rogue access point?

To the best of my knowledge, using only a single laptop or PDA to do
your sniffing, you cannot locate the exact position of the rogue
access point without triangulation, direction finding, interferometry,
DTOA techniques, wavefront analysis, or other forms of signal
analysis. In addition, using Netstumbler or other active probe type
of detection software requires that the rogue access point broadcast
its SSID.

I've had to find rogue access points in the past and used various
methods. Incidentally, one of them was found in the company
president's office, and installed as a present by his kids. Another
was being "tested" in the IT manager's cubicle.

The easiest method is to use a high gain 19dBi (or bigger) dish
antenna and do some direction finding with Netstumbler or some kind of
signal indicating software (usually in the driver for the laptop
wireless card). The trick is to make a map of the area, and move
around taking a large number of bearing lines. Draw the lines on the
map as you move around. Many of the lines will be reflections and
will point in random directions. However, a large number will
cross at one point. That's your access point location. One problem
is that this tends to attract considerable attention and may provoke
the access point owner into pulling the plug.

Another method that I've used is to identify the location by where it
connects to the company LAN. If the access point can be identified by
its MAC address on the company network, it can be pinged (by either IP
address or MAC address). If I have a managed switch, I can use the
management software to determine which port has the MAC address. That
will identify the location by ethernet cable. If the company is cheap
and doesn't use managed switches, I then squeeze into the server
closets and start pulling ethernet plugs that go to the workstations.
Eventually, the pinging stops when I unplug the culprit.

I'm playing with an adaptation of a simple "homer" type of direction
finder. Once upon a time, I helped design the USCG AN/SRD-21 that
worked on the same principle. I switch rapidly between two identical
antennas to form a somewhat directional 2 element array. When the
signal is exactly equal in strength from the two antennas, the culprit
lies on a line perpendicular to the two antennas. I've rewired the
diversity switch on a typical wireless card, and added a software
synchronous demodulator to find the null point. So far, it mostly
works, but is too slow (thanks to crappy RSSI circuitry). If I can
find some time to work on it, it should eventually make a tolerable
(cheap) direction finder.

--
Jeff Liebermann jeffl@xxxxxxxxxxxxxxxxxxxxxx
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 AE6KS 831-336-2558
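
The bearing-line method described in the post above, as an added example that is not part of the original message: it computes every pairwise crossing of the bearing lines and keeps the densest cluster, so reflected bearings that point in random directions are ignored. The floor coordinates (metres), the bearings, the 2 m cluster radius, the minimum of 3 agreeing crossings and the function names are all assumptions made for illustration.

```python
import math
from itertools import combinations

def intersect(p1, b1, p2, b2):
    """Crossing point of two bearing rays, or None if parallel or behind an observer.
    Bearings are degrees clockwise from map north (+y); positions are (x, y) in metres."""
    d1 = (math.sin(math.radians(b1)), math.cos(math.radians(b1)))
    d2 = (math.sin(math.radians(b2)), math.cos(math.radians(b2)))
    den = d1[0] * d2[1] - d1[1] * d2[0]
    if abs(den) < 1e-9:                      # parallel or opposite bearings never cross
        return None
    dx, dy = p2[0] - p1[0], p2[1] - p1[1]
    t = (dx * d2[1] - dy * d2[0]) / den      # distance along ray 1
    u = (dx * d1[1] - dy * d1[0]) / den      # distance along ray 2
    if t <= 0 or u <= 0:                     # crossing lies behind one of the antennas
        return None
    return (p1[0] + t * d1[0], p1[1] + t * d1[1])

def locate(observations, radius=2.0, min_support=3):
    """Return ((x, y), support) for the densest cluster of crossings, else None.
    support is the number of pairwise crossings that agree within `radius` metres."""
    pts = []
    for (pa, ba), (pb, bb) in combinations(observations, 2):
        p = intersect(pa, ba, pb, bb)
        if p is not None:
            pts.append(p)
    # For each crossing, gather the crossings near it; the largest group wins.
    clusters = [[q for q in pts if math.dist(q, c) <= radius] for c in pts]
    best = max(clusters, key=len, default=[])
    if len(best) < min_support:              # too few lines agree: no fix
        return None
    n = len(best)
    return (sum(x for x, _ in best) / n, sum(y for _, y in best) / n), n

# Constructed survey of a 60 m x 40 m floor: (observer position, bearing in degrees).
# The first six bearings point at one spot with about a degree of error;
# the last three are constructed stand-ins for reflections.
OBSERVATIONS = [
    ((0, 0), 56), ((60, 0), 304), ((0, 40), 124), ((60, 40), 236),
    ((30, 0), 1), ((10, 20), 89),
    ((50, 10), 200), ((20, 35), 40), ((45, 30), 10),
]

if __name__ == "__main__":
    print(locate(OBSERVATIONS))
```

A low support count relative to the number of bearings taken means most lines disagree, which is the cue to take more bearings from new positions before trusting the fix.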