SSID Identification

[Kenomouth64]

I have a Wifi Pineapple Nano and plan on using this device for Rogue Access Point detection. Is this the best option for doing this or should I use something else such as AirSnort. So we have two different wireless networks at our business, they all have multiple routers distributed throughout the building. However we do not know which routers are where. We have a list of the MAC addresses, manufacturer, device model and IPs associated with the SSIDs. 

However when I run a recon, I do not detect any of the SSIDs and they are indeed set to broadcast. I detect quite a few devices with a "Hidden SSID". When I run the PineAP feature, I get a list of quite a few SSIDs in my pool, but I have not figured out how to associate those SSIDs with the MAC. 

Again I am not sure that I am using the correct tool here. I really just want to verify that there are no RAPs in my facility.

[Kenomouth64]

Echo Hello World

[digip]

Try airmon-ng to put a network card in monitor mode and survey your location using airodump-ng. With only one network card, you'll have to test per channel one at a time, then stop and start the airodump-ng tool again with a new channel each time, since hopping on all channels, will give poor results and not work properly. Once you locate all the SSID's and can see the signal strength get stronger as you get closer, then try probing for your AP at each location. If anything comes back with a MAC address(BSSID) not supposed to be on your manufacturer list, this is most likely a rouge AP, but not a perfect solution for testing since they can also be spoofed.

Ideally scanning locally on the intranet with tools like nmap, would be a quicker way to identify all devices and their MAC addresses, and you can then work out what matches to what location of each AP and the associated SSID when comparing them to the nmap results and an airodump-ng scan, sort of match them together. Once that's mapped out, figure out what doesn't belong if you end up with an a MAC address in airodump-ng, that wasn't on the nmap scan.

There are probably better ways or tools to do this for a wifi survey, but I'm just throwing this out there off the top of my head.

Documentation from when they were setup would also help you eliminate your devices against rouge ones, other than those that impersonate the MAC of an AP, which is also quite difficult to detect if that is what someone decides to do but you can use airodump-ng to sort them by signal strength and then as you walk closer observe more where they are. If you find that one is really far from where it should be, like at an edge wall of the office, then try doing the same from outside and start narrowing down where it is to find it. Others may say use kismet, as it can do this as well and has some more tools for surveying signal strengths, but I'm not really familiar with the tool, so you'd have to dig in on that one.

[Forkish]

If the SSID is being prodcasted, you could try the Signal Strength module. Walk around until you can determine a direction in which the suspect SSID signal gets stronger and see where that takes you.

[Kenomouth64]

Well, I ended up just capturing all the wireless devices I could, using my Aircheck tool. I combined all of the devices, along with their associated information, then filtered out the devices, I knew were legitimate. Unfortunately that leaves me with 76 device to track down with my network engineer, and verify their legitimacy...

I imagine majority of them are wifi hotspots, printers, or nearby facilities equipment. Nevertheless, I will in for a long day.

[barry99705]

Have fun with that!  I've been there before, it's not fun.  If you have managed switches, it can be a little easier.

[0phoi5]

On ‎29‎/‎01‎/‎2018 at 3:12 PM, Kenomouth64 said:

Well, I ended up just capturing all the wireless devices I could, using my Aircheck tool. I combined all of the devices, along with their associated information, then filtered out the devices, I knew were legitimate. Unfortunately that leaves me with 76 device to track down with my network engineer, and verify their legitimacy...

I imagine majority of them are wifi hotspots, printers, or nearby facilities equipment. Nevertheless, I will in for a long day.

Potentially not an option, but does your business do Disaster Recovery test days, or similar? When they power down all systems and then power them back up?

If so, use this to your advantage. With everything on the estate powered down, they'll be a lot less APs to look at, and you'll know the ones that have disappeared are definitely connected to your buildings power (take a reading before power down and after power down).

For future, maybe set up a dedicated PC (something little will do, like a Pi) to constantly monitor APs in the area and keep a decent log. Maybe use Kismet or airodump-ng. You can then see the APs that stick around long-term and the ones that have cropped up recently.

Edited January 31, 2018 by haze1434

[barry99705]

15 hours ago, haze1434 said:

When they power down all systems and then power them back up?

 

 

Whaaaaaa!!!???  That's crazy talk!  Actually that's called "Which dumb ass didn't do a copy run start on the core switch" day.  That day was fun, cause they didn't do it THREE years ago...

Edited February 1, 2018 by barry99705

[0phoi5]

12 hours ago, barry99705 said:

Whaaaaaa!!!???  That's crazy talk!  Actually that's called "Which dumb ass didn't do a copy run start on the core switch" day.  That day was fun, cause they didn't do it THREE years ago...

I guess they took the joke 'I'm a Linux Admin, so I get laid as often as I have to reboot' and thought they better reboot more often