3 Replies Latest reply on Oct 5, 2017 2:33 PM by rguth

    Finding Rogue AP MAC Addresses


      Hello again folks. I'm trying to see if it's possible to find Rogue MAC IP addresses somehow, search them in UDT, and see if they are connected to our network, and to whom. Is there any way of going about this or is this not possible? Thank ya.

        • Re: Finding Rogue AP MAC Addresses

          NPM should be able to tell you which APs are yours, and which are rogue. Start by making sure all your APs are in NPM, then build heat maps showing their coverage, and then build a report to show APs present that aren't yours.


          You won't have the right info until you get some good filtering in place, because every smartphone that has its internal hotspot enabled will show up as a rogue or unknown AP in your WLAN.


          You'll need to filter out known APs that have physical connections into your switches, and then find all APs that are "unknown" AND that have physical connections into your switches. Those are the bad guys.


          Also, no private APs should be able to connect directly to your WLAN, as if your corporate APs were in repeater mode. But if you have a public Guest SSID, that pretty much eliminates that filtering ability, since any AP or smartphone with local hotspot enabled will connect to it.


          You might be able to do more filtering and identify neighborhood homes or neighboring businesses with APs whose WLAN overlaps with yours. A good heat map will show those "rogues" and you may be able to visit the business owners and discuss how you can be good WLAN neighbors with each other. Maybe you can agree on how you'll shut off all 2.4 GHz services and leave them for your neighbor (aren't I sweet?). Or maybe you both want to use 5 GHz services, and you can agree on who will use which radio channels. Then you each set up the overlapping APs to only use your agreed-on channels.


          It'll be hard to get this same kind of efficiency with private/personal/neighborhood/home APs, though. And it'll be impossible to get that cooperation from everyone with a smartphone that has its WiFi hotspot feature enabled. Unless you wanted to be aggressive and target every unauthorized hotspot with floods of de-authentication packets. And that's not going to go over well with many people.

          • Re: Finding Rogue AP MAC Addresses

            Rogue AP Detection:


            What is a Rogue AP? Most people refer to it as a wireless device hosting some sort of wireless network within your airspace. While this can cause interference and potential user issues, it isn't really a security issue unless it is trying to masquerade as one of your access points OR ...


            My definition of a rogue AP: A wireless device hosting a wireless network that is SIMULTANEOUSLY connected to your internal network, thus allowing connected wireless users to access your internal network resources.


            I kept trying to figure this out. How do I tell if there is a wireless device that is setting up an SSID, allowing users to connect wirelessly, and is directly connected to the internal network? I found the trick. It was hard, but I got to thinking MAC addresses.


            Each wireless network interface has a unique MAC address. Wireless APs have a wireless radio MAC and also have a cabled network interface MAC. Think of your laptop. You have (2) NICs. One wireless and one Ethernet. They both have MAC addresses. If you look at the MAC addresses on your laptop they are probably very different from each other. The components in your laptop are made by different manufacturers and lot runs. So your wireless adapter MAC is vastly different from your Ethernet adapter MAC. BUT manufacturers of APs generally have the MAC address of the wireless radio very similar to the Ethernet adapter MAC. For example: Radio = 1111.1111.11AC  Ethernet = 1111.1111.AD


            Once you install UDT, your Orion server will start tracking wireless information. It also creates several new tables on your Orion SQL server. So I got to fiddling around and (working with my friendly neighborhood SQL admin) was able to set up a script to compare MAC addresses from wireless devices, and MAC addresses of devices on the internal network. We wrote a query to look for MAC addresses in both tables that were very similar (first 10 characters of the MAC are identical). My SQL dude set up a job to run this script weekly and email me a report. What we got was the following:


            Wireless MAC    SSID                               Wired MAC
            5820B15F8D19    HP-Print-19-Officejet Pro 8620     5820B15F8D27
            5820B15F8D19    HP-Print-19-Officejet Pro 8620     5820B15F8D27
            5820B15F8D19    HP-Print-19-Officejet Pro 8620     5820B15F8D19
            5820B15F8D19    HP-Print-19-Officejet Pro 8620     5820B15F8D19
            E8B4C8A9CE71    Samsung Galaxy Grand Prime 1282    E8B4C8A9CE71
            E8B4C8A9CE71    Samsung Galaxy Grand Prime 1282    E8B4C8A9CE6D
            FC15B4AA71D5    HP-Print-D5-Officejet Pro 8600     FC15B4AA71D5
            FC15B4AA71D5    HP-Print-D5-Officejet Pro 8600     FC15B4AA71D5



            What I found out is if the MAC in the left column is the same as on the right, then this is a wireless-only device, and we are cool, no worries. If you see the Parainfluenza SSID, the left and right don't match but are very, very close. Meaning these 2 MACs are from the same device. Therefore this is a wireless AP hosting an SSID and is also connected to the internal network. (This example is actually an exempted AP that we manage). Also, Mr. BUBS is a rogue AP. Tracked it down to a Dr.'s office and yanked it off the network.


            The Samsung Galaxy looks close, but the MACs are too far off to be from the same device. But it is suspiciously close. The maker of the wireless adapter in the Galaxy phone also made another device connected internally. Needs further investigation.


            There are a couple of printers listed. One is wireless only and is OK, but the other is putting out an SSID and is connected to the internal network. Turns out the printer plugs into our network with a cable, but also puts out a little wireless network. Turned that off, but it stayed on. Found out we had to do a firmware update to get it to actually turn off the wireless capabilities. User was upset, because she wanted to print stuff from her phone. I said, "Ok, but if you want to print from your phone, let me just shut down this little network jack in the wall, but you won't be able to print from your PC anymore. Your choice."


            How do you find out if a MAC is connected to the internal network? Go to the UDT home page and put it in the search bar. It will pop up and show you the switch and port it is plugged into, or it will show nothing.


            Works great!!!


            If you want specifics let me know.




            Wireless MAC        SSID                                                   Wired MAC
            5820B15F8D19   6    HP-Print-19-Officejet Pro 8620     19:39.5   50:21.5   5820B15F8D27
            5820B15F8D19   6    HP-Print-19-Officejet Pro 8620     37:48.4   48:40.3   5820B15F8D27
            5820B15F8D19   6    HP-Print-19-Officejet Pro 8620     19:39.5   50:21.5   5820B15F8D19
            5820B15F8D19   6    HP-Print-19-Officejet Pro 8620     37:48.4   48:40.3   5820B15F8D19
            E8B4C8A9CE71   1    Samsung Galaxy Grand Prime 1282    38:23.1   48:22.9   E8B4C8A9CE71
            E8B4C8A9CE71   1    Samsung Galaxy Grand Prime 1282    38:23.1   48:22.9   E8B4C8A9CE6D
            FC15B4AA71D5   11   HP-Print-D5-Officejet Pro 8600     48:17.1   48:40.3   FC15B4AA71D5
            FC15B4AA71D5   11   HP-Print-D5-Officejet Pro 8600     10:19.1   50:21.5   FC15B4AA71D5
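As an added example (not code from the post above, and not UDT's or Orion's own schema), the script below reproduces the matching logic the reply describes: join the MACs seen on the WLAN against the MACs UDT has seen on switch ports, on the first 10 hex characters, and then read the join output the way the post does (identical MAC on both sides = ordinary wireless client; same prefix but different last octet = a second NIC on the same hardware, so a device that is on the air and on the wire at once). The table names `wireless_seen` and `wired_seen`, their columns, and all the rows (modelled on the report in the post, plus one wireless-only and one wired-only entry) are constructed for the example; the last-octet distance column is an extra to help the manual review that the post does by eye, and the real version would run as a scheduled job against the Orion SQL server instead of in-memory SQLite.

```python
import sqlite3

# Constructed rows modelled on the report in the post: MACs seen on the WLAN
# and the SSID they were seen on. Table/column names are assumptions.
WIRELESS_SEEN = [
    ("5820B15F8D19", "HP-Print-19-Officejet Pro 8620"),
    ("E8B4C8A9CE71", "Samsung Galaxy Grand Prime 1282"),
    ("FC15B4AA71D5", "HP-Print-D5-Officejet Pro 8600"),
    ("AABBCCDD0105", "CorpGuest"),               # constructed: wireless-only laptop
]

# Constructed rows standing in for what UDT records from switch port tables.
WIRED_SEEN = [
    ("5820B15F8D27", "sw-floor2", "Gi1/0/12"),
    ("5820B15F8D19", "sw-floor2", "Gi1/0/13"),
    ("E8B4C8A9CE71", "sw-floor1", "Gi1/0/3"),
    ("E8B4C8A9CE6D", "sw-floor1", "Gi1/0/4"),
    ("FC15B4AA71D5", "sw-floor3", "Gi1/0/7"),
    ("0011223344FF", "sw-core",   "Gi1/0/1"),   # constructed: wired only, no match
]

# The join the post describes: first 10 hex characters of the MAC identical.
SIBLING_QUERY = """
SELECT w.mac, w.ssid, e.mac, e.switch, e.port
FROM wireless_seen w
JOIN wired_seen e ON substr(e.mac, 1, 10) = substr(w.mac, 1, 10)
ORDER BY w.mac, e.mac
"""


def build_db():
    """Load the constructed rows into an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wireless_seen (mac TEXT, ssid TEXT)")
    conn.execute("CREATE TABLE wired_seen (mac TEXT, switch TEXT, port TEXT)")
    conn.executemany("INSERT INTO wireless_seen VALUES (?, ?)", WIRELESS_SEEN)
    conn.executemany("INSERT INTO wired_seen VALUES (?, ?, ?)", WIRED_SEEN)
    return conn


def last_byte_distance(a, b):
    """Absolute distance between the last octets of two 12-hex-digit MACs
    (an added aid for the manual review; the post judges closeness by eye)."""
    return abs(int(a[-2:], 16) - int(b[-2:], 16))


def find_sibling_macs(conn):
    """Run the prefix join and label each row as the post interprets it.

    identical : the very same MAC is on the WLAN and on a switch port; the post
                treats this as an ordinary wireless client.
    sibling   : same first 10 hex digits, different last octet: a second NIC on
                the same hardware, i.e. a device on the air and on the wire at
                once, which is what needs a look.
    """
    rows = []
    for wmac, ssid, emac, switch, port in conn.execute(SIBLING_QUERY):
        rows.append({
            "wireless_mac": wmac,
            "ssid": ssid,
            "wired_mac": emac,
            "switch": switch,
            "port": port,
            "match": "identical" if wmac == emac else "sibling",
            "distance": last_byte_distance(wmac, emac),
        })
    return rows


def review_candidates(conn):
    """Collapse the join output to one verdict per wireless MAC."""
    verdict = {}
    for row in find_sibling_macs(conn):
        # One sibling row is enough to flag the device for investigation;
        # a MAC with only identical rows is a plain wireless client.
        if row["match"] == "sibling":
            verdict[row["wireless_mac"]] = "investigate"
        else:
            verdict.setdefault(row["wireless_mac"], "wireless-client")
    return verdict


if __name__ == "__main__":
    db = build_db()
    for row in find_sibling_macs(db):
        print(f'{row["wireless_mac"]}  {row["ssid"]:<32} {row["wired_mac"]}  '
              f'{row["switch"]}/{row["port"]}  {row["match"]} (d={row["distance"]})')
    print(review_candidates(db))
```

Run as-is it flags the 5820B15F8D19 printer (its sibling 5820B15F8D27 sits on a switch port) and the Samsung phone (sibling E8B4C8A9CE6D), while the FC15B4AA71D5 printer comes back as a plain wireless client, which is the same split the post arrives at; the switch and port columns are what you would otherwise look up by pasting the MAC into the UDT search bar.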