5 Replies Latest reply on May 11, 2018 6:48 PM by wfriesn1

    Finding Rogue AP MAC Addresses

    thad

      Hello again folks. I'm trying to see if it's possible to find Rogue MAC IP addresses somehow, search them in UDT, and see if they are connected to our network, and to whom. Is there any way of going about this or is this not possible? Thank ya.

        • Re: Finding Rogue AP MAC Addresses
          rschroeder

          NPM should be able to tell you which APs are yours and which are rogue. Start by making sure all your APs are in NPM, then build heat maps showing their coverage, and then build a report to show APs present that aren't yours.

          You won't have the right info until you get some good filtering in place, because every smartphone that has its internal hotspot enabled will show up as a rogue or unknown AP in your WLAN.

          You'll need to filter out known APs that have physical connections into your switches, and then find all APs that are "unknown" AND that have physical connections into your switches. Those are the bad guys.

          Also, no private APs should be able to connect directly to your WLAN, as if your corporate APs were in repeater mode. But if you have a public Guest SSID, that pretty much eliminates that filtering ability, since any AP or smartphone with local hotspot enabled will connect to it.

          You might be able to do more filtering and identify neighborhood homes or neighboring businesses with APs whose WLAN overlaps with yours. A good heat map will show those "rogues" and you may be able to visit the business owners and discuss how you can be good WLAN neighbors with each other. Maybe you can agree on how you'll shut off all 2.4 GHz services and leave them for your neighbor (aren't I sweet?). Or maybe you both want to use 5 GHz services, and you can agree on who will use which radio channels. Then you each set up the overlapping APs to only use your agreed-on channels.

          It'll be hard to get this same kind of efficiency with private/personal/neighborhood/home APs, though. And it'll be impossible to get that cooperation from everyone with a smartphone that has its WiFi hotspot feature enabled. Unless you wanted to be aggressive and target every unauthorized hotspot with floods of de-authentication packets. And that's not going to go over well with many people.

          • Re: Finding Rogue AP MAC Addresses
            bhazelba

            Rogue AP Detection:

            What is a Rogue AP? Most people refer to it as a wireless device hosting some sort of wireless network within your airspace. While this can cause interference and potential user issues, it isn't really a security issue unless it is trying to masquerade as one of your access points OR ...

            My definition of a rogue AP: A wireless device hosting a wireless network that is SIMULTANEOUSLY connected to your internal network, thus allowing connected wireless users to access your internal network resources.

            I kept trying to figure this out. How do I tell if there is a wireless device that is setting up an SSID, allowing users to connect wirelessly, and is directly connected to the internal network? I found the trick. It was hard, but I got to thinking MAC addresses.

            Each wireless network interface has a unique MAC address. Wireless APs have a wireless radio MAC and also have a cabled network interface MAC. Think of your laptop. You have (2) NICs. One wireless and one Ethernet. They both have MAC addresses. If you look at the MAC addresses on your laptop they are probably very different from each other. The components in your laptop are made from different manufacturers and lot runs. So your wireless adapter MAC is vastly different from your Ethernet adapter MAC. BUT manufacturers of APs generally have their MAC address of the wireless radio very similar to the Ethernet adapter MAC. For example: Radio = 1111.1111.11AC  Ethernet = 1111.1111.AD

            Once you install UDT, your Orion server will start tracking wireless information. It also creates several new tables on your Orion SQL server. So I got to fiddling around and (working with my friendly neighborhood SQL admin) was able to set up a script to compare MAC addresses from wireless devices and MAC addresses of devices on the internal network. We wrote a query to look for MAC addresses in both tables that were very similar (the first 10 characters of the MAC are identical). My SQL dude set up a job to run this script weekly and email me a report. What we got was the following:

            UDT_MACAddress   SSID                              Wireless_Mac
            00227541329A     HDMD                              00227541329A
            300D438B50AE     bubs                              300D438B50AC
            5820B15F8D19     HP-Print-19-Officejet Pro 8620    5820B15F8D27
            5820B15F8D19     HP-Print-19-Officejet Pro 8620    5820B15F8D27
            5820B15F8D19     HP-Print-19-Officejet Pro 8620    5820B15F8D19
            5820B15F8D19     HP-Print-19-Officejet Pro 8620    5820B15F8D19
            E0469A33FCC1     Parainfluenza2                    E0469A33FCC2
            E0469A33FCC1     Parainfluenza2                    E0469A33FCC2
            E0469A33FCC3     Parainfluenza1                    E0469A33FCC2
            E0469A33FCC3     Parainfluenza1                    E0469A33FCC2
            E8B4C8A9CE71     Samsung Galaxy Grand Prime 1282   E8B4C8A9CE71
            E8B4C8A9CE71     Samsung Galaxy Grand Prime 1282   E8B4C8A9CE6D
            FC15B4AA71D5     HP-Print-D5-Officejet Pro 8600    FC15B4AA71D5
            FC15B4AA71D5     HP-Print-D5-Officejet Pro 8600    FC15B4AA71D5

            What I found out is if the MAC on the left column is the same as on the right, then this is a wireless-only device, and we are cool, no worries. If you see the Parainfluenza SSID, the left and right don't match but are very, very close, meaning these 2 MACs are from the same device. Therefore this is a wireless AP hosting an SSID and is also connected to the internal network. (This example is actually an exempted AP that we manage.) Also, Mr. BUBS is a rogue AP. Tracked it down to a Dr.'s office and yanked it off the network.

            The Samsung Galaxy looks close, but the MACs are too far off to be from the same device. But it is suspiciously close. The maker of the wireless adapter in the Galaxy phone also made another device connected internally. Needs further investigation.

            There are a couple of printers listed. One is wireless only and is OK, but the other is putting out an SSID and is connected to the internal network. Turns out the printer plugs into our network with a cable, but also puts out a little wireless network. Turned that off, but it stayed on. Found out we had to do a firmware update to get it to actually turn off the wireless capabilities. User was upset, because she wanted to print stuff from her phone. I said, "Ok, but if you want to print from your phone, let me just shut down this little network jack in the wall, but you won't be able to print from your PC anymore. Your choice."

            How do you find out if a MAC is connected to the internal network? Go to the UDT home page and put it in the search bar. It will pop up and show you the switch and port it is plugged into, or it will show nothing.

            Works great!!!

            If you want specifics let me know.

            -B

            UDT_MACAddress   CurrentChannel   SignalStrength   SSID                              FirstUpdate   LastUpdate   Wireless_Mac
            00227541329A     1                                 HDMD                              29:11.4       49:12.1      00227541329A
            300D438B50AE     11                                bubs                              29:04.8       49:05.0      300D438B50AC
            5820B15F8D19     6                                 HP-Print-19-Officejet Pro 8620    19:39.5       50:21.5      5820B15F8D27
            5820B15F8D19     6                                 HP-Print-19-Officejet Pro 8620    37:48.4       48:40.3      5820B15F8D27
            5820B15F8D19     6                                 HP-Print-19-Officejet Pro 8620    19:39.5       50:21.5      5820B15F8D19
            5820B15F8D19     6                                 HP-Print-19-Officejet Pro 8620    37:48.4       48:40.3      5820B15F8D19
            E0469A33FCC1     2                                 Parainfluenza2                    49:09.4       49:12.1      E0469A33FCC2
            E0469A33FCC1     2                                 Parainfluenza2                    49:03.8       49:05.0      E0469A33FCC2
            E0469A33FCC3     44                                Parainfluenza1                    28:54.4       49:05.0      E0469A33FCC2
            E0469A33FCC3     44                                Parainfluenza1                    29:08.8       49:12.1      E0469A33FCC2
            E8B4C8A9CE71     1                                 Samsung Galaxy Grand Prime 1282   38:23.1       48:22.9      E8B4C8A9CE71
            E8B4C8A9CE71     1                                 Samsung Galaxy Grand Prime 1282   38:23.1       48:22.9      E8B4C8A9CE6D
            FC15B4AA71D5     11                                HP-Print-D5-Officejet Pro 8600    48:17.1       48:40.3      FC15B4AA71D5
            FC15B4AA71D5     11                                HP-Print-D5-Officejet Pro 8600    10:19.1       50:21.5      FC15B4AA71D5
            • Re: Finding Rogue AP MAC Addresses
              bhazelba

              Here is our procedure. Sorry for the late reply. Hope this helps!

              Rogue AP Detection

              Through the use of SolarWinds, many different MAC address tables are built. Each of these is used for different modules within SolarWinds. These tables can be queried through SQL to identify interesting information. A SQL job that runs weekly (shown below) generates results that are sent via email for review.

              Requirements:

              • Below, NetPerfMon2 would need to be replaced by the database name for your SolarWinds database.
              • You have to have the UDT module installed.
              • Your wireless controllers need to be added into SolarWinds.

              Caveat:

              • This whole process assumes the following:
                • Each wireless network interface has a unique MAC address. Wireless APs have a wireless radio MAC and also have a cabled network interface MAC. Think of your laptop. You have (2) NICs. One wireless and one Ethernet. They both have MAC addresses. If you look at the MAC addresses on your laptop they are probably very different from each other. The components in your laptop are made from different manufacturers and lot runs. So your wireless adapter MAC is vastly different from your Ethernet adapter MAC. BUT manufacturers of APs generally have their MAC address of the wireless radio very similar to the Ethernet adapter MAC. For example: Radio = 1111.1111.11AC  Ethernet = 1111.1111.AD

              SQL Job:

              -- Query 1: wireless rogues whose first 10 hex digits (first 5 octets) match a MAC in the UDT endpoint table
              SELECT [MACAddress], [CurrentChannel], [SignalStrength], [SSID], [FirstUpdate], [LastUpdate]
              FROM [NetPerfMon2].[dbo].[Wireless_Rogues] AS NetPerfMAC
              WHERE EXISTS
                    (SELECT [MACAddress]
                     FROM [NetPerfMon2].[dbo].[UDT_Endpoint]
                     WHERE LEFT([MACAddress], 10) = LEFT(NetPerfMAC.[MACAddress], 10))
              ORDER BY [MACAddress]

              -- Query 2: the same prefix match written as a join, so both MACs come back side by side
              SELECT TOP (100) PERCENT
                     NetPerfMAC.MACAddress AS UDT_MACAddress, NetPerfMAC.CurrentChannel, NetPerfMAC.SignalStrength, NetPerfMAC.SSID,
                     NetPerfMAC.FirstUpdate, NetPerfMAC.LastUpdate, dbo.UDT_Endpoint.MACAddress AS Wireless_Mac
              FROM dbo.Wireless_Rogues AS NetPerfMAC
                   INNER JOIN dbo.UDT_Endpoint
                       ON LEFT(NetPerfMAC.MACAddress, 10) = LEFT(dbo.UDT_Endpoint.MACAddress, 10)
              WHERE EXISTS
                    (SELECT MACAddress
                     FROM dbo.UDT_Endpoint AS UDT_Endpoint_1
                     WHERE LEFT(MACAddress, 10) = LEFT(NetPerfMAC.MACAddress, 10))
              ORDER BY UDT_MACAddress

              IF UDT MAC = Wireless_MAC, then the device has been seen by UDT on wireless. Therefore the device has wireless enabled and is emitting an SSID. These should be shut down, as we do not permit devices to propagate their own SSID on our wireless space. The only exceptions would be devices offsite.

              IF UDT MAC is very close to Wireless_MAC, then more than likely this is a true rogue access point that needs to be investigated.

              Results Table:

              Given an Excel spreadsheet showing the results from above, and by making a few alterations and adding a couple of columns to calculate the difference between MAC addresses, you end up with the following:

              Sample Results

              The table above is just for illustration purposes. An email is sent weekly to the Network Manager and Wireless Engineer containing the latest results of the query. The results are de-duplicated and only reflect MAC addresses that are deemed to be "close". All other data is removed before the report is sent.

              Example Results:

              Search SolarWinds:

              Next you need to determine if any of these devices are physically cabled to the internal network.

              Browse to SolarWinds and go to the UDT Summary page. In the top right of the page find the search field:

              Enter the MAC address. Typically the "Wireless_Mac" address is the one found on the physical network, but not always.

              If results are displayed, you need to determine if the MAC address is on a switchport or trunk port. If it is on a switchport, it is an official rogue access point. If it is on a trunk port, verify that the trunk port is used for public Wi-Fi use only.

              You need to run each MAC address from all columns through the search to see if any show up as plugged into the network.

              Remediation:

              Create a Service Desk ticket for the Client Services team to identify the device, inform the user, and disable the wireless capabilities (if the device is an approved device for the network, such as a printer). The device needs to be removed if it is unapproved, such as a wireless router. If the device is unapproved, Client Services should report it to the Security Team so that an Incident Report can be generated.
                • Re: Finding Rogue AP MAC Addresses
                  wfriesn1

                  Hi. Here is a version that includes calculating the integer difference of the last two characters of each MAC address. That should eliminate the need to do the calculations externally. This works in Report Writer under 2017.3 Orion.

                  SELECT NetPerfMAC.MACAddress AS Wireless_Mac,
                         NetPerfMAC.CurrentChannel,
                         NetPerfMAC.SignalStrength,
                         NetPerfMAC.SSID,
                         NetPerfMAC.FirstUpdate,
                         NetPerfMAC.LastUpdate,
                         UDT_Endpoint.MACAddress AS UDT_MACAddress,
                         -- last octet of each MAC as an integer (hex text -> varbinary -> int), then the signed gap between them
                         CONVERT(INT, CONVERT(varbinary, '0x' + RIGHT(UDT_Endpoint.MACAddress, 2), 1))
                           - CONVERT(INT, CONVERT(varbinary, '0x' + RIGHT(NetPerfMAC.MACAddress, 2), 1)) AS Difference
                  FROM Wireless_Rogues AS NetPerfMAC
                       INNER JOIN UDT_Endpoint
                           ON LEFT(NetPerfMAC.MACAddress, 10) = LEFT(UDT_Endpoint.MACAddress, 10)
                  WHERE EXISTS
                        (SELECT MACAddress
                         FROM UDT_Endpoint AS UDT_Endpoint_1
                         WHERE LEFT(MACAddress, 10) = LEFT(NetPerfMAC.MACAddress, 10))
                  ORDER BY UDT_MACAddress
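The prefix-match and last-octet-difference logic from bhazelba's and wfriesn1's queries above, as an added Python example (not code from this thread or from SolarWinds) run over the rows bhazelba posted; the max_gap cut-off, the label names and the colon-separated sample MAC are my assumptions, since the thread sets no fixed threshold:

```python
import re

# Constructed sample input: the (UDT-side MAC, SSID, wireless-side MAC) rows quoted
# above, one duplicate printer row left in, plus one MAC rewritten with colons.
SAMPLE_ROWS = [
    ("00227541329A", "HDMD", "00227541329A"),
    ("300D438B50AE", "bubs", "300D438B50AC"),
    ("5820B15F8D19", "HP-Print-19-Officejet Pro 8620", "5820B15F8D27"),
    ("5820B15F8D19", "HP-Print-19-Officejet Pro 8620", "5820B15F8D27"),
    ("E0469A33FCC1", "Parainfluenza2", "E0469A33FCC2"),
    ("E8B4C8A9CE71", "Samsung Galaxy Grand Prime 1282", "E8B4C8A9CE6D"),
    ("FC15B4AA71D5", "HP-Print-D5-Officejet Pro 8600", "fc:15:b4:aa:71:d5"),
]
HEX12 = re.compile(r"^[0-9A-F]{12}$")

def normalise_mac(mac: str) -> str:
    """Drop ':', '-', '.' and upper-case, so prefix/suffix tests match LEFT()/RIGHT() on Orion's tables."""
    cleaned = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if not HEX12.match(cleaned):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return cleaned

def last_octet_gap(a: str, b: str) -> int:
    """Signed last-octet difference, what CONVERT(INT, CONVERT(varbinary, '0x' + RIGHT(mac, 2), 1)) yields."""
    return int(a[-2:], 16) - int(b[-2:], 16)

def classify(udt_mac: str, wireless_mac: str, max_gap: int = 2):
    """Apply the thread's heuristic to one MAC pair; max_gap is an assumed tunable cut-off."""
    u, w = normalise_mac(udt_mac), normalise_mac(wireless_mac)
    if u[:10] != w[:10]:
        return "unrelated", 0          # first five octets differ: not a candidate pair
    gap = last_octet_gap(u, w)
    if gap == 0:
        return "same-mac", 0           # one interface seen on both sides
    if abs(gap) <= max_gap:
        return "candidate-rogue", gap  # near-adjacent MACs: likely one box with radio + Ethernet
    return "investigate", gap          # same vendor block, further apart: look closer

def weekly_report(rows, max_gap: int = 2):
    """De-duplicate raw rows, keep prefix-matched pairs, sort by UDT MAC, like the weekly e-mail."""
    seen, out = set(), []
    for umac, ssid, wmac in rows:
        key = (normalise_mac(umac), normalise_mac(wmac))
        label, gap = classify(*key, max_gap)
        if key in seen or label == "unrelated":
            continue
        seen.add(key)
        out.append({"udt_mac": key[0], "ssid": ssid, "wireless_mac": key[1],
                    "gap": gap, "label": label})
    return sorted(out, key=lambda r: r["udt_mac"])
```

With max_gap=2 the Officejet pair (gap -14) lands in "investigate" even though bhazelba confirmed it was one printer, which is the point: the cut-off is a triage aid, and the UDT port search above is what settles each case.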