Posted by: argh
Subject: Locating Rogue Wireless Access Points in Your Office
Date: 06:36:12 05/12/2007

Kismet can certainly be a part of this, but it may take more than a laptop and Kismet. You are talking about close-range direction finding (DF), and it can involve several things. Often for traditional Kismet use, you want a gain antenna to multiply weak signals. For close-range DF, you do _not_ want any gain at all, but you want directionality. Building a system to pinpoint rogue APs from afar will not work; you will need it to be mobile. A possible exception could be a lot of Kismet drones around the office, but that is probably beyond the scope of this.

Often a loop antenna is what is good for DF. It is basically a circle antenna, built to more or less correct size for the frequency you are using. More basic info on the antenna type here:

For stalking the cubes, you can be hard pressed to figure out which cube it is if they are all pegging the meter on signal strength. Covering a PCMCIA wifi card's antenna with your hand for attenuation could perhaps help here. Unlike nearly all directional antennas, a loop is used in its null mode, or where the signal is weakest. The null mode can provide a much sharper indication of direction, often +/- 5 degrees. To help, a step attenuator (an inline box with a series of switches with incremental 'signal degradation') is often needed.

Kismet can be a valuable part of this, because a loop antenna is often not properly tuned for transmitting. Kismet does not transmit, as it is passive. Active wardriving/wifi enumeration programs will _not work well_ with a loop unless it is properly tuned for impedance and SWR at the correct frequency.

Kismet has DF abilities, but it depends on a clear GPS signal, which you may not get inside a large office. Basic signal strength can also be measured with but it can be confused if there are several local APs.

All said and done, carrying a big (or small) armload of stuff like this through a big office can easily scare off the rogue AP before you get there. It's not very stealthy, unless you disguise it on a cart, all covered up with cloth or something transparent to RF. You would still have a problem getting a reliable GPS signal.

Kismet will easily tell you (from afar) what the rogue AP's MAC address is, without you needing to stand in front of his/her desk pointing a finger. It may be a lot easier to use the MAC address to find out what port of a switch it is plugged into, and if the network is diagrammed at all, that should tell you what jack it is. Go to that jack (or the desks that are nearby), and start pointing fingers....
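The wired-side lookup in the last paragraph, as an added example that is not part of the post above: take the BSSID Kismet reported, parse a switch's MAC address table, and rank ports by how close their learned MAC is to the BSSID. The `show mac address-table` text, the port-to-jack map and the BSSID are all constructed here; the tolerance for near-miss MACs rests on the assumption (mine, not the poster's) that many APs derive the radio BSSID from their wired MAC by a small offset, so an exact match is not guaranteed.

```python
"""Map a rogue AP's BSSID (as Kismet reports it) to a switch port and jack.

Added example, not from the original post. The switch output, jack map and
BSSID below are constructed; the 'nearby MAC' heuristic is an assumption.
"""
import re

# Constructed sample of Cisco IOS 'show mac address-table' output.
SAMPLE_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi1/0/12
  10    0011.2233.4456    DYNAMIC     Gi1/0/12
  20    00aa.bbcc.dd01    DYNAMIC     Gi1/0/3
  20    0cc4.7a12.3456    DYNAMIC     Gi1/0/7
Total Mac Addresses for this criterion: 4
"""

# Constructed port-to-jack map, the kind of thing a network diagram gives you.
PORT_TO_JACK = {
    "Gi1/0/12": "jack 4B-17 (east wing cubes)",
    "Gi1/0/3": "jack 2A-03 (print room)",
}

_ROW = re.compile(r"^\s*(\d+)\s+([0-9a-fA-F.:-]{12,17})\s+\S+\s+(\S+)\s*$")


def normalize_mac(mac):
    """Return a MAC as 12 lowercase hex digits.

    Accepts Kismet's 00:11:22:33:44:55, Windows-style 00-11-22-33-44-55
    and Cisco's 0011.2233.4455.
    """
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % (mac,))
    return digits


def parse_mac_table(text):
    """Parse IOS-style MAC table output into (vlan, mac, port) tuples.

    Header, separator and 'Total ...' lines do not start with a VLAN number
    and are skipped by the regex.
    """
    entries = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            entries.append((int(m.group(1)), normalize_mac(m.group(2)), m.group(3)))
    return entries


def locally_administered(bssid):
    """True if the locally-administered bit of the first octet is set.

    Virtual or randomized BSSIDs often have it set, which makes the
    'wired MAC plus small offset' heuristic below less trustworthy.
    """
    return bool(int(normalize_mac(bssid)[:2], 16) & 0x02)


def find_candidate_ports(bssid, entries, max_offset=16):
    """Rank switch-table entries whose MAC is within max_offset of the BSSID.

    Offset 0 is an exact match. Assumption: many APs use their wired MAC
    plus a small offset as the radio BSSID, so near misses are worth a look.
    Returned list is sorted with the closest MAC first.
    """
    target = int(normalize_mac(bssid), 16)
    hits = []
    for vlan, mac, port in entries:
        offset = abs(int(mac, 16) - target)
        if offset <= max_offset:
            hits.append({
                "offset": offset,
                "vlan": vlan,
                "mac": mac,
                "port": port,
                "jack": PORT_TO_JACK.get(port, "port not on the diagram"),
            })
    hits.sort(key=lambda h: h["offset"])
    return hits


if __name__ == "__main__":
    rogue_bssid = "00:11:22:33:44:57"  # constructed; what Kismet would show
    table = parse_mac_table(SAMPLE_MAC_TABLE)
    if locally_administered(rogue_bssid):
        print("warning: locally administered BSSID, offset heuristic is weak")
    for hit in find_candidate_ports(rogue_bssid, table):
        print("offset %2d  vlan %-3d  %s  %-9s  %s" % (
            hit["offset"], hit["vlan"], hit["mac"], hit["port"], hit["jack"]))
```

Feed it a real table dump (or SNMP `dot1dTpFdbTable` data converted to the same shape) and walk to the jack it names; if every candidate sits on an uplink or trunk port, repeat on the downstream switch rather than trusting the first hit.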

