Kismet Wireless

Kismet Forums


Posted by:dragorn
Subject:Rogue Access Point Detection
Date:15:23:30 29/01/2013

> Good Day,
> I'm trying to build a wireless intrusion detection system using Kismet to detect rogue access points that are connected to our corporate LAN.
> The problem that I'm trying to solve is how Kismet would differentiate a rogue access point connected to the corporate LAN from the non-connected access points. Is there a feature of Kismet that would solve this?
> So far, a viable option would be to get the CAM table of the switches via SNMP and compare the BSSID of the potential rogue access point. If it matches, then we know the rogue access point is connected to the LAN. We can then shut down the port it is connected to.
> I'm interested in whether there are other approaches to detecting the access point in this scenario.

The problem you have with an overlay IDS (like Kismet, and commercial offerings) unfortunately is knowing exactly what APs are legitimate and which ones aren't, as you say.

There is some filtering built into Kismet, though it is fairly basic - you can set regex for SSIDs and a list of BSSIDs, but those can be spoofed, too.

You can't just compare the CAM tables - the mac address of the radio is not the same as the mac address of the ethernet NIC in the AP, so you can't know what radio is linked to what port.

You CAN (and commercial WIDS with a wired component do) inject broadcast frames and look for them coming out of APs - then you know they're on your broadcast domain and are unauthorized.

You can also try to build knowledge of currently deployed APs and their locations, then look for outliers in signal strength that indicate they aren't where they should be. In general signal strength in rfmon is pretty bogus, but it's usually at least internally consistent (-20 is better than -50, even if the signal is really -80).

Reply to this message
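The broadcast-injection check dragorn describes, as an added example that is not part of the original thread or of Kismet: the wired side sends a broadcast frame carrying a random nonce, and any BSSID observed relaying that nonce over the air (AP to station, destination broadcast) is on our broadcast domain. The `WifiFrame` records and the capture below are constructed stand-ins for parsed 802.11 data frames, and the authorized BSSID list is assumed.

```python
"""Correlate a wired-side broadcast probe with wireless captures.

Added example, not Kismet code. Frames are constructed dictionaries
standing in for 802.11 data frames already parsed out of a capture.
"""
import os
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class WifiFrame:
    bssid: str
    src: str        # transmitter address
    dst: str        # receiver address
    from_ds: bool   # True when the AP forwards from the wired side to the air
    payload: bytes  # frame body after the 802.11 header


def make_probe_nonce() -> bytes:
    """Random marker to embed in the wired broadcast so replies are unambiguous."""
    return os.urandom(16)


def bridged_bssids(frames, nonce: bytes) -> set:
    """BSSIDs that relayed the nonce as a from-DS broadcast: they bridge our LAN."""
    return {f.bssid for f in frames
            if f.from_ds and f.dst == BROADCAST and nonce in f.payload}


def classify(frames, nonce: bytes, authorized: set) -> dict:
    """Split bridged BSSIDs into authorized APs and rogues on the LAN."""
    bridged = bridged_bssids(frames, nonce)
    return {"rogue_on_lan": sorted(bridged - authorized),
            "authorized_on_lan": sorted(bridged & authorized)}


# Constructed sample: one nonce sent on the wire, three APs seen in rfmon.
NONCE = bytes.fromhex("00112233445566778899aabbccddeeff")
AUTHORIZED = {"00:11:22:33:44:55"}
CAPTURE = [
    WifiFrame("00:11:22:33:44:55", "00:11:22:33:44:55", BROADCAST, True, b"arp" + NONCE),  # corporate AP
    WifiFrame("de:ad:be:ef:00:01", "de:ad:be:ef:00:01", BROADCAST, True, b"arp" + NONCE),  # rogue bridged AP
    WifiFrame("ca:fe:00:00:00:02", "ca:fe:00:00:00:02", BROADCAST, True, b"beacon-data"),  # neighbour, no nonce
    WifiFrame("de:ad:be:ef:00:01", "aa:bb:cc:dd:ee:01", "de:ad:be:ef:00:01", False, NONCE),  # to-DS, ignored
]

if __name__ == "__main__":
    print(classify(CAPTURE, NONCE, AUTHORIZED))
```

A station echoing the nonce towards an AP (the to-DS frame above) is deliberately ignored, since only AP-to-air forwarding proves the AP's wired side sits on our broadcast domain.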