Kismet Wireless

Kismet Forums


Posted by: kismetninja
Subject: Rogue Access Point Detection
Date: 01:54:09 31/01/2013

Thank you dragorn for the lightning quick response :-)
> The problem you have with an overlay ids (like kismet, and commercial offerings) unfortunately is knowing exactly what APs are legitimate and what ones aren't, as you say.
> There is some filtering built into Kismet, though it is fairly basic - you can set regex for SSIDs and a list of BSSIDs, but those can be spoofed, too.

The apspoof feature, I assume. I have it configured.

> You can't just compare the CAM tables - the mac address of the radio is not the same as the mac address of the ethernet NIC in the AP, so you can't know what radio is linked to what port.

Got it. Thank you.

> You CAN (and commercial wids with a wired component do) inject broadcast frames and look for them coming out of APs - then you know they're on your broadcast domain and are unauthorized.

When I inject broadcast frames, what exactly should I be looking for?

Commercial wids apparently have signatures of different AP beacons which we do not have

> You can also try to build knowledge of currently deployed APs and their locations, then look for outliers in signal strength that indicate they aren't where they should be. In general signal strength in rfmon is pretty bogus, but it's usually at least internally consistent (-20 is better than -50, even if the signal is really -80)

Will look into this as well. Thanks.

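The broadcast-probe correlation dragorn describes, as an added example (not part of this thread and not Kismet's own code): tag a wired broadcast frame with a nonce, then look for that nonce inside FromDS 802.11 data frames captured in monitor mode and compare the emitting BSSID against an allowlist. The ethertype, marker string, MAC addresses and the sample capture are constructed assumptions.

```python
"""Correlate a wired broadcast probe with 802.11 frames seen in monitor mode."""
import struct

PROBE_ETHERTYPE = 0x88B5      # assumption: IEEE 802 "local experimental" ethertype used to tag probes
PROBE_MAGIC = b"KISMETPROBE"  # assumption: arbitrary marker placed in front of the nonce

def build_wired_probe(src_mac: bytes, nonce: bytes) -> bytes:
    """Ethernet broadcast frame to send on the wired LAN (dst ff:ff:ff:ff:ff:ff)."""
    return b"\xff" * 6 + src_mac + struct.pack("!H", PROBE_ETHERTYPE) + PROBE_MAGIC + nonce

def parse_dot11_data(frame: bytes):
    """Return (bssid, ethertype, payload) for a FromDS=1/ToDS=0 data frame, else None."""
    if len(frame) < 32:
        return None
    fc, flags = frame[0], frame[1]
    if (fc >> 2) & 0x3 != 2 or not (flags & 0x02) or flags & 0x01:
        return None                      # not a data frame, or not AP->STA direction
    bssid = frame[10:16]                 # FromDS=1/ToDS=0: addr1=DA, addr2=BSSID, addr3=SA
    body = frame[26:] if fc & 0x80 else frame[24:]   # QoS-data subtype adds 2 header bytes
    if len(body) < 8 or body[:3] != b"\xaa\xaa\x03":
        return None                      # expect LLC/SNAP encapsulation of the bridged frame
    return bssid, struct.unpack("!H", body[6:8])[0], body[8:]

def find_relaying_bssids(frames, nonce: bytes, authorized) -> dict:
    """Map each BSSID that re-emitted our probe to 'authorized' or 'unauthorized'."""
    result = {}
    for frame in frames:
        parsed = parse_dot11_data(frame)
        if parsed and parsed[1] == PROBE_ETHERTYPE and parsed[2] == PROBE_MAGIC + nonce:
            result[parsed[0].hex(":")] = "authorized" if parsed[0] in authorized else "unauthorized"
    return result

# --- constructed sample capture (not real traffic) ---
def make_dot11_fromds(bssid: bytes, sa: bytes, ethertype: int, payload: bytes) -> bytes:
    """Build the 802.11 data frame an AP emits when it bridges a wired broadcast to the air."""
    hdr = b"\x08\x02\x00\x00" + b"\xff" * 6 + bssid + sa + b"\x00\x00"
    return hdr + b"\xaa\xaa\x03\x00\x00\x00" + struct.pack("!H", ethertype) + payload

NONCE = bytes.fromhex("0011223344556677")          # constructed; use os.urandom(8) per probe live
AUTHORIZED = {bytes.fromhex("001122aabbcc")}       # constructed allowlist of known AP radios
WIRED_SRC = bytes.fromhex("020000000001")          # constructed MAC of the probing host
SAMPLE_FRAMES = [
    make_dot11_fromds(bytes.fromhex("001122aabbcc"), WIRED_SRC, PROBE_ETHERTYPE, PROBE_MAGIC + NONCE),
    make_dot11_fromds(bytes.fromhex("deadbeef0001"), WIRED_SRC, PROBE_ETHERTYPE, PROBE_MAGIC + NONCE),
    make_dot11_fromds(bytes.fromhex("deadbeef0002"), WIRED_SRC, 0x0800, b"\x45" * 20),  # unrelated
]

if __name__ == "__main__":
    print(find_relaying_bssids(SAMPLE_FRAMES, NONCE, AUTHORIZED))
```

An AP that relays the nonce but is not in the allowlist is bridged onto your broadcast domain without being known to you, which is the condition dragorn describes; a BSSID that never relays the probe is either not on your wire or is not bridging that segment.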