How about using AirPcap with Wireshark?
You could get RSSI for the rogue client - do you have access to the AP?
If so, you could create some shielding (foil), place it in quadrants around the AP antenna, and monitor the rogue client's RSSI rise/fall respectively.
Obviously this may impact other users connected to the AP…
I once tried sending the MAC info to local service centres (Sony, IBM, HP, Toshiba, etc.) in the hope that the suspect had sent his equipment in for warranty claims or repairs, and I was lucky: the service centre replied with his details. 😉
Sometimes this is how we attempt to track stolen laptops, but it's really a long shot. Laws in certain countries may forbid this?
I have a situation where someone in or near an apartment building is accessing an open WAP to do "bad" things. We have his MAC and can tell when he is logged on, but we want to locate him physically.
Any suggestions?
If you don't want to listen to the traffic
Investigate the area for microwave sources, preferably in the right part of the spectrum, when the perp is not active. Then repeat when he is. Repeat until the differences are accounted for.
But if you don't want to listen to the traffic, you may have difficulties distinguishing this traffic from other microwave sources.
And pure microwave triangulation is not trivial: you get signal bounces in a way you don't get with traditional radio signals. What at first looks like a sender to the north may turn out to be someone to the east, except that there's something blocking straight transmission, and you get a signal bounce to the north.
Smart-ID had (has?) a WiFi detector that actually was a 2.4 GHz microwave detector (called the WFS-1). It had some directional sensitivity, so it was possible to get a rough idea of the direction of the signal. And the visual feedback made it possible to distinguish between genuine WiFi signals and things like microwave ovens, which contain no signal at all. Cordless phones took a bit of experience. I remember detecting some type of Christmas decoration with it as well.
Of course, WiFi is not only 2.4 GHz these days, so you may have to decide what part of the spectrum you will be concentrating on. The AP configuration should tell you that.
There's also the Zap Checker (just Google). It's a very wide bandwidth receiver, though, and you essentially measure the amount of radiation in the entire spectrum of the device, and that may be a problem if you have other radio sources to cope with nearby. Some models come with directional antennas, which should help. It is not a device you can just turn on and use – it takes some testing and experience. But it could be used to measure the radio background when the perp is inactive and compare it with when he is active, I should imagine.
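Both the foil-in-quadrants suggestion earlier in the thread and the idle-versus-active sweep suggested in this post come down to the same arithmetic: compare readings taken under different conditions and trust a difference only when it is clearly larger than the normal jitter. The following is an added example, not code from anyone in this thread or from any of the tools mentioned. The capture format (foil position, source MAC, RSSI in dBm, one frame per line), the target MAC, and the detector readings are all constructed for illustration; a real run would feed it a per-frame RSSI export filtered on the rogue client's MAC, or the meter readings from a directional detector sweep.

```python
"""Added example: direction estimate from noisy RSSI / field-strength
readings, gated so that ordinary jitter and multipath ties return None."""
from statistics import median, pstdev

TARGET_MAC = "00:11:22:33:44:55"  # hypothetical rogue client MAC (constructed)

# Constructed per-frame export: "<foil position> <source MAC> <RSSI dBm>".
# "none" = antenna unshielded; N/E/S/W = side of the AP antenna the foil
# covered while those frames were captured. Format is an assumption, not
# the output of any particular tool.
SHIELDING_CAPTURE = """
none 00:11:22:33:44:55 -62
none 00:11:22:33:44:55 -63
none 00:11:22:33:44:55 -61
none 00:11:22:33:44:55 -64
none 00:11:22:33:44:55 -62
none aa:bb:cc:dd:ee:ff -48
N 00:11:22:33:44:55 -63
N 00:11:22:33:44:55 -62
N 00:11:22:33:44:55 -64
N 00:11:22:33:44:55 -63
N 00:11:22:33:44:55 -62
E 00:11:22:33:44:55 -75
E 00:11:22:33:44:55 -77
E 00:11:22:33:44:55 -74
E 00:11:22:33:44:55 -76
E 00:11:22:33:44:55 -78
E aa:bb:cc:dd:ee:ff -49
S 00:11:22:33:44:55 -64
S 00:11:22:33:44:55 -63
S 00:11:22:33:44:55 -65
S 00:11:22:33:44:55 -62
S 00:11:22:33:44:55 -63
W 00:11:22:33:44:55 -66
W 00:11:22:33:44:55 -67
W 00:11:22:33:44:55 -65
W 00:11:22:33:44:55 -66
W 00:11:22:33:44:55 -68
"""

# Constructed broadband-detector sweep (arbitrary meter units), bearing ->
# readings, once with the client idle and once while it is active.
IDLE_SWEEP = {"N": [12, 13, 12, 14, 12], "E": [20, 21, 19, 20, 22],
              "S": [9, 10, 9, 9, 11], "W": [15, 14, 16, 15, 15]}
ACTIVE_SWEEP = {"N": [13, 12, 14, 13, 12], "E": [21, 20, 22, 21, 20],
                "S": [10, 9, 10, 11, 9], "W": [31, 30, 33, 32, 31]}


def parse_capture(text):
    """Parse the constructed export into (position, mac, rssi) tuples."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        pos, mac, rssi = parts
        rows.append((pos, mac.lower(), int(rssi)))
    return rows


def median_by_key(rows, mac, min_samples=5):
    """Median RSSI per foil position for frames from `mac`. Medians blunt
    the bursty outliers multipath produces; positions with too few frames
    are dropped rather than trusted."""
    buckets = {}
    for pos, m, rssi in rows:
        if m == mac.lower():
            buckets.setdefault(pos, []).append(rssi)
    return {p: median(v) for p, v in buckets.items() if len(v) >= min_samples}


def pick_outlier(deltas, noise_db, floor_db=6.0):
    """Key with the largest change, but only if it clears the noise margin
    and beats the runner-up by the same margin; otherwise None."""
    margin = max(floor_db, 3 * noise_db)
    ranked = sorted(deltas.items(), key=lambda kv: kv[1], reverse=True)
    if not ranked or ranked[0][1] < margin:
        return None
    if len(ranked) > 1 and ranked[0][1] - ranked[1][1] < margin:
        return None  # two bearings tied: likely a bounce, re-measure
    return ranked[0][0]


def direction_from_shielding(text, mac):
    """Side of the AP whose foil caused the biggest RSSI drop for `mac`."""
    rows = parse_capture(text)
    meds = median_by_key(rows, mac)
    if "none" not in meds:
        return None
    baseline = [r for p, m, r in rows if p == "none" and m == mac.lower()]
    drops = {p: meds["none"] - v for p, v in meds.items() if p != "none"}
    return pick_outlier(drops, pstdev(baseline))


def direction_from_sweep(idle, active):
    """Bearing with the largest rise when the client becomes active,
    gated by the spread of the idle readings."""
    rises = {b: median(active[b]) - median(idle[b]) for b in idle if b in active}
    noise = max(pstdev(v) for v in idle.values())
    return pick_outlier(rises, noise)


if __name__ == "__main__":
    print(direction_from_shielding(SHIELDING_CAPTURE, TARGET_MAC))  # E
    print(direction_from_sweep(IDLE_SWEEP, ACTIVE_SWEEP))           # W
```

The gating in `pick_outlier` is the part worth keeping: a single quadrant that is a few dB quieter, or two bearings that both rise when the client comes on, is exactly what the bounce problem described above looks like in the data, and the honest answer in that case is "move and measure again", not a bearing.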
Hi,
SecurityStartsHere.org, the people behind the free OSWA wireless auditing Linux distro, have a 15-minute video demonstrating their rogue-client "MoocherHunter" software: http//
Brad Haines, aka Renderman, produced some good kit for the DEF CON 12 RunningMan contest. Story and pics at http//
My Zaurus running Kismet with an optional 14 dB backfire antenna is more discreet, but has really poor battery life when searching. Tip: always carry at least one spare battery in the field…
Great post Alice.
Worth checking your h/w compatibility, but it might still work even if yours isn't listed
http//
Hi sgrills,
FYI, my Zaurus 5500 is a Sharp handheld PDA that runs Linux. It is hugely dated now but works okay if regularly fed batteries. Most people think it's some exotic games console or a museum-piece MP3 player. We regularly use older laptop kit when WiFi auditing because Linux drivers are available and the kernels are stable on that build. Of course, if you are going for traffic capture, speed matters.
As for antennae, the backfire looks like a small cake tin, we had a biquad that fits in a lunch box, and somewhat larger gear like the tripod-mounted 24 dB Yagi with spotter scope and laser pointer. On a good day we look like a TV licence detector van.
Even with dayglo safety vests, safety barriers and a large "surveying" sign up, some bozo ^h^h^h well-meaning citizen always calls the feds. I'm glad Section 44 of the Terrorism Act 2000 (officers can stop and search anyone in a designated area without having to show reasonable suspicion) is finally up for review… Strange how the good guys'n'gals always get hassled but the naughty people are invisible?
There was a presentation and video by Ricky Hill at DEF CON 15, "GeoLocation of Wireless Access Points and Wireless GeoCaching": http//
There is another demo based on Lego Mindstorms for 360° and limited vertical scanning too: http//
Surveying is more complicated in urban areas due to multipath and AP density compared to the open spaces around airfields and airports, but one would hope those systems are already secured, lol.
my 2p from a past life