The explosion of wireless technology into the hands of end users is one of the biggest challenges facing security officers and network administrators. With their transparent bridging, today’s wireless access points are easy to set up, but they’re even easier to misconfigure, leaving your network vulnerable to hackers.

You need a way to detect any unauthorized wireless access points on your network. In this Daily Drill Down, I’ll show you how to search for and identify rogue access points using NetStumbler on a laptop and the associated Pocket PC program MiniStumbler. I’ll also show you how to map the results using a GPS receiver and a mapping program like MapPoint.

Location mechanisms
There are two basic approaches for locating rogue access points: beaconing (requesting a beacon) and network sniffing (looking for packets in the air). Each relies on a different feature of the IEEE 802.11b wireless standard to discover access points, and the weaknesses they create, on your network. Let’s look at each in a little detail.

Requesting a beacon
The IEEE’s 802.11b standard is designed to enable a wireless device to see the SSIDs (Service Set Identifiers) used by nearby wireless access points. When the wireless device sees the SSID, it can configure itself to connect to the wireless network. To make this work, an 802.11b-compliant network card transmits a packet—a beacon—that causes all of the access points in the vicinity to announce their availability.

This is an effective method because it doesn’t require any current traffic. The problem with this mechanism is that the access point must be configured to respond to these beacon requests. Most “enterprise class” access points let you turn this setting off. Because of this, the beaconing mechanism isn’t completely effective at finding all wireless access points. However, some users may not be aware that they should disable this feature when they deploy their wireless access points. In addition, inexpensive wireless access points intended for home use don’t normally allow you to disable the beaconing mechanism. Unfortunately, because they’re inexpensive, they are the type of device most likely to be smuggled in and connected to your network without your knowledge.

Sniffing the air
“Sniffing” is another mechanism for detecting a wireless network’s presence. It involves turning on the receiver on the wireless card and allowing the receiver to passively capture packets out of the air. When the receiver finds information that looks like a packet, it can record the information, allowing the hacker to deconstruct the packets. Using the deconstructed information, the hacker can find a way to access your network.

The problem with the sniffing mechanism is that currently you must select a specific channel to monitor. Given that 802.11b can operate on 12 channels, it’s difficult to constantly switch between channels to monitor packets. So it’s technically feasible to detect an access point by sniffing traffic, but it’s impractical at present.

Another problem with sniffing is that there must be traffic on the network for this method to work. If no one is using the rogue access point, there’s no traffic to monitor. The access point could be sitting right next to you, but if it’s not in use, your monitor will never find it.

Despite these limitations, sniffing wireless packets is a useful way to determine who’s using the wireless access point after it’s been identified. The process used by NetStumbler and MiniStumbler, requesting beacons, will return the channel information that you can use later to sniff the network.
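To make the two mechanisms concrete from the defender's side, here is an added example (not NetStumbler code, and not from the article) that parses the frames an access point puts on the air: its periodic beacons and the responses it sends when asked to announce itself (probe responses, in 802.11 terms). It records, per BSSID, the SSID, the channel carried in the DS Parameter Set element, and whether the SSID was hidden. It shows the caveat from the previous section in practice: an access point set not to broadcast its name still beacons, so its BSSID and channel are visible to a passive listener even when the name is not. The sample frames, BSSIDs and SSIDs are constructed for this example; the element tags and header layout are those of the 802.11 standard.

```python
"""Passive 802.11 management-frame inventory.

Added example, not NetStumbler code. It parses beacon and probe-response
frames (raw 802.11 header, no radiotap) and records, per BSSID, the SSID,
the channel from the DS Parameter Set element, and whether the SSID was
hidden. The sample frames below are constructed for illustration.
"""
import struct

MGMT_TYPE = 0
BEACON = 8          # management subtype 8
PROBE_RESPONSE = 5  # management subtype 5

def mac_str(raw):
    """Render six address bytes as colon-separated hex."""
    return ":".join(f"{b:02x}" for b in raw)

def build_mgmt_frame(subtype, bssid, ssid, channel):
    """Construct a minimal beacon/probe-response frame for the sample set."""
    frame_control = bytes([(subtype << 4) | (MGMT_TYPE << 2), 0x00])
    header = (frame_control + b"\x00\x00"        # duration
              + b"\xff" * 6                       # addr1: broadcast DA
              + bssid + bssid                     # addr2: SA, addr3: BSSID
              + b"\x00\x00")                      # sequence control
    fixed = struct.pack("<QHH", 0, 100, 0x0411)   # timestamp, interval, capability
    elements = bytes([0, len(ssid)]) + ssid       # element 0: SSID (empty if hidden)
    elements += bytes([1, 1, 0x82])               # element 1: supported rates
    elements += bytes([3, 1, channel])            # element 3: DS parameter set
    return header + fixed + elements

def parse_mgmt_frame(data):
    """Return the fields a defender cares about, or None for other frames."""
    if len(data) < 36:                            # 24-byte header + 12 fixed bytes
        return None
    fc0 = data[0]
    if (fc0 >> 2) & 0x3 != MGMT_TYPE:
        return None
    subtype = (fc0 >> 4) & 0xF
    if subtype not in (BEACON, PROBE_RESPONSE):
        return None
    info = {"bssid": mac_str(data[16:22]),
            "kind": "beacon" if subtype == BEACON else "probe-response",
            "ssid": None, "hidden": False, "channel": None}
    pos = 36
    while pos + 2 <= len(data):                   # walk the tagged elements
        tag, length = data[pos], data[pos + 1]
        value = data[pos + 2:pos + 2 + length]
        if len(value) < length:
            break                                 # truncated element: keep what we have
        if tag == 0:
            # A zero-length or all-NUL SSID is how "do not broadcast SSID" looks on the air.
            if length == 0 or value == b"\x00" * length:
                info["hidden"] = True
            else:
                info["ssid"] = value.decode("utf-8", "replace")
        elif tag == 3 and length == 1:
            info["channel"] = value[0]
        pos += 2 + length
    return info

def inventory(frames):
    """Aggregate parsed frames per BSSID; a probe response can name a hidden SSID."""
    seen = {}
    for raw in frames:
        parsed = parse_mgmt_frame(raw)
        if parsed is None:
            continue
        entry = seen.setdefault(parsed["bssid"],
                                {"ssid": None, "hidden": False, "channel": None, "frames": 0})
        entry["frames"] += 1
        entry["hidden"] = entry["hidden"] or parsed["hidden"]
        if parsed["ssid"] is not None:
            entry["ssid"] = parsed["ssid"]
        if parsed["channel"] is not None:
            entry["channel"] = parsed["channel"]
    return seen

# Constructed sample: a "hidden" corporate AP that still beacons, the probe response
# that reveals its name, a home-class AP on channel 6, and one data frame to ignore.
CORP_BSSID = bytes.fromhex("001122334455")
HOME_BSSID = bytes.fromhex("00022daabbcc")
SAMPLE_FRAMES = [
    build_mgmt_frame(BEACON, CORP_BSSID, b"", 11),
    build_mgmt_frame(PROBE_RESPONSE, CORP_BSSID, b"corp-wlan", 11),
    build_mgmt_frame(BEACON, HOME_BSSID, b"linksys", 6),
    b"\x08\x00" + b"\x00" * 40,
]

if __name__ == "__main__":
    for bssid, entry in inventory(SAMPLE_FRAMES).items():
        print(bssid, entry)
```

The parser deliberately stops at a truncated element rather than raising, because frames captured at the edge of range are often cut short; an inventory keyed by BSSID survives that, and the channel it records is what you would later use to sniff that access point's traffic.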

The biggest threat
For the purposes of this Daily Drill Down, I’ll focus on requesting that the access point transmit a beacon frame. You can use this method whether or not there is active traffic on the network. This means you can make your sweep through a building or a campus during a weekend, when users of rogue access points are less likely to be present. Intruders are likely to use this same method because it lets them look for access points when no one is around. So requesting beacons gives you the added benefit of evaluating your network’s security using the same tactics as a potential attacker.

Choose your weapon
Two very useful tools for finding rogue wireless access points are NetStumbler and MiniStumbler. To run NetStumbler, you’ll need at least a notebook and a wireless LAN card that the software supports. There’s a list of supported cards available at the NetStumbler Web site. You’ll also need a GPS capable of connecting to the notebook if you want to log and map your results.

Alternatively you can run a smaller version of NetStumbler called MiniStumbler. MiniStumbler runs on a Microsoft Pocket PC device, such as the Compaq iPAQ. All you need is a Pocket PC device and a wireless LAN card that is supported by MiniStumbler. As with NetStumbler, if you want to log the signal’s location, you’ll need a GPS that you can connect to your Pocket PC.

MiniStumbler is much more useful than NetStumbler for zooming in on rogue access points. Because a Pocket PC can fit in the palm of your hand, it has a natural advantage over a bulky notebook. You can use the signal strength displayed on the Pocket PC, just like a minesweeper might use a metal detector, to home in on rogue ports.

Installing NetStumbler and MiniStumbler
Installing NetStumbler is simple. You need only download the ZIP file from the NetStumbler Web site and unpack it into a directory. There’s no installation program and no manual settings. NetStumbler just starts running when you double-click on the executable file. You will, however, need to make sure you’ve loaded the wireless network card drivers for your wireless LAN card. You’ll have to create your own menu shortcut for NetStumbler or run it from the directory that you extracted it to.

To install MiniStumbler on your Pocket PC, make sure that your Pocket PC is docked. Download MiniStumbler from the NetStumbler Web site to the computer you’ve docked your Pocket PC to. Extract the downloaded executable to a temporary directory, and then use the Mobile Device folder in My Computer to move the file to the Pocket PC. Once MiniStumbler is on the Pocket PC, you can use File Explorer to launch MiniStumbler.

Running NetStumbler
By default, NetStumbler immediately starts scanning for beacons when you launch it. When NetStumbler starts, it creates a new file with the year, month, day, and 24-hour time listed serially without delimiters. For instance, if it’s April 21, 2002 at 3:15 P.M., it will create a file called 200204211515. You can use this filename convention to help find data files created over the course of days or years.

Figure A shows the NetStumbler screen immediately after startup. As you can see at the bottom of the screen, this example workstation doesn’t have an installed wireless card. I’ve intentionally not inserted the LAN card so you can see an empty list.

Figure A
NetStumbler starts up ready to scan.

Connecting a GPS receiver
If you plan to connect a GPS to NetStumbler, you’ll need to change the GPS options. To do so, click Options | GPS | Port. When the Port window appears, you should select one of the available COM ports. The protocol defaults to the NMEA protocol, which most GPS receivers can output. The speed defaults to the NMEA standard rate of 4800 bps. The Garmin GPS III receiver that I used connected flawlessly. Of course, I had previously set the GPS receiver to the NMEA protocol.
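What the GPS actually sends over that COM port at 4800 bps is a stream of NMEA 0183 text sentences. The following added example (not NetStumbler code, and not from the article) shows the checks a program consuming that feed should make before trusting a position: verify the XOR checksum, reject sentences in which the receiver reports no valid fix, and convert the ddmm.mmmm fields to signed decimal degrees. The $GPRMC sentences are constructed samples; the checksum rule and field order are those of the NMEA 0183 RMC sentence.

```python
"""NMEA 0183 sentence checks for a GPS feed.

Added example, not NetStumbler code. A receiver set to NMEA output at
4800 bps 8N1 emits lines like the constructed $GPRMC sentence below; this
verifies the XOR checksum, rejects sentences without a valid fix, and
converts ddmm.mmmm fields to signed decimal degrees for mapping.
"""

def nmea_checksum(body):
    """XOR of every byte between '$' and '*', as NMEA 0183 defines it."""
    cs = 0
    for byte in body.encode("ascii"):
        cs ^= byte
    return cs

def dm_to_decimal(field, hemisphere):
    """'3946.1234' (ddmm.mmmm) -> 39.768723; 'S' and 'W' become negative."""
    dot = field.index(".")
    degrees = int(field[:dot - 2])
    minutes = float(field[dot - 2:])
    value = degrees + minutes / 60.0
    return -value if hemisphere in ("S", "W") else value

def parse_gprmc(sentence):
    """Return {'time_utc', 'date', 'lat', 'lon'} or None if the sentence is unusable."""
    sentence = sentence.strip()
    if not sentence.startswith("$") or "*" not in sentence:
        return None
    body, _, given = sentence[1:].partition("*")
    if len(given) < 2 or nmea_checksum(body) != int(given[:2], 16):
        return None                         # corrupted on the serial line
    parts = body.split(",")
    if parts[0] not in ("GPRMC", "GNRMC") or len(parts) < 10:
        return None
    if parts[2] != "A":
        return None                         # 'V': receiver has no valid fix yet
    return {"time_utc": parts[1], "date": parts[9],
            "lat": dm_to_decimal(parts[3], parts[4]),
            "lon": dm_to_decimal(parts[5], parts[6])}

def _sentence(body):
    """Build a sentence with a correct checksum for the constructed samples."""
    return f"${body}*{nmea_checksum(body):02X}"

# Constructed samples: a good fix, the same fix corrupted by one digit, and a no-fix sentence.
GOOD_FIX = _sentence("GPRMC,151522,A,3946.1234,N,08609.5678,W,0.0,0.0,210402,,")
CORRUPTED = GOOD_FIX.replace("3946.1234", "3947.1234")
NO_FIX = _sentence("GPRMC,151522,V,,,,,,,210402,,")

if __name__ == "__main__":
    for s in (GOOD_FIX, CORRUPTED, NO_FIX):
        print(s, "->", parse_gprmc(s))
```

Feed `parse_gprmc` each line read from the serial port (4800 baud, 8 data bits, no parity, 1 stop bit) and discard the `None` results; a logger that stamps access points with the last position regardless of fix status will silently place everything found before the receiver locked on at a stale or zero coordinate.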

Saving sessions
It’s unlikely that you’ll only use NetStumbler to find rogue access points in a single day. Before you shut down NetStumbler, you should save the session with the Save command on the file menu. Or, if you prefer, you can autosave the file by selecting the Options menu and then selecting AutoSave. A check mark will appear to the left of the entry when it’s selected.

After you’ve saved a few files, you’ll want to put them together. You can merge existing data into the current file by selecting File and then Merge.

MiniStumbler is very similar in its options and how it works. You run the program, set the GPS information, and go. MiniStumbler doesn’t have all of the features that NetStumbler has, but it does a splendid job of capturing access points, signal strengths, and locations that you can then move to the PC and merge together with NetStumbler.

Working with the results
When you run NetStumbler, all you wind up with is a list of access points and their locations. The real fun is taking those access points and mapping them. Start by making sure you’ve merged all of your NetStumbler files together into one large file, as described above.

Figure B shows a partial listing of the access points that I detected in the Indianapolis area.

Figure B
Some wireless access points found by MiniStumbler, shown in NetStumbler

The next step is to convert the data in NetStumbler into a format that you can map. The conversion process takes two steps. The first is to export the data from NetStumbler by selecting File | Export | Summary and saving the export file to your system. Next, connect to the NetStumbler Web site and select the option for MapPoint Converter. This brings you to a Web page that translates the summary file into a series of rows that you can then use to create a map using Microsoft MapPoint.

Unfortunately, you can’t read this file directly into MapPoint. You must first copy the results of the script into an Excel workbook. Once you’ve saved the Excel workbook, you can import the data into MapPoint. The results may look something like Figure C.

Figure C
Some Indianapolis Wireless LANs mapped
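The Web converter and the Excel step can be replaced by a small script, which also lets you do the one thing a map alone does not: mark which of the detected access points you actually own. The following is an added example, not NetStumbler code and not the NetStumbler site's converter. The tab-separated field layout it reads (comment lines starting with `#`, then latitude, longitude, SSID in parentheses, type, BSSID in parentheses, time, signal triple, name, flags and a hex channel bitmap) is an assumption approximating the summary export and should be checked against a real file; the sample text, BSSIDs and the authorized list are constructed for the example.

```python
"""Convert a NetStumbler-style summary export into mappable rows.

Added example, not NetStumbler code. The tab-separated layout below is an
assumption approximating the File | Export | Summary file; adjust the field
indexes if your export differs. Output is CSV that Excel and MapPoint can
import, with a Status column that compares each BSSID to a list of
access points you know you deployed.
"""
import csv
import io

# Constructed sample in the assumed summary layout (tabs separate the fields).
SAMPLE_SUMMARY = """# $Creator: Network Stumbler (constructed sample)
# $Format: wi-scan summary with extensions
# Latitude\tLongitude\t( SSID )\tType\t( BSSID )\tTime (GMT)\t[ SNR Sig Noise ]\t# ( Name )\tFlags\tChannelbits\tBcnIntvl
N 39.7687233\tW 86.1594633\t( corp-wlan )\tBBS\t( 00:02:2d:aa:bb:cc )\t15:15:22 (GMT)\t[ 26 72 46 ]\t# (  )\t0011\t0800\t100
N 39.7690010\tW 86.1601200\t( linksys )\tBBS\t( 00:06:25:11:22:33 )\t15:17:04 (GMT)\t[ 18 64 46 ]\t# (  )\t0001\t0040\t100
"""

# Constructed list of BSSIDs the network team deployed on purpose.
AUTHORIZED_BSSIDS = {"00:02:2d:aa:bb:cc"}

def parse_coord(field):
    """'N 39.7687233' -> 39.7687233; 'S' and 'W' become negative."""
    hemisphere, value = field.split()
    number = float(value)
    return -number if hemisphere in ("S", "W") else number

def strip_parens(field):
    """'( corp-wlan )' -> 'corp-wlan'."""
    return field.strip().strip("()").strip()

def channels_from_bits(hexbits):
    """Channel bitmap to channel numbers: 0x0040 -> [6], 0x0800 -> [11]."""
    bits = int(hexbits, 16)
    return [ch for ch in range(1, 15) if bits & (1 << ch)]

def parse_summary(text, authorized_bssids):
    """Return one dict per data line; comment lines and short lines are skipped."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split("\t")
        if len(f) < 10:
            continue                                  # malformed line: skip, do not crash
        bssid = strip_parens(f[4]).lower()
        rows.append({
            "lat": parse_coord(f[0]),
            "lon": parse_coord(f[1]),
            "ssid": strip_parens(f[2]),
            "bssid": bssid,
            "time_gmt": f[5].replace("(GMT)", "").strip(),
            "snr": int(f[6].strip("[] ").split()[0]),
            "channels": channels_from_bits(f[9]),
            "authorized": bssid in authorized_bssids,
        })
    return rows

def to_csv(rows):
    """CSV with a header row, ready for Excel or a MapPoint import."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["Latitude", "Longitude", "SSID", "BSSID", "Channel", "SNR", "TimeGMT", "Status"])
    for r in rows:
        writer.writerow([f"{r['lat']:.6f}", f"{r['lon']:.6f}", r["ssid"], r["bssid"],
                         "/".join(str(c) for c in r["channels"]), r["snr"], r["time_gmt"],
                         "authorized" if r["authorized"] else "UNKNOWN - investigate"])
    return buf.getvalue()

if __name__ == "__main__":
    print(to_csv(parse_summary(SAMPLE_SUMMARY, AUTHORIZED_BSSIDS)), end="")
```

Keying the comparison on BSSID rather than SSID matters: an unauthorized access point can copy your corporate SSID, but it cannot copy the MAC address of the one you installed without you noticing both on the air at once.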

Stumbling all around
NetStumbler and MiniStumbler are great tools for finding rogue access points, and for determining how far away your access points can be detected. After you find the rogue points on your network, you can determine a course of action. You can confront the user who has deployed the port and either secure it or eliminate it. You can also use a wireless sniffer to determine the type of traffic using the port to see if a spy or hacker is trying to access your network. After that, you can use the information to help law enforcement apprehend the culprit.