A Rogue Network

By daniels
Hello All,
I am hoping that someone might be able to answer a question for me.
I work for a company of approximately 200 people. We have an internal wireless network for all of our employees that have laptops.
Lately we have noticed an ad-hoc network in the building. I have done a few scans with miscellaneous software trying to figure out an IP address or a MAC address. The MAC address is constantly changing on the access point that we are connecting to.
The question is...
A. How do I figure out whose computer or device the ad-hoc network is set up on.
B. Why the MAC is constantly changing every time I try to look at it.
C. How big of a security threat this could possibly be.
Thanks in advance


Ho boy...

by Cactus Pete In reply to A Rogue Network

Well, finding the location is a matter of signal strength. If you're lucky enough to have APs that can do this, using them to triangulate the signal is the easiest. Otherwise, you'll do a lot of walking.

There are ways to mask the SSID, and ways to fake the MAC.

Likely, this is coming from someone's laptop... You might be able to narrow the scope of your search by focusing first on:

1. People with laptops.
2. People with pseudo IT knowledge.
3. An RF signal strength measuring device.

My network is all Cisco 1200 series APs. We have a WLSE server which allows us to do walkabouts and check signal strength, detect rogues, etc. Overlay the access points' known locations on a map of the office floors and you can easily place the rogue... But it's unlikely that you have these... You might consider upgrading to these in the future, or some similar hardware.

[In fact, I recall being confronted by a company that does this on an outsource basis, but I can't remember their name. If I find it, I'll post this up for you.]

Good luck - it's a terrible security threat.


SCAN your LAN

by jdclyde In reply to Ho boy...

Look on the LAN for any IP addresses that do not belong there.

If using DHCP server, look for systems that should not be in the log files.

Then block that system from accessing the LAN.

And yes, go around and look at each laptop user to see physically what they are doing and how.
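
Added example, not part of jdclyde's post or the thread: one way to run the DHCP-log check suggested above, comparing leases against an inventory of known MAC addresses. The log layout, the inventory and all sample values are constructed assumptions; the locally-administered-bit flag goes slightly beyond the post and marks addresses that are not vendor-assigned.

```python
import csv
import io
import re

# Constructed inventory: MACs of laptops the company issued (assumption).
KNOWN_MACS = {"00:0d:60:aa:bb:01", "00:0d:60:aa:bb:02"}

# Constructed DHCP lease log; this column layout is an assumption.
SAMPLE_LOG = """\
date,time,event,ip,hostname,mac
2005-04-12,09:01:10,assign,192.168.1.50,LAPTOP-ACCT01,00-0D-60-AA-BB-01
2005-04-12,09:03:44,assign,192.168.1.51,LAPTOP-SALES07,000D60AABB02
2005-04-12,10:17:02,assign,192.168.1.77,UNKNOWN-PC,02:1A:4C:33:9E:10
2005-04-12,10:45:31,renew,192.168.1.77,UNKNOWN-PC,02:1A:4C:33:9E:10
2005-04-12,11:02:09,assign,192.168.1.80,,00:11:22:33:44:55
"""

def normalize_mac(raw):
    """Return a lowercase colon-separated MAC, or None if malformed."""
    digits = re.sub(r"[:.\-]", "", raw.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def is_locally_administered(mac):
    """True if bit 0x02 of the first octet is set (not vendor-assigned)."""
    return bool(int(mac[:2], 16) & 0x02)

def find_unknown_leases(log_text, known_macs):
    """Group leases by MAC and return those not in the inventory."""
    findings = {}
    for row in csv.DictReader(io.StringIO(log_text)):
        mac = normalize_mac(row["mac"])
        if mac is None or mac in known_macs:
            continue  # malformed rows are skipped here; log them in real use
        entry = findings.setdefault(mac, {
            "mac": mac, "ips": set(), "hostnames": set(),
            "first_seen": f'{row["date"]} {row["time"]}',
            "locally_administered": is_locally_administered(mac),
        })
        entry["ips"].add(row["ip"])
        if row["hostname"]:
            entry["hostnames"].add(row["hostname"])
    return list(findings.values())

if __name__ == "__main__":
    for finding in find_unknown_leases(SAMPLE_LOG, KNOWN_MACS):
        print(finding)
```

Each finding gives the IP and hostname to block and a first-seen time to match against who was in the building.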


Did you find the rogue network?

by Network Security In reply to A Rogue Network

If you still have the problem I might have a solution. I wrote a logon script that disables any active wireless network adapters. You could modify the script to record the active wireless adapter's info with the computer name and MAC. This would let you track down the offending laptop. My script will only work if the laptop is on the domain.

Or just leave the script the way I have it and it will disable all wireless NICs on the domain.



Troy Sorzano, Director
610.260.9989 office
PGP KeyI 0x29D52802 285E 1829 10C1 7AC0 9D27 7077 F423 B289 29D5 2802
Network Security, Remediation and Monitoring in the Philadelphia area


A Rogue Network

by koti_1982 In reply to A Rogue Network

Just do one thing: in your access point, find out which IP that MAC is getting, ping that IP to find out the system name, and remove it from the network.
