Locating a rogue client?

I’m trying to locate a rogue client on one of my APs.
Without disrupting the AP, what could I use to locate this client?
My guess is to use another radio module with a directive antenna and do some radio direction finding based on the RSSI.
However, I don’t know how to set up a device that will give me a constant report of the signal strength of a specific MAC client when not set up as an AP.
What would be the easiest setup to do this? I’ll appreciate your ideas.

Define rogue client.

Do you mean rogue DHCP server?

Do you mean unauthorized client that hacked into the network?

Do you mean rogue AP that is mirroring yours?

I mean an unauthorized client that hacked into the network.
And I’m looking for a cheaper solution than buying a Fluke Aircheck :wink:

Well that can be complicated and take quite a bit of time…
I assume you are a WISP

Without speculating on how to hunt someone down…

Have you considered switching to PPPoE authentication?
Was WPA2-AES used to force a brute force attack or was an inferior method used?

Again the issue is not to deny, block or improve the network security. I’m looking for a way to locate a rogue client device.

I have directional antennas, but I don’t know what would be the best receiver that can sniff & lock on a specific MAC and give me a constant RSSI output for me to do the track. One way would be to shut down the AP and create a new mobile one to do the measurements, but I would like to avoid that and keep the original AP up and just use another passive receiver that would monitor the link.

I am sure that there should be some advanced network tools software available to do that coupled with some receiver. Fluke has such an integrated device, but it’s $2000. I’m trying to do the same thing DIY with some open source software and available hardware lying around.

I would just use a Mikrotik device with a directional antenna and run the wireless snooper, look for the MAC. Go foxhunting!

That's really the only option you got: Time, hard work, and a really good antenna.

Get a good compass and GPS, go to several locations more than a few degrees apart (relative to the signal) and find the heading that gives you the highest signal at each stop. Get out your map and plot the lines and you should be able to get somewhat of a useful starting point where they all intersect. Keep working toward there from the line of sight from your AP until the signal changes direction or you lose it. Then go back a step and repeat again…
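The map-plotting step in the post above can also be done numerically. The following is an added example, not code from anyone in this thread: it takes the GPS position and peak-signal heading from each stop and returns the least-squares crossing point of the bearing lines. It assumes headings are already corrected to true north and that the stops are within a few kilometres of each other; the function names and the sample coordinates are hypothetical.

```python
import math

EARTH_RADIUS_M = 6371000.0

def to_local_xy(lat, lon, lat0, lon0):
    """Project to metres east/north of (lat0, lon0); fine over a few km."""
    x = math.radians(lon - lon0) * math.cos(math.radians(lat0)) * EARTH_RADIUS_M
    y = math.radians(lat - lat0) * EARTH_RADIUS_M
    return x, y

def to_lat_lon(x, y, lat0, lon0):
    """Inverse of to_local_xy."""
    lat = lat0 + math.degrees(y / EARTH_RADIUS_M)
    lon = lon0 + math.degrees(x / (EARTH_RADIUS_M * math.cos(math.radians(lat0))))
    return lat, lon

def bearing_fix(observations, min_spread_deg=5.0):
    """observations: (lat, lon, bearing) tuples, bearing in degrees clockwise
    from true north. Returns the least-squares crossing point of the lines."""
    lat0, lon0, _ = observations[0]
    a11 = a12 = a22 = b1 = b2 = 0.0
    rays = []
    for lat, lon, brg in observations:
        px, py = to_local_xy(lat, lon, lat0, lon0)
        t = math.radians(brg)
        dx, dy = math.sin(t), math.cos(t)  # unit vector along the bearing
        nx, ny = dy, -dx                   # unit normal to the bearing line
        c = nx * px + ny * py              # line equation: n . x = c
        a11 += nx * nx
        a12 += nx * ny
        a22 += ny * ny
        b1 += nx * c
        b2 += ny * c
        rays.append((px, py, dx, dy, nx, ny))
    # det is the sum of sin^2 of the angle between every pair of lines, so a
    # small value means the stops were too close in angle to cross cleanly.
    det = a11 * a22 - a12 * a12
    if det < math.sin(math.radians(min_spread_deg)) ** 2:
        raise ValueError("bearings nearly parallel; move further around the signal")
    x = (a22 * b1 - a12 * b2) / det
    y = (a11 * b2 - a12 * b1) / det
    # Perpendicular miss distance of each line from the fix, in metres.
    miss = [abs(nx * (x - px) + ny * (y - py)) for px, py, _, _, nx, ny in rays]
    # A bearing is a ray: flag stops where the fix lies behind the antenna.
    behind = [i for i, (px, py, dx, dy, _, _) in enumerate(rays)
              if dx * (x - px) + dy * (y - py) < 0]
    lat, lon = to_lat_lon(x, y, lat0, lon0)
    return {"lat": lat, "lon": lon, "miss_m": miss, "behind": behind}

# Constructed sample: three stops around a hypothetical site, not real readings.
SAMPLE = [(45.0000, -73.0000, 24.0), (45.0009, -72.9873, 323.0), (45.0054, -73.0038, 67.0)]
```

Large values in `miss_m` or any index in `behind` point to a stop where the peak heading was probably a reflection or a back lobe and should be re-measured.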

Again, I have no problem about the radio direction finding part… My issue is what radio equipment to use and in what mode to be able to:

  • get a display of the RSSI with a good enough refresh rate
  • isolate the RSSI of a specific MAC address of the rogue client
  • do it in passive or semi-passive mode to avoid having to interfere with the production AP.

So far, I haven’t found the proper mode on ROS to get that info easily (even in sniff mode). I would suspect that there should be some WIFI network/debug tools used by some of you that may have these functions.