Tracking down a rogue access point

The general ways that rogue access points are found:

  • An enterprise wi-fi access point spends some of its time not just serving clients, but listening on various channels for other wi-fi traffic. (This works best for the 2.4 GHz band where there are fewer channels. Fortunately this is also where most run-of-the-mill, non-targeted attacks are going to be. You can also use a dedicated sensor instead of an AP. You can also configure one radio of a two-radio access point as a full-time sensor radio.)
    • This information is typically reported to a centralized system (a controller, the controller-managing software, etc.) through some mechanism (SNMP trap, SNMP polling, proprietary notification protocols, etc.). You could probably write a centralized system yourself if you really felt like it, though in practice third-party interfaces with wireless equipment's SNMP can be a little bit hit-or-miss, and the data is not available in any standardized format. There are also patent-related implications, such as this one, which is the one that I happen to know about.
    • The central system will perform checks to see whether that BSSID belongs to a known, valid access point that belongs to your organization's network.
    • The central system will analyze the reported rogue for security. (For instance, a rogue access point broadcasting MyCorp's SSID on an open network is a threat to MyCorp employees, but something broadcasting a different SSID, e.g. PANERA or NEIGHBORCORP-GUEST, or a peer-to-peer wifi connection, might not be a threat.)
  • Devices in the packet path, such as wi-fi controllers, can try to see if they have seen a MAC address on the wireless network which is also present on the wired network in an unexpected way. If they do, that's a sign that the wired network has been connected to the atmosphere, and you know what controller port it is connected to.
  • An active scan can be run on the organization's network, requesting web pages on port 80 or 443, and/or running a tool such as nmap, to look for indicators of common consumer-grade networking equipment (e.g. a Linksys login page).
  • The wired infrastructure (switches, routers) can be polled for bridge forwarding tables, which contain MAC addresses. These MAC addresses can be analyzed to see if they belong to an OUI of a manufacturer of wireless network equipment (e.g. Linksys).
  • You can install software on your organization's laptops or other computers that reports back many of the same types of information that the access point would detect (SSID/BSSID lists, etc.) to the aforementioned centralized system, or reports what SSID the computer is actually connected to. It helps to be able to tell whether that laptop is in the office or at home, or you'll potentially see many other access points.

Actions that can be taken against these devices include:

  • shutting down the network port at the switch (if the attacker is on your network)
  • forging 802.11 packets to disassociate clients from that access point, especially for wireless clients which your system recognizes as belonging to your organization (often called something like "rogue containment")
  • using a network-visualization tool that can trilaterate the location of the rogue access point from its signal strength (as reported by your access points) and your wifi network layout, then walking to that location and finding it in person
    • or using another signal-detection tool to track it down

The top 3 enterprise wireless vendors (Cisco, Aruba, Motorola) will all offer a wireless IPS with several or all of these capabilities, and some smaller vendors do as well. This is one of the many reasons they're more expensive than your cheap home Linksys wifi router.
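The central-system checks described in the answer above (is the BSSID in our inventory, is the same MAC visible on the wired side, does the OUI belong to a consumer vendor, is it impersonating our SSID) can be sketched as a small triage function. This is an added example, not code from the original answer or from any vendor's WIPS; the AP inventory, the switch forwarding-table entries, the OUI table and the sightings are all constructed sample data, and the "wired MAC within a few addresses of the BSSID" window is an assumed heuristic, since an AP's wired and radio MACs are usually adjacent but not identical.

```python
"""Rogue access point triage (added example, not from the original post)."""
from dataclasses import dataclass

# --- Constructed sample data; replace with inventory/polling results. ---
CORPORATE_SSIDS = {"MyCorp", "MyCorp-Guest"}

# Authorized APs: BSSID -> description (constructed).
KNOWN_APS = {
    "00:11:22:33:44:01": "AP-01 3rd floor east",
    "00:11:22:33:44:02": "AP-02 3rd floor west",
}

# Placeholder OUI table (first three octets -> vendor label). Values are
# constructed, not real IEEE assignments.
CONSUMER_OUIS = {"aa:bb:cc": "ExampleConsumerRouter"}


@dataclass
class Sighting:
    bssid: str
    ssid: str
    encryption: str   # "open", "wpa2", ...
    channel: int
    rssi: int
    reporter: str     # name of the AP or sensor that heard it


def normalize_mac(mac):
    return mac.lower().replace("-", ":")


def oui(mac):
    return normalize_mac(mac)[:8]


def mac_to_int(mac):
    return int(normalize_mac(mac).replace(":", ""), 16)


def wired_neighbor(bssid, wired_macs, window=8):
    """Return the switch port of a bridge-table MAC equal to, or numerically
    within `window` of, the BSSID (assumed heuristic), else None."""
    b = mac_to_int(bssid)
    for mac, port in wired_macs.items():
        if abs(mac_to_int(mac) - b) <= window:
            return port
    return None


def classify(sighting, known_aps=KNOWN_APS, corporate_ssids=CORPORATE_SSIDS,
             wired_macs=None, consumer_ouis=CONSUMER_OUIS):
    """Return (verdict, reasons); verdicts are 'authorized', 'rogue-on-lan',
    'threat' (impersonating us but not on our LAN) or 'neighbor'."""
    wired_macs = wired_macs or {}
    bssid = normalize_mac(sighting.bssid)
    if bssid in known_aps:
        return "authorized", [f"BSSID matches inventory entry {known_aps[bssid]}"]

    reasons = []
    port = wired_neighbor(bssid, wired_macs)
    if port:
        reasons.append(f"MAC near BSSID learned on wired port {port}")
    if oui(bssid) in consumer_ouis:
        reasons.append(f"OUI belongs to consumer vendor {consumer_ouis[oui(bssid)]}")
    impersonating = sighting.ssid in corporate_ssids
    if impersonating:
        reasons.append(f"advertises corporate SSID {sighting.ssid!r} "
                       f"with {sighting.encryption} security")

    if port:
        return "rogue-on-lan", reasons
    if impersonating:
        return "threat", reasons
    reasons.append("unknown BSSID with non-corporate SSID; likely a neighbor")
    return "neighbor", reasons


if __name__ == "__main__":
    wired = {"de:ad:be:ef:00:10": "Gi1/0/7"}   # constructed bridge-table entry
    for s in [
        Sighting("00:11:22:33:44:01", "MyCorp", "wpa2", 6, -50, "sensor-1"),
        Sighting("de:ad:be:ef:00:11", "MyCorp", "open", 6, -40, "AP-01"),
        Sighting("aa:bb:cc:00:00:01", "MyCorp", "open", 1, -60, "AP-02"),
        Sighting("c0:ff:ee:00:00:01", "PANERA", "open", 11, -80, "AP-02"),
    ]:
        print(s.bssid, classify(s, wired_macs=wired))
```

The verdict ordering mirrors the answer's priorities: a device that is both impersonating the corporate SSID and bridged onto the LAN is the case where shutting the switch port is justified, whereas an impersonator that is not on the wired side can only be contained or physically located.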


A rogue access point implies it is connected to your LAN, which is easy to detect using port-security.

This WiFi Pineapple is more or less a honeypot that is not present on your network. Detecting it will be a lot harder since it's not on your network. It is just spoofing your SSID, I suppose?

So how about you write a script that lists all the access points it can detect and counts them. You might also add something to scan for SSIDs, look at their MAC, and see if there is an SSID that contains your SSID's name or something alike (MyCompany or MyCompany-new), and verify it against a list of MAC addresses from your own devices. I might add that spoofing a MAC address is rather easy; counting the SSIDs might just be easier.
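The script this answer suggests, written out as an added example (not the answerer's code): it parses a scan listing, counts how many BSSIDs advertise each SSID, flags SSIDs that contain or closely resemble the company's own (MyCompany, MyCompany-new, MyC0mpany) and reports those whose BSSID is not in the list of known devices. The scan lines and known-BSSID list are constructed sample data in a simple comma-separated format assumed for the example; a real deployment would feed it the output of whatever scanning tool is used on the laptop.

```python
"""SSID look-alike and BSSID-inventory check (added example, not from the post)."""
import re
from collections import Counter

# Constructed scan listing: BSSID,SSID,SECURITY,SIGNAL_dBm (assumed format).
SAMPLE_SCAN = """\
00:11:22:33:44:01,MyCompany,WPA2,-48
00:11:22:33:44:02,MyCompany,WPA2,-61
de:ad:be:ef:00:01,MyCompany,OPEN,-40
de:ad:be:ef:00:02,MyCompany-new,WPA2,-55
de:ad:be:ef:00:03,MyC0mpany,OPEN,-52
c0:ff:ee:00:00:01,NEIGHBORCORP-GUEST,WPA2,-70
c0:ff:ee:00:00:02,PANERA,OPEN,-80
"""

OUR_SSID = "MyCompany"
KNOWN_BSSIDS = {"00:11:22:33:44:01", "00:11:22:33:44:02"}   # constructed inventory


def parse_scan(text):
    """Turn the comma-separated listing into a list of dicts."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        bssid, ssid, sec, sig = line.split(",")
        rows.append({"bssid": bssid.strip().lower(), "ssid": ssid.strip(),
                     "security": sec.strip().upper(), "signal": int(sig)})
    return rows


def normalize(ssid):
    """Lower-case and drop separators so 'MyCompany-new' and 'mycompany new' compare equal."""
    return re.sub(r"[^a-z0-9]", "", ssid.lower())


def edit_distance(a, b):
    """Levenshtein distance, iterative two-row version."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like(ssid, ours=OUR_SSID, max_distance=2):
    """True if the SSID contains ours or is within a few edits of it."""
    n, o = normalize(ssid), normalize(ours)
    return o in n or edit_distance(n, o) <= max_distance


def count_by_ssid(rows):
    """How many distinct BSSIDs advertise each SSID."""
    return dict(Counter(r["ssid"] for r in rows))


def find_suspects(rows, ours=OUR_SSID, known_bssids=KNOWN_BSSIDS):
    """Look-alike SSIDs whose BSSID is not one of our own devices."""
    return [r for r in rows
            if looks_like(r["ssid"], ours) and r["bssid"] not in known_bssids]


if __name__ == "__main__":
    rows = parse_scan(SAMPLE_SCAN)
    print("BSSIDs per SSID:", count_by_ssid(rows))
    for r in find_suspects(rows):
        print("suspect:", r["bssid"], r["ssid"], r["security"], r["signal"], "dBm")
```

Counting BSSIDs per SSID is the cheap check the answer recommends: the corporate SSID should be advertised only by the BSSIDs in inventory, so any extra BSSID (whether it copies the SSID exactly or with a lookalike spelling) shows up in the suspects list, and the signal column gives a rough hint about which sensor or laptop is closest to it.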


There are phone apps that attempt to physically locate wifi access points. Android has them; I believe that Apple pulled these types of apps from their store, but they are available in the hacked market: https://market.android.com/details?id=girsas.wifiradar&hl=en

This might require some coordination and narrowing down the potential location, but it should provide valuable data for tracking this down.