Post on 08-Jun-2020

2 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: Rogue Access Pointcysecure.org/560/18fall/project/cOlivanRagoodial_b... · Behavior”, the authors present a rogue access point detection approach. In this approach they are extending

Rogue Access Point

By: Christopher Barnett, Nealesh Ragoodial, Christian Oliva, Bejo Philip Benny, Driss Ould-Ibbat

IASP-560 Wireless Network and Security

Final Group Project


Table of Contents

❖ Introduction 3

❖ What is Rogue Access Point 3

❖ Problem 4

❖ Related Work 6

❖ Approach 8

❖ Prevention 8

❖ Raspberry Pi setup 10

➢ Linux commands

❖ How to detect 13

➢ Kismet

➢ Net Surveyor

➢ Solar Winds

❖ Outcome 14

➢ Contributions

❖ Conclusion 16

❖ Works Cited 16


Introduction

Many companies provide wireless networks to improve efficiency, convenience and productivity in the workplace. It is very easy for someone to collect packets and analyze them with free software such as Wireshark. Most systems implement wireless network security protocols such as WPA and WPA2. However, these methods cannot protect users from rogue access points, because attackers can install their own access points and bypass all of these security measures. Average users cannot tell the difference between a rogue access point and a legitimate one. Given the chance, a successful rogue AP can gather sensitive data from a company. It is necessary to have the correct tools to prevent and detect these devices. It is up to the organization itself to incorporate a policy under which such devices cannot be installed, and if one is, it will be detected quickly before any harm is done.

What is a Rogue Access Point?

One of the most common wireless security threats is the rogue access point; it is used in many attacks, both DoS and data theft. Many other rogue access points, however, are deployed by employees wanting unfettered wireless access; these access points are called soft access points. Other rogues are located in neighboring companies using your network for free access. Typically low-cost and consumer-grade, these access points often do not broadcast their presence over the wire and can only be detected over the air. Because they are typically installed in their default mode, authentication and encryption are not enabled, thereby creating a security hazard. Because wireless LAN signals can traverse building walls, an open access point connected to the corporate network is the perfect target for war driving. Any client that connects to a rogue access point must be considered a rogue client, because it is bypassing the authorized security procedures put in place by the IT department.

A rogue access point is a device that is not sanctioned by the administration but is operating on the network anyway. It can be an access point set up either by an employee or by a hacker. There are several signs that an access point is definitely a rogue:

- The SSID of the access point is not your network SSID and is not listed in the SSID list. The access point may not be broadcasting an SSID at all. It is safe to check the SSID of an access point using methods from the MSS CLI, methods from Network Director, and from MSS (Wilton 2008).

- The access point is masquerading as one of your SSIDs. Access points that masquerade as your SSID are rogue by default, but you can change this rule.

- The access point is an ad-hoc access point. Ad-hoc access points are formed directly between two client devices.

End users who add wireless devices to a network can pose major security threats; most of these rogue access points serve as unsecured gateways to a person’s data (Wilton 2008). A rogue access point can pop up on a network, either through malicious intent or through an employee. The commoditization of WiFi access points raises the risk of someone putting up a personal access point on the network. It is estimated that almost twenty percent of businesses have rogue access points in their network. A wireless access point is installed by an employee without any consent from the IT department. With no proper security configuration, the users have exposed their company’s network to the outside world. Many rogue access points can be detected by performing an audit in the business with sniffer software. Another method is to install probes that constantly watch and monitor the wireless network, checking for changes, or to install server software that monitors both the wired and wireless sides of a network. Another kind of rogue is an access point set up by a hacker outside of the business who has a wireless network. The rogue access point picks up beacons, which are signals that advertise its presence, from the company’s true access point and then transmits the same identical beacons. Therefore, as long as wireless security is enabled, this type of attack cannot compromise the user’s network, but it can cause harm by slowing down connections with the real network.

Wireless radios automatically scan the radio frequency spectrum for other access points transmitting in the same spectrum. This radio frequency scan discovers third-party transmitters in addition to other radio frequencies. Rogue access points and their clients undermine the security of a company network by potentially allowing access to the network by a wireless user or client in the area (EC-Council 2011). Rogue access points can also interfere with the operation of a company’s network. A rogue access point can allow a hacker to conduct a man-in-the-middle attack: the hacker makes an independent connection with each victim and relays the messages between them, making them believe that they are talking directly to each other over a private connection. Rogue access points can flood the network with useless data and create a denial of service attack. They can also send fake SSIDs that advertise attractive features such as free internet connectivity (EC-Council 2011). When the user connects, the fake SSID is simply added to the client’s wireless configuration; therefore the client begins to broadcast the fake SSID, which touches other clients.

Problem

Many people don't understand the dangers involved with wireless networking and end up deploying it without activating the security measures needed to ensure secure communications with the office network. As a result, the existence of an unauthorized AP leaves your network susceptible to attack by anyone who has a wireless connection and is within close enough proximity to see it.

Related Work

Comparison

The flexibility and portability of wireless communications has afforded organizations many benefits such as increased productivity and lower installation cost. The benefits are not without cost: by using airwaves as the transmission medium, an entirely new set of security issues is born. These papers focus on rogue access points exposing the enterprise network to a barrage of security vulnerabilities in that they are typically connected to a network port behind the firewall.

Contrast

In “A Passive Approach to Rogue Access Point Detection”, the authors proposed to use the round-trip time (RTT) of network traffic to distinguish between wired and wireless nodes. This information, coupled with a standard wireless AP authorization policy, allows the differentiation (at a central location) between wired nodes, authorized APs, and rogue APs. They showed that the lower capacity and the higher variability of a wireless network can be used to effectively distinguish between wired and wireless nodes: as a result of the lower capacity of the wireless link, wireless nodes have a greater RTT associated with their packets. As the capacity of wireless links increases, it is likely that the RTT associated with the wireless link will come close to that of current wired links.

In “Rogue Access Point Detection in WLAN by Analyzing Network Traffic and Behavior”, the authors present a rogue access point detection approach in which they extend the functionality of a basic packet analyzer. It deeply analyzes different properties of the WLAN and, if required, calculates statistics and stores them in a database; these results are then compared against the next data collected. Besides analyzing wireless data, some filters are implemented that can be used to identify rogue APs in the WLAN. The paper presents a very simple approach to detect rogue APs without using any extra sensor or extra hardware: by extending some functionality of a packet analyzer, it can be used to identify rogue APs.

In “Rogue Access Point Detection System in Wireless LAN”, the authors propose a detection system; the classification of rogue access points and the related risk assessment are analyzed, and a rogue detection algorithm is also proposed. It is designed to utilize the existing wireless LAN infrastructure. These rogue access points (APs) expose the enterprise network to a barrage of security vulnerabilities in that they are typically connected to a network port behind the firewall. Most of the current approaches to detecting rogue APs are rudimentary and are easily evaded by hackers. With this approach there is no need to acquire new RF devices or dedicated wireless detection sensors.

The discussion on rogue access points has been circulating in network security and computer ethics research for more than a decade. The idea that someone would have access to a wired network without the permission of the administrator or owner causes us to question more deeply the true power of computers. In the two articles “Using Multi-Agent Sourcing Method for Detection and Elimination of Rogue Access Points in WLAN-802.11” and “Rogue Access Points — Threat to Enterprise Security,” authors Dnyanada Patil, P.N. Mahalle, and Bruce Potter explore the implications for network security and try to offer possible solutions. In his paper, Potter discusses the various threats to privacy and security that rogue access points introduce. On the other hand, Patil and Mahalle discuss the increasing popularity of rogue access point attacks on common wireless LANs and try to implement a multi-agent node detector to help the network monitor itself.

Through his paper, Potter is essentially establishing the different methods by which hackers could use rogue access points as a means of fooling a computer user. He goes into depth on each of these possible plays, including sniffing traffic, pretending to be a valid access point, searching out idle deployed systems, etc., as a means of warning the reader to be well aware of the different methods a hacker could use to infiltrate a secure system. Potter offers the suggestion of educating the user base as the critical prevention against rogue access points. Within the system, Potter implores us to only connect to a given SSID if the AP supports WEP encryption. This would essentially add another authentication step to the process of accessing the wireless system. Patil and Mahalle offer similar suggestions of self-education and spreading awareness, but also offer a multi-node solution to physically authorize a requesting user. They suggest giving the network multiple master agents that are allowed to cross-check each other, in order to prevent one master being hacked and compromising the network. In their architecture, a DHCP server is in charge of authorizing whether a requesting user’s MAC address actually matches their given information. This adds a self-checking step to the authorization process that allows the network to check that you are who you say you are. While both articles deal with the common issue of the security threats posed by rogue access points, the authors show different approaches in the ultimate architecture one can implement on their own network. With this continuing research on rogue access points, it is clear that more work is needed to establish a permanent solution to the security threat they pose.

Our Approach

To prepare for this project, we turned a Raspberry Pi into an access point and named it “MavericksWiFi”, which is very similar to the school’s WiFi connection called “Mavericks-WiFi”; the school’s name includes a dash where ours does not. This can trick students into thinking it is a legitimate school WiFi connection. We will run Wireshark on the Raspberry Pi, show the IPs that are connected to it, and analyze the packets.


Prevention

There are many different techniques to help stop a rogue from entering your network. The organization should establish strict rules and make sure that users are well trained, and that only IT staff are able to connect any type of networking equipment. The administrator can also change the rogue classification rules, because by default all unknown devices are classified as suspects. When this is changed to rogue, the controller automatically classifies any third-party access point or client as a rogue, and the administrator can optionally isolate the access point by dropping all packets to and from the device. A strong security system is also needed. For example, IEEE 802.11i security uses IEEE 802.1X for authentication between the network and the client (Wilton 2008). Therefore, clients that try to access network information must be authenticated by the network. Use active access point scanning in addition to passive scanning: an active scan sends probes with a null SSID name to look for rogue access points and their clients. It is also important to investigate ad-hoc access points and either add security for them or simply remove them. An ad-hoc network is one that is created directly between two client devices (EC-Council 2011).


Figure 1: Overall view of a Rogue Access Point setup

Raspberry pi to access point setup:

What do you need:

- Raspberry pi

- Raspbian OS

- Wireshark

- Wireless mouse

- Wireless keyboard

- Ethernet cable

- Power supply

- Monitor


Use the following to update your Raspbian installation:

sudo apt-get update

sudo apt-get upgrade

Install all the required software in one go with this command:

sudo apt-get install dnsmasq hostapd

Since the configuration files are not ready yet, turn the new software off as follows:

sudo systemctl stop dnsmasq

sudo systemctl stop hostapd

To ensure that an updated kernel is configured correctly after install, reboot:

sudo reboot

We need to set up hostapd to tell it to broadcast a particular SSID and allow WiFi connections on a certain channel. Edit the hostapd.conf file (this will create a new file, as one likely does not exist yet) with this command:

sudo nano /etc/hostapd/hostapd.conf

Enter the following into that file. Feel free to change the ssid (WiFi network name) and the wpa_passphrase (password to join the network) to whatever you’d like. You can also change the channel to something in the 1-11 range (if channel 6 is too crowded in your area).

interface=wlan0
# driver selects the hostapd driver backend; nl80211 is the Linux backend.
# (The original text had driver=br0, which hostapd does not accept; a bridge
# interface would instead be set with bridge=br0.)
driver=nl80211
ssid=MavericksWiFi
hw_mode=g
channel=6
ieee80211n=1
wmm_enabled=1
auth_algs=1
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=mercy123
rsn_pairwise=CCMP

Save and exit by pressing Ctrl+X and then Y when asked.

Unfortunately, hostapd does not know where to find this configuration file, so we need to provide its location to the hostapd startup script. Open /etc/default/hostapd:

sudo nano /etc/default/hostapd

Find the line #DAEMON_CONF="" and replace it with:

DAEMON_CONF="/etc/hostapd/hostapd.conf"

Restart the Raspberry Pi using the following command:

sudo reboot

After your Pi restarts (no need to log in), you should see your ssid appear as a potential wireless network from your computer.


How To Detect

Now that we know what a rogue access point is and the harm it can do to corporations, we must know how to detect one of these devices. How difficult these access points are to find depends on how the individual configured the device. He or she could have simply created an AP and renamed it, or could have attached a wireless antenna, installed it on an Ethernet point and configured it as a man-in-the-middle device. It truly depends on the skill of the hacker.

There is an abundance of software out there that can detect rogue access points. Most are free, and the better ones have to be paid for. Of course, the paid software will always be better due to support and stable functionality, but for the purpose of testing, free software will get the point across. With most of these scanning tools, you must have a general idea of what APs you or the business has installed. For example, if you are scanning a particular floor and notice your tool displays 5 APs yet the topology says only 4 have been installed, obviously one of the APs has to be rogue. We will be discussing three pieces of software, two of which are free and one a paid version which most security companies use. The software we will be using are NetSurveyor, Kismet and the paid software, SolarWinds.
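As an added example (not code from the original paper), the following Python script applies the inventory comparison described above to a constructed scan in the shape NetSurveyor or Kismet report (SSID, BSSID, channel, encryption). It goes a step beyond the count check by explaining each extra radio: unknown BSSID, hidden SSID, a look-alike of the school SSID such as the dash-less name from our demonstration, or weak encryption. The authorized SSID, the inventory and every MAC address are assumptions for illustration.

```python
"""Compare a floor's Wi-Fi scan with the list of APs that IT actually installed.

Added example, not code from the original paper. Scan rows are constructed
sample data in the shape NetSurveyor/Kismet report them (SSID, BSSID, channel,
encryption); the inventory, SSID names and MAC addresses are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ScanEntry:
    ssid: str          # "" means the AP is cloaked (beacons carry no SSID)
    bssid: str         # radio MAC address as reported by the scanner
    channel: int
    encryption: str    # e.g. "WPA2-CCMP", "WEP", "OPEN"


# Constructed inventory: the four APs the topology says are installed on this floor.
AUTHORIZED_SSIDS = {"Mavericks-WiFi"}
AUTHORIZED_BSSIDS = {
    "00:11:22:aa:bb:01", "00:11:22:aa:bb:02",
    "00:11:22:aa:bb:03", "00:11:22:aa:bb:04",
}
WEAK_ENCRYPTION = {"OPEN", "WEP"}


def normalize_ssid(ssid: str) -> str:
    """Drop case and punctuation so 'MavericksWiFi' compares equal to 'Mavericks-WiFi'."""
    return re.sub(r"[^a-z0-9]", "", ssid.lower())


def classify(entry: ScanEntry) -> list:
    """Return the reasons an entry looks rogue; an empty list means it is in inventory."""
    if entry.bssid.lower() in AUTHORIZED_BSSIDS:
        return []  # a radio IT installed, whatever it is currently advertising
    reasons = ["BSSID not in the authorized inventory"]
    if entry.ssid == "":
        reasons.append("hidden SSID")
    elif entry.ssid in AUTHORIZED_SSIDS:
        reasons.append("masquerading as an authorized SSID")
    elif normalize_ssid(entry.ssid) in {normalize_ssid(s) for s in AUTHORIZED_SSIDS}:
        reasons.append("look-alike SSID (differs only in case or punctuation)")
    if entry.encryption.upper() in WEAK_ENCRYPTION:
        reasons.append("weak or no encryption (%s)" % entry.encryption)
    return reasons


def audit(scan: list) -> dict:
    """Apply the count check from the text and explain every extra radio."""
    rogues = {}
    for entry in scan:
        reasons = classify(entry)
        if reasons:
            rogues[entry.bssid] = reasons
    return {
        "seen": len(scan),
        "expected": len(AUTHORIZED_BSSIDS),
        "extra": len(scan) - len(AUTHORIZED_BSSIDS),
        "rogues": rogues,
    }


# Constructed scan: the four authorized APs, one unknown radio advertising the
# dash-less look-alike name from the paper's demonstration, and one cloaked open AP.
SAMPLE_SCAN = [
    ScanEntry("Mavericks-WiFi", "00:11:22:aa:bb:01", 1, "WPA2-CCMP"),
    ScanEntry("Mavericks-WiFi", "00:11:22:aa:bb:02", 6, "WPA2-CCMP"),
    ScanEntry("Mavericks-WiFi", "00:11:22:aa:bb:03", 11, "WPA2-CCMP"),
    ScanEntry("Mavericks-WiFi", "00:11:22:aa:bb:04", 1, "WPA2-CCMP"),
    ScanEntry("MavericksWiFi", "de:ad:be:ef:00:01", 6, "WPA2-CCMP"),
    ScanEntry("", "de:ad:be:ef:00:02", 3, "OPEN"),
]

if __name__ == "__main__":
    report = audit(SAMPLE_SCAN)
    print("scanner sees %d APs, topology lists %d" % (report["seen"], report["expected"]))
    for bssid, reasons in report["rogues"].items():
        print(bssid, "->", "; ".join(reasons))
```

Replace SAMPLE_SCAN with rows exported from the scanner and AUTHORIZED_BSSIDS with the BSSIDs from the floor topology to run it against a real survey.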

NetSurveyor is a very easy and straightforward network discovery program which anyone can download and use. It has many uses, from finding the best position to install an AP to finding unauthorized devices on the network. It displays which channel is being used most. It also shows detailed information regarding each network, such as SSID, MAC address, beacon strength and quality, and whether the network is encrypted or not. NetSurveyor is a great program for understanding how traffic is being handled and what APs are available. However, it does have its faults: it is very broad in its scanning, and rogue APs have to be configured lightly to be seen here.

One step up is a program called Kismet. Kismet is not detection software but a sniffer. It can filter through packets of information and decode WEP packets on the fly. Kismet is very lightweight and can be installed on Linux and, with some configuring, on Windows. Kismet has a lot of functionality, but one feature in particular can be used against rogue access points. If an individual were to arrive at a company and install an AP, they would most likely hide the SSID so that programs like NetSurveyor could not detect it. Kismet, however, can fight back against this technique by decloaking the SSID so it can be found. It can also give an alert when an AP is found with weak encryption or a default configuration. With these two features and a lot more, Kismet is a great open source program to detect rogue access points.

The last of our software is a paid management system known as SolarWinds. Kismet and NetSurveyor are both local software that can be run on any machine. In contrast, SolarWinds is monitoring software which runs at the server level. It monitors all the APs on the network and categorizes what it deems to be rogue. This software is self-managing, which explains why it is paid software. It breaks down the information in a report-like format that is easy to read and share. Once configured properly, it is able to display a heat map of used access points in the given area.


Conclusion

With cyber attacks becoming more common and sophisticated, it is important to be educated and aware of vulnerabilities that occur on a daily basis. In this paper we have discussed what rogue access points are and their potential dangers if not corrected promptly. It is imperative for companies and institutions to be educated in this matter, mainly because we were able to make our own access point and pretend to be a part of the school network with ease while capturing and analyzing data packets with Wireshark. It can be tricky for rogue access points to be detected, but the correct software, such as the tools we mentioned, can help mitigate possible future attacks.

Outcomes

After continuous research and testing we were successful in our project, but of course not without any hiccups.

Contributions

Driss - Research on Access Points

Christ O - Hands on

Neal - Test and Research Detection Software

Bejo - Research on Technical papers

Chris B - Research on Wireshark and Net Surveyor


Works Cited:

- Wilton, Andy (2008). Deploying Wireless Networks. New York, New York: Cambridge.

- EC-Council (2011). Network Defense: Security Policy and Threats. Clifton, New York: Cengage Learning.

- Seth, Vivek. “Turning Your Raspberry Pi into a Rogue Wifi Router For Hacking.” Medium.com, Medium, 17 Feb. 2016, medium.com/@viveks3th/turning-your-raspberry-pi-into-a-rogue-wifi-router-for-hacking-46d4941bbca9.

- “WIFI HACKING – KISMET – How to Install Kismet on Windows.” University of South Wales: Information Security & Privacy, 7 May 2017, uwnthesis.wordpress.com/2016/03/29/wifi-hacking-kismet-how-to-install-kismet-on-windows/.

- “Rogue Detection under Unified Wireless Networks.” Cisco, 26 May 2017, www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/70987-rogue-detect.html.

- Bandal, G., Dhamdhere, V., & Pardeshi, S. (2018). Rogue Access Point Detection System in Wireless LAN. Retrieved from https://pdfs.semanticscholar.org/41a4/4df312f08ce3551a932335310d6e542e2fa7.pdf

- Jagtap, S. (2018). Rogue Access Point Detection in WLAN by Analyzing Network Traffic and Behavior. Retrieved from http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.184.7176&rep=rep1&type=pdf

YouTube Link: https://www.youtube.com/watch?v=zUCB8Ac0I2Q&feature=youtu.be