Cyber Security Case Study – Rogue AP detection

The cyber security case study understands the concept of rogue access points and how the presence of the same on a network can be detected using scanning techniques. Wireless network scanning commands on Windows 7 operating system is leveraged and the SSID and authorized list of mac-address of access points are compared. A lab is setup to demonstrate the practical analysis of the identified technique. Appropriate mechanism by which rogue access points can be mitigated is also understood.

Hardware Requirement

1.Switch ( 1nos)
2.Access points ( 2nos)
3.Windows 7 Laptop with wireless card (1 nos)

Understanding Rogue AP

Rogue access points are unauthorized devices which are setup on a network by attackers. The users on the network would connect to the rogue AP to gain access to the systems and services on the corresponding network. Attackers would passively monitor the communication between the user and the AP to analyse confidential and sensitive information like username / password, confidential data etc.

Wireless network scanning with Windows 7

Wireless scanning can be performed by using inbuilt windows commands. The command which can be used is netsh wlan show network. Netsh is a library which supports various commands. It is associated with wlan to show the different wireless network status. To display the list of wireless access points on the network the following command is used.

netsh wlan show network mode=Bssid

The network mode Bssid, which is Basic service set identifier, displays the list of access points, mac-address and other details associated with the access point.

Lab Topology Diagram

A lab is setup as shown below to practically demonstrate the concept.

Two access points are connected to the switch. The SSID of the valid AP is AP1 and that of the rogue AP is MMMM. AP1 is configured with the IP address 192.168.0.1 along with WEP and a password. (Any password can be used). The laptop is configured with the IP address 192.168.0.2, with WEP and the shared key WEP password which is configured on AP1.

Rogue AP detection using SSID name

After connectivity is established between AP1 and the laptop, type the Windows 7 command which would display the list of available access points on the network. The command along with the screenshot is shown below.

It can be observed that two access points with SSID name MMMM and AP1 is displayed. Using the output of the command, the rogue AP can be detected as MMMM is not authorized on the network.

Rogue AP detection using mac-address

Advanced filters can be applied on the above command which would display the mac-addresses of the identified access points on the network. In the above command it can be observed that the BSSID field displays the mac-address of the respective access points.

Administrators on a network can maintain of list of authorized mac-address of the access points and compare it with the scanned list. In the above topology, AP1 is the only authorized access point. The mac-address of AP1 is 6c:19:af:58:f8:89. Appropriate filtering is used on the earlier command to display only the mac-address / BSSID of the output. The command is shown below.

netsh wlan show network mode=Bssid | findstr “BSSID”

The findstr filter would display only the lines containing the BSSID, which would contain the mac-address of the access points. The screenshot of the output is shown below.

From the above topology, it can be observed that the first BSSID / mac-address is unauthorized as only the second BSSID which is 6c:19:af:58:f8:89, is the valid mac-address of authorized access point which is AP1.

Rogue AP Mitigation

Two methods by which rogue AP’s can be mitigated are identified and described below.

WIPS

Wips, which stands for wireless intrusion prevention system is a network device which is used for mitigating rogue AP attacks. Vendors like Cisco, Aruba manufacture the devices. The devices can be setup on the network for preventing rogue AP attacks.

Port-Security

Port-security is a feature which is available on switches. The feature can be configured to allow a list of known or authorized mac-addresses on its respective ports. If an unknown mac-address is identified, the port can be configured to transition into blocked state. When an attacker attempts to connect a rogue AP to the switch port, the port would be blocked as the mac-address of the AP is not in the allowed list, thus defeating the attempt of the attacker to setup a rogue AP.