Logo Light

Network

Web Apps

System

Cloud

Cryptography

IoT

Exercise 17: Detecting Rogue Access Points

by | Jan 17, 2025

Objective

Learn how to identify unauthorized or rogue access points (APs) on a network using tools like Kismet or Aircrack-ng. Understand how to analyze Wi-Fi networks and implement strategies to protect against rogue APs.

Scenario

As a network security analyst, you are tasked with ensuring that only authorized wireless access points are active within your organization. Attackers can set up rogue APs to impersonate legitimate networks and steal sensitive information. In this exercise, you will use Kismet to detect unauthorized access points and explore mitigation strategies.

⚠️ Important: This exercise must be performed in a legal and controlled lab environment. Unauthorized wireless scanning or network attacks are illegal and unethical.

Lab Instructions

Step 1: Set Up the Lab Environment

  • Monitoring Machine: Linux system with a Wi-Fi card capable of monitor mode.
  • Authorized AP: A legitimate access point (e.g., Company-WiFi).
  • Rogue AP: A fake AP mimicking the legitimate network (e.g., Company-WiFi).

Step 2: Install Kismet

On the Monitoring Machine, install Kismet: 

sudo apt update 
sudo apt install kismet -y

Step 3: Configure Kismet

Start Kismet with root privileges: 

sudo kismet

Configure the Wi-Fi interface in monitor mode:

Identify the wireless interface: 

iwconfig

Enable monitor mode: 

sudo ip link set wlan0 down 
sudo iwconfig wlan0 mode monitor 
sudo ip link set wlan0 up

Begin scanning for nearby Wi-Fi networks.

Step 4: Identify Rogue Access Points

  • In Kismet’s interface, monitor for suspicious SSIDs:
    • Look for SSIDs that mimic legitimate networks (e.g., Company-WiFi).
    • Check for multiple APs broadcasting the same SSID.
  • Analyze the MAC Addresses:
    • Legitimate APs often have known MAC address ranges.
    • Rogue APs may have randomized or vendor-unknown MAC addresses.
  • Signal Strength Analysis:
    • Rogue APs might have different signal strengths compared to the real AP due to proximity.

Step 5: Verify the Rogue AP

Cross-check the MAC addresses against the organization’s authorized devices.

Use Aircrack-ng to list available networks for further verification: 

sudo airodump-ng wlan0

Identify and confirm the rogue AP.

Solution & Explanation

How Rogue APs Work

  • Rogue APs mimic legitimate networks to trick users into connecting.
  • Attackers can intercept sensitive data or launch Man-in-the-Middle (MitM) attacks.

Detection Techniques

  • SSID Analysis: Duplicate or suspicious SSIDs in the area.
  • MAC Address Review: Rogue APs may use unfamiliar or randomized MACs.
  • Signal Strength: Discrepancies in signal strength can help identify fake APs.

Example Detection Scenario

SSIDMAC AddressSignal Strength
Company-WiFiAA:BB:CC:DD:EE:FF-40 dBm
Company-WiFi11:22:33:44:55:66-75 dBm (Suspicious)

Mitigation Strategies

1. Wireless Intrusion Prevention Systems (WIPS)

  • Monitors wireless traffic and automatically blocks rogue APs.

2. MAC Address Whitelisting

  • Allows only approved devices to operate as APs.

3. Network Segmentation

  • Isolates critical systems from the wireless network to minimize risks.

4. Employee Awareness

  • Educate staff about the risks of connecting to unfamiliar networks.

5. 802.1X Authentication

  • Uses secure authentication to verify devices before granting network access.

Testing & Verification

  • Confirm that Kismet successfully detects all APs in the vicinity.
  • Verify rogue AP identification by comparing MAC addresses and signal strength.
  • Test mitigation by attempting to connect to the rogue AP after implementing WIPS or access control measures.

Additional Script (Optional)

Automate monitor mode setup and scanning:

#!/bin/bash
# Enable monitor mode and start Kismet
sudo ip link set wlan0 down
sudo iwconfig wlan0 mode monitor
sudo ip link set wlan0 up
sudo kismet

Run the script:

chmod +x detect_rogue_ap.sh
sudo ./detect_rogue_ap.sh

Conclusion

In this exercise, you used Kismet to detect rogue access points by analyzing SSIDs, MAC addresses, and signal strength. You also explored effective mitigation strategies like WIPS and MAC filtering to secure networks against unauthorized wireless devices. Detecting and preventing rogue APs is crucial to maintaining a secure wireless infrastructure.

0 Comments