Author Topic: Most popular freeware wi-fi sniffer? (Read 4618 times)

AJ Dual · « **on:** November 16, 2009, 11:04:56 AM »

Hi.

I've been tasked with finding a potentialy "rouge" Wi-Fi network at work. I don't even think it's a case of actual malfesance, but probably one of the teams has plugged in a Linksys to try and give visiting vendors Wi-Fi access, or even just thinking they can use it as a hub for a printer or something and don't even realize it's running Wi-Fi too.

I can actualy authenticate to it, with a default password no less.. but I can't get an IP from it, or figure out it's IP scheme, or if it's got MAC filtering turned on or whatever, so I can try and get into it's admin page and see if it's getting an IP from our LAN, and maybe figure out where in the heck in the damn building it is.

I've already tried looking through the DHCP server for known Linksys MAC ranges, but that method isn't very cooperative.

Of course, I've got "no budget" and "no time" to do this in. And I'd really like to have myself at least figure out which end of the building I'm searching in before I start crawling under EVERY desk, and peeking under every conference table, and behind every filing cabinet...

So is there any trusted windows freeware sniffer that will do this?

41magsnub · « **Reply #1 on:** November 16, 2009, 11:11:44 AM »

I have always used netstumbler, it is free and gets the info I care about.

http://www.netstumbler.com/

As I reread your question it might not be all the helpful though, you already know the network is there and what the BSSID is.

AZRedhawk44 · « **Reply #2 on:** November 16, 2009, 11:12:53 AM »

Not just Linksys.

Could be Belkin or another brand.

Or, could be a laptop in internet sharing mode, running an ad-hoc wireless hub via its wireless interface and its public interface via the NIC.

Your laptop should have a sniffer program built into it that came with the wireless card, or you can use the Windows built-in utility. Unless the SSID is hidden. Not sure if commercial sniffers can see hidden SSID networks, though.

I don't envy you. Probably faster to walk the area with a laptop and try to find the network via signal strength.

AZRedhawk44 · « **Reply #3 on:** November 16, 2009, 11:20:02 AM »

Wow, netstumbler is cool. Thx, 41. Saved to "nifty apps" folder.

Looks like it will do what you want AJ. It lists hidden SSID networks and the signal strength you have to it... somehow.

AJ Dual · « **Reply #4 on:** November 16, 2009, 11:20:16 AM »

Well, I know it's Linksys, because the SSID says so...

And I know it's one of ours because it has our default password on it to join it's Wi-Fi LAN.

I'm guessing some group, development, sales, accounting etc. grabbed it because "it's got lots of those port-things on the back"...

The only thing is it's not DHCP'ing, nor is it running a 10.0.0.X or 192.168.1.X NAT subnet, so I can't get to it's config page. At least then I could turn it off, and see if anyone complains. Or at least see if any other MAC's are accessing it, and maybe spoof one of them if MAC filtering is on.

I'll try netstumbler and see where that gets me.

I just really want to get to it's config page, and see if it's got a WAN ip from a wall jack. That'll get me down to a floor, a side of the building, and about 50 feet of cubicles to search.

Nick1911 · « **Reply #5 on:** November 16, 2009, 11:27:08 AM »

If you can connect to it, can't you do a tracert to get some idea where it's plugged in to the network?

41magsnub · « **Reply #6 on:** November 16, 2009, 11:35:07 AM »

I've also used inssider http://www.metageek.net/products/inssider/download which is functionally the same thing as netstumbler, again it would not be all that helpful for your situation.

41magsnub · « **Reply #7 on:** November 16, 2009, 11:38:55 AM »

You could try the old method, drop power to the building one circuit at a time until the network disappears, then you know what area it is in.

Unless it is on a UPS... This probably wouldn't be popular with management or the other staff either!

GigaBuist · « **Reply #8 on:** November 16, 2009, 02:31:12 PM »

I don't have any good suggestions for you. Sorry.

Used to work in an office where a certain team of programmers kept trying to use those little routers as switches. Which you can do with them just fine. As long as you don't wire them up using the WAN port on the internal network. I don't know how many hours we lost trying to track down routers that were fighting with our main DHCP server because of that nonsense.

Harold Tuttle · « **Reply #9 on:** November 16, 2009, 02:32:14 PM »

connect to its admin page, change log in, shut it off, await tech support call

Harold Tuttle · « **Reply #10 on:** November 16, 2009, 02:34:03 PM »

or get this:
http://www.thinkgeek.com/tshirts-apparel/interactive/991e/

Product Features

Glowing animated shirt dynamically displays the current wi-fi signal strength.
Shows signal strength for 802.11b or 802.11g
Black 100% Cotton T-Shirt
Animated Decal is Removable (with hook and loop fasteners) for Easy Washing
Battery Pack is Concealed in a Small Pocket Sewn Inside the Shirt
Runs for hours off three AAA Batteries (not included)

Harold Tuttle · « **Reply #11 on:** November 16, 2009, 02:38:17 PM »

http://www.metageek.net/products/inssider

Harold Tuttle · « **Reply #12 on:** November 16, 2009, 02:40:41 PM »

http://www.xirrus.com/library/wifitools.php

Xirrus Wi-Fi Inspector
The Xirrus Wi-Fi Inspector is a powerful tool for managing and troubleshooting the Wi-Fi on a Windows XP or Vista laptop. Built in tests enable you to characterize the integrity and performance of your Wi-Fi connection. Applications include:

Searching for Wi-Fi networks
Managing and troubleshooting Wi-Fi connections
Verifying Wi-Fi coverage
Locating Wi-Fi devices
Detecting rogue APs

41magsnub · « **Reply #13 on:** November 16, 2009, 02:45:27 PM »

I think a lot of people here are missing that he knows about the wireless network, what the SSID is, and can connect to it. What he cannot do is identify the IP address it is using to log into the console or physically find it.

AJ Dual · « **Reply #14 on:** November 16, 2009, 02:46:53 PM »

Quote from: Harold Tuttle on November 16, 2009, 02:32:14 PM

connect to its admin page, change log in, shut it off, await tech support call

Meh... I wish I could. That's what I want to do, or at least shut off the Wi-Fi.

For some reason DHCP on this Linksys is turned off, not working, or it just needs a reset. Or it's set to some wacky subnet I can't reach, or has MAC filtering turned on.

Despite authenticating to the wireless, I can't actually pass any TCP-IP traffic. If I force my laptop to likely subnets.. 10.0.0.x, or 192.168.1.x, it can't ping, so the subnet's not right.

That makes me think it's not acting as a router, but just an access point, or bridge, which has me A LOT more worried.

Quote from: 41magsnub on November 16, 2009, 02:45:27 PM

I think a lot of people here are missing that he knows about the wireless network, what the SSID is, and can connect to it. What he cannot do is identify the IP address it is using to log into the console or physically find it.

Exactly.

Harold Tuttle · « **Reply #15 on:** November 16, 2009, 03:32:50 PM »

maybe its a wireless print server

once authenticated, can you open 192.168.1.1 or 2.1 or 15.1 in a browser?

41magsnub · « **Reply #16 on:** November 16, 2009, 03:39:15 PM »

Actually.. what might be interesting would be to run wireshark after connecting to this network and see what traffic is on it. It might give a clue or tell you what IP address it is, most likely you could at a minimum identify the MAC address on it.

http://www.wireshark.org/

You might also get a LAN scanner such as Solarwinds LANSurveyer (30 day trial available) to scan your LAN and see if it finds anything like this device.

http://www.solarwinds.com/products/LANsurveyor/

RevDisk · « **Reply #17 on:** November 16, 2009, 05:44:18 PM »

Quote from: AJ Dual on November 16, 2009, 11:04:56 AM

So is there any trusted windows freeware sniffer that will do this?

As other folks have said, netstumbler and wireshark if you're going the OTA route.

Alternative, search your wired network. Port scan the entire company for port 80. If any results come back with "Linksys" string in the results... Or use RogueScanner (http://paglo.com/opensource/roguescanner). I do not endorse RogueScanner as I have not used it. I have a Fluke network analyzer that does that kind of thing.

Harold Tuttle · « **Reply #18 on:** November 17, 2009, 01:04:24 PM »

well? has anyone been pilloried?

AJ Dual · « **Reply #19 on:** November 17, 2009, 01:37:57 PM »

Quote from: Harold Tuttle on November 17, 2009, 01:04:24 PM

well? has anyone been pilloried?

It's not showing up today. It may have been here with a vendor team who has since left. Or someone found out through the grapevine heads were in danger of rolling and shut it down before I found it.

Nick1911 · « **Reply #20 on:** November 17, 2009, 02:49:31 PM »

Quote from: AJ Dual on November 17, 2009, 01:37:57 PM

It's not showing up today. It may have been here with a vendor team who has since left. Or someone found out through the grapevine heads were in danger of rolling and shut it down before I found it.

That's proper application of social networking!

Harold Tuttle · « **Reply #21 on:** November 17, 2009, 02:50:11 PM »

with 3 clicks a mac laptop can act as a wireless bridge to a lan.
It's called "Internet sharing"

News:

Author Topic: Most popular freeware wi-fi sniffer? (Read 4618 times)