WiFi Rogue AP Detection

Dan Salmon

Hey! What networks are around me?

I've got a WEP network called "Caravan"

I've got a WPA2 network called "Hunting Lodge - 5G"

I've got a WPA2 network called "FishNet"

I'd like to connect to FishNet, please

Yeah, sure okay what's the password

I think it's

Looks good to me, bro

Cool, can I download cat pics now?

Yeah alright

Hey, I also have FishNet

Rogue AP

No thanks, I'm good

Hey I'm that guy and I say disconnect from me

Deauth Attack

Okay, now I'm looking for networks again

Like I said, I have FishNet. What's the password

I think it's

Handshake Captured

Attack Detection

Watch our clients for abnormal # of deauth packets

Deauth

Rogue AP

Watch for APs with similar networks

Handshake Capturing

Not possible

Tool Limitations

Detect cloned MAC address 

Block deauth attacks

Doesn't

Can't

Lookup non-cloned MAC manufacturers

Next Version

  • 802.11w (2012)
  • Necessary for 802.11ac voluntary certification

Rogue AP Detection

By Dan

Rogue AP Detection

IT Masters Program - IT662 - Fall 2018

  • 470