Rogue Access Point


jferrara
11-21-2002, 05:02 PM
What is the best way to determine if your company has rogue access points? I currently have netstumbler, but how do I know if the AP I'm finding belongs to my LAN and not some nearby house or school?

oshea85
11-24-2002, 11:06 AM
Netstumbler will only show you networks that are broadcasting the ESSIDs in the beacons, and while it's likely that a non-hostile rogue would be relatively un-configured (therefore, most likely broadcasting its ESSID), there's no guarantee of this. A more savvy user (I hear these exist), might know enough to try to secure his unauthorized AP a bit.

To find rogues, there's basically two ways: scan your wired net, and scan the wireless net. You need to be looking for MAC addresses of known wireless vendors (or ESSIDs that you don't recognize).

Of course, a list of observed MAC addresses is useless if you haven't already documented what wireless NICs and APs you have out there. Document, document, document!!

As far as locating where the 'rogue' actually is, you can infer a lot of this by looking at SNR levels at various points in your space, and doing some rough triangulation. Directional antennas can help, but I've done fine with just a plain old NIC.

I've been paid to hunt down rogue APs in some well-known enterprises, and it's always a lot of fun seeing the deer-in-the-headlights look of someone who knows he's been busted, and is in for a serious talking-to.

If this is something that's a high-priority for your organization's security (and it should be), you might want to consider hiring a professional.

jferrara
11-25-2002, 08:21 AM
Thanks for the reply. How or where can I find a list of known MAC addresses? Also, I know vendors get a block of MACs, but what exactly distinguishes the vendor MAC...first 16 bits (4 hex characters), first 24 bits (6 hex characters)? Basically, I want to write a script that checks this info.

oshea85
11-25-2002, 08:56 AM
Check out the IEEE site for OUIs. You can download a list of assigned MACs there.

Keep aware that the manufacturer of the .11 chipset of the NIC or AP you bought is not always going to be who you think it is :eek:
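The script jferrara asks about, as an added example that is not from either poster: it parses the `(hex)` lines of an IEEE `oui.txt`-style download (the vendor part is the first 24 bits, i.e. the first 6 hex characters), normalises observed MACs from a wired or wireless scan, and flags addresses whose registered organisation looks like a wireless or chipset vendor and that are not in the documented inventory. The OUI entries, vendor keywords and MACs below are constructed placeholders, not real registrations.

```python
import re

# Constructed excerpt in the layout of the IEEE oui.txt download. The OUIs and
# organisation names are made up; real entries also carry a postal address.
OUI_TEXT = """\
AA-BB-CC   (hex)\t\tExample Wireless Corp
AABBCC     (base 16)\t\tExample Wireless Corp
\t\t\t\t1 Constructed Street
DD-EE-FF   (hex)\t\tAcme Radio Chipsets
DDEEFF     (base 16)\t\tAcme Radio Chipsets
01-23-45   (hex)\t\tGeneric Wired NICs Ltd
012345     (base 16)\t\tGeneric Wired NICs Ltd
"""

HEX_LINE = re.compile(r"^([0-9A-F]{2})-([0-9A-F]{2})-([0-9A-F]{2})\s+\(hex\)\s+(.+)$")


def parse_oui(text):
    """Map each 24-bit OUI (6 upper-case hex chars) to its registered organisation."""
    table = {}
    for line in text.splitlines():
        m = HEX_LINE.match(line.strip())
        if m:
            table["".join(m.group(1, 2, 3))] = m.group(4).strip()
    return table


def normalize_mac(mac):
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or 0011.2233.4455; return 12 hex digits."""
    digits = re.sub(r"[:\-.]", "", mac).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError("not a MAC address: %r" % mac)
    return digits


def classify(observed, oui_table, wireless_vendors, inventory):
    """Return (mac, organisation, status) for each observed MAC.

    Keywords are matched against the registered organisation, so the chipset
    maker behind a rebranded AP is caught as well as the brand on the box.
    """
    documented = {normalize_mac(m) for m in inventory}
    results = []
    for mac in observed:
        norm = normalize_mac(mac)
        org = oui_table.get(norm[:6])          # OUI = first 24 bits
        if norm in documented:
            status = "documented"
        elif org is None:
            status = "unknown-oui"             # not in the IEEE list: review by hand
        elif any(w.lower() in org.lower() for w in wireless_vendors):
            status = "rogue-candidate"         # wireless vendor, not in inventory
        else:
            status = "not-wireless"
        results.append((mac, org or "unknown OUI", status))
    return results
```

Feed `classify` the MACs from a switch's address table or a wireless sniff, a keyword list built from your own wireless vendors and their chipset suppliers, and the inventory oshea85 says you must already have documented.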