For once I am posting a question since it is something I have yet to be able to answer properly, but the bug keeps itching at me to answer it.

How do you physically locate a wireless user? Pretend you have a wireless network and someone has been getting in. Other than getting lucky and walking around, how do you locate someone efficiently?

Now, I know expensive and expansive solutions exist for larger campus-type wireless implementations to locate users using information on their signal strength and triangulation between overlapping wireless coverage. But what about for your average techie joe who wants to do this? Is there any software and non-expensive hardware that can help?

I also know that I could attempt attacks against a laptop and see if I can turn on an annoying WAV file and increase the sound... but that’s a bit too intrusive and variable.

I’ll likely troll a few forums and IRC chans looking for this information over the course of the next few months as I’d really like to answer it.
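The campus-scale products mentioned above do their locating by combining the signal strength that several access points or sensors report for the same client with the known positions of those sensors. The script below is an added example (not from this post or any of the products named in it) of the arithmetic behind that: it converts each sensor's RSSI reading into an estimated distance with a log-distance path-loss model, then solves for the client's position by least-squares trilateration. The sensor coordinates, the calibration constants (`rssi_at_1m`, `path_loss_exp`) and the sample readings are all constructed for the example; the readings would come from your own APs or sensors on your own network.

```python
import math

# Constructed sensor positions in metres on a single floor plan.
# In practice these are the surveyed locations of your own APs/sensors.
SENSORS = {
    "ap-north": (0.0, 0.0),
    "ap-east": (30.0, 0.0),
    "ap-south": (0.0, 20.0),
}

# Assumed calibration constants for the log-distance path-loss model:
# rssi(d) = rssi_at_1m - 10 * n * log10(d). They must be measured on site.
RSSI_AT_1M = -40.0
PATH_LOSS_EXP = 2.5


def rssi_to_distance(rssi_dbm, rssi_at_1m=RSSI_AT_1M, path_loss_exp=PATH_LOSS_EXP):
    """Invert the log-distance model to turn one RSSI reading into metres."""
    return 10 ** ((rssi_at_1m - rssi_dbm) / (10 * path_loss_exp))


def simulate_rssi(position, sensors=SENSORS):
    """Constructed readings: what each sensor would report for a client at
    `position` under the model above with no noise (for testing only)."""
    x, y = position
    out = {}
    for name, (sx, sy) in sensors.items():
        d = max(math.hypot(x - sx, y - sy), 1.0)
        out[name] = RSSI_AT_1M - 10 * PATH_LOSS_EXP * math.log10(d)
    return out


def trilaterate(anchors, distances):
    """Least-squares 2-D position from >= 3 anchors with known coordinates.

    Each anchor gives a circle (x-xi)^2 + (y-yi)^2 = di^2. Subtracting the
    first circle from each of the others removes the squared unknowns and
    leaves a linear system A * [x, y] = b, solved via the normal equations.
    """
    names = list(anchors)
    if len(names) < 3:
        raise ValueError("need at least three anchors")
    (x0, y0), d0 = anchors[names[0]], distances[names[0]]
    rows = []
    for name in names[1:]:
        (xi, yi), di = anchors[name], distances[name]
        a1 = 2 * (xi - x0)
        a2 = 2 * (yi - y0)
        b = d0 ** 2 - di ** 2 + xi ** 2 - x0 ** 2 + yi ** 2 - y0 ** 2
        rows.append((a1, a2, b))
    s11 = sum(a1 * a1 for a1, _, _ in rows)
    s12 = sum(a1 * a2 for a1, a2, _ in rows)
    s22 = sum(a2 * a2 for _, a2, _ in rows)
    t1 = sum(a1 * b for a1, _, b in rows)
    t2 = sum(a2 * b for _, a2, b in rows)
    det = s11 * s22 - s12 * s12
    if abs(det) < 1e-9:
        # Collinear anchors cannot fix a 2-D position unambiguously.
        raise ValueError("anchors are collinear; add a sensor off the line")
    x = (s22 * t1 - s12 * t2) / det
    y = (s11 * t2 - s12 * t1) / det
    return x, y


def locate_client(readings, sensors=SENSORS):
    """readings: {sensor_name: rssi_dbm} for one client MAC. Returns (x, y)."""
    distances = {name: rssi_to_distance(rssi) for name, rssi in readings.items()}
    anchors = {name: sensors[name] for name in readings}
    return trilaterate(anchors, distances)


if __name__ == "__main__":
    # Constructed whole-dBm readings for a client actually standing at (10, 8).
    observed = {"ap-north": -68, "ap-east": -73, "ap-south": -70}
    x, y = locate_client(observed)
    print(f"estimated client position: ({x:.1f} m, {y:.1f} m)")
```

With the rounded readings in the block the estimate lands within about a metre of the true spot, which is the realistic outcome: multipath, walls and a badly chosen path-loss exponent push the error further, so the result is a search area to start from rather than a pin on the map, and a directional antenna carried into that area still finishes the job.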

  1. Client-based solutions
    Pay-for: AirMagnet (and probably most wireless audit tools) has a “Geiger-counter” type functionality where you can walk around and as you get closer it makes more noise.
    Free: There are some signal strength utils (listed in Wi-Foo) and you can get one with the SANS Wireless Auditing course (Perl script if I remember correctly). The gotchas are probably hinged on Prism-based cards since they do report signal strength (and you will probably want a directional antenna (yagi) to focus your search). BTW, you will stick out like a sore thumb walking around with a laptop/yagi in most environments (learned from skool of hard knocks).

  2. Yeah, I can totally understand the problems with a yagi and sticking out. I’ll have to look some of your suggestions up and see what I can find out. I think I do first need to start experimenting with some directional antennae.

  3. PDA phone with Wi-Fi (e.g. PPC-6700 running WM5 with WiFiFoFum)?
    I have like a million suggestions for this.

  4. Once upon a time IBM had a proprietary package for Linux that ran on clients to allow this. Basically it was an infrastructure tool to allow a business entity to monitor when rogue access points and nodes came within proximity of its wireless infrastructure.
    All the clients forwarded passively collected data (along with their GPS coordinates) to a master host which did the math to scope out the coordinates of all points on the network. All I ever got my hands on was a locked-out demo (non-open source) but it was a cool concept.

