Rogue wireless devices within a given customer facility may pose a threat to the organization. The rogue devices may represent unknown or undocumented devices connected to the corporate network or may be evidence of a threat actor performing evil twin attacks against the legitimate infrastructure.

Procedure

  • Search for instances of customer details (name, acronyms, abbreviations, etc.) present in the SSID results from your passive analysis tool. Ignore the legitimate SSID names for this step, since those networks are initially assumed to be legitimate.
  • Filter your passive analysis results to display only the expected SSID names associated with the customer environment. Search for anomalies in those results:
    • Record any networks that employ a different encryption/authentication strategy than the legitimate network (open vs. PSK, PSK vs. enterprise, open vs. enterprise, TKIP vs. EAP, WPA2 vs. WPA3, etc.).
    • Record any networks that have a different MAC Organizationally Unique Identifier (OUI) than the rest of the infrastructure. What you are normally looking for is a different manufacturer. This may require multiple OUI lookup queries, since manufacturers may own several OUIs. OUI lookup can be conducted at https://www.wireshark.org/tools/oui-lookup.html.
  • Report any potential rogue networks to the customer for action and record an associated finding in the report.
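As an added worked example (not part of the original procedure), the two search steps above applied in Python to a constructed scan export. The scan rows, customer terms, expected-auth baseline and OUI table are all constructed stand-ins; in practice the OUI is resolved with the Wireshark lookup and the auth baseline comes from the customer.

```python
from collections import Counter

# Constructed sample rows (not real data) in the shape a passive analysis
# tool exports: BSSID, SSID and the advertised authentication/encryption.
SCAN = [
    {"bssid": "00:11:22:AA:00:01", "ssid": "ACME-Corp",  "auth": "WPA2-EAP"},
    {"bssid": "00:11:22:AA:00:02", "ssid": "ACME-Corp",  "auth": "WPA2-EAP"},
    {"bssid": "00:11:22:AA:00:03", "ssid": "ACME-Guest", "auth": "OPEN"},
    {"bssid": "00:11:22:AA:00:04", "ssid": "ACME-Guest", "auth": "WPA2-PSK"},  # auth differs
    {"bssid": "F4:F5:F6:00:00:09", "ssid": "ACME-Corp",  "auth": "WPA2-PSK"},  # auth and OUI differ
    {"bssid": "DE:AD:BE:00:00:01", "ssid": "ACME Setup", "auth": "OPEN"},      # customer term, unknown SSID
    {"bssid": "C0:FF:EE:00:00:01", "ssid": "CoffeeShop", "auth": "OPEN"},      # unrelated neighbour
]
# Customer-supplied baseline (constructed): expected auth scheme per legitimate SSID.
EXPECTED_AUTH = {"ACME-Corp": "WPA2-EAP", "ACME-Guest": "OPEN"}
CUSTOMER_TERMS = ["acme"]
# Stand-in for the Wireshark OUI lookup; vendor names are hypothetical.
OUI_TABLE = {"00:11:22": "CorpApVendor", "F4:F5:F6": "HomeRouterCo", "DE:AD:BE": "HotspotInc"}


def vendor(bssid):
    """Resolve the manufacturer from the OUI (first three octets of the BSSID)."""
    return OUI_TABLE.get(bssid.upper()[:8], "unknown")


def customer_term_hits(scan, terms=CUSTOMER_TERMS, expected=EXPECTED_AUTH):
    """Step 1: unexpected SSIDs that contain a customer name/acronym/abbreviation."""
    return sorted({r["ssid"] for r in scan if r["ssid"] not in expected
                   and any(t.lower() in r["ssid"].lower() for t in terms)})


def find_anomalies(scan, expected=EXPECTED_AUTH):
    """Step 2: within the expected SSIDs, flag BSSIDs whose auth scheme differs
    from the baseline or whose OUI vendor differs from the rest of the estate."""
    rows = [r for r in scan if r["ssid"] in expected]
    # The majority vendor across legitimate-SSID BSSIDs stands in for "other infrastructure".
    common_vendor = Counter(vendor(r["bssid"]) for r in rows).most_common(1)[0][0]
    findings = []
    for r in rows:
        if r["auth"] != expected[r["ssid"]]:
            findings.append((r["bssid"], r["ssid"], f"auth {r['auth']} != {expected[r['ssid']]}"))
        if vendor(r["bssid"]) != common_vendor:
            findings.append((r["bssid"], r["ssid"], f"vendor {vendor(r['bssid'])} != {common_vendor}"))
    return findings


if __name__ == "__main__":
    for hit in customer_term_hits(SCAN):
        print("unexpected customer-branded SSID:", hit)
    for bssid, ssid, why in find_anomalies(SCAN):
        print(f"possible rogue {bssid} ({ssid}): {why}")
```

Every hit is a candidate for the customer to confirm, not a verdict: a legitimate AP from a second vendor or a misconfigured guest radio produces the same anomaly as an evil twin.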

*Note: If heat maps are being generated for the target organization, Rogue Device Searches can be executed more efficiently using Netspot. Details on the Netspot procedure are included in Netspot.