Freeware to scan for rogue AP / SSIDs for PCI-DSS compliance

We decided not to spend that 60k/year on external consultants' services to do scanning for rogue AP/SSIDs.

I noticed the consultant ran a software tool on their laptop. Any tool that could give a decent PDF report certifying there's no rogue WiFi AP around will be most welcome. Need something easy to use.
sunhux Asked:

masnrock Commented:
You could utilize aircrack-ng, and that can be obtained free, including as a part of Kali Linux. Not necessarily the most friendly but would address what you need.
btan Exec Consultant Commented:
The better and long-term approach is to have devices in the packet path, such as Wi-Fi controllers, that come with rogue AP detection to try and see if they have seen a MAC address on the wireless network which is also present on the wired network in an unexpected way.
An active scan can be run on the organization's network, requesting web pages on port 80 or 443, and/or running a tool such as nmap, to look for indicators of common consumer-grade networking equipment (e.g. a Linksys login page).

Detect forging 802.11 packets to disassociate clients from that access point, especially for wireless clients which your system recognizes as belonging to your organization (often called "rogue containment")
The top 3 enterprise wireless vendors (Cisco, Aruba, Motorola) will all offer a wireless IPS with several or all of these capabilities.

Kali is one good tool. One app and appliance combination that is good is the Fing App and the optional add-on Fingbox. Try out the app.
In order to block devices with the Fing app, you’ll need the hardware add-on called Fingbox.

Fingbox is a network security toolkit for home networks that unlocks more free features in the Fing app. Fingbox has a range of network management and security features including device blocking.
https://www.fing.io/support/fing-network-scanner-app-features/

The app mentioned allows you to quickly and easily scan any network you are connected to in order to see what other devices are also connected.

Overall, you need to make sure the inventory whitelist is built up and, when a new AP is introduced, it should alert you or the monitoring centre to investigate further. Most of the time the rogue AP will be targeting a common local SSID, like the free and open WIRELESS provider in your locale and even the local airport's common SSID. The key is to get those clients to connect to it automatically. These should be hunted down ASAP and blocked if deemed illegitimate.
sunhux Author Commented:
1. Does aircrack-ng generate a report in PDF?  I need something that looks formal

2. Which is easier to use?  Fing or aircrack-ng ?

3. I've installed RHEL before: just boot from CD.  Can I install it on my X203, which has Win 7 on it, to dual-boot? Any links on how to do this are appreciated
btan Exec Consultant Commented:
Detecting fake APs and SSIDs is not done solely via software and generation of a report. As mentioned, you need to establish a whitelist of APs and SSIDs in your environment; any deviating sighting of an AP broadcasting a whitelisted SSID or a suspicious SSID (as shared earlier) will then be surfaced in your reporting, if the intent is to share that with your supervisor. In fact, this needs continuous monitoring and scanning. A WIPS is desirable as it can also detect de-authentication attempts, which an attacker will normally make so that the victim disconnects from the existing AP and reconnects to the fake AP and SSID instead.

The Aircrack suite does not detect fake APs, though it can listen to the broadcast SSIDs; actually it is mostly used to either fake an AP or crack the weak password of a wireless setup. See specifically the tool named Airbase-ng @ https://www.aircrack-ng.org/doku.php?id=airbase-ng

The Fing app can do the inventory update with each scan done.
Creating a free Fing account will also allow you access to the following features:
- Digital Inventory: with an account you can name the devices on your network, allowing you to create and store a digital inventory of your devices.
- Alerts: This stored digital inventory then allows Fing to identify and alert you when new devices have accessed your network since the last time you scanned....
However, surfacing the deviating or suspicious AP is done manually. If you really need a solution, Fingbox is the one to consider on top of the app. It is a WIDS:
WIDS (Wireless Intruder Detection System) on the 2GHz spectrum
Fingbox detects the most harmful Wi-Fi attacks and offers protection against MITM (Man In The Middle) and other malicious network attacks. Specifically, Fingbox detects and alerts you about:
- Unauthorized Access Points – Rogue Access Points – Evil Twin Access Points
- Wi-Fi jamming and de-authentication floods
https://www.fing.io/support/security-alerts/
and also for info - Fingbox vs Fing App - https://www.fing.io/support/fing-app-vs-fingbox/

Note that the above only works if the fake SSID AP's MAC address hasn't been spoofed to match a known good AP's MAC address. But if a WIPS or WIDS is in place, such attempts may be sieved out over time from the deviating APs. There is no 100% sure means to surface a fake AP accurately, but it is best effort if you start the scanning and detection regime.
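
The whitelist comparison described in the post above, as an added example that is not part of the original thread or of any tool it mentions: each scanned AP is checked against an inventory of authorized BSSIDs and SSIDs. The CSV layout, the inventory, the finding names and the sample rows are all constructed for illustration; the channel check assumes a fixed channel plan.

```python
import csv
import io

# Constructed inventory of authorized APs: BSSID -> (SSID, channel).
AUTHORIZED = {
    "aa:bb:cc:00:00:01": ("CorpWiFi", 1),
    "aa:bb:cc:00:00:02": ("CorpWiFi", 6),
    "aa:bb:cc:00:00:03": ("CorpGuest", 11),
}

# Constructed scan export (hypothetical CSV layout: bssid,ssid,channel).
SAMPLE_SCAN = """bssid,ssid,channel
AA:BB:CC:00:00:01,CorpWiFi,1
aa:bb:cc:00:00:02,CorpWiFi,11
de:ad:be:ef:00:10,CorpWiFi,6
de:ad:be:ef:00:11,Free Airport WiFi,3
aa:bb:cc:00:00:03,CorpGuest,11
"""

def classify(scan_csv, authorized):
    """Return sorted (finding, bssid, ssid, channel) tuples for deviating sightings."""
    own_ssids = {ssid for ssid, _ in authorized.values()}
    findings = []
    for row in csv.DictReader(io.StringIO(scan_csv)):
        bssid = row["bssid"].strip().lower()  # normalise case before lookup
        ssid = row["ssid"].strip()
        channel = int(row["channel"])
        if bssid in authorized:
            # Known MAC but different SSID/channel: misconfiguration or a
            # spoofed MAC, the case a plain whitelist would otherwise miss.
            if authorized[bssid] != (ssid, channel):
                findings.append(("INVENTORY_MISMATCH", bssid, ssid, channel))
        elif ssid in own_ssids:
            # Our SSID broadcast from a MAC that is not in the inventory.
            findings.append(("EVIL_TWIN_SUSPECT", bssid, ssid, channel))
        else:
            # Not ours at all: neighbour AP or rogue, needs investigation.
            findings.append(("UNKNOWN_AP", bssid, ssid, channel))
    return sorted(findings)

def report(findings):
    """Format findings as plain text lines for a scan record."""
    lines = [f"{kind:<20} {bssid}  ch{channel:<3} {ssid}"
             for kind, bssid, ssid, channel in findings]
    return "\n".join(lines) if lines else "No deviations from AP inventory."

if __name__ == "__main__":
    print(report(classify(SAMPLE_SCAN, AUTHORIZED)))
```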

sunhux Author Commented:
Thanks, let me test out the Windows tools & will close this thread this weekend
btan Exec Consultant Commented:
For author advice.
btan Exec Consultant Commented:
For consideration.