Summary
We discovered an evil-twin SSID that mimicked the corporate guest network but was operated by an attacker to capture credentials and intercept (MITM) client traffic. This article walks through the detection signals, the verification steps we used, and the mitigation and reporting actions that followed.
Detection Signals
- Multiple BSSIDs advertising the same SSID with differing vendor OUI and channel behavior.
- Clients reporting intermittent DNS failures and captive portal redirections.
- Unusual DHCP lease activity observed on the network monitoring VLAN.
- Alerts from wireless monitoring (Kismet, or airodump-ng from Aircrack-ng) showing new APs with identical SSIDs appearing at different physical locations.
Verification Steps
- Passive capture: collect 60–120 seconds of 802.11 management frames (beacons/probes) with a monitor-mode adapter to compare BSSIDs, capabilities, and vendor OUIs.
- Packet analysis: analyze the beacon frames in Wireshark and inspect supported rates, RSN/cipher suites, and vendor IEs for anomalies.
- DHCP & ARP checks: capture DHCP traffic to identify the rogue DHCP server (the source of the DHCPOFFER) and its IP assignment pattern, and check whether the gateway MAC seen in ARP differs from the real one. For example: tcpdump -n -i wlan0 'port 67 or port 68'. Run this on an interface associated to the affected network: DHCP travels in data frames, so a monitor-mode capture of an encrypted network will not show it.
- Client behavior: observe whether clients are redirected to a captive portal, or whether the portal or other TLS endpoints present self-signed or otherwise untrusted certificates (a sign of interception and possible credential collection).
- Physical correlation: map RSSI and channel across the facility to approximate the rogue AP's location using Kismet or a directional antenna.
Packet Examples
Here are sanitized examples you can use to look for signs in captures.
Frame 1: Beacon (rogue)
IEEE 802.11 Beacon, SN=0, FN=0, Flags...
SSID: "CorpGuest"
BSSID: 02:12:34:56:78:90 (first octet 02: locally administered, so 02:12:34 is not a registered vendor OUI)
Channel: 6
Supported rates: 6,12,24
RSN: WPA2-PSK (TKIP) <- mixed/weak cipher
Vendor IE: unknown TLV fingerprints...
Note: attacker devices often use locally administered MACs (bit 1 of the first octet set, i.e. first byte 02, 06, 0a or 0e, as in the BSSID above) because the interface is a USB adapter or a software AP with a randomized address. Compare every BSSID's OUI against the vendor of your managed APs.
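The verification steps and the beacon example above are easy to automate. The following Python is an added example (not from the original write-up or any tool it names) that parses raw 802.11 beacon frames, decodes the SSID, channel, supported rates and RSN IE, and flags BSSIDs that advertise a managed SSID but are not in the AP inventory, with the extra indicators discussed above (locally administered MAC, foreign OUI, TKIP, open where the real SSID is protected). The inventory BSSID 00:11:22:33:44:55 and the sample frames are constructed for the example; the rogue BSSID, channel, rates and TKIP cipher are the ones from Frame 1.

```python
"""Beacon-frame parser and evil-twin indicator check (added example).

Input: raw 802.11 beacon frames without radiotap header. The sample
frames at the bottom are constructed, not taken from a real capture.
"""
import struct

RSN_CIPHER = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104", 8: "GCMP-128"}
RSN_AKM = {1: "802.1X", 2: "PSK", 5: "802.1X-SHA256", 6: "PSK-SHA256", 8: "SAE"}
IEEE_OUI = b"\x00\x0f\xac"  # suite selectors are OUI(3) + type(1)


def parse_rsn(data: bytes) -> dict:
    """Decode an RSN IE body into group cipher, pairwise ciphers and AKM suites."""
    version = struct.unpack_from("<H", data, 0)[0]
    group = RSN_CIPHER.get(data[5], "unknown")
    n_pair = struct.unpack_from("<H", data, 6)[0]
    pairwise = [RSN_CIPHER.get(data[11 + 4 * i], "unknown") for i in range(n_pair)]
    off = 8 + 4 * n_pair
    n_akm = struct.unpack_from("<H", data, off)[0]
    akm = [RSN_AKM.get(data[off + 5 + 4 * i], "unknown") for i in range(n_akm)]
    return {"version": version, "group": group, "pairwise": pairwise, "akm": akm}


def parse_beacon(frame: bytes) -> dict:
    """Pull BSSID, SSID, channel, rates and RSN out of a raw beacon frame."""
    if frame[0] != 0x80:                                   # type mgmt, subtype beacon
        raise ValueError("not a beacon frame")
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])     # addr3 of the MAC header
    body = frame[24:]
    capability = struct.unpack_from("<H", body, 10)[0]     # after timestamp(8)+interval(2)
    info = {"bssid": bssid, "privacy": bool(capability & 0x10),
            "ssid": "", "channel": None, "rates": [], "rsn": None}
    pos = 12                                               # first IE after fixed fields
    while pos + 2 <= len(body):
        eid, elen = body[pos], body[pos + 1]
        data = body[pos + 2:pos + 2 + elen]
        pos += 2 + elen
        if eid == 0:
            info["ssid"] = data.decode("utf-8", "replace")
        elif eid == 1:
            info["rates"] = [(r & 0x7F) / 2 for r in data]  # high bit marks a basic rate
        elif eid == 3 and elen == 1:
            info["channel"] = data[0]                       # DS Parameter Set
        elif eid == 48:
            info["rsn"] = parse_rsn(data)
    return info


def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet set (02, 06, 0a, 0e ...) means no registered OUI."""
    return bool(int(mac[:2], 16) & 0x02)


def evil_twin_indicators(beacons: list, inventory: dict) -> dict:
    """Return {bssid: [reasons]} for APs serving a managed SSID outside the inventory.

    inventory maps authorized BSSID -> SSID (e.g. exported from the WLAN controller).
    """
    managed_ssids = set(inventory.values())
    known_ouis = {b[:8] for b in inventory}
    findings = {}
    for b in beacons:
        if b["bssid"] in inventory or b["ssid"] not in managed_ssids:
            continue
        reasons = ["BSSID not in the managed AP inventory for this SSID"]
        if b["bssid"][:8] not in known_ouis:
            reasons.append("vendor OUI differs from the managed APs")
        if is_locally_administered(b["bssid"]):
            reasons.append("locally administered MAC, no registered vendor OUI")
        legit = [x for x in beacons if x["bssid"] in inventory and x["ssid"] == b["ssid"]]
        if b["rsn"] is None and any(x["rsn"] for x in legit):
            reasons.append("open network offered where the managed SSID uses RSN")
        elif b["rsn"] and ("TKIP" in b["rsn"]["pairwise"] or b["rsn"]["group"] == "TKIP"):
            reasons.append("TKIP cipher offered")
        findings[b["bssid"]] = reasons
    return findings


def rsn_ie(group: int, pairwise: int, akm: int) -> bytes:
    """Build a single-suite RSN IE body (used only for the constructed test frames)."""
    return (struct.pack("<H", 1) + IEEE_OUI + bytes([group])
            + struct.pack("<H", 1) + IEEE_OUI + bytes([pairwise])
            + struct.pack("<H", 1) + IEEE_OUI + bytes([akm])
            + struct.pack("<H", 0))


def build_beacon(bssid: str, ssid: str, channel: int, rsn: bytes = b"") -> bytes:
    """Construct a minimal beacon frame; test data, not a real capture."""
    mac = bytes.fromhex(bssid.replace(":", ""))
    hdr = b"\x80\x00" + b"\x00\x00" + b"\xff" * 6 + mac + mac + b"\x00\x00"
    cap = 0x0001 | (0x0010 if rsn else 0)                  # ESS, plus Privacy if RSN
    fixed = struct.pack("<QHH", 0, 100, cap)               # timestamp, interval, capability
    ies = bytes([0, len(ssid)]) + ssid.encode()
    ies += bytes([1, 3, 0x8C, 0x98, 0xB0])                 # basic rates 6, 12, 24 Mbps
    ies += bytes([3, 1, channel])
    if rsn:
        ies += bytes([48, len(rsn)]) + rsn
    return hdr + fixed + ies


# Constructed sample: one managed AP (placeholder BSSID) and the rogue from Frame 1.
INVENTORY = {"00:11:22:33:44:55": "CorpGuest"}
SAMPLE_FRAMES = [
    build_beacon("00:11:22:33:44:55", "CorpGuest", 1, rsn_ie(4, 4, 2)),   # CCMP / PSK
    build_beacon("02:12:34:56:78:90", "CorpGuest", 6, rsn_ie(2, 2, 2)),   # TKIP / PSK
]


def analyze(frames=SAMPLE_FRAMES, inventory=INVENTORY) -> dict:
    return evil_twin_indicators([parse_beacon(f) for f in frames], inventory)


if __name__ == "__main__":
    for bssid, reasons in analyze().items():
        print(bssid, "->", "; ".join(reasons))
```

To run it against a real capture, strip the radiotap header from each frame (its length is in bytes 2-3, little-endian) and feed the remaining bytes to parse_beacon; the inventory is the list of your own BSSIDs, which is the one signal an attacker cannot forge without also knowing which addresses you operate.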
Mitigation & Immediate Actions
- Isolate affected clients. If the rogue AP is bridged onto your wired network, block its MAC at the wired uplink; a rogue with its own uplink (for example a cellular modem) cannot be blocked this way and has to be located physically.
- Notify building security and physically inspect the area where RSSI indicates the source.
- Enable 802.11w (Protected Management Frames) so spoofed deauthentication frames cannot push clients off the legitimate AP, and require WPA2/WPA3 with enterprise (802.1X) authentication where possible. Make sure supplicants validate the RADIUS server certificate: without that, an evil twin can run its own RADIUS server and harvest credentials. PMF does not stop a client from voluntarily joining an open SSID of the same name.
- Harden captive portal flows: serve the portal over HTTPS with a publicly trusted certificate and HSTS, so the attacker's portal produces a certificate warning instead of looking identical. Browsers do not pin certificates for captive portals, so the warning (and users who do not click through it) is the control.
- If credentials were potentially captured, force resets and notify affected users and IT.
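Concretely, the wireless settings in this list map onto a few lines of AP and client configuration. The fragment below is an added example in hostapd and wpa_supplicant syntax, not configuration from the original incident (neither tool is mentioned above): first the weak AP settings the rogue in Frame 1 could mimic, then the hardened equivalent, then the client side that makes credential capture fail. The RADIUS address, shared secret, identities, CA path and domain name are placeholders.

```ini
# hostapd.conf, weak: pre-shared key anyone can copy, TKIP allowed, no PMF
interface=wlan0
ssid=CorpGuest
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=guestpass123
rsn_pairwise=TKIP CCMP
ieee80211w=0

# hostapd.conf, hardened: CCMP only, PMF required, 802.1X against RADIUS
# (RADIUS address and secret are placeholders)
interface=wlan0
ssid=CorpGuest
wpa=2
wpa_key_mgmt=WPA-EAP WPA-EAP-SHA256
rsn_pairwise=CCMP
ieee80211w=2
ieee8021x=1
auth_server_addr=10.0.0.10
auth_server_port=1812
auth_server_shared_secret=change-me

# wpa_supplicant.conf network block: the client validates the RADIUS server
# certificate against the corporate CA and checks its name, so an evil twin
# running its own RADIUS server never receives the MSCHAPv2 exchange.
# (identities, CA path and domain are placeholders)
network={
    ssid="CorpGuest"
    key_mgmt=WPA-EAP
    ieee80211w=2
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="alice@corp.example"
    anonymous_identity="anonymous@corp.example"
    ca_cert="/etc/ssl/certs/corp-root-ca.pem"
    domain_suffix_match="radius.corp.example"
}
```

The two client lines that matter are ca_cert and domain_suffix_match; a profile that omits them will happily complete PEAP against whatever RADIUS server the evil twin presents.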
Detection Tools & Links
Kismet
Wireshark
Aircrack-ng (monitor mode)
Kali / Flipper for RF checks
WiFi Pineapple (authorized lab use)
Reporting & Lessons Learned
- Maintain wireless monitoring on guest and public spaces — rogue APs are often short-lived.
- Educate users: show examples of fake portals, and teach them not to click through certificate warnings on the guest network.
- Formalize a wireless incident playbook: detection, containment, notification, and forensics.
- Consider running periodic wireless audits with directional scans and wardriving (authorized) to detect transient threats.
Appendix: Useful Commands
# Put interface into monitor mode (Linux)
sudo ip link set wlan0 down
sudo iw dev wlan0 set type monitor
sudo ip link set wlan0 up
# Park on the channel where the rogue beacons were seen (6 in Frame 1 above);
# a monitor interface hears one channel at a time unless a tool such as Kismet hops for you
sudo iw dev wlan0 set channel 6
# Capture 802.11 management frames with tcpdump (requires monitor mode)
sudo tcpdump -i wlan0 -s 0 -w rogue_ap.pcap 'type mgt'
# Beacons only, printed live with the BSSID (-e) so duplicate SSIDs stand out
sudo tcpdump -i wlan0 -e 'type mgt subtype beacon'