GhostBeacon: The Tool That Detects Rogue and Hidden Wi-Fi with 99% Accuracy
GhostBeacon consists of two primary modules: the Rogue (Fake) Access Point Spotter, which analyses Beacon Frames using a handful of parameters to identify Rogue Access Points; and the Hidden Access Point Spotter, which analyses Probe Request/Response frames to uncover access points with hidden SSIDs. Experimental tests show that GhostBeacon achieves a detection success rate of up to 99% for Rogue Access Points and nearly 100% for Hidden Access Points. These results highlight this project’s potential to enhance wireless network security by mitigating unauthorized access and the subsequent risk of harmful network activities.
Features
- 802.11 Rogue (Fake) Access Point Spotter
- 802.11 Hidden Access Point Spotter
Main Execution Flow & Main Menu

Main Execution Flow
- The program first checks whether the dependencies are installed on the target OS. If they are not, it calls the rsc/setup.sh setup file to install them automatically.
- Then the program checks whether a wireless card is plugged in and whether that card is in “Monitor Mode”. Since the tool sniffs the air to capture packets, the card needs to be in “Monitor Mode”.
- After the necessary checks are completed, users can choose 1 for the “Rogue (Fake) AP Spotter” module or 2 for the “Hidden AP Spotter” module.
Module #1: Rogue (Fake) Access Point Spotter
Workflow

- In this module, an airodump-ng window pops up to display the SSIDs available within the wireless card’s scan range.

- Then, users are asked to enter an SSID value to check whether any rogue (fake) access point with the same SSID is present.
- Users are also asked to enter a value for the packet sniffing duration.
- Once these inputs are provided, the program starts sniffing “Beacon Frames” in the area and saves every access point with a unique BSSID (MAC address) into a list – namely, the “Comparison List”.

Sample Run: Spotting Rogue (Fake) Access Points
Brief explanation:
- Rogue (Fake) Access Points generally have no encryption (they are OPN) so that victims connect to the fake AP, where a Captive Portal then asks them for the original AP’s password. That’s why the first check is the AP’s encryption (i.e. the Privacy Bit).
- Since Fake APs are deployed later than the original AP, their uptime values are usually shorter than the original AP’s. Even though the uptime value is easy to fake, it is still an easy value to discriminate on.
- Due to the 802.11 protocol implementation, clients tend to connect to the nearest AP among those sharing the same SSID value. This brings us to the next control: the PWR (TX) check (i.e. Signal Strength). If an attacker wants a victim to connect to their Rogue AP, they first need to disconnect the victim from the original AP and force it to send a connection request (i.e. a Probe Request) to the Rogue AP by setting up an AP with a stronger signal.
- Fake APs may have encryption (their Privacy Bit may be set). If the target BSSID has encryption, the same controls need to be applied as for OPN BSSIDs.
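The three checks in the list above, as an added Python example that is not GhostBeacon’s own code: it parses raw beacon frames for the BSSID, Privacy bit and TSF timestamp (uptime), builds a comparison list keyed by BSSID, and reports which APs advertising the target SSID differ from the longest-running one. It assumes the signal strength (RSSI) is supplied alongside each frame, as a capture tool would read it from the radiotap header, and the sample frames are constructed inline.

```python
import struct
from collections import namedtuple

PRIVACY_BIT = 0x0010  # "Privacy" bit in the beacon Capability Information field
# uptime_s: TSF timestamp in seconds; rssi: assumed supplied per frame (radiotap)
Beacon = namedtuple("Beacon", "bssid ssid privacy uptime_s rssi")

def parse_beacon(frame: bytes, rssi: int) -> Beacon:
    """Parse MAC header, fixed parameters and SSID element of a raw beacon frame."""
    if len(frame) < 36 or frame[0] != 0x80:  # type 0 (mgmt), subtype 8 (beacon)
        raise ValueError("not a beacon frame")
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])  # Address 3 = BSSID
    timestamp, _interval, capability = struct.unpack_from("<QHH", frame, 24)
    ssid, off = "", 36
    while off + 2 <= len(frame):  # walk tagged elements until the SSID (tag 0)
        tag, ln = frame[off], frame[off + 1]
        if tag == 0:
            ssid = frame[off + 2:off + 2 + ln].decode("utf-8", "replace")
            break
        off += 2 + ln
    return Beacon(bssid, ssid, bool(capability & PRIVACY_BIT), timestamp / 1e6, rssi)

def build_beacon(bssid: str, ssid: str, privacy: bool, uptime_s: float) -> bytes:
    """Constructed sample frame for offline testing; not a captured packet."""
    mac = bytes.fromhex(bssid.replace(":", ""))
    header = b"\x80\x00\x00\x00" + b"\xff" * 6 + mac + mac + b"\x00\x00"
    capability = 0x0001 | (PRIVACY_BIT if privacy else 0)  # ESS bit (+ Privacy)
    fixed = struct.pack("<QHH", int(uptime_s * 1e6), 100, capability)
    return header + fixed + bytes([0, len(ssid)]) + ssid.encode()

def spot_rogue(target_ssid: str, observations: list) -> dict:
    """Comparison-list check: return {bssid: reasons} for suspicious duplicates."""
    seen = {}  # one entry per unique BSSID advertising the target SSID
    for frame, rssi in observations:
        b = parse_beacon(frame, rssi)
        if b.ssid == target_ssid:
            seen.setdefault(b.bssid, b)
    if len(seen) < 2:
        return {}
    ref = max(seen.values(), key=lambda b: b.uptime_s)  # longest-running = reference
    verdicts = {}
    for b in (x for x in seen.values() if x is not ref):
        reasons = []
        if ref.privacy and not b.privacy:
            reasons.append("open (OPN) while the reference AP is encrypted")
        if b.uptime_s < ref.uptime_s:
            reasons.append(f"uptime {b.uptime_s:.0f}s shorter than reference {ref.uptime_s:.0f}s")
        if b.rssi > ref.rssi:
            reasons.append(f"stronger signal ({b.rssi} dBm vs reference {ref.rssi} dBm)")
        if reasons:
            verdicts[b.bssid] = reasons
    return verdicts
```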
Download & Use