Catching a Rogue Access Point in the Wild

The Alert

During a mid-day audit for a multi-tenant office, an employee mentioned intermittent captive portal pop-ups on the “Guest” network. That alone isn’t unusual—but device logs showed certificate warnings and DHCP conflicts. We suspected an evil twin AP broadcasting the same SSID to harvest credentials or intercept traffic.

Initial Triage

I stood at the lobby with a calibrated adapter in monitor mode and captured beacons from both the legitimate controller-managed SSID and an unknown transmitter. RSSI variance and channel hopping suggested a portable device. The rogue AP’s vendor OUI pointed to a consumer travel router.

Verification

We mirrored switch traffic feeding the legitimate APs and ran span captures—no corresponding MAC appeared for the rogue’s BSSID, confirming it wasn’t on the wired side. A passive walk with a directional antenna showed the signal spiking near a conference room. There we found a palm-sized router tucked behind a wall display, powered by a USB brick.

Containment

Facilities cut power to the room while we photographed and bagged the device for evidence. We then rotated the real guest SSID (new PSK), bumped minimum protocol to WPA2‑AES (with planned WPA3 migration), and pushed a blocklist entry for the rogue BSSID across the controller.

Root Cause & Lessons

• No AP roguescan policy was in place; the controller’s WIPS mode was disabled by default.
• Guest VLAN had lateral reachability to the printer subnet—an unnecessary risk.
• Captive portal certificates were expired, training users to click through warnings.

Repeatable Playbook

1. Collect symptoms and verify certificate/DHCP anomalies.
2. Capture beacons; compare OUI/vendor, channel, and RSN capabilities with known-good APs.
3. Triangulate with signal strength; verify if device is wired (switch CAM table) or purely over the air.
4. Remove power, preserve evidence, rotate credentials, and update WIPS policies.
5. Report with diagrams and a 30‑day hardening plan.

Gear Notes

A capable Wi‑Fi adapter and a portable TAP are invaluable. A passive network TAP and a high‑output USB‑C power bank kept the capture kit mobile all day.

Takeaway

SSID impersonation thrives on weak defaults and complacency. Turn on roguescan, segment aggressively, and train users to respect TLS warnings. Catching one rogue is satisfying; preventing the next five is maturity.

Affiliate Disclosure: As an Amazon Associate, SurfaceVector earns from qualifying purchases.