Linksys WAP11, SMC MC2655W and the Netgear ME102

Increasing RF power on Access Points using SNMP commands.


Disclaimer: Anything you do to your access point is at your own risk! Check your laws for power output restrictions.

Please read this article before proceeding: http://www.wi2600.org/mediawhore/nf0/wireless/docs/802.11/WAP11/fun_with_the_wap11.txt

In my testing I used a Linksys WAP 11. These same commands may or may not work with other brands. Before any of this worked I needed to upgrade my firmware to 1.4g.5. It's likely that it will work with later versions, but I have not tested it. All the tcpdump output and SNMP commands were produced on Linux. There are ports of these programs for Windows as well.

Using the information from the above article, I used tcpdump to sniff the SNMP request that sets the power. Note: the word "string" is the read/write SNMP community string:

15:50:28.641418 > 192.168.2.233.32770 > 192.168.2.2.snmp: C=string SetRequest(46) .1.3.6.1.4.1.410.1.1.8.8.0=c7_c3_bf_bd_bb_bb_bb_b9_b9_b9_b9_b9_b9_b9

Linksys default power settings from the above dump:

Channel   Setting
1         c7
2         c3
3         bf
4         bd
5         bb
6         bb
7         bb
8         b9
9         b9
10        b9
11        b9


If we want to change these channels to the maximum power we use snmpset:

snmpset -On 192.168.2.2 string .1.3.6.1.4.1.410.1.1.8.8.0 x 8080808080808080808080808080

To verify that the Access Point accepted the snmpset we can do an snmpget:

snmpget -On 192.168.2.2 string .1.3.6.1.4.1.410.1.1.8.8.0


The correct result:

.1.3.6.1.4.1.410.1.1.8.8.0 =  Hex: 80 80 80 80 80 80 80 80 80 80 80 80 80 80

To set it back to the default power settings:

snmpset -On 192.168.2.2 string .1.3.6.1.4.1.410.1.1.8.8.0 x c7c3bfbdbbbbbbb9b9b9b9b9b9b9

We can use the Netstumbler graphing to see any difference in our signal. This is running on a laptop with a Lucent/Orinoco card. The first graph is with the Access Point around 30 feet away in the same room. "X" marks the spot when the power was set to maximum:


[Graph: Netstumbler Measurement 1]

The second graph is with the Access Point around 50 feet away, one floor down in a wood frame building. "X" marks the spot when the power was set to maximum:

[Graph: Netstumbler Measurement 2]

Once you know the SNMP OID you can use snmpset to change many settings in the access point. For example, if we want to have SNMP traps broadcast to the local subnet, first we sniff them with tcpdump. Enable traps:

15:50:45.931418 > 192.168.2.233.32770 > 192.168.2.2.snmp: C=string SetRequest(33) .1.3.6.1.4.1.410.1.1.1.3.0=01

Disable traps captured in tcpdump:

15:50:48.801418 > 192.168.2.233.32770 > 192.168.2.2.snmp: C=string SetRequest(33) .1.3.6.1.4.1.410.1.1.1.3.0=02

Now we know the parameters to enable and disable SNMP traps using the snmpset command:

snmpset 192.168.2.2 string .1.3.6.1.4.1.410.1.1.1.3.0 d 1
snmpset 192.168.2.2 string .1.3.6.1.4.1.410.1.1.1.3.0 d 2


SNMP traps could be used to monitor the MAC addresses of WLAN clients as they associate themselves with an access point, which is useful for security monitoring.
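The captures above show both the SetRequest writes and the community string crossing the network in clear text, so the same tcpdump output can be audited for configuration changes. The following Python is an added example, not part of the original article: it parses lines in the capture format shown above and flags writes from unapproved hosts, power table changes against the default, and trap disabling. The allowed_managers set, the host 192.168.2.50 and the second sample line are assumptions constructed for this example; bytes 12 to 14 of the power value are reported by position only, since the table above lists 11 channels.

```python
import re

# OIDs and the default power bytes are taken from the captures in the article.
POWER_OID = ".1.3.6.1.4.1.410.1.1.8.8.0"
TRAP_OID = ".1.3.6.1.4.1.410.1.1.1.3.0"
DEFAULT_POWER = bytes.fromhex("c7c3bfbdbbbbbbb9b9b9b9b9b9b9")

# Matches the tcpdump SetRequest line format shown in the article.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) > (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.snmp: C=(?P<community>\S+) "
    r"SetRequest\(\d+\) (?P<oid>[.\d]+)=(?P<value>[0-9a-f_]+)$")

def parse_set_request(line):
    """Return a dict for one SetRequest line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    try:
        event["value"] = bytes.fromhex(event["value"].replace("_", ""))
    except ValueError:  # odd number of hex digits, e.g. a truncated line
        return None
    return event

def changed_positions(value, baseline=DEFAULT_POWER):
    """Map 1-based byte position (the channel number in the article's table)
    to (baseline, new) for every byte that differs from the baseline."""
    return {i: (b, v) for i, (b, v) in enumerate(zip(baseline, value), 1) if b != v}

def audit(lines, allowed_managers):
    """Return (timestamp, message) alerts for the SetRequests in lines."""
    alerts = []
    for ev in filter(None, map(parse_set_request, lines)):
        if ev["src"] not in allowed_managers:
            alerts.append((ev["ts"], "SNMP write from unapproved host " + ev["src"]))
        if ev["oid"] == POWER_OID:
            diff = changed_positions(ev["value"])
            if diff or len(ev["value"]) != len(DEFAULT_POWER):
                alerts.append((ev["ts"], "power table differs at positions %s" % sorted(diff)))
        elif ev["oid"] == TRAP_OID and ev["value"] == b"\x02":
            alerts.append((ev["ts"], "SNMP traps disabled on " + ev["dst"]))
    return alerts

# Lines 1 and 3 are from the article; line 2 is constructed for this example.
SAMPLE = [
    "15:50:28.641418 > 192.168.2.233.32770 > 192.168.2.2.snmp: C=string SetRequest(46) .1.3.6.1.4.1.410.1.1.8.8.0=c7_c3_bf_bd_bb_bb_bb_b9_b9_b9_b9_b9_b9_b9",
    "15:52:10.000000 > 192.168.2.50.40000 > 192.168.2.2.snmp: C=string SetRequest(46) .1.3.6.1.4.1.410.1.1.8.8.0=" + "_".join(["80"] * 14),
    "15:50:48.801418 > 192.168.2.233.32770 > 192.168.2.2.snmp: C=string SetRequest(33) .1.3.6.1.4.1.410.1.1.1.3.0=02",
]
if __name__ == "__main__":
    for ts, msg in audit(SAMPLE, allowed_managers={"192.168.2.233"}):
        print(ts, msg)
```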



Frank Keeney

Pasadena Networks, LLC



All logos and trademarks in this site are property of their respective owners. All the rest © 2001 Pasadena Networks, LLC