
Discovering Rogue Access Points With Nmap

By Paul Asadoorian
There are lots of ways to skin this cat. This came up and piqued my interest because I was looking at the Nessus plugin that does this. It is a neat concept, but it relies on some really old information: OS fingerprints from Nmap 3.50. I decided that using Nmap directly is probably the best way to perform this task. Luckily, my handy Nmap Book has a section devoted to this called “8.8 SOLUTION: Detect Rogue Wireless Access Points on an Enterprise Network”, which can be found in the OS Detection chapter. There is an example Nmap command in the book, but I came up with the following Nmap command on my own to do this on my home network:

nmap -PN -n -pT:80,443,23,21,22,U:161,1900,5353 -sU -sV -sS -oA osfinger -O -T4

The above Nmap command scans the network with no ping (-PN) and no name resolution (-n). It only scans selected TCP and UDP ports; being able to specify independent TCP and UDP port lists with the -p T:...,U:... syntax is a really neat feature. I chose the ports listed because they are the ones most frequently found listening on embedded devices. I want to know whether those ports are open (-sU and -sS), and if they are, I want to fingerprint the services (-sV). I also want all of the output types (nmap, grepable, and XML; -oA) so I can work with the XML results and, if a scan dies, resume with the csv file. Finally, I want an OS fingerprint (-O) and aggressive timing (-T4).
This is great, but for use in an enterprise I want to run this from a cron job and have it email me the results every day. So I extended it using Nmap Parser (a Perl library for reading Nmap results and running Nmap scans) and came up with RogueAPDetect, written in Perl.
Nmap Parser was also featured in Security Weekly Episode 55, where I show how to use it together with nbtscan to find vulnerable hosts on the network.
I installed the latest version of Nmap Parser, version 1.13. [Editor's Note: Nmap Parser 1.18 is now available, but the compatibility with Nmap version 4.76.] I had to change the object names to be compatible with the new version, but it works like a champ. Example results look like this:

rogueapdetect.pl v0.001 - ( [email protected] )
Scan Information:
Number of services scanned: 7
Start Time: 1221793134
Scan Types: syn udp
Hosts scanned:
Address   :
OS match  : OpenWrt 0.9 - 7.09 (Linux 2.4.30 - 2.4.34)
Device Type: WAP
Address   :
OS match  : OpenWrt 0.9 - 7.09 (Linux 2.4.30 - 2.4.34)
Device Type: WAP

Oh look, a couple of devices running OpenWrt, go figure!
– Paul
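As an added example, not Paul's RogueAPDetect script and not part of the original post, here is a Python equivalent of the parsing step: it reads the XML that -oA writes, flags hosts whose OS fingerprint classifies them as a WAP, reports them in the same Address / OS match / Device Type layout as the output above, and drops addresses that are on an allow-list of sanctioned access points. The XML below is a constructed sample rather than a real scan, and the allow-list and minimum-accuracy threshold are assumptions of mine, not features of the original tool.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample of Nmap XML output (what -oX / -oA writes); addresses use the
# 192.0.2.0/24 documentation range and are not real scan data.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -PN -n -sU -sS -sV -O -oA osfinger" start="1221793134">
  <host>
    <status state="up"/>
    <address addr="192.0.2.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="lighttpd"/></port>
      <port protocol="udp" portid="161"><state state="open|filtered"/><service name="snmp"/></port>
    </ports>
    <os>
      <osmatch name="OpenWrt 0.9 - 7.09 (Linux 2.4.30 - 2.4.34)" accuracy="98">
        <osclass type="WAP" vendor="Linux" osfamily="Linux" osgen="2.4.X" accuracy="98"/>
      </osmatch>
    </os>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.0.2.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH"/></port>
    </ports>
    <os>
      <osmatch name="Linux 2.6.X" accuracy="95">
        <osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="2.6.X" accuracy="95"/>
      </osmatch>
    </os>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.0.2.30" addrtype="ipv4"/>
    <ports/>
  </host>
</nmaprun>
"""


def find_wireless_aps(xml_text, min_accuracy=80):
    """Return one dict per host whose OS fingerprint carries an osclass of type WAP.

    osclass sits inside osmatch in current Nmap XML and directly under os in
    older releases, so the search walks every osclass below the os element.
    """
    findings = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        os_el = host.find("os")
        if addr_el is None or os_el is None:
            continue
        wap_classes = [
            c for c in os_el.iter("osclass")
            if c.get("type") == "WAP" and int(c.get("accuracy", "0")) >= min_accuracy
        ]
        if not wap_classes:
            continue
        # Report the highest-accuracy osmatch, as the page's output does.
        best = max(os_el.iter("osmatch"), key=lambda m: int(m.get("accuracy", "0")), default=None)
        open_ports = [
            "%s/%s" % (p.get("protocol"), p.get("portid"))
            for p in host.iter("port")
            if p.find("state") is not None and p.find("state").get("state") == "open"
        ]
        findings.append({
            "address": addr_el.get("addr"),
            "os_match": best.get("name") if best is not None else "unknown",
            "device_type": "WAP",
            "open_ports": open_ports,
        })
    return findings


def rogue_aps(xml_text, known_aps, min_accuracy=80):
    """Filter the WAP findings down to addresses not on the allow-list of sanctioned APs (assumed feature)."""
    return [f for f in find_wireless_aps(xml_text, min_accuracy) if f["address"] not in known_aps]


def format_report(findings):
    """Render findings in the same Address / OS match / Device Type layout as the page."""
    lines = ["Hosts flagged as wireless access points: %d" % len(findings)]
    for f in findings:
        lines.append("Address   : %s" % f["address"])
        lines.append("OS match  : %s" % f["os_match"])
        lines.append("Device Type: %s" % f["device_type"])
        lines.append("Open ports: %s" % (", ".join(f["open_ports"]) or "none"))
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python rogue_ap_report.py osfinger.xml [known_ap_ip ...]
    # With no arguments the constructed sample above is parsed instead.
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NMAP_XML
    known = frozenset(sys.argv[2:])
    print(format_report(rogue_aps(xml_text, known)))
```

Run from cron against the osfinger.xml that the scan above produces, and pipe the report to mail; the allow-list keeps sanctioned APs out of the daily message so only new WAP fingerprints stand out. Note that the match comes from Nmap's OS classification alone, so a host with no fingerprint (the third sample host) is silently skipped, which is one reason the editor's note below recommends pairing this with wireless-side scanning.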
[Editor's note: I figured that this was a good idea to post after some of the discussion on the SANS Alumni mailing list. Paul also commented there (and I agree) that wired-side detection should be combined with wireless scanning as well. Just one of the reasons is that it can be difficult to accurately determine the device if only given a MAC address; try figuring out if that Linksys MAC address is a client or a router. Not to mention that MAC address changing is pretty trivial nowadays, adding a little more cloudiness to the situation. Using Paul’s methods for correlating information on open ports, banner grabbing, and OS detection certainly makes more sense for the wired-side portion of the discovery.
Paul has promised us a new tool with new features in the near future. I hear rumors that there is an NSE script (the Nmap Scripting Engine) in the works. Stay tuned!
– Larry ]

Larry Pesce

Larry’s core specialties include hardware and wireless hacking, architectural review, and traditional pentesting. He also regularly gives talks at DEF CON, ShmooCon, DerbyCon, and various BSides. Larry holds the GAWN, GCISP, GCIH, GCFA, and ITIL certifications, and has been a certified instructor with SANS for 5 years, where he trains the industry in advanced wireless and Industrial Control Systems (ICS) hacking. Larry’s independent research for the show has led to interviews with the New York Times with MythBusters’ Adam Savage, hacking internet-connected marital aids on stage at DEFCON, and having his RFID implant cloned on stage at Shmoocon. Larry is also a Principal Instructor and Course Author for the SANS Institute for SEC617: Wireless Penetration Testing and Ethical Hacking and SEC556: IoT Penetration Testing. When not hard at work, Larry enjoys long walks on the beach weighed down by his ham radio, (DE KB1TNF), and thinking of ways to survive the impending zombie apocalypse.
