By Paul Asadoorian
There are lots of ways to skin this cat. This came up and piqued my interest because I was looking at the Nessus plugin to do this. This is a neat concept, but relies on some really old information from Nmap 3.50 OS fingerprints. I decided that using Nmap directly is probably best to perform this task. Luckily, my handy Nmap Book has a section devoted to this called “8.8 SOLUTION: Detect nns-cover-202x125.pngRogue Wireless Access Points on an Enterprise Network”, which can be found in the OS Detection Chapter. Now, there is an example Nmap command in the book, but I came up with the following Nmap command on my own to do this on my home network:

nmap -PN -n -pT:80,443,23,21,22,U:161,1900,5353 -sU -sV -sS -oA osfinger -O -T4 192.168.69.0/24

The above Nmap command scans the network with no ping options set (-PN), and no name resolution (-n). It only scans selected TCP and UDP ports, which I find is a really neat feature to be able to specify independent lists of UDP and TCP ports using the syntax above. I chose the ports listed because they are most frequently found listening on embedded devices. I want to know if those ports are open (-sU and -sS), and I want to fingerprint them if they are open (-sV). I also want all of the result types (nmap, grepable, and xml) so I can work with the results on XML and if a scan dies, resume with the csv file. I also want an OS fingerprint and use aggressive timing.
This is great, but for use in an enterprise I want to run this on a cron job and have it email me the results every day. So I extended using Nmap Parser (a perl library for accessing Nmap results and running Nmap scans) and came up with:
RogueAPDetect, written in perl.
reload_nmap_c.jpgNmap Parser was also featured in PaulDotCom Security Weekly Episode 55 where I show you how to use it to find vulnerable hosts on the network in conjunction with nbtscan.
I installed the latest version of Nmap Parser, version 1.13. [Editors Note: Nmap Parser 1.18 is now available, but the compatibility with Nmap version 4.76.] I had to change the object names to be compatible with the new version, but it works like a champ. Example results look like this:

rogueapdetect.pl v0.001 - ( paul@hacknaked.tv )
--------------------------------------------------
Scan Information:
Number of services scanned: 7
Start Time: 1221793134
Scan Types: syn udp
Hosts scanned:
Address   : 192.168.69.95
OS match  : OpenWrt 0.9 - 7.09 (Linux 2.4.30 - 2.4.34)
Device Type: WAP
Address   : 192.168.69.92
OS match  : OpenWrt 0.9 - 7.09 (Linux 2.4.30 - 2.4.34)
Device Type: WAP

Oh look, a couple of devices running OpenWrt, go figure!
- Paul
[Editors note: I figured that this was a good idea to post after some of the discussion on the SANS Alumni mailing list. Paul also commented there (and I agree) that wired side detecting should be combined with wireless scanning as well. Just one of the reasons is that it can be difficult to accurately determine the device if only given a MAC address; Try figuring out if that Linksys MAC address is a client or router. Not to mention that MAC address changing is pretty trivial nowadays, adding a little more cloudiness to the situation. Using Paul's methods for correlating information on open ports, banner grabbing, and OS detection certainly makes more sense for the wired side portion of the discovery.
Paul has promised us a new tool with new features in the near future. I hear rumors that there is an NSE script (the Nmap Scripting Engine) in the works. Stay tuned!
- Larry ]

About the author