PaulDotCom mailing list archives
Detecting Rogue APs Using Nmap NSE
From: jwright at hasborg.com (Joshua Wright)
Date: Tue, 16 Mar 2010 15:58:56 -0400
A long time ago I read a paper Renaud wrote about using Nessus for identifying rogue APs. The principle is that we can use banner grabbing and OS fingerprinting to identify APs through the wired network. This technique was adopted in the find_ap.nasl script, and then copied by others in commercial products.

In my Ethical Hacking Wireless class with the SANS Institute, we had used the last GPL version of Nessus to demonstrate this plugin in a lab exercise. I figured it was time for something different (http://bit.ly/7JJSz8) so I created my own script in Nmap NSE format:

http://www.willhackforsushi.com/code/rogueap.nse

The script will use HTTP banner grabbing and OS fingerprint matching to identify rogue APs with output similar to the following:

    $ sudo nmap -sS -O --open --script=rogueap.nse 172.16.0.1-10

    Starting Nmap 5.00 ( http://nmap.org ) at 2010-03-16 15:29 EDT
    Interesting ports on 172.16.0.1:
    Not shown: 999 closed ports
    PORT   STATE SERVICE
    80/tcp open  http
    |_ rogueap: Possible Rogue AP Found: "WRT54"
    MAC Address: 00:14:BF:0F:03:30 (Cisco-Linksys)
    Device type: general purpose
    Running: Linux 2.4.X
    OS details: Linux 2.4.18 - 2.4.35 (likely embedded)
    Network Distance: 1 hop

I'd love to hear from list readers if you can send me signatures from your own devices. You can run the same script with debug functionality to collect the header and HTTP payload information like this:

    $ sudo nmap -sS -O --open -d1 --script=rogueap.nse 172.16.0.1 | tee scan-log-for-josh.txt

Note that I added "-d1" to turn on debugging output for logging the necessary data to create new signatures. Thanks!

I didn't add the SNMP and FTP analysis capabilities I believe Nessus has for their plugin; I'm not sure how effective those are.
I'm considering how to write signatures to deal with cases like the Apple Airport which has no HTTP interface:

    $ sudo nmap -sS -O --open --script=rogueap.nse 172.16.0.108

    Starting Nmap 5.00 ( http://nmap.org ) at 2010-03-16 15:54 EDT
    Interesting ports on 172.16.0.108:
    Not shown: 997 closed ports
    PORT      STATE SERVICE
    5000/tcp  open  upnp
    5009/tcp  open  airport-admin
    10000/tcp open  snet-sensor-mgmt
    MAC Address: 00:1F:F3:01:E3:42 (Apple)
    Device type: general purpose
    Running: NetBSD 4.X
    OS details: NetBSD 4.99.4
    Network Distance: 1 hop

    OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 14.70 seconds

Certainly it would be easy to identify this as a one-off, but I'm thinking about how to add a non-string-matching detector that is more extensible based on OS details, open ports and other unique characteristics.

Comments welcome, thanks!

-Josh
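The two scan outputs above show the same idea from both sides: the WRT54 is caught by an HTTP string match, while the AirPort has no web interface and would need to be recognised from its OS match, open-port set and MAC vendor instead. The following Python is an added example, not Josh's rogueap.nse and not Nmap code. It works over Nmap's -oX XML output rather than as an NSE script, and scores each host against a weighted signature table so that a device is flagged when enough independent indicators agree, which is one way to build the "non-string-matching" detector the post asks about. The signature table, the weights, the threshold, and the sample XML are all constructed here (the XML is modelled on the two hosts in the post plus an ordinary Linux server that must not be flagged); the http_title field assumes the scan was run with --script=http-title so that Nmap records the page title in the XML.

```python
"""Score Nmap -oX output for likely rogue access points (added example)."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Hypothetical signature table. Every indicator that matches contributes its
# weight; a host is reported when the best signature reaches THRESHOLD.
# Weighting means a lone port-set match (2) is not enough on its own, while an
# OS match plus vendor plus port set (4) is, which covers devices like the
# AirPort that expose no HTTP banner.
SIGNATURES = [
    {"name": "Linksys WRT54 family", "http_title": r"WRT54",
     "os": r"Linux 2\.4.*embedded", "vendor": r"Cisco-Linksys", "ports": {80}},
    {"name": "Apple AirPort", "os": r"NetBSD", "vendor": r"Apple",
     "ports": {5000, 5009, 10000}},
]
WEIGHTS = {"http_title": 3, "os": 1, "vendor": 1, "ports": 2}
THRESHOLD = 3
# Signature key -> Host attribute holding the text to match against.
TEXT_FIELDS = {"http_title": "http_title", "os": "os_match", "vendor": "vendor"}


@dataclass
class Host:
    ip: str
    mac: str = ""
    vendor: str = ""
    os_match: str = ""
    open_ports: set = field(default_factory=set)
    http_title: str = ""


def parse_nmap_xml(xml_text):
    """Extract the fields the scorer needs from Nmap XML (-oX) output."""
    hosts = []
    for h in ET.fromstring(xml_text).iter("host"):
        host = Host(ip="")
        for addr in h.findall("address"):
            if addr.get("addrtype") == "ipv4":
                host.ip = addr.get("addr")
            elif addr.get("addrtype") == "mac":
                host.mac = addr.get("addr")
                host.vendor = addr.get("vendor", "")   # OUI lookup done by Nmap
        for p in h.findall("./ports/port"):
            st = p.find("state")
            if st is None or st.get("state") != "open" or p.get("protocol") != "tcp":
                continue
            host.open_ports.add(int(p.get("portid")))
            for s in p.findall("script"):
                if s.get("id") == "http-title":     # assumes --script=http-title
                    host.http_title = s.get("output", "")
        om = h.find("./os/osmatch")                 # first (best) OS match
        if om is not None:
            host.os_match = om.get("name", "")
        hosts.append(host)
    return hosts


def score_host(host, signatures=SIGNATURES):
    """Return (score, signature name, matched indicators) for the best signature."""
    best = (0, None, [])
    for sig in signatures:
        matched = []
        for key, attr in TEXT_FIELDS.items():
            pattern = sig.get(key)
            if pattern and re.search(pattern, getattr(host, attr), re.IGNORECASE):
                matched.append(key)
        if sig.get("ports") and sig["ports"] <= host.open_ports:
            matched.append("ports")
        total = sum(WEIGHTS[m] for m in matched)
        if total > best[0]:
            best = (total, sig["name"], matched)
    return best


def find_rogue_aps(xml_text, threshold=THRESHOLD):
    """Map IP -> (signature name, score, matched indicators) for flagged hosts."""
    flagged = {}
    for host in parse_nmap_xml(xml_text):
        total, name, matched = score_host(host)
        if total >= threshold:
            flagged[host.ip] = (name, total, matched)
    return flagged


# Constructed sample, modelled on the two scan results in the post plus a
# normal Linux web server that should not be flagged.
SAMPLE_XML = """<nmaprun scanner="nmap">
<host><address addr="172.16.0.1" addrtype="ipv4"/>
<address addr="00:14:BF:0F:03:30" addrtype="mac" vendor="Cisco-Linksys"/>
<ports><port protocol="tcp" portid="80"><state state="open"/><service name="http"/>
<script id="http-title" output="WRT54G"/></port></ports>
<os><osmatch name="Linux 2.4.18 - 2.4.35 (likely embedded)" accuracy="96"/></os></host>
<host><address addr="172.16.0.108" addrtype="ipv4"/>
<address addr="00:1F:F3:01:E3:42" addrtype="mac" vendor="Apple"/>
<ports><port protocol="tcp" portid="5000"><state state="open"/><service name="upnp"/></port>
<port protocol="tcp" portid="5009"><state state="open"/><service name="airport-admin"/></port>
<port protocol="tcp" portid="10000"><state state="open"/><service name="snet-sensor-mgmt"/></port></ports>
<os><osmatch name="NetBSD 4.99.4" accuracy="95"/></os></host>
<host><address addr="172.16.0.20" addrtype="ipv4"/>
<address addr="00:00:00:AA:BB:CC" addrtype="mac" vendor="Dell"/>
<ports><port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http"/>
<script id="http-title" output="Intranet portal"/></port></ports>
<os><osmatch name="Linux 2.6.X" accuracy="90"/></os></host>
</nmaprun>"""

if __name__ == "__main__":
    for ip, (name, score, matched) in find_rogue_aps(SAMPLE_XML).items():
        print(f"{ip}: possible rogue AP ({name}), score {score}, matched {matched}")
```

On the constructed sample the WRT54 scores 7 (title, OS, vendor and port set all agree), the AirPort scores 4 without any HTTP evidence, and the Dell server scores only 2 because port 80 alone matches the Linksys signature, which keeps it below the threshold. Adding a device signature is a matter of appending a dictionary; weights can be tuned per deployment as people send in the debug logs Josh asks for.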