Detecting Rogue APs Using Nmap NSE

[paul at pauldotcom.com (Paul Asadoorian)]

Hey Josh,

Nice job on the script!

I will run the script with debug on and send you some more info on other
devices.

To find access points that do not have HTTP (or are blocking HTTP) my
suggestions would be:

- Query uPnP which almost always leaks the device type
- Query HNAP which also leaks this info (sometimes HNAP runs on port 80,
sometimes vendors run it on other ports such as 8099)
- Read the "Realm" in the BasicAuth dialog box for ones that use it
- SSH/Telnet is a bit difficult, usually you will get back a BusyBox
banner, which just means its running BusyBox and not necessarily an
access point

Cheers,
Paul

On 3/16/10 3:58 PM, Joshua Wright wrote:
> A long time ago I read a paper Renaud wrote about using Nessus for
> identifying rogue AP's.  The principle is that we can use banner
> grabbing and OS fingerprinting to identify AP's through the wired
> network.  This technique was adopted in the find_ap.nasl script, and
> then copied by others in commercial products.
>
> In my Ethical Hacking Wireless class with the SANS Institute, we had
> used the last GPL version of Nessus to demonstrate this plugin in a lab
> exercise.  I figured it was time for something different
> (http://bit.ly/7JJSz8) so I created my own script in Nmap NSE format:
>
> http://www.willhackforsushi.com/code/rogueap.nse
>
> The script will use HTTP banner grabbing and OS fingerprint matching to
> identify rogue AP's with output similar to the following:
>
> $ sudo nmap -sS -O --open --script=rogueap.nse 172.16.0.1-10
>
> Starting Nmap 5.00 ( http://nmap.org ) at 2010-03-16 15:29 EDT
> Interesting ports on 172.16.0.1:
> Not shown: 999 closed ports
> PORT   STATE SERVICE
> 80/tcp open  http
> |_ rogueap: Possible Rogue AP Found: "WRT54"
> MAC Address: 00:14:BF:0F:03:30 (Cisco-Linksys)
> Device type: general purpose
> Running: Linux 2.4.X
> OS details: Linux 2.4.18 - 2.4.35 (likely embedded)
> Network Distance: 1 hop
>
> I'd love to hear from list readers if you can send me signatures from
> your own devices.  You can run the same script with debug functionality
> to collect the header and HTTP payload information like this:
>
> $ sudo nmap -sS -O --open -d1 --script=rogueap.nse 172.16.0.1 | tee
> scan-log-for-josh.txt
>
> Note that I added "-d1" to turn on debugging output for logging the
> necessary data to create new signatures.  Thanks!
>
> I didn't add the SNMP and FTP analysis capabilities I believe Nessus has
> for their plugin; I'm not sure how effective those are.
>
> I'm considering how to write signatures to deal with cases like the
> Apple Airport which has no HTTP interface:
>
> $ sudo nmap -sS -O --open --script=rogueap.nse 172.16.0.108
>
> Starting Nmap 5.00 ( http://nmap.org ) at 2010-03-16 15:54 EDT
> Interesting ports on 172.16.0.108:
> Not shown: 997 closed ports
> PORT      STATE SERVICE
> 5000/tcp  open  upnp
> 5009/tcp  open  airport-admin
> 10000/tcp open  snet-sensor-mgmt
> MAC Address: 00:1F:F3:01:E3:42 (Apple)
> Device type: general purpose
> Running: NetBSD 4.X
> OS details: NetBSD 4.99.4
> Network Distance: 1 hop
>
> OS detection performed. Please report any incorrect results at
> http://nmap.org/submit/ .
> Nmap done: 1 IP address (1 host up) scanned in 14.70 seconds
>
>
> Certainly it would be easy to identify this as a one-off, but I'm
> thinking about how to add a non-string-matching detector that is more
> extensible based on OS details, open ports and other unique characteristics.
>
> Comments welcome, thanks!
>
> -Josh
_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

-- 
Paul Asadoorian
PaulDotCom Enterprises
Web: http://pauldotcom.com
Phone: 401.829.9552