During a wireless security assessment, finding rogue access points is always a big issue. Today we will see how to find those rogue access points using Nmap, detecting them based on OS version.

This Nmap command can detect rogue access points in your network, provided they are connected to the network.

nmap -PN -n -pT:80,443,23,21,22,U:161,1900,5353 -sU -sV -sS -oA osfinger -O -T4 192.168.0.1/24

Starting Nmap
Interesting ports on 192.168.0.1:
PORT STATE SERVICE VERSION
21/tcp closed ftp
22/tcp filtered ssh
23/tcp closed telnet
80/tcp open http Intoto httpd 1.0
443/tcp filtered https
161/udp open|filtered snmp
1900/udp open|filtered upnp
5353/udp open|filtered zeroconf
MAC Address: 11:22:33:44:55:66(Cisco-Linksys)
Device type: WAP|broadband router
Running: Linksys embedded, Netgear embedded, Netgear VxWorks 5.X
OS details: Linksys WRT54G or WRT54G2, or Netgear WGR614 or WPN824v2 wireless broadband router, Netgear WGT624 WAP, Netgear WGR614v7, WGT624v3, or WPN824v2 WAP (VxWorks 5.4.2)
Network Distance: 1 hop

Interesting ports on 192.168.0.100:
PORT STATE SERVICE VERSION
21/tcp closed ftp
22/tcp closed ssh
23/tcp closed telnet
80/tcp closed http
443/tcp closed https
161/udp closed snmp
1900/udp open|filtered upnp
5353/udp open|filtered zeroconf
MAC Address: 11:33:44:55:66:99 (Intel)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop

The above Nmap command scans the network with ping disabled (-PN) and without name resolution (-n). It only scans selected TCP and UDP ports; being able to specify independent lists of TCP and UDP ports with the T: and U: syntax above is a really neat feature. I chose the ports listed because they are the ones most frequently found listening on embedded devices.

Looking at the results, the first device, 192.168.0.1, has interesting ports opened, like 21, 23 and 80:
MAC Address: 11:22:33:44:55:66(Cisco-Linksys)
Device type: WAP|broadband router
Running: Linksys embedded, Netgear embedded, Netgear VxWorks 5.X
OS details: Linksys WRT54G or WRT54G2, or Netgear WGR614 or WPN824v2 wireless broadband router, Netgear WGT624 WAP, Netgear WGR614v7, WGT624v3, or WPN824v2 WAP (VxWorks 5.4.2)
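
As an added example (not part of the original post), the script below reads the XML file that -oA osfinger writes (osfinger.xml) and lists hosts that Nmap classified as WAP or broadband router and whose MAC address is not on a list of authorized access points. The allowlist, the function name find_access_points and the embedded sample XML are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Device classes Nmap reports in <osclass type="..."> that suggest an access point.
AP_TYPES = {"WAP", "broadband router"}

# Constructed sample shaped like osfinger.xml, mirroring the two hosts shown above.
SAMPLE_XML = """<nmaprun>
<host><address addr="192.168.0.1" addrtype="ipv4"/>
<address addr="11:22:33:44:55:66" addrtype="mac" vendor="Cisco-Linksys"/>
<os><osmatch name="Linksys WRT54G or WRT54G2" accuracy="100">
<osclass type="WAP" vendor="Linksys" osfamily="embedded" accuracy="100"/>
<osclass type="broadband router" vendor="Netgear" osfamily="embedded" accuracy="100"/>
</osmatch></os></host>
<host><address addr="192.168.0.100" addrtype="ipv4"/>
<address addr="11:33:44:55:66:99" addrtype="mac" vendor="Intel"/>
<os></os></host>
</nmaprun>"""


def find_access_points(xml_text, authorized_macs=()):
    """Return hosts fingerprinted as WAP/router whose MAC is not in the allowlist."""
    allowed = {m.upper() for m in authorized_macs}
    findings = []
    for host in ET.fromstring(xml_text).iter("host"):
        addrs = {a.get("addrtype"): a for a in host.iter("address")}
        mac = addrs.get("mac")  # only present when the host is on the local segment
        mac_addr = mac.get("addr", "").upper() if mac is not None else ""
        # osclass sits under osmatch in current Nmap and directly under os in old versions.
        types = {c.get("type") for c in host.iter("osclass")} & AP_TYPES
        if not types or mac_addr in allowed:
            continue  # not AP-like, or a known access point
        ip = addrs.get("ipv4")
        findings.append({
            "ip": ip.get("addr") if ip is not None else None,
            "mac": mac_addr or None,  # None: no MAC seen, still reported for review
            "vendor": mac.get("vendor") if mac is not None else None,
            "types": sorted(types),
        })
    return findings


if __name__ == "__main__":
    for f in find_access_points(SAMPLE_XML):
        print(f"{f['ip']}  {f['mac']}  {f['vendor']}  {'|'.join(f['types'])}")
```

Hosts for which Nmap returns no OS match, such as 192.168.0.100 above, are not reported, so they still need a manual look.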