
Detecting Apple Airports from the wire

One of my challenges (not to be confused with the DC3 challenge below) is being able to detect rogue devices on our network. One of the most elusive is the wireless access point. Sure, I can detect one from the air with relative ease. However, correlating the MAC address of the radio interface with a MAC address on the Ethernet interface isn't as easy.

In some instances, the MAC is off by a single hex digit. For example, the radio MAC will be 00-11-24-B4-CD-52 and the Ethernet MAC will be 00-11-24-B4-CD-53. This is not always the case, though, so matching them really boils down to guessing. I'd prefer something more specific.

While processing a scan last week, I noticed a pattern in some of the hosts I was scanning. Certain hosts answered on TCP port 5009 and identified themselves as Apple Airports. Airport is Apple's name for their wireless interface, so in reality that could be anything, such as a MacBook or what have you.

I installed the Windows version of the Apple Airport management GUI and then sniffed the traffic. When contacted by the management software, the device in question would ALWAYS respond with some garbage followed by the string "ACPP":

0000: 6163 7070 0000 0001 c832 06d8 0000 0001 [ acpp.....2...... ]

Nmap (run with the -A flag), however, did not identify port 5009 as an Airport management port, although it did report the port as open.

Next, we scanned the network space for devices with port 5009 open and chained that output into Amap. Amap got the ACPP response when it sent its SSL identity trigger! So any device listening on port 5009 AND responding on that port with ACPP was definitely an Apple Airport!
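A small checker of the kind described above, added here as an example (it is not the author's tooling, nor Amap's or Nmap's code): it connects to TCP 5009, sends a minimal TLS ClientHello as a stand-in for Amap's SSL trigger (an assumption; the exact bytes Amap sends are not on the page), and reports whether the reply carries the "acpp" marker. The 16-byte sample reply is taken from the hex dump above; the three words after the marker are returned unnamed because the post does not document their meaning.

```python
import socket
import struct

ACPP_MAGIC = b"acpp"

# Sample reply reconstructed from the post's hex dump (constructed test input).
SAMPLE_REPLY = bytes.fromhex("6163707000000001c83206d800000001")


def tls_client_hello():
    """Minimal TLS 1.0 ClientHello offering one cipher suite. Assumed stand-in
    for Amap's SSL identity trigger; the real trigger bytes are not on the page."""
    body = (b"\x03\x01" + bytes(32)      # client_version + 32-byte random (zeros)
            + b"\x00"                    # empty session id
            + b"\x00\x02\x00\x2f"        # one suite: TLS_RSA_WITH_AES_128_CBC_SHA
            + b"\x01\x00")               # compression methods: null only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def parse_acpp_reply(data):
    """Find 'acpp' anywhere in the reply (the post says leading bytes may precede
    it) and return the three big-endian 32-bit words that follow, or None if the
    marker is absent or the reply is truncated."""
    idx = data.find(ACPP_MAGIC)
    if idx < 0 or len(data) < idx + 16:
        return None
    return struct.unpack("!III", data[idx + 4:idx + 16])


def is_airport_reply(data):
    return parse_acpp_reply(data) is not None


def probe_airport(host, port=5009, timeout=3.0):
    """True if host answers the trigger with an 'acpp' record, False if it answers
    with something else, None if the port is closed or stays silent."""
    data = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(tls_client_hello())
            while len(data) < 64 and parse_acpp_reply(data) is None:
                try:
                    chunk = s.recv(64 - len(data))
                except socket.timeout:
                    break          # device stopped talking; judge what we have
                if not chunk:
                    break
                data += chunk
    except OSError:
        return None
    return is_airport_reply(data) if data else None
```

A host reporting False still has 5009 open but is not speaking this protocol, which is the Nmap false-positive case the post describes; only True identifies an Airport.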

We're looking into other access point devices now to see if we can get something similar.

About

This page contains a single entry from the blog posted on December 5, 2006 12:25 PM.


This weblog is licensed under a Creative Commons License.
Powered by Movable Type 3.33