Rogue Wi-Fi access points are a pain for network administrators! A rogue access point is an unofficial device installed by somebody in a secure environment without authorization.
Often, a rogue access point is installed not to perform malicious activities but is connected to the corporate network by an employee who wants to use Wi-Fi inside the company. It’s very easy to do, even my 7-year-old daughter could do the installation!
Unfortunately, it breaks the security policy and can be disastrous for the corporate assets: a rogue access point is usually badly configured or, worse, not configured at all (factory settings). It becomes easy for remote attackers to access confidential data or resources using this “backdoor”. Commercial products, like the Aruba mobility controllers, provide rogue access point detection mechanisms. Alas, they are not “free” and cost $$$.
Paul Asadoorian, from pauldotcom.com, released an excellent article: Discovering Rogue Access Points With Nmap. Using the OS fingerprint feature of Nmap and some Perl code, Paul wrote a script which does the job perfectly!
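As an added example (not Paul’s Perl script), here is the same idea in Python: parse the XML produced by `nmap -O -oX -`, and flag any host whose OS class is a wireless access point or SOHO router that is not in a list of known infrastructure. The inventory set and the sample scan output are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

# Nmap "osclass" device types that point to a consumer access point or
# SOHO router rather than a managed workstation or server.
SUSPECT_TYPES = {"WAP", "router"}

# Authorised network gear (assumed inventory; replace with your own list).
KNOWN_INFRASTRUCTURE = {"10.0.0.1"}


def find_rogue_aps(nmap_xml, min_accuracy=85):
    """Return (ip, vendor, type) for hosts classified as WAP/router
    with at least min_accuracy that are not in the known inventory."""
    root = ET.fromstring(nmap_xml)
    rogue = []
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ip = addr.get("addr")
        if ip in KNOWN_INFRASTRUCTURE:
            continue  # authorised device, skip
        for osclass in host.iter("osclass"):
            accuracy = int(osclass.get("accuracy", "0"))
            if osclass.get("type") in SUSPECT_TYPES and accuracy >= min_accuracy:
                rogue.append((ip, osclass.get("vendor"), osclass.get("type")))
                break  # one hit per host is enough
    return rogue


# Constructed sample in the shape of nmap -O -oX output (not a real scan).
SAMPLE_XML = """<nmaprun>
<host><address addr="10.0.0.1" addrtype="ipv4"/><os>
  <osmatch name="Cisco router" accuracy="95"><osclass type="router" vendor="Cisco" osfamily="IOS" accuracy="95"/></osmatch>
</os></host>
<host><address addr="10.0.0.23" addrtype="ipv4"/><os>
  <osmatch name="Linksys WRT54G WAP" accuracy="92"><osclass type="WAP" vendor="Linksys" osfamily="embedded" accuracy="92"/></osmatch>
</os></host>
<host><address addr="10.0.0.42" addrtype="ipv4"/><os>
  <osmatch name="Linux 2.6.X" accuracy="98"><osclass type="general purpose" vendor="Linux" osfamily="Linux" accuracy="98"/></osmatch>
</os></host>
</nmaprun>"""

if __name__ == "__main__":
    for ip, vendor, dtype in find_rogue_aps(SAMPLE_XML):
        print(f"possible rogue AP: {ip} ({vendor}, {dtype})")
```

Feed it a real scan with `nmap -O -oX - 10.0.0.0/24` and tune `min_accuracy` to your environment; OS fingerprints of embedded devices are fuzzy, so treat hits as leads to verify physically, not proof.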