October 3, 2006

Discover Rogue Access Points with DHCP

Linksys API recently was challenged with the task of determining if any rogue access points existed on a large network, spanning multiple locations. The concern was that local staff would go down to CompUSA or Office Depot and buy APs to provide “convenience,” and IT would have no way of knowing. It was not practical to go visit each site, and we could not rely upon local staff, because they were the very people we were worried about.

We determined that the likely scenario would be that the staff plugged it in to the network and obtained an “external” IP address from our DHCP servers. The likelihood that they would have statically assigned an IP seemed slim since they would have no way to determine which IPs would fall outside the DHCP range. Also, we counted on laziness to rule the day, since it would work fine with DHCP.

I came up with the following batch script to run against our DHCP servers. It dumps all current DHCP lease holders, and then checks them for known AP MAC address prefixes.

REM ###Script written by Bill Dougherty
REM ###Used to check for rogue access points within DHCP
REM ###Script requires 2 additional files:
REM ### servers.tx2 should be a simple text file with a list of the IP addresses for your DHCP servers. 1 per line
REM ### macs.tx2 should be a text file with a list of MAC address prefixes for known access points.
REM ### The list below includes the MACs registered with the IEEE for the major WAPs you are likely to find in retail stores. MACs located at http://standards.ieee.org/regauth/oui/index.shtml
REM ### You must be logged in with admin rights on your domain for this script to work.
REM ### The NETSH DHCP context is only present on Windows Server; "sleep" comes from the Windows 2003 Resource Kit Tools.
REM ### -----------------Save the code between the two REM statements as a batch file called wapcheck.bat
REM ### Start fresh: the files below are appended to (>>), so stale data from an earlier run must go.
del scopes.txt 2>nul
del clients.txt 2>nul
del accesspoints.txt 2>nul
REM ### For each DHCP server, dump its scopes and hand the server to the :ScopeDump subroutine.
for /f "tokens=1" %%a in (servers.tx2) do (netsh dhcp server %%a show scope > scopes.txt && call :ScopeDump %%a)
goto :CheckMacs

:ScopeDump
set SRV=%1
REM ### Append every current lease in every scope of this server to clients.txt.
for /f "tokens=1" %%b in (scopes.txt) do (netsh dhcp server %SRV% scope %%b show clients 1 >> clients.txt && sleep 1)
REM ### Return to the caller; without this the subroutine falls through into :CheckMacs once per server.
goto :EOF

:CheckMacs
REM ### Match each known AP prefix against the lease dump (/I so letter case in the MAC does not matter).
for /f "tokens=1" %%c in (macs.tx2) do (findstr /I %%c clients.txt >> accesspoints.txt)
REM ###-------------------End wapcheck.bat
REM ### ------Save the list below into a file called macs.tx2
00-13-10 Linksys
00-04-5a Linksys
00-06-25 Linksys
00-0c-41 Linksys
00-0f-66 Linksys
00-12-17 Linksys
00-14-bf Linksys
00-16-b6 Linksys
00-18-39 Linksys
00-09-5b Netgear
00-0f-b5 Netgear
00-14-6c Netgear
00-18-4d Netgear
00-11-50 Belkin
00-17-3f Belkin
00-30-bd Belkin
00-0e-3b Hawking
00-05-5d D-Link
00-0d-88 D-Link
00-0f-3d D-Link
00-11-95 D-Link
00-13-46 D-Link
00-15-e9 D-Link
00-17-7c D-Link
00-17-9a D-Link
00-50-ba D-Link
00-80-c8 D-Link
00-13-49 ZyXEL
00-40-01 ZyXEL
00-a0-c5 ZyXEL
00-04-e2 SMC
00-0b-c5 SMC
00-13-f7 SMC
00-40-27 SMC


This is a simple but effective script. Put the main section of code in between the REM statements into a batch file. Create a text file called servers.tx2 with the IP addresses of your DHCP servers. Put the MAC addresses into a file called macs.tx2, and you are good to go. Note: you must be logged in as a domain admin, or at least as a user with rights to manage DHCP.
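The same prefix check, written in Python as an added example rather than the post's own script: it reads a lease dump in the layout of "netsh dhcp server ... show clients 1" (the sample here is constructed, not captured from a real server, and the client name is assumed to be the last token on the line), loads a macs.tx2-style prefix list, and matches the OUI only against the Unique ID column, so unlike findstr a hex fragment elsewhere on the line cannot produce a false hit. The last sample row shows why a match is only a lead: a laptop with a Linksys NIC matches the same prefix as a Linksys AP and must be triaged by name.

```python
import re

# Constructed sample of "netsh dhcp server <ip> scope <scope> show clients 1" output (not real).
CLIENT_DUMP = """\
IP Address      - Subnet Mask    - Unique ID           - Lease Expires        -Type -Name
==========================================================================================
192.168.10.21   - 255.255.255.0  - 00-13-10-4a-9b-c2   -10/5/2006 3:24:18 PM   -D-  WRT54G
192.168.10.22   - 255.255.255.0  - 00-1a-2b-3c-4d-5e   -10/5/2006 3:30:02 PM   -D-  FINANCE-PC07
192.168.10.23   - 255.255.255.0  - 00-0f-b5-77-88-99   -10/5/2006 4:01:45 PM   -D-  NETGEAR
192.168.10.24   - 255.255.255.0  - 00-14-bf-01-02-03   -10/5/2006 4:10:00 PM   -D-  JSMITH-LAPTOP
"""

# Same layout as the page's macs.tx2 (OUI prefix, vendor); a subset of its list.
MACS_TX2 = """\
00-13-10 Linksys
00-14-bf Linksys
00-0f-b5 Netgear
"""

# A full MAC in dashed or colon form; the OUI is its first three octets.
MAC_RE = re.compile(r"\b(?:[0-9a-f]{2}[-:]){5}[0-9a-f]{2}\b", re.I)

def normalize(mac):
    """Strip separators and lower-case so 00-13-10 and 00:13:10 compare equal."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def load_ouis(text):
    """Parse macs.tx2 lines into {'001310': 'Linksys', ...}."""
    ouis = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            ouis[normalize(parts[0])[:6]] = parts[1].strip()
    return ouis

def find_candidate_aps(dump, ouis):
    """Return (ip, mac, vendor, client name) for every lease whose OUI is listed.
    Only the Unique ID column is compared; the name is assumed to be the last token."""
    hits = []
    for line in dump.splitlines():
        m = MAC_RE.search(line)
        if not m:
            continue  # header, separator or blank line
        mac = normalize(m.group(0))
        vendor = ouis.get(mac[:6])
        if vendor:
            fields = line.split()
            hits.append((fields[0], m.group(0).lower(), vendor, fields[-1]))
    return hits
```

To run it against a real dump, read clients.txt and macs.tx2 into the two strings and print each tuple that find_candidate_aps returns.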

Sometimes the simplest answers are the best. When performing security audits, it is not practical or even possible to test every threat. A good security tester creates scenarios based upon the likely actions of the user, tests those scenarios, and then mitigates the threat. In this case, rogue APs were found and eliminated. Does this mean a more skilled person couldn’t figure out how to statically assign an IP and mask the AP from DHCP? Of course not. But the tests for that threat are harder, take longer, and cost more. Sometimes you go for the low hanging fruit. This test took less than 30 minutes to create, but yielded huge results. Hopefully you too will find it useful. If so, drop me a comment and let me know.


UPDATE: The NETSH command used in this script requires Windows 2003 Server. The Windows XP version of NETSH does not have the DHCP option. Thanks to ALUNG for helping me debug!



  1. Alung said,

    October 6, 2006 @ 7:47 pm

    Hey Bill,

    What is required to make this work? rm isn’t a Windows command, so I’m assuming you installed the rm command?

    I hope all is well with you.

    This is a great idea, I’m going to test it in a few different areas.

  2. bill said,

    October 6, 2006 @ 10:10 pm

    Mr. Lung,

    Thanks for the comment! That is a good catch. On my admin system, I have Unix Services for Windows, and “rm” is force of habit. I changed the script to use “del” instead, so it should work on any XP or Windows 2003 system, so long as you have admin rights. I hope all is well. Let me know if it works for you.


  3. bill said,

    October 7, 2006 @ 9:06 am

    Someone on a WIFI forum asked me for a better explanation of the script and especially the ‘DEL’ commands, so here goes:

    The DEL commands are cleanup commands that let you run this script more than once. When you run this script, 3 text files are created on your local system. The first file is scopes.txt and it is created with this command:

    for /f "tokens=1" %%a in (servers.tx2) do (netsh dhcp server %%a show scope > scopes.txt && call :ScopeDump %%a)

    This will dump all of the DHCP scopes configured on the DHCP server to the file scopes.txt. This command loops against the file servers.tx2, so that you can dump all the scopes from all your DHCP servers. The script works across the network, so I recommend running it on an admin workstation, instead of directly on your servers.

    Once we have the list of scopes, we then want to dump all of the current DHCP leases from each scope, which is done with the :ScopeDump sub-routine:

    :ScopeDump
    set SRV=%1
    for /f "tokens=1" %%b in (scopes.txt) do (netsh dhcp server %SRV% scope %%b show clients 1 >> clients.txt && sleep 1)

    ScopeDump creates our 2nd text file called clients.txt which is a list of every currently held DHCP lease on all our servers. Now that we have our list of clients, the last step is to check that list for MAC addresses from WAP vendors:

    for /f "tokens=1" %%c in (macs.tx2) do (findstr %%c clients.txt >> accesspoints.txt)

    This creates the last file accesspoints.txt. Open that file and see if you found anything. If you found a matching MAC prefix, you’ll then need to investigate to see if it is a legit device or a rogue AP. A Linksys NIC will show up, as will a Linksys AP. You can usually tell by the client name.

    So why the DEL commands? Because we want to start fresh every time. Our script feeds these text files with the double caret ‘>>’ which appends whatever we are feeding it to the end of the file. Deleting these files every time we start makes sure you always have fresh data. I hope this helps.


  4. Alung said,

    October 7, 2006 @ 8:23 pm

    Mr. D,
    I’m still missing something, can you send me your files so I can try using them.

  5. Alung said,

    October 7, 2006 @ 8:42 pm

    Don’t you need to create the file with > prior to appending it with >>? When you append the clients.txt file it doesn’t exist because you did a del as one of your first commands.

  6. Alung said,

    October 7, 2006 @ 8:57 pm

    One other thing, my netsh command doesn’t have a dhcp option? Is mine outdated?

  7. bill said,

    October 7, 2006 @ 9:00 pm

    I posted the files above for you. You do not need to create the files first. The first time the script uses >> it will create the files.

    Since you seemed to be having problems, I tried the scripts on a couple of different machines. It looks like the NETSH command on Windows XP does not have the DHCP option. On Windows 2003 server, NETSH DHCP works fine. That is likely the cause of your issues.


  8. Alung said,

    October 7, 2006 @ 9:10 pm

    Yep, that’s it. I’m using XP!

  9. bill said,

    October 7, 2006 @ 9:15 pm

    Sorry about that! I should have been more specific. I usually run all my admin scripts from Win2k3 so that I have the widest range of commands. I don’t know why M$ changed the NETSH command for XP. Seems stupid. Thanks for helping me debug the script.


  10. Alung said,

    October 8, 2006 @ 3:01 pm

    Do you know of any way to get similar commands on XP?

  11. bill said,

    October 8, 2006 @ 3:38 pm

    According to M$, the DHCP context of NETSH can only be run from a server. I checked and the Windows 2003 Admin Pak which you can load on XP does not include the DHCP context in NETSH. I tried copying the NETSH.EXE executable from Win2K3 server to XP and it would not execute. So, I think you are SOL. Sorry. The good news is your DHCP servers are either Win2K or Win2K3 so you can run these scripts on the local system. Or, you can use VMWare to run an admin instance of Win2K3 on your XP system…

  12. Chris Waters said,

    December 10, 2006 @ 4:12 pm

    Another great way to find rogue APs on a network is the free tool “RogueScanner”. http://www.networkchemistry.com/products/roguescanner.php It scans a network and looks at lots of factors in addition to MAC addresses to accurately classify everything on the network, including rogues.

  13. David Dove said,

    March 7, 2007 @ 3:42 pm

    In order to use the Netsh Dhcp commands under Windows XP you need to install a helper DLL.. It comes as part of AdminPak.msi. It is not sufficient to just copy Netsh.exe from a server.

    Complete instructions are at http://blogs.technet.com/teamdhcp/archive/2006/07/18/442308.aspx

    Relevant command is: netsh add helper dhcpmon.dll

  14. Chris Super said,

    June 5, 2007 @ 7:05 am

    I know it isn’t free but at least a couple of years ago it was quite cheap and provided you with all of the info you needed about rogue APs and rogue clients. Also allowed you to DOS rogue APs in your area.


  15. RIch said,

    December 5, 2008 @ 10:17 am


    When I run this it searches each DHCP server in succession, that is DHCP server 1, then writes the accesspoint file, then DHCP server 1 and DHCP server 2, then appends to the accesspoint file, then it searches DHCP server 1 then 2 then 3, then writes to the accesspoint file. Shouldn’t it search 1 DHCP server then write to the accesspoint file then search the next one, rather than start at the top each time? The final accesspoint file has the first server’s information in it as many times as DHCP servers and I have 20. Feel free to email me back if you can.

  16. bill said,

    December 5, 2008 @ 10:39 am


    I think it is reading through the :CheckMacs section twice, because it is reading it as a subset of the :ScopeDump section. It is not supposed to do that. Try moving :CheckMacs to a separate batch file and run it after the 1st. One approach I’ve used in the past when I’ve seen issues like this is to have multiple separate batch files, and then a controlling master batch file that calls each of the sub batches in order. It is a little ugly but it works.


  17. Jimmy said,

    January 26, 2009 @ 11:56 am

    Nice work it works great.. Thanks

  18. joe said,

    August 21, 2009 @ 3:06 pm


    How do you ensure “…known AP MAC address prefixes” is current?

  19. bill said,

    August 21, 2009 @ 4:41 pm


    No magic trick here. You have to keep the list current yourself. I created the list by researching the IEEE website. The major manufacturers don’t change their MAC prefixes very often.

  20. joe said,

    September 1, 2009 @ 2:13 pm

    Thanks, Bill.

    Nice work!

  21. Mike said,

    September 23, 2009 @ 2:52 pm

    The sleep command errors out on my XP box: ‘sleep’ is not recognized as an internal or external command, operable program or batch file.

    An alternate “1 second” batch file method is to ping self:

    REM the first reply is immediate; each further ping adds about one second
    ping -n 2 127.0.0.1 >nul

    increase the number of pings to increase the “sleep”. it’s probably a little more universally workable on different MS OS platforms.

  22. bill said,

    September 23, 2009 @ 5:20 pm


    Sleep is part of Windows 2003 Resource Kit Tools. You can get them here:

