Nmap Development mailing list archives
[PATCH] Pcap support for NSE, Promiscuous nodes detection
From: majek04 <majek04+nmap-dev () gmail com>
Date: Sun, 4 Feb 2007 01:58:54 +0100
Good news everyone!

I created patch[1] for nmap that gives some interesting features to NSE:
- sending raw ethernet packets
- reading raw packets

To show you how it works I prepared a sample script. It can scan hosts in the local ethernet and it checks if their network cards are in promiscuous mode. In other words it checks if someone is sniffing in your network. The technique I used is described in [2].

Sample usage: (Port number doesn't matter. It's used just to trigger scripts)

    # sudo ./nmap -sS -p1 -n --script=promiscuous.nse 192.168.0.0/24

    Starting Nmap 4.21ALPHA2 ( http://insecure.org ) at 2007-02-04 01:08 CET
    Interesting ports on 192.168.0.1:
    Host script results:
    |_ Promiscuous detection: PROMISCUOUS (tests: "11111111")

    Interesting ports on 192.168.0.3:
    Host script results:
    |_ Promiscuous detection: Win98/Win2K/WinXP with pcap installed. I'm unsure if they're sniffing. (tests: "1_1___1_")

The promiscuous test is correctly guessing NIC mode on these systems:
- BSD
- MacOSX
- Linux

It's not possible to guess Solaris. I need more data about windows results. And these tests don't work on wireless.

Well, now the details.

1. NSOCK

To make integrating pcap into scripts possible I had to make changes in core nsock, and I've added pcap support to it. New nsock_pcap functions are described in nsock.h and usage is similar to the original pcap functions. A simple example can be found in nsock/examples/nsock_pcap.c

Unfortunately windows doesn't fully support pcap. In windows there are issues with timings. But except for that, everything should work.

2. NSE

New features in NSE:

I extended the host structure:

host.directly_connected (boolean)
    - whether the host is directly connected
host.mac_addr (6 byte binary string)
    - 48bit ethernet address of destination, or nil if host is not directly connected
host.mac_addr_src (6 byte binary string)
    - 48bit ethernet address of our network card (or spoofed); we are going to send packets from this MAC address
host.interface (string)
    - dnet-style interface name through which we are connecting to the host

New dnet structure:

dnet:get_interface_link(interface_name) (string)
    interface_name - dnet style interface name
    - it returns the link layer2 name. Currently the result can be one of these: 'ethernet', 'loopback', 'p2p', nil
dnet:open_ethernet(interface_name)
    interface_name - dnet style interface name
    - opens ethernet device to send packets from it
dnet:send_ethernet(packet)
    packet - binary string with layer2 headers + upper layers
    - sends ethernet packet using current dnet device
dnet:close_ethernet()
    - closes ethernet device

Dnet devices are cached. So if you open some interface in more than one lua thread, they use one physical descriptor. The descriptor is closed only when no process is using it.

Extended nsock structure:

nsock:pcap_open(device, snaplen, promisc, test_off, test_len, bpf)
    device - dnet-style interface name
    snaplen - max length of packet to be captured (like '-s' in tcpdump)
    promisc - 1 if device should be opened in promiscuous mode, 0 otherwise
    test_off - offset in received packets from which we'll run the test
    test_len - length of the test to be done on received packets
    bpf - Berkeley packet filter expression (like in tcpdump)
    - opens pcap device
nsock:pcap_close()
    - closes pcap device
nsock:pcap_receive(test_data)
    test_data - binary string that will be compared with the received packet; if the test succeeds then we'll receive the packet. If you want to receive all packets just pass an empty string
    - result is a tuple that contains:
      if the packet is received: true, packet_len, l2_data, l3_data
        - packet_len is the length of the original packet (but you can receive less data depending on snaplen)
        - l2_data is data from the second OSI layer, like ethernet headers
        - l3_data is data from the third OSI layer, like ipv4 headers
        (remember that length(l2_data) + length(l3_data) == MIN(packet_len, snaplen))
      if an error occurred: nil, error_description, nil, nil

Pcap devices are also cached. It would be a performance nightmare if we opened a single pcap descriptor for every lua thread. So please don't use host specific pcap filters. To distribute packets to specific lua threads we created the idea of a 'test'. Every received packet is binary-tested with the data your lua thread provided (test_data). The lua thread will be restored when its test fits some received packet. Of course it's possible that one packet will trigger many lua-processes, that's perfectly okay.

For example let's set the test on the source ip of ip packets (test offset is: ethernet offset + source ip offset) (test length is 4 bytes):

    nsock:pcap_open(host.interface, 64, 0, 14 + 12, 4, 'ip')

Okay, after we registered pcap let's sniff packets that are from our current target host:

    nsock:pcap_receive(host.bin_ip)

That's it. Every packet we receive will be from our host.

I guess you guys would like to send raw IP packets rather than ethernet. I'm considering implementing this if there is demand.

Cheers!
  Marek Majkowski

[1] http://ai.pjwstk.edu.pl/~majek/private/nmap/nse-pcap/
    nmap-4.21A1-nse-pcap.diff - patch almost fits 4.21Alpha1 (only example file doesn't work)
    nmap-4.21A1-nse-pcap.tar.bz2 - full sources
    nmap-4.21A1-nse-pcap.exe - windows installer
[2] http://www.securityfriday.com/promiscuous_detection_01.pdf

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
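The 'test' dispatch that the mail describes (one cached pcap descriptor shared by every script thread, each thread woken only when the bytes at test_off..test_off+test_len of a captured frame equal its test_data, and l2_data/l3_data split at the ethernet header with snaplen truncation) is easy to get wrong when writing scripts against it, so here is a small Python model of that mechanism. It is an added example, not code from the mail, the patch or nmap; the class, method and frame-builder names are hypothetical, the ethernet/IPv4 offsets are the 14 + 12 the mail uses, and the frame fed to it is constructed inline rather than captured:

```python
import socket
import struct
from dataclasses import dataclass

# Offsets used by the example in the mail: ethernet header is 14 bytes and the
# IPv4 source address starts 12 bytes into the IPv4 header, so test_off = 14 + 12.
ETH_HDR_LEN = 14
IPV4_SRC_OFFSET = 12


@dataclass
class Waiter:
    """Stand-in (hypothetical) for one script thread blocked in pcap_receive(test_data)."""
    name: str
    test_data: bytes


class SharedPcapDescriptor:
    """Model (hypothetical, not the patch's C code) of one cached pcap descriptor
    shared by many script threads. Each received frame is compared against every
    waiter's test bytes in the window [test_off, test_off + test_len)."""

    def __init__(self, snaplen: int, test_off: int, test_len: int):
        self.snaplen = snaplen
        self.test_off = test_off
        self.test_len = test_len
        self.waiters = []

    def pcap_receive(self, name: str, test_data: bytes) -> None:
        """Register a waiter; empty test_data means 'give me every packet'."""
        if test_data and len(test_data) != self.test_len:
            raise ValueError("test_data must be exactly test_len bytes, or empty")
        self.waiters.append(Waiter(name, test_data))

    def deliver(self, frame: bytes) -> dict:
        """Dispatch one captured frame. Returns {waiter_name: (packet_len, l2_data, l3_data)}
        for every waiter whose test matched; several waiters may match the same frame."""
        packet_len = len(frame)            # length on the wire
        captured = frame[:self.snaplen]    # pcap hands back at most snaplen bytes
        window = captured[self.test_off:self.test_off + self.test_len]
        matched = {}
        for w in self.waiters:
            if w.test_data == b"" or window == w.test_data:
                # l2 = ethernet header, l3 = everything after it (possibly truncated)
                matched[w.name] = (packet_len, captured[:ETH_HDR_LEN], captured[ETH_HDR_LEN:])
        return matched


def build_ipv4_frame(src_mac: bytes, dst_mac: bytes, src_ip: str, dst_ip: str, payload: bytes) -> bytes:
    """Constructed Ethernet II + minimal IPv4 header (checksum left zero): sample
    input for the dispatcher above, not something meant to go on a wire."""
    ether = dst_mac + src_mac + b"\x08\x00"
    ipv4 = struct.pack("!BBHHHBBH4s4s",
                       0x45, 0, 20 + len(payload), 0, 0, 64, 0, 0,
                       socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return ether + ipv4 + payload


def demo() -> dict:
    """Two script threads wait for their own target plus one catch-all thread;
    a 134-byte frame from 192.168.0.1 arrives on a descriptor opened with snaplen 64."""
    pcap = SharedPcapDescriptor(snaplen=64, test_off=ETH_HDR_LEN + IPV4_SRC_OFFSET, test_len=4)
    pcap.pcap_receive("script-for-192.168.0.1", socket.inet_aton("192.168.0.1"))
    pcap.pcap_receive("script-for-192.168.0.3", socket.inet_aton("192.168.0.3"))
    pcap.pcap_receive("catch-all", b"")
    frame = build_ipv4_frame(src_mac=b"\x00\x11\x22\x33\x44\x55",
                             dst_mac=b"\x66\x77\x88\x99\xaa\xbb",
                             src_ip="192.168.0.1", dst_ip="192.168.0.200",
                             payload=b"A" * 100)
    return pcap.deliver(frame)


if __name__ == "__main__":
    for name, (plen, l2, l3) in demo().items():
        print(f"{name}: packet_len={plen} l2={len(l2)} bytes l3={len(l3)} bytes")
```

Running it shows why the mail asks you not to put host-specific filters in the bpf argument: the single descriptor sees every frame, and the per-thread test (here the 4 source-address bytes) is what selects which waiters get it, while an empty test_data matches everything. It also makes the length relation concrete: the frame is 134 bytes on the wire, but with snaplen 64 the waiter receives 14 bytes of l2_data and 50 bytes of l3_data, so length(l2_data) + length(l3_data) == MIN(packet_len, snaplen).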