Nmap Development mailing list archives
Re: Promiscuous mode scan
From: "Hans Nilsson" <hasse_gg () ftml net>
Date: Mon, 16 Oct 2006 10:41:59 -1100
No replies? Anyways I looked into this a bit more. Initially I thought that the only way you could tell different operating systems apart from the replies was when the NIC was in promiscuous mode. But after doing some experiments it looks like different operating systems do respond to these kinds of packets differently even when the NIC is in normal mode. For example:

                      B31   B16   B8    Gr    M0    M1    M3
Windows XP SP2        X     X     0     0     0     X     0
Linux Kernel 2.6.15   0     0     0     0     0     X     X

X = Got ARP Reply
0 = Did not get ARP Reply

B31 = ARP destination FF:FF:FF:FF:FF:FE
B16 = ARP destination FF:FF:00:00:00:00
B8  = ARP destination FF:00:00:00:00:00
Gr  = ARP destination 01:00:00:00:00:00
M0  = ARP destination 01:00:5e:00:00:00
M1  = ARP destination 01:00:5e:00:00:01
M3  = ARP destination 01:00:5e:00:00:03

Read the PDF from my previous post for more clarification:
http://www.securityfriday.com/promiscuous_detection_01.pdf

On Fri, 13 Oct 2006 13:58:01 -1100, "Hans Nilsson" <hasse_gg () ftml net> said:
> Hello! I've recently read the paper "Detection of Promiscuous Nodes Using ARP Packets" [1] that lists various ways you can detect network cards that are set on promiscuous mode on your local network using custom built ARP-packets, thereby finding computers that run sniffer software like Wireshark. I was just thinking that it would be nice to have such a scanner in Nmap; as far as I know the only program that incorporates the techniques mentioned in the paper is "Cain and Abel" [2] and that's for Windows only.
>
> A cool thing about this is that as an added benefit different operating systems respond differently to these special ARP-packets so it could potentially be used for OS detection too. There's also talk about a "DNS test", "ICMP etherping test" and perhaps even more ways but I haven't delved further into that.
>
> [1] http://www.securityfriday.com/promiscuous_detection_01.pdf
> [2] http://www.oxid.it/ca_um/topics/promiscuous-mode_scanner.htm
>
> --
> Hans Nilsson
> hasse_gg () ftml net
>
> --
> http://www.fastmail.fm - Send your email first class
>
> _______________________________________________
> Sent through the nmap-dev mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-dev
> Archived at http://SecLists.Org
--
Hans Nilsson
hasse_gg () ftml net

--
http://www.fastmail.fm - Accessible with your email software or over the web
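The probe set and reply table above, as an added worked example (not Hans's code and not part of the thread or of Nmap): it builds the seven Ethernet/ARP request frames from the table, recognises an ARP reply coming back from the probed IP, and matches a reply pattern against the two normal-mode fingerprints. Sending the frames needs a raw AF_PACKET socket (assumed, Linux only) and is left to the caller; the MACs and IPs used in testing are constructed. Flagging replies to probes that neither normal-mode fingerprint answers as a cue to look closer is the paper's premise as the thread describes it, not something the table alone proves.

```python
import struct

# Probe Ethernet destinations from the table in the thread.
PROBES = {
    "B31": "ff:ff:ff:ff:ff:fe", "B16": "ff:ff:00:00:00:00", "B8": "ff:00:00:00:00:00",
    "Gr": "01:00:00:00:00:00", "M0": "01:00:5e:00:00:00",
    "M1": "01:00:5e:00:00:01",  # all-hosts multicast group, answered by both OSes
    "M3": "01:00:5e:00:00:03",
}

# Normal-mode reply patterns from the thread's table (1 = got ARP reply, 0 = no reply).
NORMAL_MODE = {
    "Windows XP SP2":      {"B31": 1, "B16": 1, "B8": 0, "Gr": 0, "M0": 0, "M1": 1, "M3": 0},
    "Linux kernel 2.6.15": {"B31": 0, "B16": 0, "B8": 0, "Gr": 0, "M0": 0, "M1": 1, "M3": 1},
}

def _mac(s):
    return bytes.fromhex(s.replace(":", ""))

def _ip(s):
    return bytes(int(o) for o in s.split("."))

def build_arp_probe(probe, src_mac, src_ip, target_ip):
    """Ethernet II + ARP request (42 bytes): Ethernet destination is the probe MAC,
    ARP target hardware address is zero as in an ordinary request."""
    eth = _mac(PROBES[probe]) + _mac(src_mac) + struct.pack("!H", 0x0806)
    # htype=Ethernet, ptype=IPv4, hlen=6, plen=4, opcode=1 (request)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)
    arp += _mac(src_mac) + _ip(src_ip) + b"\x00" * 6 + _ip(target_ip)
    return eth + arp  # send via an AF_PACKET raw socket (assumed); pad to 60 if needed

def is_arp_reply_from(frame, target_ip):
    """True if a captured frame is an ARP reply (opcode 2) whose sender IP is target_ip."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return False
    opcode = struct.unpack("!H", frame[20:22])[0]
    return opcode == 2 and frame[28:32] == _ip(target_ip)

def classify(replies):
    """replies: {probe: 1 if an ARP reply came back, else 0}. Returns the matching
    normal-mode OS, else names probes answered that neither normal-mode pattern answers."""
    for os_name, pattern in NORMAL_MODE.items():
        if all(replies.get(p, 0) == v for p, v in pattern.items()):
            return os_name + " (normal mode)"
    extra = [p for p in PROBES
             if replies.get(p, 0) and not any(pat[p] for pat in NORMAL_MODE.values())]
    if extra:
        return "replies to " + ",".join(extra) + ": outside both normal-mode patterns"
    return "unknown pattern"
```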
Current thread:
- Promiscuous mode scan Hans Nilsson (Oct 13)
- Re: Promiscuous mode scan Hans Nilsson (Oct 16)