Nmap Development mailing list archives

Re: Promiscuous mode scan


From: "Hans Nilsson" <hasse_gg () ftml net>
Date: Mon, 16 Oct 2006 10:41:59 -1100

No replies? Anyway, I looked into this a bit more. Initially I thought
that the only way you could tell different operating systems apart from
the replies was when the NIC was in promiscuous mode. But after doing
some experiments it looks like different operating systems do respond to
these kinds of packets differently even when the NIC is in normal mode.
For example:

                      B31   B16   B8    Gr    M0    M1    M3
Windows XP SP2         X     X     0     0     0     X     0
Linux Kernel 2.6.15    0     0     0     0     0     X     X

X = Got ARP Reply
0 = Did not get ARP Reply
B31 = ARP destination FF:FF:FF:FF:FF:FE
B16 = ARP destination FF:FF:00:00:00:00
B8  = ARP destination FF:00:00:00:00:00
Gr  = ARP destination 01:00:00:00:00:00
M0  = ARP destination 01:00:5e:00:00:00
M1  = ARP destination 01:00:5e:00:00:01
M3  = ARP destination 01:00:5e:00:00:03

Read the PDF from my previous post for more clarification:
http://www.securityfriday.com/promiscuous_detection_01.pdf


On Fri, 13 Oct 2006 13:58:01 -1100, "Hans Nilsson" <hasse_gg () ftml net>
said:
Hello! I've recently read the paper "Detection of Promiscuous Nodes
Using ARP Packets" [1] that lists various ways you can detect network
cards that are set to promiscuous mode on your local network using
custom-built ARP packets, thereby finding computers that run sniffer
software like Wireshark.

I was just thinking that it would be nice to have such a scanner in
Nmap. As far as I know the only program that incorporates the techniques
mentioned in the paper is "Cain and Abel" [2], and that's for Windows
only. A cool thing about this is that, as an added benefit, different
operating systems respond differently to these special ARP packets, so it
could potentially be used for OS detection too.

There's also talk about a "DNS test", "ICMP etherping test" and perhaps
even more ways but I haven't delved further into that.

[1]
http://www.securityfriday.com/promiscuous_detection_01.pdf
[2]
http://www.oxid.it/ca_um/topics/promiscuous-mode_scanner.htm
-- 
  Hans Nilsson
  hasse_gg () ftml net

-- 
http://www.fastmail.fm - Send your email first class


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org


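The probes from the table above, as an added example that is not code from this thread, from Nmap, or from the SecurityFriday paper. It builds each ARP request as a raw Ethernet frame with the fake address in the Ethernet destination field and the target's real IP in the ARP target field (the NIC filters on the former, the kernel's ARP code answers on the latter; the all-zero target MAC is an assumption), parses any ARP reply, and matches the set of probes that drew a reply against the two normal-mode signatures in the post. The `suspicious_replies` helper flags B8, Gr and M0, which neither host in the table answered in normal mode; that reading is an inference from the table, not a claim from the paper. `send_probes` uses a Linux AF_PACKET socket and needs CAP_NET_RAW; interface name, MACs and IPs are placeholders.

```python
"""ARP probes with non-standard Ethernet destinations (B31, B16, B8, Gr, M0, M1, M3).

Added example, not from the nmap-dev thread or the SecurityFriday paper.
Assumptions: fake MAC in the Ethernet destination, real target IP in the ARP
target field, all-zero ARP target MAC, signatures copied from the table in the
post.  Sending requires Linux and CAP_NET_RAW.
"""
import socket
import struct

# Ethernet destination addresses listed in the post.
PROBES = {
    "B31": "ff:ff:ff:ff:ff:fe",
    "B16": "ff:ff:00:00:00:00",
    "B8":  "ff:00:00:00:00:00",
    "Gr":  "01:00:00:00:00:00",
    "M0":  "01:00:5e:00:00:00",
    "M1":  "01:00:5e:00:00:01",
    "M3":  "01:00:5e:00:00:03",
}

# Probes that drew an ARP reply with the NIC in normal mode (table in the post).
SIGNATURES = {
    "Windows XP SP2": {"B31", "B16", "M1"},
    "Linux 2.6.15":   {"M1", "M3"},
}

ETH_P_ARP = 0x0806
ETH_HDR = struct.Struct("!6s6sH")            # dst, src, ethertype
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")    # htype, ptype, hlen, plen, op, sha, spa, tha, tpa


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_probe(dst_mac, src_mac, src_ip, target_ip):
    """ARP request for target_ip inside an Ethernet frame addressed to dst_mac.
    A NIC in normal mode decides on dst_mac; the kernel answers on target_ip."""
    eth = ETH_HDR.pack(mac_bytes(dst_mac), mac_bytes(src_mac), ETH_P_ARP)
    arp = ARP_PKT.pack(1, 0x0800, 6, 4, 1,
                       mac_bytes(src_mac), socket.inet_aton(src_ip),
                       b"\x00" * 6, socket.inet_aton(target_ip))
    return eth + arp


def parse_arp_reply(frame):
    """Return (sender_mac, sender_ip) if frame is an ARP reply, else None."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        return None
    _, _, ethertype = ETH_HDR.unpack_from(frame)
    if ethertype != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, _, _ = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen, op) != (1, 0x0800, 6, 4, 2):
        return None
    return mac_str(sha), socket.inet_ntoa(spa)


def classify(answered):
    """Match the probes that got a reply against the normal-mode signatures."""
    for os_name, signature in SIGNATURES.items():
        if set(answered) == signature:
            return os_name
    return "unknown"


def suspicious_replies(answered):
    """Probes no host in the table answered in normal mode.  A reply to one of
    these means the frame was not dropped by the NIC's hardware filter."""
    normal = set().union(*SIGNATURES.values())
    return sorted(set(answered) - normal)


def send_probes(iface, src_mac, src_ip, target_ip, timeout=1.0):
    """Linux only, needs CAP_NET_RAW.  Returns the probe names target_ip answered."""
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ARP))
    s.bind((iface, ETH_P_ARP))
    s.settimeout(timeout)
    answered = []
    try:
        for name, dst in PROBES.items():
            s.send(build_arp_probe(dst, src_mac, src_ip, target_ip))
            try:
                while True:   # our own outgoing request is op 1 and is skipped
                    reply = parse_arp_reply(s.recv(65535))
                    if reply and reply[1] == target_ip:
                        answered.append(name)
                        break
            except socket.timeout:
                pass
    finally:
        s.close()
    return answered


if __name__ == "__main__":
    # Placeholder values; run as root on a LAN you are allowed to probe.
    got = send_probes("eth0", "00:11:22:33:44:55", "192.0.2.1", "192.0.2.10")
    print(got, classify(got), "suspicious:", suspicious_replies(got))
```

Hosts that answer B8, Gr or M0 are the interesting ones for a sniffer hunt; the OS match only holds for the two systems measured in the post, so extend SIGNATURES from your own measurements before trusting it.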