Re: [PATCH] Pcap support for NSE, Promiscuous nodes detection

["Hans Nilsson" <hasse_gg () ftml net>]

Nice that you did implement that!


On Sun, 4 Feb 2007 01:58:54 +0100, "majek04"
<majek04+nmap-dev () gmail com> said:
> Good news everyone!
>
> I created patch[1] for nmap that gives some interesting features to NSE:
>  - sending raw ethernet packets
>  - reading raw packets
>
> To show you how it works I prepared sample script.
>
> It can scan hosts in local ethernet and it checks if theirs network
> cards are in promiscuous mode. In other words it checks if someone
> is sniffing in your network.
>
> Technique I used is described in [2].
>
> Sample usage: (Port number doesn't matter. It's used just to trigger
> scripts)
>
> # sudo ./nmap -sS -p1 -n --script=promiscuous.nse 192.168.0.0/24
> Starting Nmap 4.21ALPHA2 ( http://insecure.org ) at 2007-02-04 01:08 CET
> Interesting ports on 192.168.0.1:
> Host script results:
> |_ Promiscuous detection: PROMISCUOUS (tests: "11111111")
> Interesting ports on 192.168.0.3:
> Host script results:
> |_ Promiscuous detection: Win98/Win2K/WinXP with pcap installed. I'm
> unsure if they're sniffing. (tests: "1_1___1_")
>
>
>
> The promiscuous test is correctly guesing NIC mode on these systems:
>        - BSD
>        - MacOSX
>        - Linux
> It's not possible to guess Solaris.
> I need more data about windows results.
> And these tests don't work on wireless.
>
>
>
> Well, now the details.
>
> 1. NSOCK
> To make possble integration pcap into scripts I had to do changes
> in core nsock, and I've added pcap support to it.
>
> New nsock_pcap functions are described in nsock.h and usage is simmilar
> to
> original pcap functions.
> Simple example can be found in nsock/examples/nsock_pcap.c
>
> Unfortunately windows doesn't fully support pcap. In windows there are
> issues with timings. But except that, everything should work.
>
>
>
> 2. NSE
> New features in NSE:
> I extended host structure:
>     host.directly_connected  (boolean)
>         - whether the host is directly connected
>
>     host.mac_addr (6 byte binary string)
>         - 48bit ethernet address of destination or nil if
>             host is not directly connected
>
>     host.mac_addr_src (6 byte binary string)
>         - 48bit ethernet address of our network card (or spoffed)
>             we are going to send packets from this MAC address
>
>     host.interface (string)
>         - dnet-style interface name through which we are connecting to
>         the host
>
>
> New dnet structure:
>     dnet:get_interface_link(interface_name) (string)
>         interface_name  - dnet style interface name
>         - it returns link layer2 name. Currently result can be one of
>         this:
>             'ethernet' 'loopback' 'p2p' nil
>
>     dnet:open_ethernet(interface_name)
>         interface_name  - dnet style interface name
>         - openes ethernet device to send packets from it
>
>     dnet:send_ethernet(packet)
>         packet   - binary string with layer2 headers +upper layers
>         - sends ethernet packet using current dnet device
>
>     dnet:close_ethernet()
>         - closes ethernet device
>
>     Dnet devices are cached. So if you'll open some interface in more
>     than
>     one lua thread, they use one phisical descriptor.
>     Descriptor is closed only when no process is using it.
>
> Extended nsock structure:
>     nsock:pcap_open(device, snaplen, promisc, test_off, test_len, bpf)
>         device  - dnet-style interface name
>         snaplen - max length of packet to be captured (like '-s' in
>         tcpdump)
>         promisc - 1 if device should be opened in promiscuous mode, 0
>         otherwise
>         test_off - offset in received packets from which we'll run test
>         test_len - length of test to be done on received packets
>         bpf     - Berkeley packet filter expression (like in tcpdump)
>         - openes pcap device
>
>     nsock:pcap_close()
>         - closes pcap device
>
>     nsock:pcap_receive(test_data)
>         test_data - binary string that would be compared with received
>         packet
>                     if the test will succeed than we'll receive packet
>                     if you want to receive all packets just pass empty
>                     string
>         - result is tuple that contains
>         if the packet is received
>             true, packet_len, l2_data, l3_data
>                 - packet_len is length of original packet (but you can
> receive less data depending on snaplen)
>                 - l2_data  is data from second OSI layer, like ethernet
>                 headers
>                 - l3_data  is data from third OSI layer, like ipv4
>                 headers
>                   (remember that length(l2_data) + length(l3_data) ==
> MIN(packet_len, snaplen),)
>         if error occured
>             nil, error_description, nil, nil
>
>     Pcap devices are also cached.
>     It would be performance nightmare if we'll open single pcap
> descriptor for every
>     lua thread. So please don't use host specific pcap filters.
>
>     To distribute packets to specific lua threads we created the idea od
>     'test'.
>     Every received packet is binary-tested with data your lua thread
> provided (test_data).
>     Lua thread will be restored when it's test will fit to some received
>     packet.
>
>     Of course it's possible that one packet will trigger many
> lua-processes, that's perfectly okay.
>
>     For example let's set test for source on ip packets
>       (test offset is: ethernet offset + source ip offset)
>         (test length is 4 bytes)
>     # nsock:pcap_open(host.interface, 64, 0, 14 + 12  , 4, 'ip')
>
>     Okay, after we registered pcap let's sniff packets that are from
> our current target host:
>     # nsock:pcap_read(host.bin_ip)
>     That's it. Every packet we receive will be from our host.
>
>
>
>
> I guess you guys would like to send raw IP packets rather than ethernet.
> I'm considering implementing this if there is demand.
>
> Cheers!
>  Marek Majkowski
>
>
> [1] http://ai.pjwstk.edu.pl/~majek/private/nmap/nse-pcap/
>         nmap-4.21A1-nse-pcap.diff    - patch almost fits 4.21Alpha1
> (only example file doesn't work)
>       nmap-4.21A1-nse-pcap.tar.bz2 - full sources
>       nmap-4.21A1-nse-pcap.exe     - windows installer
>       
> [2] http://www.securityfriday.com/promiscuous_detection_01.pdf
>
> _______________________________________________
> Sent through the nmap-dev mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-dev
> Archived at http://SecLists.Org
-- 
  Hans Nilsson
  hasse_gg () ftml net

-- 
http://www.fastmail.fm - Access your email from home and the web


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org