Nmap Development mailing list archives

Re: [NSE] A network sniffing/decoding script

From: Patrik Karlsson <patrik () cqure net>
Date: Mon, 25 Jul 2011 11:12:38 +0200

Hi list,

Did anyone have the time/possibility to test this.
I would like help on deciding whether to commit this or get it off my todo list.
So I basically need to know whether:
a) it sucks, throw it away.
b) it's cool, go ahead and commit it.

Personally, I think it's kind of cool, adds value and expands on the targets-sniffer script.
It does not yet add discovered targets, but that's not a lot of additional work.

//Patrik

On Jul 9, 2011, at 4:04 PM, Patrik Karlsson wrote:


On Jul 2, 2011, at 10:45 PM, Patrik Karlsson wrote:

Hi all,

I started implementing some broadcast listeners, similar to broadcast-dropbox-listener.
I thought I would write them as a single script listening on a bunch of ports.
After discussing this a bit with a colleague I ended up taking another approach.
Instead I wrote a small script that uses pcap to sniff traffic on a given interface.
It does so by setting a filter that excludes all traffic intended for the ip of that interface.

For each captured packet, it then checks if it's ip based (decodes using the packet library) or not.
If the packet is ip-based it checks the destination port against a table containing valid decoders and executes a
decoder if there is a match.
For non-ip based packets it attempts to match a part of the packet against a table of matches and executes a decoder
if there is a match.
Each decoder is started as it's own thread which allows the script to continue processing incoming packet while also
preventing the script from crashing if one decoder were to crash.
Where, possible (DNS, DHCP, Netbios) I've used existing libraries to do the decoding. I've also ripped the code from
broadcast-dropbox-listener.
The decoding effort varies across the protocols which can be seen in the following sample output:

I'm attaching the current version of the script, along with the file containing the decoders (packetdecoders.lua)
which goes in nselib/data/.
Implementing support for adding new targets should be pretty simple and could be added in each decoder.
Anyway, I don't know if this has a place in Nmap or not.
Any opinions, comments, questions or suggestions are most welcome.

<broadcast-listener.nse><packetdecoders.lua><dhcp_parse-local.patch>

//Patrik
--
Patrik Karlsson
http://www.cqure.net
http://www.twitter.com/nevdull77



Here's the missing @usage in case that's whats holding people off from testing ;)
sudo ./nmap -e <interface> --script broadcast-listener

This should give you 30 seconds of listening which could be enough.
The script doesn't send any data, so it should be pretty safe to run in most networks.

//Patrik

--
Patrik Karlsson
http://www.cqure.net
http://www.twitter.com/nevdull77


--
Patrik Karlsson
http://www.cqure.net
http://www.twitter.com/nevdull77

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

Current thread:

[NSE] A network sniffing/decoding script Patrik Karlsson (Jul 02)
- Re: [NSE] A network sniffing/decoding script Patrik Karlsson (Jul 09)
  - unsubscribe Ryon Skaggs (Jul 09)
    - Re: unsubscribe Luis MartinGarcia. (Jul 09)
  - Re: [NSE] A network sniffing/decoding script Patrik Karlsson (Jul 25)
    - Re: [NSE] A network sniffing/decoding script Daniel Miller (Jul 25)
    - Re: [NSE] A network sniffing/decoding script Patrik Karlsson (Jul 25)
    - Re: [NSE] A network sniffing/decoding script Luis MartinGarcia. (Jul 25)
    - Re: [NSE] A network sniffing/decoding script Patrik Karlsson (Jul 25)
- Re: [NSE] A network sniffing/decoding script Toni Ruottu (Jul 25)
  - Re: [NSE] A network sniffing/decoding script Patrik Karlsson (Jul 25)
    - Re: [NSE] A network sniffing/decoding script Toni Ruottu (Jul 25)
    - Re: [NSE] A network sniffing/decoding script Patrik Karlsson (Aug 10)