Re: [NSE] A network sniffing/decoding script

[Patrik Karlsson <patrik () cqure net>]

On Jul 25, 2011, at 5:06 PM, Daniel Miller wrote:

> Patrik,
>
> I think this is a cool idea. I tested it, and it works pretty well with only one issue: the loadDecoders function 
> looks for packetdecoders.lua relative to the current working directory, not NMAPDIR. The nmap.fetchfile function 
> should be used to get the full path to the file.

Thanks! I've corrected this in the new version I'll be posting soon.

> I'd like to see it committed, since I've tried to do similar things in the past without much success.

Ok, great!

> Dan

//Patrik

> On 07/25/2011 04:12 AM, Patrik Karlsson wrote:
> > Hi list,
> >
> > Did anyone have the time/possibility to test this.
> > I would like help on deciding whether to commit this or get it off my todo list.
> > So I basically need to know whether:
> > a) it sucks, throw it away.
> > b) it's cool, go ahead and commit it.
> >
> > Personally, I think it's kind of cool, adds value and expands on the targets-sniffer script.
> > It does not yet add discovered targets, but that's not a lot of additional work.
> >
> > //Patrik
> >
> > On Jul 9, 2011, at 4:04 PM, Patrik Karlsson wrote:
> >
> > > On Jul 2, 2011, at 10:45 PM, Patrik Karlsson wrote:
> > >
> > > > Hi all,
> > > >
> > > > I started implementing some broadcast listeners, similar to broadcast-dropbox-listener.
> > > > I thought I would write them as a single script listening on a bunch of ports.
> > > > After discussing this a bit with a colleague I ended up taking another approach.
> > > > Instead I wrote a small script that uses pcap to sniff traffic on a given interface.
> > > > It does so by setting a filter that excludes all traffic intended for the ip of that interface.
> > > >
> > > > For each captured packet, it then checks if it's ip based (decodes using the packet library) or not.
> > > > If the packet is ip-based it checks the destination port against a table containing valid decoders and executes a 
> > > > decoder if there is a match.
> > > > For non-ip based packets it attempts to match a part of the packet against a table of matches and executes a 
> > > > decoder if there is a match.
> > > > Each decoder is started as it's own thread which allows the script to continue processing incoming packet while 
> > > > also preventing the script from crashing if one decoder were to crash.
> > > > Where, possible (DNS, DHCP, Netbios) I've used existing libraries to do the decoding. I've also ripped the code 
> > > > from broadcast-dropbox-listener.
> > > > The decoding effort varies across the protocols which can be seen in the following sample output:
> > > >
> > > > -- | broadcast-listener:
> > > > -- |   udp
> > > > -- |       Netbios
> > > > -- |         ip           query
> > > > -- |         192.168.0.60 \x01\x02__MSBROWSE__\x02\x01
> > > > -- |       DHCP
> > > > -- |         srv ip       cli ip       mask             gw           dns
> > > > -- |         192.168.0.1  192.168.0.5  255.255.255.0    192.168.0.1  192.168.0.18, 192.168.0.19
> > > > -- |       DropBox
> > > > -- |         displayname  ip            port   version  host_int  namespaces
> > > > -- |         39000860     192.168.0.107 17500  1.8      39000860  28814673, 29981099
> > > > -- |       HSRP
> > > > -- |         ip             version  op     state   prio  group  secret  virtual ip
> > > > -- |         192.168.0.254  0        Hello  Active  110   1      cisco   192.168.0.253
> > > > -- |   ether
> > > > -- |       CDP
> > > > -- |         ip  id      platform       version
> > > > -- |         ?   Router  cisco 7206VXR  12.3(23)
> > > > -- |       ARP Request
> > > > -- |         sender ip     sender mac         target ip
> > > > -- |         192.168.0.101 00:04:30:26:DA:C8  192.168.0.60
> > > > -- |_      192.168.0.1   90:24:1D:C8:B9:AE  192.168.0.60
> > > >
> > > > I'm attaching the current version of the script, along with the file containing the decoders (packetdecoders.lua) 
> > > > which goes in nselib/data/.
> > > > Implementing support for adding new targets should be pretty simple and could be added in each decoder.
> > > > Anyway, I don't know if this has a place in Nmap or not.
> > > > Any opinions, comments, questions or suggestions are most welcome.
> > > >
> > > > <broadcast-listener.nse><packetdecoders.lua><dhcp_parse-local.patch>
> > > >
> > > > //Patrik
> > > > --
> > > > Patrik Karlsson
> > > > http://www.cqure.net
> > > > http://www.twitter.com/nevdull77
> > >
> > > Here's the missing @usage in case that's whats holding people off from testing ;)
> > > sudo ./nmap -e<interface>  --script broadcast-listener
> > >
> > > This should give you 30 seconds of listening which could be enough.
> > > The script doesn't send any data, so it should be pretty safe to run in most networks.
> > >
> > > //Patrik
> > >
> > > --
> > > Patrik Karlsson
> > > http://www.cqure.net
> > > http://www.twitter.com/nevdull77
> > --
> > Patrik Karlsson
> > http://www.cqure.net
> > http://www.twitter.com/nevdull77
> >
> > _______________________________________________
> > Sent through the nmap-dev mailing list
> > http://cgi.insecure.org/mailman/listinfo/nmap-dev
> > Archived at http://seclists.org/nmap-dev/
>
> _______________________________________________
> Sent through the nmap-dev mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-dev
> Archived at http://seclists.org/nmap-dev/

--
Patrik Karlsson
http://www.cqure.net
http://www.twitter.com/nevdull77

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/