Nmap Development mailing list archives

Re: [NSE] A network sniffing/decoding script

From: Patrik Karlsson <patrik () cqure net>
Date: Mon, 25 Jul 2011 23:38:10 +0200

Hi Toni,

Sounds like a cool idea, but I think it would probably fit better into a dedicated script.
Shouldn't be that difficult to write based on the information in this article:
http://research.zscaler.com/2010/11/detecting-firesheep.html

At the moment the broadcast-listener script is a purely passive discovery script.

//Patrik

On Jul 25, 2011, at 11:15 PM, Toni Ruottu wrote:

Is this something you would want to use for detecting Firesheep? See
https://secwiki.org/w/Nmap_Script_Ideas#firesheep-discovery Detecting
Firesheep requires sending out some probes, and listening for
reactions to those probes. I am wondering what the correct place for
sending the probes would be. You'd need to have the listener in place
before sending probes, but obviously you'd want to send probes before
listening ends.

On Sat, Jul 2, 2011 at 11:45 PM, Patrik Karlsson <patrik () cqure net> wrote:

Hi all,

I started implementing some broadcast listeners, similar to broadcast-dropbox-listener.
I thought I would write them as a single script listening on a bunch of ports.
After discussing this a bit with a colleague I ended up taking another approach.
Instead I wrote a small script that uses pcap to sniff traffic on a given interface.
It does so by setting a filter that excludes all traffic intended for the ip of that interface.

For each captured packet, it then checks if it's ip based (decodes using the packet library) or not.
If the packet is ip-based it checks the destination port against a table containing valid decoders and executes a
decoder if there is a match.
For non-ip based packets it attempts to match a part of the packet against a table of matches and executes a decoder
if there is a match.
Each decoder is started as it's own thread which allows the script to continue processing incoming packet while also
preventing the script from crashing if one decoder were to crash.
Where, possible (DNS, DHCP, Netbios) I've used existing libraries to do the decoding. I've also ripped the code from
broadcast-dropbox-listener.
The decoding effort varies across the protocols which can be seen in the following sample output:

I'm attaching the current version of the script, along with the file containing the decoders (packetdecoders.lua)
which goes in nselib/data/.
Implementing support for adding new targets should be pretty simple and could be added in each decoder.
Anyway, I don't know if this has a place in Nmap or not.
Any opinions, comments, questions or suggestions are most welcome.

//Patrik
--
Patrik Karlsson
http://www.cqure.net
http://www.twitter.com/nevdull77

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/


--
Patrik Karlsson
http://www.cqure.net
http://www.twitter.com/nevdull77

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

Current thread:

[NSE] A network sniffing/decoding script Patrik Karlsson (Jul 02)
- Re: [NSE] A network sniffing/decoding script Patrik Karlsson (Jul 09)
  - unsubscribe Ryon Skaggs (Jul 09)
    - Re: unsubscribe Luis MartinGarcia. (Jul 09)
  - Re: [NSE] A network sniffing/decoding script Patrik Karlsson (Jul 25)
    - Re: [NSE] A network sniffing/decoding script Daniel Miller (Jul 25)
    - Re: [NSE] A network sniffing/decoding script Patrik Karlsson (Jul 25)
    - Re: [NSE] A network sniffing/decoding script Luis MartinGarcia. (Jul 25)
    - Re: [NSE] A network sniffing/decoding script Patrik Karlsson (Jul 25)
- Re: [NSE] A network sniffing/decoding script Toni Ruottu (Jul 25)
  - Re: [NSE] A network sniffing/decoding script Patrik Karlsson (Jul 25)
    - Re: [NSE] A network sniffing/decoding script Toni Ruottu (Jul 25)
    - Re: [NSE] A network sniffing/decoding script Patrik Karlsson (Aug 10)