Nmap Development mailing list archives
Re: [NSE] A network sniffing/decoding script
From: Patrik Karlsson <patrik () cqure net>
Date: Mon, 25 Jul 2011 23:38:10 +0200
Hi Toni,

Sounds like a cool idea, but I think it would probably fit better into a dedicated script. Shouldn't be that difficult to write based on the information in this article: http://research.zscaler.com/2010/11/detecting-firesheep.html

At the moment the broadcast-listener script is a purely passive discovery script.

//Patrik

On Jul 25, 2011, at 11:15 PM, Toni Ruottu wrote:

Is this something you would want to use for detecting Firesheep? See https://secwiki.org/w/Nmap_Script_Ideas#firesheep-discovery

Detecting Firesheep requires sending out some probes and listening for reactions to those probes. I am wondering what the correct place for sending the probes would be. You'd need to have the listener in place before sending probes, but obviously you'd want to send probes before listening ends.

On Sat, Jul 2, 2011 at 11:45 PM, Patrik Karlsson <patrik () cqure net> wrote:

Hi all,

I started implementing some broadcast listeners, similar to broadcast-dropbox-listener. I thought I would write them as a single script listening on a bunch of ports. After discussing this a bit with a colleague I ended up taking another approach. Instead I wrote a small script that uses pcap to sniff traffic on a given interface. It does so by setting a filter that excludes all traffic intended for the IP of that interface. For each captured packet, it then checks whether it's IP based (decodes using the packet library) or not. If the packet is IP based it checks the destination port against a table containing valid decoders and executes a decoder if there is a match. For non-IP based packets it attempts to match a part of the packet against a table of matches and executes a decoder if there is a match. Each decoder is started as its own thread, which allows the script to continue processing incoming packets while also preventing the script from crashing if one decoder were to crash. Where possible (DNS, DHCP, Netbios) I've used existing libraries to do the decoding. I've also ripped the code from broadcast-dropbox-listener.

The decoding effort varies across the protocols, which can be seen in the following sample output:

-- | broadcast-listener:
-- |   udp
-- |       Netbios
-- |         ip             query
-- |         192.168.0.60   \x01\x02__MSBROWSE__\x02\x01
-- |       DHCP
-- |         srv ip       cli ip       mask           gw           dns
-- |         192.168.0.1  192.168.0.5  255.255.255.0  192.168.0.1  192.168.0.18, 192.168.0.19
-- |       DropBox
-- |         displayname  ip             port   version  host_int  namespaces
-- |         39000860     192.168.0.107  17500  1.8      39000860  28814673, 29981099
-- |       HSRP
-- |         ip             version  op     state   prio  group  secret  virtual ip
-- |         192.168.0.254  0        Hello  Active  110   1      cisco   192.168.0.253
-- |   ether
-- |       CDP
-- |         ip  id      platform       version
-- |         ?   Router  cisco 7206VXR  12.3(23)
-- |       ARP Request
-- |         sender ip      sender mac         target ip
-- |         192.168.0.101  00:04:30:26:DA:C8  192.168.0.60
-- |_        192.168.0.1    90:24:1D:C8:B9:AE  192.168.0.60

I'm attaching the current version of the script, along with the file containing the decoders (packetdecoders.lua), which goes in nselib/data/. Implementing support for adding new targets should be pretty simple and could be added in each decoder.

Anyway, I don't know if this has a place in Nmap or not. Any opinions, comments, questions or suggestions are most welcome.

//Patrik

--
Patrik Karlsson
http://www.cqure.net
http://www.twitter.com/nevdull77

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

--
Patrik Karlsson
http://www.cqure.net
http://www.twitter.com/nevdull77
Current thread:
- [NSE] A network sniffing/decoding script Patrik Karlsson (Jul 02)
- Re: [NSE] A network sniffing/decoding script Patrik Karlsson (Jul 09)
- unsubscribe Ryon Skaggs (Jul 09)
- Re: unsubscribe Luis MartinGarcia. (Jul 09)
- Re: [NSE] A network sniffing/decoding script Patrik Karlsson (Jul 25)
- Re: [NSE] A network sniffing/decoding script Daniel Miller (Jul 25)
- Re: [NSE] A network sniffing/decoding script Patrik Karlsson (Jul 25)
- Re: [NSE] A network sniffing/decoding script Luis MartinGarcia. (Jul 25)
- Re: [NSE] A network sniffing/decoding script Patrik Karlsson (Jul 25)
- unsubscribe Ryon Skaggs (Jul 09)
- Re: [NSE] A network sniffing/decoding script Patrik Karlsson (Jul 09)
- Re: [NSE] A network sniffing/decoding script Patrik Karlsson (Jul 25)
- Re: [NSE] A network sniffing/decoding script Toni Ruottu (Jul 25)
- Re: [NSE] A network sniffing/decoding script Patrik Karlsson (Aug 10)