Promiscuous mode scan

Hello! I've recently read the paper "Detection of Promiscuous Nodes Using ARP Packets" [1] that lists various ways you can detect network cards that are set on promiscuous mode on your local network using custom built ARP-packets, thereby finding computers that run sniffer software like Wireshark.

I was just thinking that it would be nice to have such a scanner in Nmap, as far as I know the only program that incorporates the techniques mentioned in the paper is "Cain and Abel" [2] and that's for Windows only. A cool thing about this is that as an added benefit different operating systems respond differently to these special ARP-packets so it could potentially be used for OS detection too.

There's also talk about a "DNS test", "ICMP etherping test" and perhaps even more ways but I haven't delved further into that.

[1] http://www.securityfriday.com/promiscuous_detection_01.pdf
[2] http://www.oxid.it/ca_um/topics/promiscuous-mode_scanner.htm

--
Hans Nilsson
hasse_gg@...

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
Re: Promiscuous mode scan

No replies? Anyways I looked into this a bit more. Initially I thought that the only way you could tell different operating systems apart from the replies was when the NIC was in promiscuous mode. But after doing some experiments it looks like different operating systems do respond to these kinds of packets differently even when the NIC is in normal mode. For example:

| | B31 | B16 | B8 | Gr | M0 | M1 | M3 |
|---|---|---|---|---|---|---|---|
| Windows XP SP2 | X | X | 0 | 0 | 0 | X | 0 |
| Linux Kernel 2.6.15 | 0 | 0 | 0 | 0 | 0 | X | X |

X = Got ARP Reply
0 = Did not get ARP Reply

B31 = ARP destination FF:FF:FF:FF:FF:FE
B16 = ARP destination FF:FF:00:00:00:00
B8 = ARP destination FF:00:00:00:00:00
Gr = ARP destination 01:00:00:00:00:00
M0 = ARP destination 01:00:5e:00:00:00
M1 = ARP destination 01:00:5e:00:00:01
M3 = ARP destination 01:00:5e:00:00:03

Read the PDF from my previous post for more clarification:
http://www.securityfriday.com/promiscuous_detection_01.pdf

On Fri, 13 Oct 2006 13:58:01 -1100, "Hans Nilsson" <hasse_gg@...> said:
> Hello! I've recently read the paper "Detection of Promiscuous Nodes
> Using ARP Packets" [1] that lists various ways you can detect network
> cards that are set on promiscuous mode on your local network using
> custom built ARP-packets, thereby finding computers that run sniffer
> software like Wireshark.
>
> I was just thinking that it would be nice to have such a scanner in
> Nmap, as far as I know the only program that incorporates the techniques
> mentioned in the paper is "Cain and Abel" [2] and that's for Windows
> only. A cool thing about this is that as an added benefit different
> operating systems respond differently to these special ARP-packets so it
> could potentially be used for OS detection too.
>
> There's also talk about a "DNS test", "ICMP etherping test" and perhaps
> even more ways but I haven't delved further into that.
>
> [1]
> http://www.securityfriday.com/promiscuous_detection_01.pdf
> [2]
> http://www.oxid.it/ca_um/topics/promiscuous-mode_scanner.htm
> --
> Hans Nilsson
> hasse_gg@...

Hans Nilsson
hasse_gg@...
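The probe set and reply table from the second message, as an added example (not code from the thread, the paper, or Nmap): it builds each probe frame and matches the set of probes that drew ARP replies against the two normal-mode rows. Placing the probe address in the Ethernet destination field, the helper names, and the 192.0.2.x sample addresses are assumptions; sending and capturing frames is left to the caller.

```python
import struct

# Probe labels and destination MACs exactly as listed in the thread.
PROBES = {
    "B31": "ff:ff:ff:ff:ff:fe", "B16": "ff:ff:00:00:00:00",
    "B8": "ff:00:00:00:00:00", "Gr": "01:00:00:00:00:00",
    "M0": "01:00:5e:00:00:00", "M1": "01:00:5e:00:00:01",
    "M3": "01:00:5e:00:00:03",
}
# Probes that drew an ARP reply with the NIC in normal mode, per the thread's table.
NORMAL_MODE = {
    "Windows XP SP2": {"B31", "B16", "M1"},
    "Linux Kernel 2.6.15": {"M1", "M3"},
}

def mac(text):
    return bytes.fromhex(text.replace(":", ""))

def ipv4(text):
    return bytes(int(octet) for octet in text.split("."))

def arp_request(label, src_mac, src_ip, target_ip):
    """Build Ethernet II + ARP who-has bytes for one probe.
    Assumption: the probe address is the Ethernet destination field."""
    eth = mac(PROBES[label]) + mac(src_mac) + b"\x08\x06"
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)  # opcode 1 = request
    return eth + arp + mac(src_mac) + ipv4(src_ip) + bytes(6) + ipv4(target_ip)

def is_reply_from(frame, target_ip):
    """True if frame is an ARP reply (opcode 2) whose sender IP is target_ip."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return False
    return frame[20:22] == b"\x00\x02" and frame[28:32] == ipv4(target_ip)

def replied_labels(captures, target_ip):
    """captures maps probe label -> frames seen after sending that probe."""
    return {label for label, frames in captures.items()
            if any(is_reply_from(f, target_ip) for f in frames)}

def match_table(replied):
    """Names from the thread's table whose normal-mode pattern equals `replied`."""
    return sorted(name for name, pattern in NORMAL_MODE.items()
                  if pattern == set(replied))

if __name__ == "__main__":
    # Constructed sample: an ARP reply from 192.0.2.10 seen only after M1 and M3.
    reply = (bytes(12) + b"\x08\x06\x00\x01\x08\x00\x06\x04\x00\x02"
             + bytes(6) + ipv4("192.0.2.10") + bytes(10))
    seen = {label: ([reply] if label in ("M1", "M3") else []) for label in PROBES}
    print(match_table(replied_labels(seen, "192.0.2.10")))
```

A reply set that matches neither row returns an empty list, since the thread only reports these two systems.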