Nmap Development: Re: Promiscuous mode scan

From: Hans Nilsson <hasse_gg_at_ftml.net>
Date: Mon, 16 Oct 2006 10:41:59 -1100

No replies? Anyways I looked into this a bit more. Initially I thought
that the only way you could tell different operating systems apart from
the replies was when the NIC was in promiscuous mode. But after doing
some experiments it looks like different operating systems do respond to
these kinds of packets differently even when the NIC is in normal mode.
For example:

                      B31   B16   B8    Gr    M0    M1    M3
Windows XP SP2        X     X     0     0     0     X     0
Linux Kernel 2.6.15   0     0     0     0     0     X     X

X = Got ARP Reply
0 = Did not get ARP Reply
B31 = ARP destination FF:FF:FF:FF:FF:FE
B16 = ARP destination FF:FF:00:00:00:00
B8 = ARP destination FF:00:00:00:00:00
Gr = ARP destination 01:00:00:00:00:00
M0 = ARP destination 01:00:5e:00:00:00
M1 = ARP destination 01:00:5e:00:00:01
M3 = ARP destination 01:00:5e:00:00:03

Read the PDF from my previous post for more clarification:
http://www.securityfriday.com/promiscuous_detection_01.pdf

On Fri, 13 Oct 2006 13:58:01 -1100, "Hans Nilsson" <hasse_gg_at_ftml.net>
said:
> Hello! I've recently read the paper "Detection of Promiscuous Nodes
> Using ARP Packets" [1], which lists various ways you can detect network
> cards that are set to promiscuous mode on your local network using
> custom-built ARP packets, thereby finding computers that run sniffer
> software like Wireshark.
>
> I was just thinking that it would be nice to have such a scanner in
> Nmap; as far as I know the only program that incorporates the techniques
> mentioned in the paper is "Cain and Abel" [2], and that's for Windows
> only. A cool thing about this is that, as an added benefit, different
> operating systems respond differently to these special ARP packets, so it
> could potentially be used for OS detection too.
>
> There's also talk about a "DNS test", "ICMP etherping test" and perhaps
> even more ways but I haven't delved further into that.
>
> [1]
> http://www.securityfriday.com/promiscuous_detection_01.pdf
> [2]
> http://www.oxid.it/ca_um/topics/promiscuous-mode_scanner.htm
> --
> Hans Nilsson
> hasse_gg_at_ftml.net
>
> _______________________________________________
> Sent through the nmap-dev mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-dev
> Archived at http://SecLists.Org

-- 
  Hans Nilsson
  hasse_gg_at_ftml.net
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
Received on Oct 16 2006
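As an added example (not code from this post, from the securityfriday paper, from Cain and Abel, or from Nmap), the following Python builds the seven probe frames the table above refers to, parses ARP replies, and matches the observed reply pattern against the two rows of that table. The probe destination MACs and the X/0 rows are taken from the post; the frame layout is standard Ethernet II carrying an RFC 826 ARP request. The raw-socket sender at the end assumes Linux (AF_PACKET), root privileges, and an interface name you supply; the source MAC, source IP and target IP values used in the usage sketch are placeholders, not addresses from the post.

```python
"""Promiscuous-mode ARP probes: build frames, parse replies, match the post's table.

Added example, not from the original post or from Nmap.  Probe names and
the X/0 reply rows come from the post; frame encoding is Ethernet II + ARP.
"""
import socket
import struct

# Probe name -> Ethernet destination MAC, exactly as listed in the post.
PROBES = {
    "B31": "ff:ff:ff:ff:ff:fe",  # broadcast with the lowest bit cleared
    "B16": "ff:ff:00:00:00:00",
    "B8":  "ff:00:00:00:00:00",
    "Gr":  "01:00:00:00:00:00",  # group bit set, otherwise zero
    "M0":  "01:00:5e:00:00:00",  # IPv4 multicast prefix
    "M1":  "01:00:5e:00:00:01",  # maps to 224.0.0.1 (all hosts)
    "M3":  "01:00:5e:00:00:03",
}
PROBE_ORDER = ["B31", "B16", "B8", "Gr", "M0", "M1", "M3"]

# Reply table from the post: X = ARP reply received, 0 = no reply.
FINGERPRINTS = {
    "Windows XP SP2":      "XX000X0",
    "Linux Kernel 2.6.15": "00000XX",
}

ETHERTYPE_ARP = b"\x08\x06"
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac):
    return bytes(int(b, 16) for b in mac.split(":"))


def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def _arp_frame(dst_mac, src_mac, op, sha, spa, tha, tpa):
    # Ethernet II header, then the 28-byte ARP body (htype=1, ptype=IPv4).
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + ETHERTYPE_ARP
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa)
    return eth + arp


def build_probe(probe, src_mac, src_ip, target_ip):
    """ARP who-has for target_ip whose *Ethernet* destination is the odd
    MAC for `probe`.  A NIC in normal mode should drop most of these in
    its hardware filter; a promiscuous NIC passes them up and the kernel's
    ARP code answers the (otherwise ordinary) request."""
    return _arp_frame(PROBES[probe], src_mac, ARP_REQUEST,
                      src_mac, src_ip, "00:00:00:00:00:00", target_ip)


def build_reply(src_mac, src_ip, dst_mac, dst_ip):
    """A normal ARP reply, used here only to construct sample input."""
    return _arp_frame(dst_mac, src_mac, ARP_REPLY, src_mac, src_ip, dst_mac, dst_ip)


def parse_arp_reply(frame):
    """Return (sender_mac, sender_ip) for an ARP reply frame, else None."""
    if len(frame) < 42 or frame[12:14] != ETHERTYPE_ARP:
        return None
    if struct.unpack("!HHBBH", frame[14:22]) != (1, 0x0800, 6, 4, ARP_REPLY):
        return None
    sha = ":".join(f"{b:02x}" for b in frame[22:28])
    spa = ".".join(str(b) for b in frame[28:32])
    return sha, spa


def fingerprint(replied):
    """Turn the set of probe names that drew a reply into the table's X/0 row."""
    return "".join("X" if p in replied else "0" for p in PROBE_ORDER)


def classify(replied):
    """Names of table rows whose reply pattern matches exactly."""
    fp = fingerprint(replied)
    return [name for name, row in FINGERPRINTS.items() if row == fp]


def send_probes(iface, src_mac, src_ip, target_ip, timeout=1.0):
    """Put the seven probes on the wire and collect which ones target_ip
    answered.  Assumes Linux AF_PACKET and root; not exercised offline."""
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(0x0806))
    s.bind((iface, 0))
    s.settimeout(timeout)
    replied = set()
    for probe in PROBE_ORDER:
        s.send(build_probe(probe, src_mac, src_ip, target_ip))
        try:
            while True:
                hit = parse_arp_reply(s.recv(2048))
                if hit and hit[1] == target_ip:
                    replied.add(probe)
                    break
        except socket.timeout:
            pass
    s.close()
    return replied


if __name__ == "__main__":
    # Placeholder addresses; run as root on the LAN segment you are testing.
    hits = send_probes("eth0", "00:11:22:33:44:55", "192.0.2.10", "192.0.2.20")
    print(fingerprint(hits), classify(hits))
```

Two caveats a practitioner would want alongside this: the table only has the two rows the post measured, so `classify` returns an empty list for anything else rather than guessing; and a reply to M1 alone is weak evidence, since 01:00:5e:00:00:01 is the MAC for the all-hosts group 224.0.0.1, which IP hosts join in normal mode anyway (consistent with both rows above showing X under M1).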