
Re: [PATCH] Pcap support for NSE, Promiscuous nodes detection

From: Hans Nilsson <hasse_gg_at_ftml.net>
Date: Sun, 04 Feb 2007 12:52:08 -1100

Nice that you did implement that!

On Sun, 4 Feb 2007 01:58:54 +0100, "majek04"
<majek04+nmap-dev_at_gmail.com> said:
> Good news everyone!
>
> I created patch[1] for nmap that gives some interesting features to NSE:
> - sending raw ethernet packets
> - reading raw packets
>
> To show you how it works I prepared sample script.
>
> It can scan hosts in local ethernet and it checks if their network
> cards are in promiscuous mode. In other words it checks if someone
> is sniffing in your network.
>
> Technique I used is described in [2].
>
> Sample usage: (Port number doesn't matter. It's used just to trigger
> scripts)
>
> # sudo ./nmap -sS -p1 -n --script=promiscuous.nse 192.168.0.0/24
> Starting Nmap 4.21ALPHA2 ( http://insecure.org ) at 2007-02-04 01:08 CET
> Interesting ports on 192.168.0.1:
> Host script results:
> |_ Promiscuous detection: PROMISCUOUS (tests: "11111111")
> Interesting ports on 192.168.0.3:
> Host script results:
> |_ Promiscuous detection: Win98/Win2K/WinXP with pcap installed. I'm
> unsure if they're sniffing. (tests: "1_1___1_")
>
>
>
> The promiscuous test is correctly guessing NIC mode on these systems:
> - BSD
> - MacOSX
> - Linux
> It's not possible to guess Solaris.
> I need more data about windows results.
> And these tests don't work on wireless.
>
>
>
> Well, now the details.
>
> 1. NSOCK
> To make possible integration pcap into scripts I had to do changes
> in core nsock, and I've added pcap support to it.
>
> New nsock_pcap functions are described in nsock.h and usage is similar
> to original pcap functions.
> Simple example can be found in nsock/examples/nsock_pcap.c
>
> Unfortunately windows doesn't fully support pcap. In windows there are
> issues with timings. But except that, everything should work.
>
>
>
> 2. NSE
> New features in NSE:
> I extended host structure:
> host.directly_connected (boolean)
> - whether the host is directly connected
>
> host.mac_addr (6 byte binary string)
> - 48bit ethernet address of destination or nil if
> host is not directly connected
>
> host.mac_addr_src (6 byte binary string)
> - 48bit ethernet address of our network card (or spoofed)
> we are going to send packets from this MAC address
>
> host.interface (string)
> - dnet-style interface name through which we are connecting to
> the host
>
>
> New dnet structure:
> dnet:get_interface_link(interface_name) (string)
> interface_name - dnet style interface name
> - it returns link layer2 name. Currently result can be one of this:
> 'ethernet' 'loopback' 'p2p' nil
>
> dnet:open_ethernet(interface_name)
> interface_name - dnet style interface name
> - opens ethernet device to send packets from it
>
> dnet:send_ethernet(packet)
> packet - binary string with layer2 headers +upper layers
> - sends ethernet packet using current dnet device
>
> dnet:close_ethernet()
> - closes ethernet device
>
> Dnet devices are cached. So if you'll open some interface in more
> than one lua thread, they use one physical descriptor.
> Descriptor is closed only when no process is using it.
>
> Extended nsock structure:
> nsock:pcap_open(device, snaplen, promisc, test_off, test_len, bpf)
> device - dnet-style interface name
> snaplen - max length of packet to be captured (like '-s' in tcpdump)
> promisc - 1 if device should be opened in promiscuous mode, 0 otherwise
> test_off - offset in received packets from which we'll run test
> test_len - length of test to be done on received packets
> bpf - Berkeley packet filter expression (like in tcpdump)
> - opens pcap device
>
> nsock:pcap_close()
> - closes pcap device
>
> nsock:pcap_receive(test_data)
> test_data - binary string that would be compared with received packet
> if the test will succeed then we'll receive packet
> if you want to receive all packets just pass empty string
> - result is tuple that contains
> if the packet is received
> true, packet_len, l2_data, l3_data
> - packet_len is length of original packet (but you can
> receive less data depending on snaplen)
> - l2_data is data from second OSI layer, like ethernet headers
> - l3_data is data from third OSI layer, like ipv4 headers
> (remember that length(l2_data) + length(l3_data) ==
> MIN(packet_len, snaplen),)
> if error occurred
> nil, error_description, nil, nil
>
> Pcap devices are also cached.
> It would be performance nightmare if we'll open single pcap
> descriptor for every lua thread. So please don't use host specific pcap filters.
>
> To distribute packets to specific lua threads we created the idea of
> 'test'.
> Every received packet is binary-tested with data your lua thread
> provided (test_data).
> Lua thread will be restored when its test will fit to some received
> packet.
>
> Of course it's possible that one packet will trigger many
> lua-processes, that's perfectly okay.
>
> For example let's set test for source on ip packets
> (test offset is: ethernet offset + source ip offset)
> (test length is 4 bytes)
> # nsock:pcap_open(host.interface, 64, 0, 14 + 12 , 4, 'ip')
>
> Okay, after we registered pcap let's sniff packets that are from
> our current target host:
> # nsock:pcap_read(host.bin_ip)
> That's it. Every packet we receive will be from our host.
>
>
>
>
> I guess you guys would like to send raw IP packets rather than ethernet.
> I'm considering implementing this if there is demand.
>
> Cheers!
> Marek Majkowski
>
>
> [1] http://ai.pjwstk.edu.pl/~majek/private/nmap/nse-pcap/
> nmap-4.21A1-nse-pcap.diff - patch almost fits 4.21Alpha1
> (only example file doesn't work)
> nmap-4.21A1-nse-pcap.tar.bz2 - full sources
> nmap-4.21A1-nse-pcap.exe - windows installer
>
> [2] http://www.securityfriday.com/promiscuous_detection_01.pdf
>

-- 
  Hans Nilsson
  hasse_gg_at_ftml.net
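The packet "test" dispatch that the quoted message describes (one shared pcap descriptor, many waiting lua threads, each woken when the bytes at test_off/test_len equal its test_data, an empty test_data matching everything) is easy to misread, so here is a small Python model of it. This is an added illustration, not code from the patch or from Nmap; the class and function names, and the constructed sample frame, are assumptions chosen for the example. The offsets follow the post's own `14 + 12, 4` example for matching on the IPv4 source address.

```python
import struct

ETH_HDR_LEN = 14      # ethernet header length, hence the post's 14 + 12 offset
IPV4_SRC_OFF = 12     # offset of the source address inside the IPv4 header


def build_frame(src_mac, dst_mac, src_ip, dst_ip, payload=b""):
    """Constructed sample data: an ethernet frame carrying a minimal IPv4 header."""
    eth = dst_mac + src_mac + b"\x08\x00"          # EtherType 0x0800 = IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                     64, 6, 0, src_ip, dst_ip)    # checksum left 0 (not needed here)
    return eth + ip + payload


class PcapDispatcher:
    """Hypothetical model of one shared pcap descriptor opened with
    nsock:pcap_open(device, snaplen, promisc, test_off, test_len, bpf)
    and the per-thread nsock:pcap_receive(test_data) registrations."""

    def __init__(self, snaplen, test_off, test_len):
        self.snaplen = snaplen
        self.test_off = test_off
        self.test_len = test_len
        self.waiting = {}   # thread name -> test_data it is blocked on

    def pcap_receive(self, thread, test_data):
        """A script thread parks here; empty test_data means 'any packet'."""
        if test_data and len(test_data) != self.test_len:
            raise ValueError("test_data must be empty or exactly test_len bytes")
        self.waiting[thread] = test_data

    def deliver(self, frame):
        """Feed one captured frame. Returns {thread: (True, packet_len, l2_data,
        l3_data)} for every waiting thread whose test matched; one frame may
        wake several threads, and unmatched threads keep waiting."""
        captured = frame[:self.snaplen]               # snaplen truncation
        probe = captured[self.test_off:self.test_off + self.test_len]
        l2_data, l3_data = captured[:ETH_HDR_LEN], captured[ETH_HDR_LEN:]
        woken = {}
        for thread, test_data in list(self.waiting.items()):
            if test_data == b"" or test_data == probe:
                woken[thread] = (True, len(frame), l2_data, l3_data)
                del self.waiting[thread]
        return woken
```

Because every thread shares the descriptor, a per-host BPF filter on the open call would starve the other threads; the per-thread selection belongs in test_data, which is the caching caveat the message makes.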
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
Received on Feb 04 2007