Nmap 5.0 has been released, with a bunch of improvements: look at the changelog.
Author Archives: phocean
Yersinia: patch to compile under openSUSE (11.1)
Yet another post in the series of compilation failures due to unexpected library paths.
This time, it is about Yersinia and the ncurses library. I made the following yersinia-opensuse11.1 patch, which should work for openSUSE 11.1 and maybe other versions or distros.
Compilation of PackETH on openSUSE
PackETH is a nice GTK tool to play with Ethernet packets.
I encountered some path issues with the Makefile on openSUSE 11.1 64-bit when compiling it, so here is the packETH-opensuse patch to compile it correctly.
If you are on a 32-bit system, all you will have to do is edit the CPPFLAGS line and replace all lib64 occurrences with lib.
I hope one will find it useful.
“Why Mono doesn’t suck”
For the record, a nice post which I hope will help stop the FUD against Mono.
ARPFreeze
ARPFreeze is a nice GUI for Windows that lets you configure static ARP entries very easily and makes these changes persistent across reboots.
It thus protects the client machine against ARP flooding.
It works for both Windows Vista and prior versions (support for arp -s and netsh).
Promiscuous mode detection
Detectpromisc is a Python script based on Scapy that can detect whether a computer is sniffing the network.
By nature, it is quite difficult to detect whether a machine is sniffing, because it operates passively, receiving all packets from the wire but, normally, answering only packets destined for itself.
There are, however, several methods that make detection possible.
Some are based on latency, because in promiscuous mode a machine will take more time to answer (packets have to be processed by the kernel, not only by the network card).
Another involves generating some tricky packets with a correct IP but a wrong MAC address. The machine should answer only if it is in promiscuous mode.
It is also possible to use source routing through a host on the path that doesn't route. If an answer comes back anyway, the target is sniffing.
Other methods are implemented by IDS and are based on the volume of DNS requests.
Most of these methods are neither reliable nor easy to implement. All the ones based on IP routing are quite easy for the attacker to work around.
Detectpromisc works exclusively at the ARP level.
Depending on the OS, it sends out some specific ARP packets (multicast, fake broadcast, etc.).
In normal mode, the network card will discard these illegitimate packets: this is what is called the hardware filter.
In promiscuous mode, there is no hardware filter: packets reach the kernel directly (software filter).
Of course, the kernel will behave differently depending on the OS, but some of the tricked ARP packets generated by Detectpromisc will cause the sniffing machine to send an answer.
It is therefore possible to differentiate a sniffing machine from a normal machine. Moreover, as the behaviour is quite reliable and OS specific, it is possible to fingerprint the target.
In practice, it has worked very well so far:
% sudo ./detect.py -i eth0 -O 192.168.222.25
Scan right index finger on UPEK TouchStrip
WARNING: No route found for IPv6 destination :: (no default route?)
192.168.222.25 : promiscuous mode card detected
probably: Linux 2.2/2.4/2.6
% sudo ./detect.py -i eth0 -O 192.168.222.26
WARNING: No route found for IPv6 destination :: (no default route?)
192.168.222.26 : promiscuous mode card detected
probably: Windows 2k/NT4
A full paper on how it works is available there. Great tool, isn't it?
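To make the hardware-filter versus software-filter idea concrete, here is an added example (my own, not Detectpromisc's code) that models both filters, simulates which fake-broadcast and multicast ARP probes a normal and a promiscuous host would answer, and applies the decision rule; the probe set and the Linux-style software filter are simplified assumptions, OS fingerprinting is left out, and the Scapy sender at the end only runs with Scapy installed and raw-socket privileges.

```python
from typing import Dict, Iterable, List

# Constructed probe set: destination MACs that a NIC hardware filter in normal
# mode drops (none is the broadcast address or a subscribed group), plus the
# real broadcast as a control. Names are this example's own.
PROBES: Dict[str, str] = {
    "broadcast":    "ff:ff:ff:ff:ff:ff",  # control: every live host answers
    "fake_bcast31": "ff:ff:ff:ff:ff:fe",  # 31 ones, not a broadcast address
    "fake_bcast16": "ff:ff:00:00:00:00",
    "fake_bcast8":  "ff:00:00:00:00:00",
    "group_bit":    "01:00:00:00:00:00",  # I/G bit set, no group subscribed
    "multicast0":   "01:00:5e:00:00:00",  # IPv4 multicast OUI, unsubscribed
}

def hw_filter_accepts(dst: str, own_mac: str, groups: Iterable[str] = ()) -> bool:
    """Hardware filter in normal mode: own unicast, broadcast, joined groups."""
    d = dst.lower()
    return d in {own_mac.lower(), PROBES["broadcast"], *(g.lower() for g in groups)}

def sw_filter_accepts(dst: str, own_mac: str) -> bool:
    """Simplified Linux-style software filter once the card is promiscuous
    (assumption): any frame with the I/G bit set in its first octet is treated
    as multicast/broadcast, reaches the ARP layer and gets answered."""
    d = dst.lower()
    return d == own_mac.lower() or (int(d.split(":")[0], 16) & 1) == 1

def host_replies(own_mac: str, promiscuous: bool) -> List[str]:
    """Probes a simulated host answers (ARP target IP assumed to be its own)."""
    accept = sw_filter_accepts if promiscuous else hw_filter_accepts
    return [name for name, dst in PROBES.items() if accept(dst, own_mac)]

def classify(replied: Iterable[str]) -> Dict[str, object]:
    """Decision rule: a reply to any probe the hardware filter should have
    dropped means the card is promiscuous. No reply to the broadcast control
    means the host is down or filtered, not that it is clean."""
    got = set(replied)
    evidence = sorted(got - {"broadcast"})
    return {"alive": "broadcast" in got, "promiscuous": bool(evidence), "evidence": evidence}

def probe_with_scapy(iface: str, target_ip: str, timeout: float = 1.0) -> List[str]:
    """Send the probes for real; needs Scapy and raw-socket privileges."""
    from scapy.all import ARP, Ether, srp1  # lazy import so the model runs offline
    answered = []
    for name, dst in PROBES.items():
        pkt = Ether(dst=dst) / ARP(op=1, pdst=target_ip)
        if srp1(pkt, iface=iface, timeout=timeout, verbose=False) is not None:
            answered.append(name)
    return answered
```

On a real host, feed the names returned by probe_with_scapy into classify; the evidence list tells you which supposedly filtered probes were answered.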