Author Archives: phocean

Prads – a new passive scanner !

Edward Bjarte Fjellskål contacted me to let me know about a new program he, Kacper Wysocki and Jan Henning Thorsen made, called Prads.

Prads is a fingerprinting scanner, coded in Perl. I am fond of this kind of tool, so I enjoyed checking it out.

Prads operates differently from Nmap or SinFP that I already introduced on this blog. It works passively, meaning that it aims to scan systems without sending out a single packet. It does this by capturing the traffic silently though an interface in promiscuous mode.
The advantage, of course, is that it is much more stealth than a classic scanner, which leaves usually a lot of log entries in firewalls or IDS.
It works on several layers and is based on all the common protocols, that should make it efficient and fast : TCP, UDP, ICMP, ARP.

Using Prads is very simple, just look at prads –help for more info.

There is a sample output, after running it a few seconds on my network :

% sudo perl prads.pl -d eth0 --os --service
Starting prads.pl...
Using eth0
DBD::SQLite::db prepare failed: table asset already exists(1) at dbdimp.c line 271 at prads.pl line 320.
 1243801518 [SYN       ] ip:  192.168.222.23 - Linux - 2.6 (newer, 7) [S4:64:1:60:M1460,S,T,N,W7:.] distance:0 link:"ethernet/modem"
 1243801518 [SYNACK    ] ip: 192.168.222.254 - Linux - 2.6 (newer, 0) [5792:64:1:60:M1460,S,T,N,W0:ZA] distance:0 link:"ethernet/modem"
; 3.0.10-1.1.1 Firefox [192.168.222.23:44555] distance:1 link:SERVICE
 1243801518 [SERVICE   ] ip: 192.168.222.254 - Unknown HTTP - HTTP;  [192.168.222.254:80] distance:1 link:SERVICE
; 3.0.10-1.1.1 Firefox [192.168.222.23:44556] distance:1 link:SERVICE
; 3.0.10-1.1.1 Firefox [192.168.222.23:44557] distance:1 link:SERVICE
; 3.0.10-1.1.1 Firefox [192.168.222.23:44558] distance:1 link:SERVICE
; 3.0.10-1.1.1 Firefox [192.168.222.23:44559] distance:1 link:SERVICE
 1243801536 [SYNACK    ] ip:    91.121.56.96 - Linux - 2.6 (newer, 5) [5792:64:1:60:M1380,S,T,N,W5:ZA] distance:7 link:"GPRS, T1, FreeS/WAN"
 1243801536 [SERVICE   ] ip:    91.121.56.96 - Generic TLS 1.0 SSL - ;  [91.121.56.96:443] distance:1 link:SERVICE
 1243801438 [UDP       ] ip:  192.168.222.23 - @Linux - 2.6 [20:64:1:.:2:0] distance:0 link:ethernet [OLD]
 1243801438 [UDP       ] ip:        89.2.0.1 - @Linux - 2.6 [20:64:1:.:2:0] distance:2 link:ethernet [OLD]
 1243801544 [SERVICE   ] ip:        89.2.0.1 - - - DNS; - [89.2.0.1:53] distance:1 link:SERVICE
 1243801549 [SYNACK    ] ip:   192.168.222.1 - Cisco - 7200, Catalyst 3500, etc [4096:255:0:44:M1460:A] distance:0 link:"ethernet/modem"
 1243801549 [SERVICE   ] ip:   192.168.222.1 - Cisco SSH - Protocol 1.5; 1.25 [192.168.222.1:22] distance:1 link:SERVICE
 1243801549 [SERVICE   ] ip:  192.168.222.23 - OpenSSH - Protocol 1.5; 5.1 [192.168.222.23:42208] distance:1 link:SERVICE
 1243801600 [SYN       ] ip:  192.168.222.23 - Linux - 2.6 (newer, 7) [S4:64:1:60:M1460,S,T,N,W7:.] distance:0 link:"ethernet/modem"  [OLD]
 1243802459 [SYNACK    ] ip:   192.168.222.2 - UNKNOWN - UNKNOWN [8192:128:1:60:M1460,N,W8,S,T:A] distance:0 link:"ethernet/modem"
 1243802459 [SERVICE   ] ip:  192.168.222.23 - Windows SMB - ;  [192.168.222.23:37748] distance:1 link:SERVICE
 1243802459 [SERVICE   ] ip:   192.168.222.2 - Windows SMB - ;  [192.168.222.2:445] distance:1 link:SERVICE
 1243801596 [SYNACK    ] ip:    91.121.56.96 - Linux - 2.6 (newer, 5) [5792:64:1:60:M1380,S,T,N,W5:ZA] distance:7 link:"GPRS, T1, FreeS/WAN"  [OLD]
 1243801596 [SERVICE   ] ip:    91.121.56.96 - Generic TLS 1.0 SSL - ;  [91.121.56.96:443] distance:1 link:SERVICE [OLD]
 1243801367 [UDP       ] ip:   192.168.222.2 - @Windows - MS [20:128:0:.:0:0] distance:0 link:ethernet [OLD]

As you can see, there is already some interesting output.
It detected quite well my Linux laptop running Firefox (UPDATE : according to the author, it is a bug as client detection has not been implemented yet) and surfing a few website, the provider’s DNS servers, another Linux machine and a Windows desktop. Concerning the last two, I guess that a more completed signature database would have allowed a more precise fingerprinting. The Linux box is a wifi Linksys router and the Windows one runs Vista.
Also, the gateway curiously did not show up itself, but the presence of a SSH connection helped to find it.
Finally, there is a little incoherence between the distance shown for the DNS server (=2, correct) and for the service (=1).

To be honnest, so far, I had never found interest in the existing passive scanners. There were POf but it is now pretty outdated and seems not to be developped anymore. Ettercap could fingerprint the system seen while sniffing (profiles), but it was definitely too limited and not really furtive. Moreover, Nmap with the right options, or SinFP itself can be quite stealth.

But now Prads has a place among the tools I use. It is efficient, straight forward and provide some useful info, beyond the OS detection : service and client info, distance, etc. It is nice because, once again, all these data are obtained withou sending out any request at all.

As it is in its early stage, it is very promising and I am looking forward to Prads and its signature database improving. Please keep up the good job !

That’s all for today. This tour was short but I will write again about this tool, as I will be using it. The next post will probably introduce the way the signature database is built and how it can be extended. So keep wired and don’t forget to check the Prads homepage.

IOS : Configuration buffer full, can’t add command

This error message suddenly showed up on one of my router when I tried to save its running configuration.

service compress-config allowed me to workaround this buffer problem :

router#wr mem
Building configuration...

% Warning: Saving this config to nvram may corrupt any network management or security files stored at the end of nvram.
Continue? [no]: no
% Configuration buffer full, can't add command:
************************************************************************

%Aborting Save. Compress the config.[OK]
router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
router(config)#service compress-config
router(config)#exit
router#wr mem
Building configuration...
Compressed configuration from 21787 bytes to 7991 bytes[OK]

Windows 7 UAC security design flaw

Video of a dummy vulnerability on Windows 7 . More info there.

It is incredible that Microsoft invests so much money in its security and that there are still such a bad security design for programs that in no way should be granted any administrator access (calc.exe or notepad.exe).

Also, I can’t imagine that no one could detect it in their teams during the quality process and security audit.

What the hell are they doing ?

SHA-1 vulnerable : consider SHA-2

Not long after md5, the computation progress has made another victim.

Last week, it was made public that the SHA-1 hash function should be now considered vulnerable. The discovery bring up that the computation to create a collision hash has been dramaticaly reduced. As a consequence, the SHA-1 function can’t warranty anymore the uniquity – and so the integrity – of the hashed object.

There are a few ressources :

This is the natural evolution of cryptography. Stronger cryptography is required against stronger CPU power. In this race, it is now suggested to migrate to SHA-2 whose digest lenghts range from 224 to 512 bits (instead of 160 bits for SHA-1). And until next time, where we will be urged to migrate to SHA-3 ;)

Debian, whose infrastructure was based on SHA-1 (package management, development) is quickly migrating all its keys right now. The procedure the Debian people should follow implies a transition period, where the new key will be signed with the former key, until the latter is revoked. Thus until all peers are updated too, to avoid breaking all the signing infrastruture.

Myself, I ugraded my keys from DSA/1024 bits to RSA/4096 bits (with SHA-2 hashing), so it should be ok for a while. You will find my new key here or linked from the contact page.