UPDATE - Python version now available at http://netgrab.co.uk/netsleuth-console/
Hi,
I knocked up a quick tool that I have been using for "portscanning without sending packets" (as per the talks at last year's DefCon). It's a free download under the GPL and you can get it here.
I have been using it to ID (often Operating System and type) and fingerprint machines of interest during a pentest where I need to be careful not to trigger IDS. The tool can also read .pcap files, which I've been using for incident response in analysing data.
It can also read the .pcapdump files output by Kismet and has been very useful to me for wireless pentesting (network broadcast traffic is by far the most common traffic you will be able to see by using Kismet).
I normally have Windows and BT side by side in a pentest. Currently the tool needs Windows, but I am doing a few fixes to make it run natively on Backtrack. The code or installer is available at http://www.netgrab.co.uk/.
Let me know what you think and happy to put your suggestions into the tool.
Thanks!
Last edited by nfatchris; 08-10-2012 at 10:08 AM.
I await the native backtrack version. I'm hoping that nmap adds this option in, but your tool is great as well. When do you think the native BT version will be out? Do you have formatting options for the output?
World Domination is such an ugly phrase. I prefer the term World Optimization.
Thanks, nfatchris. I too await the BT version!
If I could figure out how to scuba dive & hack at the same time, there would be nothing I couldn't do...
Many thanks. Sorry for the late reply, I thought I had done - but it must have got chewed up in the system.
I'm about to do a modification to the application to allow it to run as a command line application. That will make it easily compatible with Backtrack after an 'apt-get install mono'. Longer term, I'll look at a Python script, but I do expect performance to suffer slightly on larger pcap files.
What export formats would you like? Let me know and I'll code it in!
Running from the command line is perfect. Better for most (i.e. me) people. As for output options, why not use the nmap output options? Those are extensive and well-liked?
I'm with ShadowMaster... the output options from nmap would be perfect. Might I suggest using the same switches as nmap? -oG for greppable output, -oX for XML, etc.
Ok, I haven't had a chance to play with it, but just reading this thread I immediately think: what's the difference between this and p0f?
http://lcamtuf.coredump.cx/p0f3/
http://en.wikipedia.org/wiki/P0f
I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.
I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.
The output is more port-oriented as opposed to whatever that one is. Think nmap as a ninja.
Hi All,
I've been away a lot recently, but I'm about 2/3 of the way to porting the functionality to a Python script. This should make it easier for Backtrack users.
The NMAP output makes a lot of sense. I'll implement that in addition to a standard CSV-to-console style output.
I'll post a beta version up here in the next few days.
Hi,
So I've listened to some of the requests and created a command line version of this tool - you can get it here
It's written in Python and you won't need to do anything other than download and unzip to run it on Backtrack 5 R2. It pipes CSV output to the command line, but will also (on program exit) create an XML file in the NMAP format. This can be imported into Metasploit for pen testing.
It's very early alpha, so please contact me with any bugs or new ideas while I develop it further.
Thanks
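The two ideas the thread keeps coming back to are passive inventory (listening to traffic, or replaying a saved .pcap, and inferring which hosts answer on which ports without ever probing them) and writing the result out in nmap's XML format so it can be imported elsewhere. The script below is an added illustration of both, written for this thread and not taken from netsleuth or any other tool here. It assumes a classic libpcap file with Ethernet framing, infers "host X listens on port Y" only from observed SYN/ACK replies, applies a deliberately coarse initial-TTL heuristic as the OS hint (an assumption of common defaults: 64 for Linux/Unix, 128 for Windows, 255 for network gear), and emits only the subset of nmap's XML elements (nmaprun, host, status, address, ports, port, state) needed for an import. The capture it parses is constructed in memory so the example runs offline; the addresses, ports and TTLs are made up.

```python
import struct
import ipaddress
import xml.etree.ElementTree as ET
from collections import defaultdict

SYN, SYN_ACK = 0x02, 0x12

# --- constructed sample capture (made-up addresses/ports/TTLs) ---------------
def _tcp_frame(src_ip, dst_ip, sport, dport, flags, ttl):
    """Build a minimal Ethernet/IPv4/TCP frame. Checksums are left zero; the parser ignores them."""
    eth = b"\x00" * 12 + b"\x08\x00"  # dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, ttl, 6, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip + tcp

def build_sample_pcap():
    """Constructed capture: a Linux-like host answering on 22 and 80, a Windows-like host on 445."""
    frames = [
        _tcp_frame("10.0.0.5", "10.0.0.10", 40000, 22, SYN, 64),
        _tcp_frame("10.0.0.10", "10.0.0.5", 22, 40000, SYN_ACK, 64),
        _tcp_frame("10.0.0.5", "10.0.0.10", 40001, 80, SYN, 64),
        _tcp_frame("10.0.0.10", "10.0.0.5", 80, 40001, SYN_ACK, 64),
        _tcp_frame("10.0.0.5", "10.0.0.20", 40002, 445, SYN, 64),
        _tcp_frame("10.0.0.20", "10.0.0.5", 445, 40002, SYN_ACK, 128),
        _tcp_frame("10.0.0.20", "10.0.0.5", 445, 40002, SYN_ACK, 128),  # retransmit: must not double count
    ]
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    body = b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
    return header + body

# --- minimal pcap + IPv4/TCP parsing ----------------------------------------
def iter_pcap_frames(data):
    """Yield the captured bytes of each record in a classic (non-pcapng) pcap file."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet link type is handled here")
    off = 24
    while off + 16 <= len(data):
        _, _, incl, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl]
        off += incl

def parse_tcp(frame):
    """Return (src, dst, sport, dport, flags, ttl) for an IPv4/TCP frame, else None."""
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4
    ttl, proto = ip[8], ip[9]
    if proto != 6 or len(ip) < ihl + 14:  # need at least up to the TCP flags byte
        return None
    src = str(ipaddress.IPv4Address(ip[12:16]))
    dst = str(ipaddress.IPv4Address(ip[16:20]))
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return src, dst, sport, dport, ip[ihl + 13], ttl

def ttl_hint(ttl):
    """Coarse OS hint from observed TTL (assumed defaults; hop count already decremented it)."""
    if ttl <= 64:
        return "linux/unix (ttl<=64)"
    if ttl <= 128:
        return "windows (ttl<=128)"
    return "network device (ttl<=255)"

def passive_inventory(pcap_bytes):
    """Hosts and open TCP ports inferred solely from SYN/ACK replies seen in the capture."""
    hosts = defaultdict(lambda: {"ports": set(), "ttl": None})
    for frame in iter_pcap_frames(pcap_bytes):
        pkt = parse_tcp(frame)
        if pkt is None:
            continue
        src, _dst, sport, _dport, flags, ttl = pkt
        if flags & SYN_ACK == SYN_ACK:  # the sender is accepting connections on sport
            hosts[src]["ports"].add(sport)
            hosts[src]["ttl"] = ttl
    return {h: {"ports": sorted(v["ports"]), "os_hint": ttl_hint(v["ttl"])}
            for h, v in hosts.items()}

def to_nmap_xml(inventory):
    """Serialise the inventory using the subset of nmap's XML schema an importer reads."""
    root = ET.Element("nmaprun", scanner="passive-pcap-example")
    for addr in sorted(inventory):
        host = ET.SubElement(root, "host")
        ET.SubElement(host, "status", state="up", reason="syn-ack")
        ET.SubElement(host, "address", addr=addr, addrtype="ipv4")
        ports = ET.SubElement(host, "ports")
        for p in inventory[addr]["ports"]:
            port = ET.SubElement(ports, "port", protocol="tcp", portid=str(p))
            ET.SubElement(port, "state", state="open", reason="syn-ack")
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    inv = passive_inventory(build_sample_pcap())
    for h, info in sorted(inv.items()):
        print(f"{h},{info['os_hint']},{' '.join(map(str, info['ports']))}")  # CSV-style console line
    print(to_nmap_xml(inv))
```

Note what the SYN/ACK rule does and does not tell you: it only ever records ports that were seen answering, so the client at 10.0.0.5 never appears as a "host with open ports", and a retransmitted reply adds nothing. The TTL hint is exactly as weak as it looks and is the kind of thing p0f does far more carefully; it is here only to show where an OS guess would plug in.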