Scapy with WiFi monitor (rfmon) mode on OS X

April 13th, 2014 by admin

After taking the SANS 617 class in Orlando I got curious and wanted to get Scapy working natively on OS X rather than messing about with a virtual Linux image. A key motivator was that I was running out of space on my MacBook Air and not only had to carry around an external USB WiFi adapter, but also a USB hard drive.

Reading the tcpdump man page, I found that the AirPort adapter can be put in rfmon mode with the -I flag. This worked fairly well for reading raw 802.11 frames and avoided having to use the built-in airport command for sniffing. This is what I used to get packet capturing working in rfmon mode on my MacBook Air running Mavericks:

To change channels, use the built-in airport command with the -c argument. Changing channels requires running it as root with sudo; viewing the current channel does not.

The following command sets the card to channel 40

The following command shows what channel the card is listening on

Looking through the tcpdump source code, it turns out that the -I argument takes a code path that, instead of simply calling pcap_open_live, creates the handle with pcap_create and then calls pcap_set_rfmon and pcap_activate. Using this I was able to patch both pylibpcap and Scapy itself to call those functions when running under OS X. For a number of reasons I decided to create a Homebrew formula to install the patched code on my, or any other, system. I did go down the path of trying to add the patches to MacPorts, but after installing dependencies for 30 minutes I gave up. Someone familiar with MacPorts should be able to apply the same patches to that package manager.

While rfmon mode works well so far, I have had no luck with injecting (writing) raw frames to the AirPort interface.

In order to try these patches and get Scapy running with monitor (rfmon) mode in OS X Mavericks, you first need to install the Homebrew package manager. If you are running another package manager such as Fink or MacPorts, installing Homebrew could potentially cause conflicts or problems. I run both MacPorts and Homebrew and have not had any issues so far. The only conflict I have is between multiple Python versions: I have to remember to start Python as /usr/local/bin/python when working with Scapy so that the correct modules are loaded. Below are the steps needed to get this running:

1. Install Homebrew by following the instructions at the bottom of the page
2. Once installed, add the Scapy formula by

3. Install Scapy with dependencies (pcap, python, …)

4. Download the sniff.py Python script
5. Run the sniff.py Python script to capture some 802.11 frames
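As an added illustration of what a script like sniff.py ends up processing (this is not the author's sniff.py, nor Scapy code), here is a standard-library parser for the pcap that `tcpdump -I -w out.pcap` writes in rfmon mode. It assumes pcap link type 127 (radiotap pseudo-header followed by the 802.11 frame), which is what rfmon captures normally carry, and it walks the beacon frames to report BSSID, SSID and channel. The capture it reads is constructed in memory (BSSIDs, SSIDs and channels are made up), so it runs offline; it also shows the two things a real capture will throw at you, a hidden SSID (zero-length SSID element) and a truncated element.

```python
"""Parse beacon frames out of an rfmon capture saved with `tcpdump -I -w out.pcap`
(pcap link type 127, DLT_IEEE802_11_RADIO: radiotap header + 802.11 frame).
Standard library only; the sample capture at the bottom is constructed, not recorded."""
import struct

DLT_IEEE802_11_RADIO = 127
PCAP_MAGIC_LE = 0xA1B2C3D4        # little-endian pcap with microsecond timestamps
MGMT_BEACON = (0, 8)              # (frame type, subtype) of a beacon
IE_SSID, IE_DS_PARAMS = 0, 3      # information element tags used below

def pcap_records(data):
    """Yield each captured packet from an in-memory little-endian pcap file."""
    magic, _vmaj, _vmin, _tz, _sig, _snap, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC_LE:
        raise ValueError("not a little-endian pcap file")
    if linktype != DLT_IEEE802_11_RADIO:   # without -I tcpdump writes Ethernet frames instead
        raise ValueError("capture is not radiotap/802.11 (link type %d)" % linktype)
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len

def strip_radiotap(pkt):
    """Return the 802.11 frame that follows the variable-length radiotap header."""
    if len(pkt) < 8:
        raise ValueError("packet shorter than a radiotap header")
    version, _pad, rt_len = struct.unpack_from("<BBH", pkt, 0)
    if version != 0 or rt_len < 8 or rt_len > len(pkt):
        raise ValueError("malformed radiotap header")
    return pkt[rt_len:]

def parse_ies(body):
    """Return {tag: value} for the tagged elements in a management frame body."""
    ies, i = {}, 0
    while i + 2 <= len(body):
        tag, length = body[i], body[i + 1]
        if i + 2 + length > len(body):
            break                         # truncated element: stop, never read past the frame
        ies[tag] = body[i + 2:i + 2 + length]
        i += 2 + length
    return ies

def parse_beacon(frame):
    """Return (bssid, ssid, channel) for a beacon frame, or None for any other frame."""
    if len(frame) < 36:                   # 24-byte MAC header + timestamp/interval/capability
        return None
    fc = struct.unpack_from("<H", frame, 0)[0]
    if ((fc >> 2) & 0x3, (fc >> 4) & 0xF) != MGMT_BEACON:
        return None
    bssid = ":".join("%02x" % b for b in frame[16:22])   # addr3 carries the BSSID
    ies = parse_ies(frame[36:])
    ssid_raw = ies.get(IE_SSID, b"")
    ssid = ssid_raw.decode("utf-8", "replace") if ssid_raw else None   # None: hidden SSID
    ds = ies.get(IE_DS_PARAMS)
    channel = ds[0] if ds is not None and len(ds) == 1 else None
    return bssid, ssid, channel

def beacons_from_pcap(data):
    """Return the distinct (bssid, ssid, channel) tuples seen in a capture."""
    seen = []
    for pkt in pcap_records(data):
        try:
            info = parse_beacon(strip_radiotap(pkt))
        except ValueError:
            continue                      # skip a damaged record rather than abort the run
        if info is not None and info not in seen:
            seen.append(info)
    return seen

def build_beacon(bssid, ssid, channel):
    """Constructed sample data: a radiotap-prefixed beacon for the in-memory capture."""
    radiotap = struct.pack("<BBHI", 0, 0, 8, 0)          # minimal header, no present fields
    header = (struct.pack("<HH", 0x0080, 0)              # frame control: type 0, subtype 8
              + b"\xff" * 6 + bssid + bssid              # DA (broadcast), SA, BSSID
              + struct.pack("<H", 0))                    # sequence control
    body = struct.pack("<QHH", 0, 100, 0x0411)           # timestamp, interval, capabilities
    body += bytes([IE_SSID, len(ssid)]) + ssid + bytes([IE_DS_PARAMS, 1, channel])
    return radiotap + header + body

def build_pcap(packets):
    """Wrap raw packets in a little-endian pcap container with link type 127."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, DLT_IEEE802_11_RADIO)
    return out + b"".join(struct.pack("<IIII", 0, 0, len(p), len(p)) + p for p in packets)

SAMPLE_PCAP = build_pcap([
    build_beacon(bytes.fromhex("001122334455"), b"lab-ap", 40),
    build_beacon(bytes.fromhex("66778899aabb"), b"", 6),           # hidden SSID
    build_beacon(bytes.fromhex("001122334455"), b"lab-ap", 40),    # repeated beacon
])

if __name__ == "__main__":
    for bssid, ssid, channel in beacons_from_pcap(SAMPLE_PCAP):
        print("%s  ch %-3s  %s" % (bssid, channel, ssid or "<hidden>"))
```

To use it on a real file, replace SAMPLE_PCAP with `open("out.pcap", "rb").read()`. The link-type check is the quickest way to confirm rfmon actually took effect: a capture taken without -I comes back as Ethernet and is rejected instead of being silently misparsed.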

Metasploit password capturing modules

July 12th, 2012 by admin

I recently finished writing three Metasploit modules for capturing passwords for VNC, SQL Server and DB2 (and other DRDA-based databases). Being new to the Metasploit project (from a development perspective), Ruby and Git, I can honestly say it was a challenge. I probably spent more time understanding Git and Ruby than implementing the actual network services. Having contributed a lot of “client” scripts to the Nmap project, I decided it was time to implement some server components, and the Metasploit project seemed like a good option. All in all it was a fun project; the review process went very smoothly and the modules were merged quickly.

In terms of the modules, they’re pretty straightforward:

  • vnc.rb captures VNC authentication challenge/response pairs in a form suitable for feeding to JTR
  • mssql.rb captures both NTLM challenge/response authentication and the weaker “encoded” passwords
  • drda.rb captures and decodes EBCDIC-encoded usernames and passwords
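To show why the “encoded” SQL Server password is the weak case, here is an added example (in Python, not the Ruby of mssql.rb, and not Metasploit code) that pulls the credentials out of a TDS7 LOGIN7 message. Per MS-TDS the client only obfuscates the UCS-2 password by swapping the nibbles of each byte and XORing with 0xA5, so anything that captures the login can reverse it. The example assumes the TDS 7.2+ LOGIN7 layout (94-byte fixed part, offsets are those of the OffsetLength table) and builds its own LOGIN7 sample inline; the hostname, user and password in it are made up.

```python
"""Recover the credentials from a TDS7 LOGIN7 message. The password is only
obfuscated (swap the nibbles of each UCS-2 byte, then XOR 0xA5, per MS-TDS), so a
sniffer reverses it directly. The LOGIN7 below is constructed, not captured."""
import struct

LOGIN7_FIXED_LEN = 94   # TDS 7.2+: 36-byte fixed header + 58-byte OffsetLength table
# Offset of each field's (ibField, cchField) USHORT pair inside the OffsetLength table.
LOGIN7_FIELDS = {"hostname": 36, "username": 40, "password": 44,
                 "appname": 48, "servername": 52, "database": 68}

def _swap_nibbles(b):
    return ((b << 4) & 0xF0) | (b >> 4)

def tds7_obfuscate(password):
    """Client side: UCS-2 encode, swap nibbles, XOR each byte with 0xA5."""
    return bytes(_swap_nibbles(b) ^ 0xA5 for b in password.encode("utf-16-le"))

def tds7_deobfuscate(blob):
    """Sniffer side: undo the XOR, undo the nibble swap, decode UCS-2."""
    if len(blob) % 2:
        raise ValueError("password field must be an even number of bytes (UCS-2)")
    return bytes(_swap_nibbles(b ^ 0xA5) for b in blob).decode("utf-16-le")

def login7_field(login7, name):
    """Read one string field via its offset/length pair (length is in characters)."""
    ib, cch = struct.unpack_from("<HH", login7, LOGIN7_FIELDS[name])
    raw = login7[ib:ib + 2 * cch]
    if cch and (ib < LOGIN7_FIXED_LEN or len(raw) != 2 * cch):
        raise ValueError("field %s points outside the message" % name)
    return tds7_deobfuscate(raw) if name == "password" else raw.decode("utf-16-le")

def extract_credentials(login7):
    """Return (hostname, username, password) from a LOGIN7 body (TDS packet header removed)."""
    length = struct.unpack_from("<I", login7, 0)[0]
    if length != len(login7) or length < LOGIN7_FIXED_LEN:
        raise ValueError("LOGIN7 Length field does not match the message")
    return tuple(login7_field(login7, n) for n in ("hostname", "username", "password"))

def build_login7(fields):
    """Constructed sample: zeroed fixed header, populated offset table, then the strings."""
    msg, data = bytearray(LOGIN7_FIXED_LEN), b""
    for name, value in fields.items():
        enc = tds7_obfuscate(value) if name == "password" else value.encode("utf-16-le")
        struct.pack_into("<HH", msg, LOGIN7_FIELDS[name], LOGIN7_FIXED_LEN + len(data), len(enc) // 2)
        data += enc
    struct.pack_into("<I", msg, 0, LOGIN7_FIXED_LEN + len(data))   # Length
    struct.pack_into("<I", msg, 4, 0x72090002)                      # TDSVersion 7.2
    return bytes(msg) + data

SAMPLE_LOGIN7 = build_login7({"hostname": "WS01", "username": "sa", "password": "Winter2012!",
                              "appname": "osql", "servername": "sql01", "database": "master"})

if __name__ == "__main__":
    print("host=%s user=%s password=%s" % extract_credentials(SAMPLE_LOGIN7))
```

The offset/length bounds check matters on captured traffic: a LOGIN7 whose offsets point outside the packet (truncated capture, or a deliberately malformed client) should be rejected rather than read as garbage. Note that this only applies to SQL authentication; with integrated (NTLM) authentication the module captures a challenge/response instead and no password is recoverable directly.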

I have a few more modules I hope to implement once I finish some other stuff I’m currently working on.

Nmap 6 is out

May 21st, 2012 by admin

Be sure to get it at http://nmap.org/6 !

Oracle query support in Nmap

August 11th, 2011 by admin

I’ve just committed an updated version of the TNS library to Nmap, adding support for running Oracle database queries from Nmap scripts. I’ve put a considerable amount of work into trying to understand how the protocol works, due to the lack of documentation, and think that I’ve finally succeeded.

In addition I’ve posted two new scripts to the nmap-dev mailing list that make use of this new functionality:

  • oracle-query – runs a given query against the Oracle database server and returns the results
  • oracle-hash-dump – dumps the password hashes from an Oracle database server

If you have the opportunity to test this new code against Oracle 10g and 11g, please let me know how it works out. I’ll hopefully commit the two scripts to Nmap within the next few days.

I’ve ported mbenum to Nmap

August 10th, 2011 by admin

Thanks to some great effort put into the SMB libraries by the folks over at nmap-dev, porting mbenum to Nmap wasn’t as hard as I had imagined. A first version was committed to Subversion a while ago, but I forgot to publish this blog post at the time. Feel free to try it out! If you haven’t used mbenum before, it’s a tool that gives you a good picture of a network by querying a single system.

Both mbenum and the Nmap script smb-mbenum rely on being able to query the master browser for a particular domain or workgroup. You can find the master browser by sending a NetBIOS name query for the __MSBROWSE__ name. The Nmap script broadcast-netbios-master-browser does this for your broadcast domain by sending the query to the broadcast address.
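As an added example of the lookup described above (written in Python rather than NSE’s Lua, and not the code of broadcast-netbios-master-browser or smb-mbenum), here is the NetBIOS name query for __MSBROWSE__ and the parsing of the positive reply. The group name is the 15-byte string `\x01\x02__MSBROWSE__\x02` with suffix 0x01, first-level encoded per RFC 1001 into 32 characters; the query carries the B (broadcast) flag and goes to UDP/137 of the broadcast address. The reply parsed here is constructed inline (the master browser address 192.168.1.10 is made up), so nothing is sent on the wire.

```python
"""Find the master browser: a NetBIOS NAME QUERY for the group name __MSBROWSE__<01>
sent to the broadcast address (UDP/137), and the positive reply that names it.
Added example; the reply at the bottom is constructed, not captured."""
import struct

MSBROWSE = b"\x01\x02__MSBROWSE__\x02"     # 15-byte name; the <01> suffix is byte 16
NBNS_PORT = 137
FLAG_RESPONSE, FLAG_RD, FLAG_BROADCAST = 0x8000, 0x0100, 0x0010
NB_GROUP = 0x8000                           # G bit in the NB_FLAGS of each RDATA entry
QTYPE_NB, QCLASS_IN = 0x0020, 0x0001

def encode_name(name, suffix):
    """RFC 1001 first-level encoding: pad to 15 bytes, add the suffix, emit two nibbles + 'A' per byte."""
    padded = name[:15].ljust(15, b" ") + bytes([suffix])
    return bytes(c for b in padded for c in (0x41 + (b >> 4), 0x41 + (b & 0x0F)))

def decode_name(encoded):
    """Inverse of encode_name; returns (name, suffix)."""
    if len(encoded) != 32 or any(not 0x41 <= c <= 0x50 for c in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((hi - 0x41) << 4) | (lo - 0x41) for hi, lo in zip(encoded[::2], encoded[1::2]))
    return raw[:15].rstrip(b" "), raw[15]

def build_name_query(name, suffix, trn_id):
    """NAME QUERY REQUEST with the B flag set, for the broadcast address on UDP/137."""
    header = struct.pack(">HHHHHH", trn_id, FLAG_RD | FLAG_BROADCAST, 1, 0, 0, 0)
    question = b"\x20" + encode_name(name, suffix) + b"\x00" + struct.pack(">HH", QTYPE_NB, QCLASS_IN)
    return header + question

def parse_name_response(pkt, trn_id):
    """Return [(name, suffix, is_group, ip)] from a positive NAME QUERY RESPONSE."""
    rid, flags, qdcount, ancount, _ns, _ar = struct.unpack_from(">HHHHHH", pkt, 0)
    if rid != trn_id or not flags & FLAG_RESPONSE:
        raise ValueError("not the response to our query")
    if flags & 0x000F or ancount == 0:
        raise ValueError("negative response (rcode %d)" % (flags & 0x000F))
    off = 12 + qdcount * 38                # echoed questions: 34-byte name + type + class
    results = []
    for _ in range(ancount):
        if pkt[off] != 0x20:
            raise ValueError("scope identifiers are not supported here")
        name, suffix = decode_name(pkt[off + 1:off + 33])
        off += 34
        rtype, _rclass, _ttl, rdlen = struct.unpack_from(">HHIH", pkt, off)
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype != QTYPE_NB or rdlen % 6 or len(rdata) != rdlen:
            raise ValueError("malformed NB resource record")
        for i in range(0, rdlen, 6):       # each entry: NB_FLAGS (2 bytes) + IPv4 address (4)
            nb_flags = struct.unpack_from(">H", rdata, i)[0]
            ip = ".".join(str(b) for b in rdata[i + 2:i + 6])
            results.append((name, suffix, bool(nb_flags & NB_GROUP), ip))
    return results

def build_name_response(name, suffix, ip, trn_id, group=True):
    """Constructed sample: the positive response a master browser would send back."""
    header = struct.pack(">HHHHHH", trn_id, 0x8580, 0, 1, 0, 0)   # response, AA, RD, RA
    rr_name = b"\x20" + encode_name(name, suffix) + b"\x00"
    rdata = struct.pack(">H", NB_GROUP if group else 0) + bytes(int(o) for o in ip.split("."))
    return header + rr_name + struct.pack(">HHIH", QTYPE_NB, QCLASS_IN, 300000, len(rdata)) + rdata

def find_master_browser(query_id, response):
    """Return the IP that answered our __MSBROWSE__ query, or None."""
    for name, suffix, _group, ip in parse_name_response(response, query_id):
        if name == MSBROWSE and suffix == 0x01:
            return ip
    return None

SAMPLE_RESPONSE = build_name_response(MSBROWSE, 0x01, "192.168.1.10", 0x1234)

if __name__ == "__main__":
    print("query:", build_name_query(MSBROWSE, 0x01, 0x1234).hex())
    print("master browser:", find_master_browser(0x1234, SAMPLE_RESPONSE))
```

On a live network you would send `build_name_query(...)` with a UDP socket (SO_BROADCAST set) to `<broadcast>:137` and feed each datagram that comes back to `find_master_browser`; checking the transaction ID and the B/rcode bits before trusting a reply keeps a stray or spoofed answer from being taken as the master browser.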

Using Nmap for pentesting eDirectory

June 5th, 2011 by admin

While doing a security review the other day I came across Novell eDirectory running on Windows. It’s been a while since I last looked at eDirectory, and while it’s largely LDAP, the servers were also running the NetWare Core Protocol (NCP). I noticed that Nmap had no NCP support, so I decided to implement some basic support. I ended up writing an NCP library and the following two scripts:

  • ncp-enum-users – enumerates eDirectory users
  • ncp-serverinfo – lists some basic server information

The scripts should work against NCP running on NetWare, Linux and Windows. Here’s some sample output from both scripts:

In addition to the NCP scripts I wrote an LDAP script (ldap-novell-getpass) that extracts the plaintext password of a given user, in case the “Allow admin to retrieve passwords” option is enabled in the password policy. On success, the script returns the following result:

All of the scripts have been committed to Nmap and are available through Subversion.

Using Nmap to audit your MySQL database

June 5th, 2011 by admin

I’ve been working on an Nmap script for auditing MySQL databases against the CIS 1.0.2 benchmark for a while. I haven’t committed it to Subversion yet, but it’s available to download for anyone who feels up to testing it. While it isn’t perfect and doesn’t cover all CIS controls, it gives Nmap users a quick way to scan a database and see whether it complies with the CIS recommendations.


Pulling Cisco configs with Nmap

February 22nd, 2011 by Patrik Karlsson

A few hours ago I committed a new script created by Vikas Singhal to Nmap. It initiates a TFTP transfer of a Cisco configuration through SNMP. For this to work the device obviously needs to support the functionality, and you need to know the read-write SNMP community string (conventionally “private”), since triggering the transfer requires SNMP write access.

The script can either save the configuration to a file in a directory specified as a script argument or display it on screen. To achieve this I’ve contributed a minimal TFTP server, implemented as an Nmap NSE library. This eliminates the need to set up and configure a separate TFTP server, as it’s all taken care of transparently by Nmap.
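For readers who want to see what the receiving side of such a transfer involves, here is an added example in Python (not the NSE tftp library or the snmp-ios-config script) of a minimal TFTP write receiver per RFC 1350: the device sends a WRQ, the receiver answers ACK 0, DATA blocks 1..n follow and each is ACKed, and a block shorter than 512 bytes ends the transfer. It also re-ACKs a retransmitted block without storing it twice, and it refuses to use the WRQ filename as a path, since a device (or anything else on the network) could send `../../something`. The state machine is written as packet in, reply out, so the client packets and the router configuration fed to it here are constructed inline rather than coming from a socket.

```python
"""Receiving side of a TFTP write (RFC 1350): WRQ -> ACK 0, DATA n -> ACK n, and a
short block ends the transfer. Pure packet-in/reply-out so it can be tested without
sockets. Added example; the client packets and config below are constructed."""
import os
import struct

OP_WRQ, OP_DATA, OP_ACK, OP_ERROR = 2, 3, 4, 5
BLOCK_SIZE = 512                 # a DATA block shorter than this is the last one
ERR_ILLEGAL_OP = 4

def ack(block):
    return struct.pack(">HH", OP_ACK, block)

def error(code, msg):
    return struct.pack(">HH", OP_ERROR, code) + msg.encode() + b"\x00"

class TftpWriteReceiver:
    """Accepts one WRQ followed by DATA blocks and collects the file in memory."""

    def __init__(self):
        self.filename = None
        self.expected = 1            # next DATA block number we need
        self.chunks = []
        self.done = False

    def handle(self, pkt):
        """Process one client datagram and return the datagram to send back."""
        if len(pkt) < 4:
            return error(ERR_ILLEGAL_OP, "short packet")
        opcode = struct.unpack_from(">H", pkt, 0)[0]
        if opcode == OP_WRQ and self.filename is None:
            parts = pkt[2:].split(b"\x00")
            if len(parts) < 2 or parts[1].lower() not in (b"octet", b"netascii"):
                return error(ERR_ILLEGAL_OP, "bad WRQ")
            self.filename = parts[0].decode("ascii", "replace")
            return ack(0)                          # ACK 0 tells the client to start sending
        if opcode == OP_DATA and self.filename is not None:
            block = struct.unpack_from(">H", pkt, 2)[0]
            data = pkt[4:]
            if block == (self.expected - 1) & 0xFFFF:
                return ack(block)                  # retransmission: re-ACK, do not store again
            if self.done or block != self.expected:
                return error(ERR_ILLEGAL_OP, "unexpected block %d" % block)
            self.chunks.append(data)
            self.expected = (self.expected + 1) & 0xFFFF
            if len(data) < BLOCK_SIZE:
                self.done = True                   # short block == last block
            return ack(block)
        return error(ERR_ILLEGAL_OP, "illegal TFTP operation")

    def contents(self):
        return b"".join(self.chunks)

def safe_target_path(directory, filename):
    """Never trust the WRQ filename as a path: keep only its last component."""
    base = os.path.basename(filename.replace("\\", "/"))
    if base in ("", ".", ".."):
        raise ValueError("refusing unsafe filename %r" % filename)
    return os.path.join(directory, base)

def client_packets(filename, payload):
    """Constructed client side of a write: WRQ, then DATA blocks 1..n (last one short)."""
    pkts = [struct.pack(">H", OP_WRQ) + filename.encode() + b"\x00octet\x00"]
    blocks = [payload[i:i + BLOCK_SIZE] for i in range(0, len(payload), BLOCK_SIZE)] or [b""]
    if len(blocks[-1]) == BLOCK_SIZE:
        blocks.append(b"")                         # exact multiple of 512: empty final block
    for n, chunk in enumerate(blocks, 1):
        pkts.append(struct.pack(">HH", OP_DATA, n) + chunk)
    return pkts

def receive(packets):
    """Drive a receiver with a list of client packets; return (filename, contents, replies)."""
    rx = TftpWriteReceiver()
    replies = [rx.handle(p) for p in packets]
    if not rx.done:
        raise ValueError("transfer incomplete")
    return rx.filename, rx.contents(), replies

# Constructed sample configuration (not from a real device), large enough to span several blocks.
SAMPLE_CONFIG = (b"!\nversion 12.4\nhostname lab-rtr\n"
                 + b"!\ninterface FastEthernet0/0\n ip address 192.0.2.1 255.255.255.0\n" * 20)

if __name__ == "__main__":
    name, data, replies = receive(client_packets("lab-rtr-confg", SAMPLE_CONFIG))
    print(name, len(data), "bytes in", len(replies) - 1, "blocks")
    print("would save to", safe_target_path("/tmp/configs", name))
```

In a real server each `handle` call sits behind a UDP socket on port 69 (the reply goes back to the source address and port of the datagram, and a timer resends the last ACK if the next block does not arrive); the per-block logic above stays the same.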

To try it out you can either update from Subversion or download the tftp library and the snmp-ios-config script and place them in the nselib and scripts directories respectively. For more information on how to run the script, check out the documentation.

Nmap mssql scripts feature boost

February 22nd, 2011 by Patrik Karlsson

Chris Woodbury and I have been working on some exciting new features and enhancements to the ms-sql scripts and library in Nmap lately. We’ve been working in a separate branch which will hopefully get merged to trunk really soon. Chris’s work has been of high quality and very inspiring! It got me to pick up some of the stuff I had meant to implement but hadn’t got to, and has brought a number of great new ideas. For a good summary of the changes, consult the following nmap-dev mailing list thread.

Among the many new features and enhancements I’m really happy to see are:

  • Support for more precise version checking, using the prelogin packet (same technique as SQLPing)
  • Support for connections over named pipes, rather than TCP sockets
  • Support for integrated authentication (NTLMv1) in addition to the existing SQL authentication
  • Support for connecting to named instances in addition to specific TCP ports
  • Support for running each of the ms-sql scripts against all instances found by the discovery mechanisms

If you would like to give the scripts a run, they’re available from here and will hopefully be merged to trunk really soon.

Nmap 5.50 is out

January 28th, 2011 by admin

Nmap 5.50 is out, make sure to check it out. It contains a lot of new NSE features, including support for broadcast scripts, pre- and post-rules, and most of the scripts that I, and many others, have created during the last year. For more information check out the official post: http://seclists.org/nmap-hackers/2011/0