version2.6
casterbyte committed Apr 14, 2024
1 parent af50094 commit 7d6b50d
Showing 4 changed files with 807 additions and 456 deletions.
164 changes: 115 additions & 49 deletions README.md
@@ -2,9 +2,17 @@

Invisible protocol sniffer for finding vulnerabilities in the network. Designed for pentesters and security engineers.

Author: Magama Bazarov
![](/banner/banner.png)

![](/cover/kali-above.png)
```
Above: Invisible network protocol sniffer
Designed for pentesters and security engineers
Author: Magama Bazarov, <[email protected]>
Pseudonym: Caster
Version: 2.6
Codename: Introvert
```

# Disclaimer

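Review bot: the new fenced banner repeats the description that is already on the line above it ("Invisible network protocol sniffer" / "Designed for pentesters and security engineers"), and it hardcodes `Version: 2.6` and `Codename: Introvert`, so the README now has to be bumped by hand on every release alongside the commit title; keep either the sentence or the banner, and note where the version string lives so the two do not drift. Also the author line renders as `<[email protected]>` here, so check that the intended address survives in the rendered README.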
@@ -18,23 +26,28 @@ Author: Magama Bazarov

Above is a invisible network sniffer for finding vulnerabilities in network equipment. It is based entirely on network traffic analysis, so it does not make any noise on the air. He's invisible. Completely based on the Scapy library.

> Above allows pentesters to automate the process of finding vulnerabilities in network hardware. Discovery protocols, dynamic routing, FHRP, STP, LLMNR/NBT-NS, etc.
> Above allows pentesters to automate the process of finding vulnerabilities in network hardware. Discovery protocols, dynamic routing, 802.1Q, ICS Protocols, FHRP, STP, LLMNR/NBT-NS, etc.
## Supported protocols

Detects up to 22 protocols:
Detects up to 27 protocols:

```
MACSec
EAPOL
ARP (Passive ARP)
MACSec (802.1X AE)
EAPOL (Checking 802.1X versions)
ARP (Passive ARP, Host Discovery)
CDP (Cisco Discovery Protocol)
DTP (Dynamic Trunking Protocol)
LLDP (Link Layer Discovery Protocol)
802.1Q Tags (VLAN)
S7COMM (Siemens)
OMRON
TACACS+
ModbusTCP
STP (Spanning Tree Protocol)
OSPF (Open Shortest Path First)
EIGRP (Enhanced Interior Gateway Routing Protocol)
BGP (Border Gateway Protocol)
VRRP (Virtual Router Redundancy Protocol)
HSRP (Host Standby Redundancy Protocol)
GLBP (Gateway Load Balancing Protocol)
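Review bot: two protocol expansions in the new list are wrong. `MACSec (802.1X AE)` should read `MACsec (802.1AE)`: MACsec is IEEE 802.1AE, while 802.1X is the port-authentication protocol that the next entry (EAPOL) covers. `HSRP (Host Standby Redundancy Protocol)` should read `HSRP (Hot Standby Router Protocol)`. The count change (22 to 27) does match the five added entries (802.1Q, S7COMM, OMRON, TACACS+, ModbusTCP). Minor: the description above still says `a invisible network sniffer` followed by `He's invisible`; suggest `an invisible network sniffer` and dropping the second sentence.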
@@ -59,41 +72,41 @@ The tool is very simple in its operation and is driven by arguments:

- Interface: Specifying the network interface on which sniffing will be performed
- Timer: Time during which traffic analysis will be performed
- Output pcap: Above will record the listened traffic to `.pcap` file, its name you specify yourself
- Input pcap: The tool takes an already prepared `.pcap` as input and looks for protocols in it
- Input: The tool takes an already prepared `.pcap` as input and looks for protocols in it
- Output: Above will record the listened traffic to `.pcap` file, its name you specify yourself
- Passive ARP: Detecting hosts in a segment using Passive ARP

```
usage: above.py [-h] [--interface INTERFACE] [--timer TIMER] [--output-pcap OUTPUT_PCAP] [--input-pcap INPUT_PCAP] [--passive-arp]
usage: above.py [-h] [--interface INTERFACE] [--timer TIMER] [--output OUTPUT] [--input INPUT] [--passive-arp]
options:
-h, --help show this help message and exit
--interface INTERFACE
Interface to capture packets on
--timer TIMER Time in seconds to capture packets
--output-pcap OUTPUT_PCAP
Output filename for pcap file
--input-pcap INPUT_PCAP
Path to the input PCAP file for analysis
--passive-arp Host discovery (Passive ARP)
Interface for traffic listening
--timer TIMER Time in seconds to capture packets, if not set capture runs indefinitely
--output OUTPUT File name where the traffic will be recorded
--input INPUT File name of the traffic dump
--passive-arp Passive ARP (Host Discovery)
```

---

## Information about protocols

The information obtained will be useful not only to the attacker, but also to the security engineer, he will know what he needs to pay attention to.
The information obtained will be useful not only to the pentester, but also to the security engineer, he will know what he needs to pay attention to.

When Above detects a protocol, it outputs the necessary information to indicate the attack vector or security issue:

- Impact: What kind of attack can be performed on this protocol;

- Tools: What tool can be used to launch an attack;

- Technical information: Required information for the attacker, sender IP addresses, FHRP group IDs, OSPF/EIGRP domains, etc.
- Technical information: Required information for the pentester, sender MAC/IP addresses, FHRP group IDs, OSPF/EIGRP domains, etc.

- Mitigation: Recommendations for fixing the security problems

- Source/Destination Addresses: For protocols, Above displays information about the source and destination MAC addresses and IP addresses

---

# Installation
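Review bot: renaming `--output-pcap` / `--input-pcap` to `--output` / `--input` breaks every existing invocation and wrapper script, but nothing in this hunk says so; add a sentence under the usage block stating that the old flag names were removed in 2.6, or keep them as hidden argparse aliases for one release. Minor: the bullet list now puts `Input` before `Output` while the usage line lists `--output` before `--input`; order them the same way.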
@@ -140,66 +153,119 @@ P:\above>python above.py --help

> The development of this version of Above was based on Python version **3.11.6**, Scapy version **2.5.0.dev212**
# Windows Compatibility

Above can also work on Windows, provided the winpcap driver is installed, without which sniffing with Scapy is impossible.

You can use [auto-py-to-exe](https://pypi.org/project/auto-py-to-exe/) to compile the .py script

# How to Use

First, it's worth switching the interface to promiscuous mode
## Hot mode

> Above requires root access for sniffing
Above can be run with or without a timer:

```bash
caster@kali:~$ sudo ip link set eth0 promisc on
caster@kali:~$ sudo above --interface eth0 --timer 120
```
> To stop traffic sniffing, press CTRL + С
>
> WARNING! Above is not designed to work with tunnel interfaces (L3) due to the use of filters for L2 protocols. Tool on tunneled L3 interfaces may not work properly.
Above requires at least an interface and a timer at startup. Choose the timer from your calculations.
Example:

```bash
caster@kali:~$ sudo above --interface eth0 --timer 120

-----------------------------------------------------------------------------------------
[+] Start sniffing...

[*] After the protocol is detected - all necessary information about it will be displayed
--------------------------------------------------
[+] Detected SSDP Packet
[*] Attack Impact: Potential for UPnP Device Exploitation
[*] Tools: evil-ssdp
[*] SSDP Source IP: 192.168.0.251
[*] SSDP Source MAC: 02:10:de:64:f2:34
[*] Mitigation: Ensure UPnP is disabled on all devices unless absolutely necessary, monitor UPnP traffic
--------------------------------------------------
[+] Detected MDNS Packet
[*] Attack Impact: MDNS Spoofing, Credentials Interception
[*] Tools: Responder
[*] MDNS Spoofing works specifically against Windows machines
[*] You cannot get NetNTLMv2-SSP from Apple devices
[*] MDNS Speaker IP: fe80::183f:301c:27bd:543
[*] MDNS Speaker MAC: 02:10:de:64:f2:34
[*] Mitigation: Filter MDNS traffic. Be careful with MDNS filtering
--------------------------------------------------
```
> To stop traffic sniffing, press CTRL + С

If you need to record the sniffed traffic, use the `--output-pcap` argument
If you need to record the sniffed traffic, use the `--output` argument

```bash
caster@kali:~$ sudo above --interface eth0 --timer 120 --output-pcap dump.pcap
caster@kali:~$ sudo above --interface eth0 --timer 120 --output above.pcap
```
> By specifying only the --interface and --output-pcap - Above will also be able to start, without a timer
> If you interrupt the tool with CTRL+C, the traffic is still written to the file
## Cold mode

If you already have some recorded traffic, you can use the `--input-pcap` argument to look for potential security issues
If you already have some recorded traffic, you can use the `--input` argument to look for potential security issues

```bash
caster@kali:~$ above --input-pcap dump.pcap
caster@kali:~$ above --input ospf-md5.cap
```

Example:

```bash
caster@kali:~$ sudo above --input ospf-md5.cap

[+] Analyzing pcap file...

--------------------------------------------------
[+] Detected OSPF Packet
[+] Attack Impact: Subnets Discovery, Blackhole, Evil Twin
[*] Tools: Loki, Scapy, FRRouting
[*] OSPF Area ID: 0.0.0.0
[*] OSPF Neighbor IP: 10.0.0.1
[*] OSPF Neighbor MAC: 00:0c:29:dd:4c:54
[!] Authentication: MD5
[*] Tools for bruteforce: Ettercap, John the Ripper
[*] OSPF Key ID: 1
[*] Mitigation: Enable passive interfaces, use authentication
--------------------------------------------------
[+] Detected OSPF Packet
[+] Attack Impact: Subnets Discovery, Blackhole, Evil Twin
[*] Tools: Loki, Scapy, FRRouting
[*] OSPF Area ID: 0.0.0.0
[*] OSPF Neighbor IP: 192.168.0.2
[*] OSPF Neighbor MAC: 00:0c:29:43:7b:fb
[!] Authentication: MD5
[*] Tools for bruteforce: Ettercap, John the Ripper
[*] OSPF Key ID: 1
[*] Mitigation: Enable passive interfaces, use authentication
```

> WARNING! Above is not designed to work with tunnel interfaces (L3) due to the use of filters for L2 protocols. Tool on tunneled L3 interfaces may not work properly.


# Passive ARP

The tool can detect hosts without noise in the air by processing ARP frames in passive mode

```bash
caster@kali:~$ sudo above --interface eth0 --passive-arp
caster@kali:~$ sudo above --interface eth0 --passive-arp --timer 10

[+] Host discovery using Passive ARP

┌─────────────────────────────────────┐
Detected Host │
├─────────────────────────────────────┤
│ Host IP Address: 192.168.0.251 │
│ Host MAC Address: 02:10:de:64:f2:32 │
└─────────────────────────────────────┘
┌─────────────────────────────────────┐
Detected Host │
├─────────────────────────────────────┤
│ Host IP Address: 192.168.0.213 │
│ Host MAC Address: 00:0c:27:7f:2b:c6 │
└─────────────────────────────────────┘

--------------------------------------------------
[+] Detected ARP Reply
[*] Attack Impact: ARP Spoofing
[*] Tools: Ettercap
[*] ARP Reply for IP: 192.168.1.88
[*] MAC Address: 00:00:0c:07:ac:c8
--------------------------------------------------
[+] Detected ARP Reply
[*] Attack Impact: ARP Spoofing
[*] Tools: Ettercap
[*] ARP Reply for IP: 192.168.1.40
[*] MAC Address: 00:0c:29:c5:82:81
--------------------------------------------------
```

# Outro
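Review bot: the Hot mode text contradicts itself. `Above requires at least an interface and a timer at startup` comes right after `Above can be run with or without a timer`, and the help text earlier in this file says capture runs indefinitely when `--timer` is not set; drop the "requires ... a timer" sentence. Further points in this hunk: `CTRL + С` uses a Cyrillic С in both places (should be ASCII `C`); the Cold mode example runs `sudo above --input ospf-md5.cap` while the line just above runs it without `sudo`, and parsing a pcap needs no root, so drop the `sudo` there; the L3/tunnel-interface WARNING was moved below Cold mode, where it does not apply, since it concerns live capture and belongs under Hot mode; `winpcap` is deprecated and current Scapy on Windows expects Npcap, so name Npcap instead; and in the OSPF sample output the `Mitigation: ... use authentication` line is shown for a packet already flagged `Authentication: MD5`, so the recommendation for that case should be about key strength and rotation rather than enabling authentication.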

0 comments on commit 7d6b50d