Passer

Passer

A Passive Sniffer and Inventory Tool

About Passer

As a network security professional, one of my biggest frustrations has been knowing what’s on my network. In addition to the normal laptops, desktops, and servers that should be there, people can add their own devices as soon as they have the wifi password or access to an ethernet port. I’d like to know what’s connected – both approved and non-approved devices – so we can identify systems that may need to be patched, hardened, or removed.

Agent-based software can’t completely perform this kind of inventory – we need to know what’s there before we can install an agent, and may not have agents (or be able to install software at all) for many devices. The better approaches are active scans and passive detection.

Here’s where Passer steps in – it can give you an inventory of what’s on your network entirely passively.

 

Primary Features

  • Identifies systems and services on a network
  • Extracts multiple types of system names
  • Identification of the application and operating system from service banners
  • Automatically tracks some malicious activity
  • Passive – no outbound traffic generated by default
  • Runs on MacOS and Linux
  • Can analyze packet capture files and live network feeds
  • No configuration needed
  • Multiprocessor support
  • Simple output format designed for easy import into other systems

 

Download Details

Passer is available at https://github.com/activecm/passer and http://www.stearns.org/passer

How To Run:

Passer is available as a docker image with all necessary support files preinstalled:

sudo docker pull quay.io/activecm/passer

That will install the current image – rerun this if you want to check for an updated image. Now run:

sudo docker run --rm -i --name=passer --net=host quay.io/activecm/passer

This will listen on all network interfaces. Within a few seconds, you should see records going to your screen describing systems on your network that broadcast their presence. If you start up a web browser and go to a system on the Internet, you should also see records for that DNS lookup and that connection.

To stop the sniffing, run:

docker kill passer

from another window on that system.

If running under docker isn’t appropriate, you can install from source. See https://github.com/activecm/passer/ , which has install instructions for both Debian-based and rpm-based Linux systems. That page also has the additional options to use to either read packets from a pcap file or save the output lines to a csv file.

 

Additional Resources

Blog Posts:

Passer, a Passive Sniffer and Inventory Tool

Webcasts:

Passer – Effortless Network Knowledge!

Our Threat Hunting Tools

 

Bill Stearns, the author of this page, is also Passer’s author. Many thanks to Active Countermeasures, Chris Brenton, Ethan Robish, and John Strand for their support of this project.

You may also be interested in: