Passer, a Passive Sniffer and Inventory Tool
What’s on my network?
As a network security professional, one of my biggest frustrations has been knowing what’s on my network. In addition to the normal laptops, desktops, and servers that should be there, people can add their own devices as soon as they have the wifi password or access to an ethernet port. I’d like to know what’s connected – both approved and non-approved devices – so we can identify systems that may need to be patched, hardened, or removed.
Agent-based software can’t completely perform this kind of inventory – we need to know what’s there before we can install an agent, and may not have agents (or be able to install software at all) for many devices. The better approaches are active scans and passive detection.
Here’s where Passer steps in – it can give you an inventory of what’s on your network entirely passively. Let’s first look at what kind of information it provides, then I’ll show you how to get running with it in under a minute.
What does it report?
Passer listens on a network interface of a Linux or Mac system [1] and writes its output to the screen. If you use the “-l” option to “log to disk”, all these lines are saved to a text file as well.
Each line has 5 fields, separated by commas:
TS,220.127.116.11,TCP_80,listening,http://p/nginx/ v/1.4.6/ i/Ubuntu/ o/Linux/ cpe:/a:igor_sysoev:nginx:1.4.6/ cpe:/o:canonical:ubuntu_linux/ cpe:/o:linux:linux_kernel/a
DN,2600:2000:1001:0000:0000:0000:0000:0015,AAAA,ns3.markmonitor.com.,
DN,fe80:0000:0000:0000:189f:545b:7d4c:eeb8,PTR,Apple TV._device-info._tcp.local.,model=J105aA
The first field is a two-character record type; the lines above are reports of a TCP server and two DNS records. The second column is the IP address, the third is the resource we’re reporting on, and the fourth is its “state”. The 5th column contains any additional information on this record; in the TS line above, we get additional information on the specific server software and libraries being run on that machine.
The “resource” is some characteristic of that machine. In the first example line above, “TCP_80” is TCP port 80 on 18.104.22.168. The “listening” immediately to its right says the port is ready to accept connections, meaning this system is likely running a web server on port 80. The additional data in the 5th column supports this – it’s running Nginx 1.4.6, a popular web server, on Ubuntu Linux.
In the second example line, the “resource” is the connection between a name and its IPv6 address: an “AAAA” record. Read this as “If I looked up ns3.markmonitor.com, I’d get the IPv6 address 2600:2000:1001:0000:0000:0000:0000:0015.”
The third example line also associates an IPv6 address with a name, but goes in the other direction. The “PTR” example line can be read as “If I looked up which name is associated with fe80:0000:0000:0000:189f:545b:7d4c:eeb8, I’d get ‘Apple TV._device-info._tcp.local.’.”
|Type|IPAddr|Proto|State|Optional description (may be empty)|
|---|---|---|---|---|
|‘IP’|IPaddr|‘IP’|dead or live|OS description|
|‘MA’|IPaddr|‘Ethernet’|MacAddr|Ethernet card manufacturer|
|‘TC’|IPaddr|‘TCP_’Port|closed or open|client description|
|‘TS’|IPaddr|‘TCP_’Port|closed or listening|server description|
|‘UC’|IPaddr|‘UDP_’Port|open or closed|udp client port description|
|‘US’|IPaddr|‘UDP_’Port|open or closed|udp server port description|
|‘DN’|IPaddr|‘A’ or ‘PTR’|hostname|possible extra info|
|‘RO’|IPaddr|‘TTLEx’|router|possible extra info|
We chose this record format not for its ease on human eyes, but because it’s easily imported and processed by tools you already have. Comma-separated (“csv”) files can be directly imported into spreadsheets, pulled into databases, sent in an email or text document, and processed by standard command line tools (see https://github.com/activecm/passer for some examples of this).
Passer can report on TCP and UDP Clients and Servers, DNS records (including local broadcasts that advertise services, like the Apple TV line above), Routers, Ethernet devices (many with the manufacturer identified to make it easier to find the device), other device names, and more.
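Because the output is plain CSV, turning it into an inventory is a short script. The example below is added here and is not part of Passer or the activecm repository; it parses the five-field records described above, groups them by IP address (listening ports, names and any OS/application hints), and lists the addresses that are not on an approved-host list. The three sample records are the ones quoted in this post (addresses as printed there); the approved-host set and the file name passer.csv are constructed for the example.

```python
"""Turn Passer's 5-field CSV records into a per-host inventory and flag
addresses that are not on an approved list.

Added example, not part of Passer itself. Record layout follows the table
in the post: type, IP address, resource, state, optional description.
"""
import sys
from collections import defaultdict

# Constructed sample: the three records quoted in the post, one per line.
SAMPLE_OUTPUT = """\
TS,220.127.116.11,TCP_80,listening,http://p/nginx/ v/1.4.6/ i/Ubuntu/ o/Linux/ cpe:/a:igor_sysoev:nginx:1.4.6/ cpe:/o:canonical:ubuntu_linux/ cpe:/o:linux:linux_kernel/a
DN,2600:2000:1001:0000:0000:0000:0000:0015,AAAA,ns3.markmonitor.com.,
DN,fe80:0000:0000:0000:189f:545b:7d4c:eeb8,PTR,Apple TV._device-info._tcp.local.,model=J105aA
"""

# Constructed allow-list of addresses we expect to see on this network.
APPROVED = {"220.127.116.11"}


def parse_record(line):
    """Split one Passer line into a dict of its five fields.

    Only the first four commas are treated as separators: everything after
    the fourth comma is the free-form description, which may itself contain
    commas (manufacturer strings, service text). Blank lines yield None.
    """
    line = line.rstrip("\r\n")
    if not line:
        return None
    parts = line.split(",", 4)
    if len(parts) < 4:
        raise ValueError("malformed Passer record: %r" % line)
    while len(parts) < 5:            # description may be absent entirely
        parts.append("")
    rec_type, ip, resource, state, desc = parts
    return {"type": rec_type, "ip": ip, "resource": resource,
            "state": state, "description": desc}


def build_inventory(lines):
    """Group records by IP: listening ports, names, and OS/app/vendor hints."""
    hosts = defaultdict(lambda: {"listening": set(), "names": set(), "hints": set()})
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        host = hosts[rec["ip"]]
        if rec["type"] in ("TS", "US") and rec["state"] in ("listening", "open"):
            # A server-side port that accepts traffic: part of the host's exposure.
            host["listening"].add(rec["resource"])
        elif rec["type"] == "DN":
            # A/AAAA/PTR records all tie this address to a name; the name is
            # carried in the state field.
            host["names"].add(rec["state"])
        elif rec["type"] == "MA":
            host["mac"] = rec["state"]
        if rec["description"]:
            host["hints"].add(rec["description"])
    return dict(hosts)


def unapproved_hosts(inventory, approved):
    """Addresses seen on the wire that are not in the approved set, sorted."""
    return sorted(ip for ip in inventory if ip not in approved)


if __name__ == "__main__":
    # Usage: python3 inventory.py [passer.csv]  (file written with Passer's -l)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            inventory = build_inventory(fh)
    else:
        inventory = build_inventory(SAMPLE_OUTPUT.splitlines())
    for ip, info in sorted(inventory.items()):
        print(ip, sorted(info["listening"]), sorted(info["names"]))
    print("not on approved list:", unapproved_hosts(inventory, APPROVED))
```

Matching on IP address is the simplest check, but on a DHCP network a device’s address changes; when Passer emits “MA” records the same inventory carries the MAC address, which is a steadier key for an approved-device list.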
How to run
Passer is available as a docker image with all necessary support files preinstalled:
sudo docker pull quay.io/activecm/passer
That will install the current image – rerun this if you want to check for an updated image. Now run:
sudo docker run --rm -i --name=passer --net=host quay.io/activecm/passer
This will listen on all network interfaces. Within a few seconds, you should see records going to your screen describing systems on your network that broadcast their presence. If you start up a web browser and go to a system on the Internet, you should also see records for that DNS lookup and that connection.
To stop the sniffing, run:
docker kill passer
from another window on that system.
If running under docker isn’t appropriate, you can install from source. See https://github.com/activecm/passer/ , which has install instructions for both Debian-based and rpm-based Linux systems. That page also lists the additional options for reading packets from a pcap file or saving the output lines to a csv file.
Taking this to the next level
Passer will report on whatever traffic shows up at your system’s Ethernet interface. The quirk is that not all your network traffic shows up at your system.
In our test run above, Passer was listening on your (wired or wireless) Ethernet port. This gives it access to 1) Outbound traffic originating at this system (and responses), 2) Inbound traffic destined to this system (and this system’s responses), and 3) Broadcast packets. Because switches won’t normally hand us packets destined to other machines, we won’t see traffic to and from the other hosts on this network (unless that traffic falls in one of the above categories).
To see all the traffic, including traffic to/from other network systems, you need to convince the network to send it all to you. To do this, you’ll need a port on your switch that gets a copy of all packets sent to all the other ports; this is called a span port or mirror port. You’ll connect an ethernet cable to this span port and an ethernet port on your system. Once you’ve told your switch to send all other packets to this port, you’ll start to see all switch traffic arriving at your sniffing system too.
Routers with this ability used to cost thousands of dollars; they can be bought for under $100 now [2]. The less expensive ones are more likely to drop packets, but they certainly can be used for small networks or for testing Passer out on a large network before you commit to buying more capable gear.
Bill Stearns, the author of this blog, is also Passer’s author. Many thanks to Active Countermeasures, Chris Brenton, Ethan Robish, and John Strand for their support of this project.
[1] As we’ll see in a minute, it stands a reasonably good chance of running on any system with Docker. If directly listening to a network interface isn’t possible or allowed, it runs equally well with a pcap file for input.
[2] I’ve had good luck with the Netgear Prosafe GS108T ( https://www.amazon.com/gp/product/B003KP8VSK/ ). Note, you must get the managed switch.
Bill has authored numerous articles and tools for client use. He also serves as a content author and faculty member at the SANS Institute, teaching the Linux System Administration, Perimeter Protection, Securing Linux and Unix, and Intrusion Detection tracks. Bill’s background is in network and operating system security; he was the chief architect of one commercial and two open source firewalls and is an active contributor to multiple projects in the Linux development effort. Bill’s articles and tools can be found in online journals and at http://github.com/activecm/ and http://www.stearns.org.