Wednesday, November 11, 2009

Sample Program--Stroke

Stroke is a simple, passive reconnaissance tool that highlights the libpcap component. Stroke sits quietly on a network, captures every IP packet it sees, and displays each packet's source MAC address along with the corresponding Organizationally Unique Identifier (OUI) label. An OUI is a 3-byte value assigned by the Institute of Electrical and Electronics Engineers (IEEE) and referenced by various standards, including the 802 LAN protocols such as Ethernet, where the OUI forms the first 3 bytes of the Media Access Control (MAC) address. Corresponding to every OUI is a "company id" string describing the manufacturer of the network interface.


Stroke is useful for network device enumeration for a variety of purposes. From a security practitioner's perspective, it is useful for learning about new devices as they appear on the network and checking them against what is allowed. From a security consultant's perspective, it is useful for silently listing devices across the network and performing rudimentary operating system (OS) and architecture detection. To be useful, Stroke should be run on a non-switched local network; otherwise, it will only capture broadcast traffic. For those in the know, Stroke is a simple, scaled-down, arpwatch-like tool.


Stroke uses the live packet capturing, packet filtering, and statistics functionality of libpcap, which is, generally speaking, its most useful functionality. The program keeps a hashtable of all the MAC addresses it sees across the network and reports a given MAC address only once. The program sorts the large OUI table and searches it with a binary search algorithm. The program keys the hashtable directly and accesses it in O(1) time. A balanced binary tree (which we can assume in this case) can be searched in roughly O(log N) time. Stroke has run on an extremely large and busy layer-2 switched network, capturing about 4 million packets and storing about 2500 unique entries in a 24-hour run. Stroke accepts two optional command-line arguments: -I, which tells the program to print IP addresses along with MAC addresses, and -i <device>, which specifies the capture device to use. If no device is specified, libpcap tries to find one on its own. A sample invocation across a college campus network is as follows:



tradecraft:~# stroke
Stroke 1.0 [passive MAC -> OUI mapping tool]
<ctrl-c> to quit
00:a0:c9:e5:65:0a -> INTEL CORPORATION - HF1-06
00:50:04:0b:72:33 -> 3COM CORPORATION
00:06:5b:19:31:ac -> Dell Computer Corp.
00:02:2d:38:b8:40 -> Agere Systems
00:02:2d:00:3a:39 -> Agere Systems
00:01:03:7d:0f:87 -> 3COM CORPORATION
00:04:00:14:12:ca -> LEXMARK INTERNATIONAL, INC.
00:02:2d:39:41:39 -> Agere Systems
00:10:a4:fe:63:3b -> XIRCOM
^CInterrupt signal caught

Packets received by libpcap: 54
Packets dropped by libpcap: 0
Unique MAC addresses stored: 9

As you can see, Stroke found nine unique MAC addresses on the network. Some of the OUI strings are indicative of the types of machines across the network. The 3COM and Intel strings are probably PCI network cards in PCs; the Dell string almost certainly refers to a Dell desktop computer with onboard Ethernet; and the Lexmark OUI probably refers to a networked printer.
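The capture loop itself needs libpcap, but the two data structures the text describes can be shown without it. The following is an added example, not Stroke's own source: it does the per-frame work the pcap callback would do on a constructed Ethernet frame, reports each source MAC only once through a directly keyed hash set, and maps the OUI to a vendor string with bsearch() over a sorted table. The table entries are taken from the sample run above; the function names and the tiny table size are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed OUI table (entries from the sample run above), sorted by 24-bit
 * OUI so bsearch() applies; a real table has tens of thousands of rows. */
struct oui_entry { uint32_t oui; const char *vendor; };
static const struct oui_entry oui_table[] = {
    {0x000103, "3COM CORPORATION"},            {0x00022d, "Agere Systems"},
    {0x000400, "LEXMARK INTERNATIONAL, INC."}, {0x00065b, "Dell Computer Corp."},
    {0x0010a4, "XIRCOM"},                      {0x005004, "3COM CORPORATION"},
    {0x00a0c9, "INTEL CORPORATION - HF1-06"},
};
static int oui_cmp(const void *key, const void *elem) {
    uint32_t k = *(const uint32_t *)key, e = ((const struct oui_entry *)elem)->oui;
    return (k > e) - (k < e);
}
/* Map the first three bytes of a MAC to its vendor string in O(log N). */
const char *oui_lookup(const uint8_t mac[6]) {
    uint32_t key = ((uint32_t)mac[0] << 16) | ((uint32_t)mac[1] << 8) | mac[2];
    const struct oui_entry *e = bsearch(&key, oui_table,
        sizeof oui_table / sizeof *oui_table, sizeof *oui_table, oui_cmp);
    return e ? e->vendor : "unknown";
}
/* Open-addressing hash set of MACs already reported, keyed directly by the
 * low 32 bits of the address. Returns 1 if already present, 0 if inserted. */
#define SEEN_SLOTS 1024
static uint8_t seen[SEEN_SLOTS][6]; static int seen_used[SEEN_SLOTS];
int mac_seen_or_insert(const uint8_t mac[6]) {
    uint32_t h = (((uint32_t)mac[2] << 24) | ((uint32_t)mac[3] << 16) |
                  ((uint32_t)mac[4] << 8) | mac[5]) % SEEN_SLOTS;
    for (uint32_t i = 0; i < SEEN_SLOTS; i++) {
        uint32_t s = (h + i) % SEEN_SLOTS;
        if (!seen_used[s]) { memcpy(seen[s], mac, 6); seen_used[s] = 1; return 0; }
        if (memcmp(seen[s], mac, 6) == 0) return 1;
    }
    return 1; /* table full: treat as seen rather than looping forever */
}
/* Per-frame work the libpcap callback would do: Ethernet header is dst(6)
 * src(6) type(2); only IP (0x0800) counts, each source MAC reported once. */
int handle_frame(const uint8_t *frame, size_t len, char *line, size_t linelen) {
    if (len < 14 || ((frame[12] << 8) | frame[13]) != 0x0800) return 0;
    const uint8_t *src = frame + 6;
    if (mac_seen_or_insert(src)) return 0; /* already reported */
    snprintf(line, linelen, "%02x:%02x:%02x:%02x:%02x:%02x -> %s", src[0], src[1],
             src[2], src[3], src[4], src[5], oui_lookup(src));
    return 1; /* caller prints `line` */
}
```

A real Stroke would call handle_frame() from the pcap_loop() callback and also add the IP source address when -I is given.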