Message-ID: <5554E0F1.3020705@bp.iij4u.or.jp>
Date: Fri, 15 May 2015 02:52:49 +0900
From: Eiji James Yoshida <ptrs-ejy@...iij4u.or.jp>
To: fulldisclosure@...lists.org
Subject: [FD] How to detect a promiscuous interface by using WMIC

Hello all,

You can detect a promiscuous interface if you use Windows Management 
Instrumentation Command-line (WMIC).

You don't need PromiscDetect and Promqry.

# Command
wmic /NAMESPACE:\\root\wmi PATH MSNdis_CurrentPacketFilter GET

# NDIS_PACKET_TYPE
00000001     1      DIRECTED
00000010     2      MULTICAST
00000100     4      ALL_MULTICAST
00001000     8      BROADCAST
00010000     16     SOURCE_ROUTING
00100000     32     PROMISCUOUS

00001011     11     DIRECTED(1), MULTICAST(2), BROADCAST(8)
00101011     43     DIRECTED(1), MULTICAST(2), BROADCAST(8), PROMISC(32)

# Non-promisc
C:\>wmic /NAMESPACE:\\root\wmi PATH MSNdis_CurrentPacketFilter GET
Active  InstanceName                             NdisCurrentPacketFilter
TRUE    Microsoft ISATAP Adapter                 0
TRUE    Teredo Tunneling Pseudo-Interface        0
TRUE    Intel(R) PRO/1000 MT Network Connection  11 <- Non-promisc
TRUE    WAN Miniport (Network Monitor)           0
TRUE    WAN Miniport (IP)                        0
TRUE    WAN Miniport (IPv6)                      0
TRUE    RAS Async Adapter                        0

# Promisc
C:\>wmic /NAMESPACE:\\root\wmi PATH MSNdis_CurrentPacketFilter GET
Active  InstanceName                             NdisCurrentPacketFilter
TRUE    Microsoft ISATAP Adapter                 0
TRUE    Teredo Tunneling Pseudo-Interface        0
TRUE    Intel(R) PRO/1000 MT Network Connection  43 <- Promisc!!!
TRUE    WAN Miniport (Network Monitor)           0
TRUE    WAN Miniport (IP)                        0
TRUE    WAN Miniport (IPv6)                      0
TRUE    RAS Async Adapter                        0

- How to detect a promiscuous interface by using WMIC
   http://d.hatena.ne.jp/EijiYoshida/20150514/1431621603

-- 
Eiji James Yoshida
Security Professionals Network Inc.
http://www.sec-pro.net/
http://d.hatena.ne.jp/EijiYoshida/

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
