today i wrote a thing for that tabletop im doing next week.
its just a tcpdump parser, but its functionally an inventory/asset discovery tool. it builds a list of discovered hosts and nabs additional packets from them that leak what they are and what they do. the endpoint its running on is a gl.inet slate-ax. inside of 30 seconds its told me more about the lan than nmap could in ten times as long.
im blown away
@Viss Does it need to be listening on that host, or do you just feed it pcaps from whatever's listening?
@tim_lavoie well at present you pipe tcpdump stdout into it, so in theory if you pcapped the right way you could totally play back a pcap into it
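An added example, not the parser from the original post, to show the shape of the tool being described: a Python script that reads the standard output of `tcpdump -nn -e -l` on stdin (the pipeline described in the reply above) and builds a per-MAC inventory from what hosts volunteer on the wire, with no active probing: ARP sender pairs, SYN-ACKs that reveal listening ports, mDNS questions and answers, DHCP requests and SSDP searches. The sample lines are constructed in the style of tcpdump's text output, and the `br-lan` interface name in the usage comment is an assumption for an OpenWrt-style router.

```python
"""Passive LAN inventory built from `tcpdump -nn -e -l` text output.

Usage on the capture box (constructed example, interface name is an assumption):
    tcpdump -i br-lan -nn -e -l 2>/dev/null | python3 passive_inventory.py

The script only records the Ethernet *source* of each frame, so a host enters
the inventory because it transmitted, not because someone addressed it.
"""
import re
import sys
from collections import defaultdict

# Frame header as printed with -e: "ts srcmac > dstmac, ethertype X (0x....), length N: body"
ETH_RE = re.compile(
    r"^\S+ (?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), "
    r"ethertype (?P<etype>\w+) \(0x[0-9a-f]+\), length \d+: (?P<body>.*)$"
)
# IPv4 body with -nn: "a.b.c.d.sport > e.f.g.h.dport: rest"
IP4_RE = re.compile(
    r"^(?P<sip>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dip>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$"
)
# ARP bodies: "Request who-has X tell Y" (Y is the sender) or "Reply Y is-at mac"
ARP_RE = re.compile(
    r"^(?:Request who-has \S+ tell (?P<req_ip>\d+\.\d+\.\d+\.\d+)"
    r"|Reply (?P<rep_ip>\d+\.\d+\.\d+\.\d+) is-at)"
)
# DNS-SD service names as tcpdump prints them inside mDNS records, e.g. "_ipp._tcp.local."
MDNS_SVC_RE = re.compile(r"(_[a-z0-9-]+\._(?:tcp|udp)\.local)")


def parse_line(line):
    """Return (source_mac, source_ip_or_None, [hints]) for one tcpdump line, or None."""
    m = ETH_RE.match(line.strip())
    if not m:
        return None
    mac, etype, body = m["smac"], m["etype"], m["body"]
    ip, hints = None, []
    if etype == "ARP":
        a = ARP_RE.match(body)
        if a:
            ip = a["req_ip"] or a["rep_ip"]
            hints.append("arp")
    elif etype == "IPv4":
        p = IP4_RE.match(body)
        if not p:
            return (mac, None, hints)
        sport, dport, rest = int(p["sport"]), int(p["dport"]), p["rest"]
        if p["sip"] != "0.0.0.0":          # DHCP DISCOVER has no usable source address yet
            ip = p["sip"]
        if rest.startswith("Flags [S.]"):  # SYN-ACK: the sender is listening on sport
            hints.append(f"listens:tcp/{sport}")
        elif rest.startswith("Flags [S]"):  # SYN: the sender uses a service on dport
            hints.append(f"client-of:tcp/{dport}")
        elif 5353 in (sport, dport):        # mDNS: a question ("?") or an answer record
            kind = "mdns-asks" if "?" in rest else "mdns-offers"
            hints += [f"{kind}:{svc}" for svc in MDNS_SVC_RE.findall(rest)]
        elif "BOOTP/DHCP" in rest:
            hints.append("dhcp-client" if dport == 67 else "dhcp-server")
        elif dport == 1900:                 # SSDP M-SEARCH traffic to the UPnP multicast group
            hints.append("ssdp-client")
    return (mac, ip, hints)


def build_inventory(lines):
    """Fold parsed lines into {mac: {"ips": [...], "hints": [...]}} with sorted, deduplicated values."""
    inv = defaultdict(lambda: {"ips": set(), "hints": set()})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        mac, ip, hints = parsed
        if ip:
            inv[mac]["ips"].add(ip)
        inv[mac]["hints"].update(hints)
    return {mac: {"ips": sorted(e["ips"]), "hints": sorted(e["hints"])} for mac, e in inv.items()}


# Constructed sample in the style of `tcpdump -nn -e -l` output (not a real capture).
SAMPLE_LINES = [
    "12:00:01.000001 aa:bb:cc:00:00:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.168.8.1 tell 192.168.8.20, length 46",
    "12:00:01.000002 aa:bb:cc:00:00:fe > aa:bb:cc:00:00:01, ethertype ARP (0x0806), length 60: Reply 192.168.8.1 is-at aa:bb:cc:00:00:fe, length 46",
    "12:00:02.000003 aa:bb:cc:00:00:01 > aa:bb:cc:00:00:fe, ethertype IPv4 (0x0800), length 74: 192.168.8.20.51234 > 192.168.8.1.22: Flags [S], seq 1, win 64240, options [mss 1460], length 0",
    "12:00:02.000004 aa:bb:cc:00:00:fe > aa:bb:cc:00:00:01, ethertype IPv4 (0x0800), length 74: 192.168.8.1.22 > 192.168.8.20.51234: Flags [S.], seq 2, ack 2, win 65160, options [mss 1460], length 0",
    "12:00:03.000005 aa:bb:cc:00:00:02 > 01:00:5e:00:00:fb, ethertype IPv4 (0x0800), length 120: 192.168.8.55.5353 > 224.0.0.251.5353: 0 PTR (QM)? _ipp._tcp.local. (36)",
    "12:00:03.000006 aa:bb:cc:00:00:03 > 01:00:5e:00:00:fb, ethertype IPv4 (0x0800), length 140: 192.168.8.56.5353 > 224.0.0.251.5353: 0*- [0q] 1/0/0 PTR Printer._ipp._tcp.local. (60)",
    "12:00:04.000007 aa:bb:cc:00:00:04 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from aa:bb:cc:00:00:04, length 300",
    "12:00:05.000008 aa:bb:cc:00:00:05 > 01:00:5e:7f:ff:fa, ethertype IPv4 (0x0800), length 175: 192.168.8.77.49152 > 239.255.255.250.1900: UDP, length 133",
]


def main():
    inv = build_inventory(sys.stdin)
    for mac, e in sorted(inv.items()):
        print(f"{mac}  {','.join(e['ips']) or '-':<16}  {' '.join(e['hints'])}")


if __name__ == "__main__":
    main()
```

Because the script only reads stdin, replaying a saved capture is just `tcpdump -nn -e -l -r saved.pcap | python3 passive_inventory.py`; the packet-selection decisions (which ports and record types to treat as fingerprints) live in `parse_line` and are the part worth extending for a given environment.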
@Viss Ah, OK. I did some work on a fun side-project through work a few years back, with the idea of flagging any attempts to use unallocated (dark) IP space. Basically something that would run as a Docker container on one interface, but noting details to be syslogged somewhere on another. Not sure it got used, but did work.
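As an added example of the dark-space idea in the reply above, and not tim_lavoie's own tool: a Python script that reads `tcpdump -nn -l` text from stdin, flags any packet whose destination falls inside the organisation's address range but outside every subnet that is actually allocated, and hands the result to a syslog collector. The address plan and the sample lines are constructed, and the collector address is a placeholder.

```python
"""Flag traffic aimed at unallocated ("dark") address space in `tcpdump -nn -l` output.

Usage (constructed example): tcpdump -i eth0 -nn -l 'dst net 10.0.0.0/8' | python3 darkspace.py
Nothing legitimate should ever talk to an address nobody has been given, so each hit is
worth a log line, and one source touching many dark addresses looks like a sweep.
"""
import ipaddress
import logging
import logging.handlers
import re
import sys

# tcpdump IPv4 line without -e: "ts IP src[.port] > dst[.port]: rest"  (ICMP lines have no ports)
IP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<sip>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dip>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: (?P<rest>.*)$"
)

# Constructed address plan: the block the org owns, and the subnets handed out inside it.
MONITORED = ipaddress.ip_network("10.0.0.0/8")
ALLOCATED = [ipaddress.ip_network(n) for n in ("10.1.0.0/16", "10.2.10.0/24", "10.2.20.0/24")]


def is_dark(ip_str, monitored=MONITORED, allocated=ALLOCATED):
    """True when the address is inside the monitored block but in no allocated subnet."""
    ip = ipaddress.ip_address(ip_str)
    return ip in monitored and not any(ip in net for net in allocated)


def scan(lines, monitored=MONITORED, allocated=ALLOCATED):
    """Yield one alert dict per packet aimed at dark space; unparseable lines are skipped."""
    for line in lines:
        m = IP_RE.match(line.strip())
        if not m or not is_dark(m["dip"], monitored, allocated):
            continue
        yield {
            "ts": m["ts"],
            "src": m["sip"],
            "dst": m["dip"],
            "dport": int(m["dport"]) if m["dport"] else None,
            # first comma-separated token is enough to tell SYN / UDP / ICMP apart
            "proto": m["rest"].split(",")[0],
        }


def dark_targets_per_source(alerts):
    """Count distinct dark destinations per source: high counts suggest a sweep rather than a typo."""
    seen = {}
    for a in alerts:
        seen.setdefault(a["src"], set()).add(a["dst"])
    return {src: len(dsts) for src, dsts in seen.items()}


def format_alert(a):
    """Single-line key=value message suitable for syslog."""
    port = a["dport"] if a["dport"] is not None else "-"
    return f"darkspace src={a['src']} dst={a['dst']} dport={port} proto={a['proto']}"


# Constructed sample lines in the style of `tcpdump -nn -l` (not a real capture).
SAMPLE_LINES = [
    "12:00:01.000001 IP 10.1.0.5.51234 > 10.1.0.9.443: Flags [S], seq 1, win 64240, length 0",
    "12:00:01.000002 IP 10.1.0.5.51235 > 10.9.9.9.445: Flags [S], seq 2, win 64240, length 0",
    "12:00:01.000003 IP 10.1.0.5 > 10.9.9.10: ICMP echo request, id 7, seq 1, length 64",
    "12:00:01.000004 IP 10.2.10.40.40000 > 10.2.20.7.53: 1234+ A? example.com. (29)",
    "12:00:01.000005 IP 10.1.0.5.51236 > 192.0.2.1.80: Flags [S], seq 3, win 64240, length 0",
    "12:00:01.000006 IP 10.2.10.40.40001 > 10.200.0.1.22: Flags [S], seq 4, win 64240, length 0",
]


def main():
    log = logging.getLogger("darkspace")
    # Placeholder collector on the management interface (assumption, not a real host).
    log.addHandler(logging.handlers.SysLogHandler(address=("192.0.2.10", 514)))
    log.setLevel(logging.WARNING)
    for alert in scan(sys.stdin):
        log.warning(format_alert(alert))


if __name__ == "__main__":
    main()
```

The allocation list is the whole policy: keeping it in sync with the IPAM is what makes the alerts trustworthy, and a subnet missing from it shows up immediately as a burst of false positives from legitimate hosts, which is a useful check in itself.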
@Viss interesting! I haven't considered that I could write custom "things" for my router.
So kind of like @lcamtuf 's p0f but using tcpdump as the backend instead of a custom libpcap-based tool?
Way back in the day, I also remember there was a commercial tool called Beacon from a company called Great Bay. I never got to use it personally, but some friends of mine did and said it worked great.
It's a shame these kinds of tools haven't caught on more. A lot of IT inventory approaches seem to assume that most of your hosts are actively managed general purpose computers that can accommodate an endpoint agent. That was never a great assumption, and it has only gotten worse over time.
@DaveMWilburn @Viss
Yeah, tons of services love to tell you what they are. We've had quite a bit of success with it as part of runZero. We support pcap imports as well as live capture. It is great for easing into networks, such as OT, where active scanning is a concern.
