D3K by Chris "Gomi Maetrics" Gragsone
For the detection of hardware address filters
D3K is a utility that attempts to probe the local network for hosts with layer 2 firewalls. Layer 2 firewalls are like regular firewalls, with the main difference being the type of host address they filter on. A regular firewall blocks hosts based on their IP (Internet Protocol) addresses. A layer 2 firewall blocks hosts based on their MAC (Media Access Control) addresses, which can make them invisible to traditional ping sweeps. By finding hosts with layer 2 firewalls, we may uncover compromised hosts or hosts with an unauthorized network connection. In either case it is likely that the administrator (legitimate or not) is trying to cloak the box from a traditional scan.
Our hope is that a host with a layer 2 firewall will still need to communicate with some other host on the network, even if not with us. To find hosts with this configuration, D3K will first query the network with ARP requests and record any replies. D3K will then query the nonresponsive hosts using spoofed source addresses taken from responsive hosts. New hosts detected with this probe are added to a list of suspected firewalled hosts.
To remove false positives, D3K will query each suspected box with a genuine ARP request as a confirmation probe. If the suspected box fails to return an ARP reply, the host is reported as a firewalled host. False positives could be generated by a machine that was only recently connected to the network, or by a host with a momentary connection loss. Administrators may still want to pay attention to these machines, as they may be experiencing other performance issues.
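The three-phase decision described above, as an added example in Python that is not D3K's own C code: it parses ARP reply frames from a constructed capture and applies the responsive / firewalled / false-positive verdict per host. The scanner address 10.0.0.254, the 10.0.0.x hosts and the locally administered MACs are constructed; sending the probes themselves is out of scope here, only the bookkeeping over the replies is shown.

```python
import ipaddress
import struct

ETH_P_ARP, ARP_REPLY = 0x0806, 2

def parse_arp(frame):
    """Ethernet II + IPv4-over-Ethernet ARP -> (opcode, sender MAC, sender IP), else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, op, sha, spa = struct.unpack("!HHBBH6s4s", frame[14:32])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, sha.hex(":"), str(ipaddress.IPv4Address(spa))

def arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Build an ARP reply frame; used here only to construct the sample capture."""
    return target_mac + sender_mac + struct.pack(
        "!HHHBBH6s4s6s4s", ETH_P_ARP, 1, 0x0800, 6, 4, ARP_REPLY, sender_mac,
        ipaddress.IPv4Address(sender_ip).packed, target_mac, ipaddress.IPv4Address(target_ip).packed)

def responders(frames):
    """Sender IPs that answered one probe phase with an ARP reply (requests are ignored)."""
    parsed = (parse_arp(f) for f in frames)
    return {p[2] for p in parsed if p and p[0] == ARP_REPLY}

def classify(targets, direct_replies, spoofed_replies, confirm_replies):
    """D3K's verdict per target from the replies seen in its three probe phases."""
    direct = responders(direct_replies)              # answered our own ARP request
    suspects = responders(spoofed_replies) - direct  # answered only a spoofed-source request
    confirmed = responders(confirm_replies)          # answered the genuine confirmation probe
    verdict = {}
    for ip in targets:
        if ip in direct:
            verdict[ip] = "responsive"
        elif ip in suspects:  # a confirmation reply means it was merely late, not filtering
            verdict[ip] = "false_positive" if ip in confirmed else "firewalled"
        else:
            verdict[ip] = "silent"
    return verdict

def demo():
    """Constructed capture: .1 answers directly, .2 only the spoofed probe, .3 both
    the spoofed probe and the confirmation, .4 never. Scanner is 10.0.0.254."""
    me = bytes.fromhex("020000000001")
    mac = {i: bytes.fromhex(f"0200000000a{i}") for i in range(1, 5)}
    direct = [arp_reply(mac[1], "10.0.0.1", me, "10.0.0.254")]
    spoofed = [arp_reply(mac[i], f"10.0.0.{i}", mac[1], "10.0.0.1") for i in (2, 3)]
    confirm = [arp_reply(mac[3], "10.0.0.3", me, "10.0.0.254")]
    return classify([f"10.0.0.{i}" for i in range(1, 5)], direct, spoofed, confirm)
```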
Switch Safe Mode
These layer 2 scans may cause network problems and false readings on more advanced network topologies. D3K may not work well with ARP proxies, flat routed networks, multicast groups, or VPNs. To accommodate such networks, D3K will have an optional switch safe mode. In this mode D3K will daemonize itself and passively listen to the network for ARP requests and replies that don't belong to the host. Every time D3K detects an ARP message, it will generate an ARP request to the sender. This method takes longer and may fail to detect a firewalled host. However, in this mode D3K would only probe hosts known to "exist" and would not need to rely on any spoofing.
Appendix 1: Function Designs
arprequest() - Handles ARP queries
cidr2net() - Creates an ip address and netmask from cidr notation (Already Completed)
getroute() - Return route structure for specified destination network
hostlist() - Interface for placing host data into the list
myip() - Obtains the interface address for a specific network
netlist() - Creates a list of ip addresses on the network
passv() - libpcap function for finding hosts passively (and actively probes them)
results() - Print the list of responsive hosts
scan() - Scan the network looking for responsive hosts
setoptflags() - Set options based from commandline arguments
spoof_scan() - Scan the network looking for responsive hosts using