Full Disclosure mailing list archives

How to detect a promiscuous interface by using WMIC

From: Eiji James Yoshida <ptrs-ejy () bp iij4u or jp>

Date: Fri, 15 May 2015 02:52:49 +0900

Hello all,

You can detect a promiscuous interface if you use Windows Management Instrumentation Command-line (WMIC).
You don't need PromiscDetect and Promqry.

# Command
wmic /NAMESPACE:\\root\wmi PATH MSNdis_CurrentPacketFilter GET

# NDIS_PACKET_TYPE
00000001   1  DIRECTED
00000010   2  MULTICAST
00000100   4  ALL_MULTICAST
00001000   8  BROADCAST
00010000  16  SOURCE_ROUTING
00100000  32  PROMISCUOUS

00001011  11  DIRECTED(1), MULTICAST(2), BROADCAST(8)
00101011  43  DIRECTED(1), MULTICAST(2), BROADCAST(8), PROMISC(32)

# Non-promisc
C:\>wmic /NAMESPACE:\\root\wmi PATH MSNdis_CurrentPacketFilter GET
Active  InstanceName                             NdisCurrentPacketFilter
TRUE    Microsoft ISATAP Adapter                 0
TRUE    Teredo Tunneling Pseudo-Interface        0
TRUE    Intel(R) PRO/1000 MT Network Connection  11  <- Non-promisc
TRUE    WAN Miniport (Network Monitor)           0
TRUE    WAN Miniport (IP)                        0
TRUE    WAN Miniport (IPv6)                      0
TRUE    RAS Async Adapter                        0

# Promisc
C:\>wmic /NAMESPACE:\\root\wmi PATH MSNdis_CurrentPacketFilter GET
Active  InstanceName                             NdisCurrentPacketFilter
TRUE    Microsoft ISATAP Adapter                 0
TRUE    Teredo Tunneling Pseudo-Interface        0
TRUE    Intel(R) PRO/1000 MT Network Connection  43  <- Promisc!!!
TRUE    WAN Miniport (Network Monitor)           0
TRUE    WAN Miniport (IP)                        0
TRUE    WAN Miniport (IPv6)                      0
TRUE    RAS Async Adapter                        0

- How to detect a promiscuous interface by using WMIC
http://d.hatena.ne.jp/EijiYoshida/20150514/1431621603

--
Eiji James Yoshida
Security Professionals Network Inc.
http://www.sec-pro.net/
http://d.hatena.ne.jp/EijiYoshida/

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
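
Added example (not part of the original message): a Python parser that takes saved output of the WMIC command above, decodes each NdisCurrentPacketFilter value with the NDIS_PACKET_TYPE table from the message, and lists the active adapters that have the PROMISCUOUS bit set. The function names and the sample text are constructed for illustration; bits outside the message's table are reported as unlisted rather than named.

```python
import re

# NDIS_PACKET_TYPE bits exactly as listed in the message above.
NDIS_PACKET_TYPE = {
    1: "DIRECTED",
    2: "MULTICAST",
    4: "ALL_MULTICAST",
    8: "BROADCAST",
    16: "SOURCE_ROUTING",
    32: "PROMISCUOUS",
}
PROMISCUOUS = 32

# One data row: Active flag, adapter name (may contain spaces), decimal filter.
ROW = re.compile(r"^(TRUE|FALSE)\s+(.+?)\s+(\d+)\s*$")

def decode_filter(value):
    """Return the names of the bits set in an NdisCurrentPacketFilter value."""
    names = [name for bit, name in NDIS_PACKET_TYPE.items() if value & bit]
    unknown = value & ~sum(NDIS_PACKET_TYPE)  # bits not in the table above
    if unknown:
        names.append("UNLISTED(0x%x)" % unknown)
    return names

def parse_wmic(text):
    """Parse saved MSNdis_CurrentPacketFilter output into (active, name, value)."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:  # header and blank lines do not match and are skipped
            rows.append((m.group(1) == "TRUE", m.group(2), int(m.group(3))))
    return rows

def promiscuous_adapters(text):
    """Names of active adapters whose filter has the PROMISCUOUS bit set."""
    return [name for active, name, value in parse_wmic(text)
            if active and value & PROMISCUOUS]

# Constructed sample, modelled on the output quoted in the message.
SAMPLE = """\
Active  InstanceName                             NdisCurrentPacketFilter
TRUE    Microsoft ISATAP Adapter                 0
TRUE    Intel(R) PRO/1000 MT Network Connection  43
TRUE    WAN Miniport (IP)                        0
"""

if __name__ == "__main__":
    for active, name, value in parse_wmic(SAMPLE):
        print(f"{name}: {value} -> {', '.join(decode_filter(value)) or 'none'}")
    print("Promiscuous:", promiscuous_adapters(SAMPLE))
```

Testing the bit with `value & 32` rather than comparing against 43 also catches filters where promiscuous mode is combined with other packet types.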