chall32 / LDWin

Link Discovery for Windows

Only the switch IP found #6

Closed jnmills closed 8 years ago

jnmills commented 8 years ago

LDWIN 2.1; AutoIT 3.3.14.2

I have a Netgear Prosafe GS 108T and I tried ldwin with it.

It only returned the switch IP address - no MAC or Port ID

I changed the code to make a copy of the data out of tcpdump, and it is as follows (the line numbers at the start are mine, not in the file)

0  12:21:24.443497 LLDP, length 46
1      Chassis ID TLV (1), length 7
2        Subtype MAC address (4): 2c:b0:5d:a1:ac:fd
3      Port ID TLV (2), length 3
4        Subtype Local (7): g1
5      Time to Live TLV (3), length 2: TTL 120s
6      Management Address TLV (8), length 20
7        Management Address length 5, AFI IPv4 (1): 192.168.1.253
8        Interface Index Interface Numbering (2): 13
9        OID length 8broadcom
10     End TLV (0), length 0

Also worth noting ...

AutoIt refused to run the file from github: I had to comment out the include of GUIHyperlink.au3 to get it working.

Norton Security removed the LDWin.exe file, saying it was a known threat. If you rename LDWin.exe to something else it runs (although it complains that it is potentially abusive, it does label it low risk).

tenox7 commented 8 years ago

"I changed the code". Is LDWin source code available anywhere?

jnmills commented 8 years ago

https://github.com/chall32/LDWin ?

From: Antoni Sawicki [mailto:notifications@github.com] Sent: 25 September 2015 21:11 To: chall32/LDWin LDWin@noreply.github.com Cc: jnmills jonathan.n.mills@gmail.com Subject: Re: [LDWin] Only the switch IP found (#6)


tenox7 commented 8 years ago

oh wait... this is in autoit... I was looking for .c files ;)

chall32 commented 8 years ago

OK, so looks like 2 issues here:

  1. AV wrongly picking LDWin.exe up as a false positive; indeed it looks like 3 out of 43 vendors are wrongly identifying LDWin as malicious: https://www.metascan-online.com/#!/results/file/1dadd140ccbb4ca4870075131ea7166c/regular I'll follow this up.
  2. Only switch IP returned. Looking at the LLDP RFC (http://standards.ieee.org/getieee802/download/802.1AB-2009.pdf): port ID and chassis ID are listed as mandatory TLVs, so should be the same across all devices. Would it be possible to let me have a (sanitised if you prefer) tcpdump output as discussed here: https://github.com/chall32/LDWin/wiki/What-To-Do-If-LDWin-Captures-No-Data To return port ID into the GUI, LDWin is looking for the text "Port Description TLV (4)" in the output of tcpdump. I'm wondering if there is some difference in the return from the Netgear switch which is causing LDWin not to pick up the correct info...

Thanks

Chris

jnmills commented 8 years ago

Chris

That was the (text) output from the tcpdump command – are you actually looking for the binary dump? I can capture that with wireshark

I am just about to go out: I will return this in a few hours I expect

Jonathan

From: Chris Hall [mailto:notifications@github.com] Sent: 26 September 2015 11:11 To: chall32/LDWin LDWin@noreply.github.com Cc: jnmills jonathan.n.mills@gmail.com Subject: Re: [LDWin] Only the switch IP found (#6)


chall32 commented 8 years ago

Hey Jonathan,

No problem. The full output from a LLDP packet capture, something like (as found on the internet):

09:15:04.185692 LLDP, length 151
    Chassis ID TLV (1), length 7
      Subtype MAC address (4): 00:15:60:85:74:12 (oui Unknown)
    Port ID TLV (2), length 4
      Subtype Local (7): 185
    Time to Live TLV (3), length 2: TTL 120s
    Port Description TLV (4), length 3: H17
    System Name TLV (5), length 11: Switch_System_Name
    System Description TLV (6), length 90
      HP J4865A ProCurve Switch 4108GL, revision G.07.93, ROM G.05.02
        (/sw/code/build/gamo(m03))
    System Capabilities TLV (7), length 4
      System  Capabilities [Bridge, Router] (0x0014)
      Enabled Capabilities [Bridge] (0x0004)
    Management Address TLV (8), length 12
      Management Address length 5, AFI IPv4 (1): switch_hostname.net
      Interface Index Interface Numbering (2): 0
    End TLV (0), length 0 

Would be good.

Thanks

Chris

jnmills commented 8 years ago

I thought I attached one to the original comment in the Issue: But here it is. The line numbers are my own.

12:21:24.443497 LLDP, length 46
    Chassis ID TLV (1), length 7
      Subtype MAC address (4): 2c:b0:5d:a1:ac:fd
    Port ID TLV (2), length 3
      Subtype Local (7): g1
    Time to Live TLV (3), length 2: TTL 120s
    Management Address TLV (8), length 20
      Management Address length 5, AFI IPv4 (1): 192.168.1.253
      Interface Index Interface Numbering (2): 13
      OID length 8broadcom
    End TLV (0), length 0

It may be that the Netgear ProSafe switch isn’t that compliant with a standard. I have to admit the only thing I really want out of it was the Port ID which tells me where I am connected to (in this case g1)

From: Chris Hall [mailto:notifications@github.com] Sent: 26 September 2015 11:29 To: chall32/LDWin LDWin@noreply.github.com Cc: jnmills jonathan.n.mills@gmail.com Subject: Re: [LDWin] Only the switch IP found (#6)


jnmills commented 8 years ago

Hi Chris.

Just a quick comment.

I did a bit of reading about LLDP. Afaict the only mandatory fields are port ID, chassis ID and time to live. You don't /have/ to send the textual descriptions?

What about displaying the description if you have it, otherwise the raw ID?

Jonathan

Sent from my iPad

On 26 Sep 2015, at 11:29, Chris Hall notifications@github.com wrote:

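The two captures posted in this thread show the whole problem: the HP ProCurve output carries a "Port Description TLV (4)" line, the Netgear output carries only the mandatory "Port ID TLV (2)" with its "Subtype Local (7): g1" child, so a parser that keys on the description string alone returns nothing for the Netgear. The script below is an added example, not LDWin's own AutoIt code: it groups tcpdump's text LLDP output into TLVs, applies the fallback Jonathan proposes (description if present, otherwise the raw port ID), and reports which of the three mandatory TLVs are missing. The two sample captures are the ones pasted above; the regexes assume the tcpdump -v line layout shown there (TLV header lines containing "TLV (n), length m" and "Subtype ... (n): value" child lines).

```python
import re

# Captures pasted in this issue thread (Netgear GS108T and an HP ProCurve found online).
SAMPLE_NETGEAR = """12:21:24.443497 LLDP, length 46
    Chassis ID TLV (1), length 7
      Subtype MAC address (4): 2c:b0:5d:a1:ac:fd
    Port ID TLV (2), length 3
      Subtype Local (7): g1
    Time to Live TLV (3), length 2: TTL 120s
    Management Address TLV (8), length 20
      Management Address length 5, AFI IPv4 (1): 192.168.1.253
      Interface Index Interface Numbering (2): 13
      OID length 8broadcom
    End TLV (0), length 0
"""

SAMPLE_HP = """09:15:04.185692 LLDP, length 151
    Chassis ID TLV (1), length 7
      Subtype MAC address (4): 00:15:60:85:74:12 (oui Unknown)
    Port ID TLV (2), length 4
      Subtype Local (7): 185
    Time to Live TLV (3), length 2: TTL 120s
    Port Description TLV (4), length 3: H17
    System Name TLV (5), length 11: Switch_System_Name
    System Description TLV (6), length 90
      HP J4865A ProCurve Switch 4108GL, revision G.07.93, ROM G.05.02
        (/sw/code/build/gamo(m03))
    System Capabilities TLV (7), length 4
      System  Capabilities [Bridge, Router] (0x0014)
      Enabled Capabilities [Bridge] (0x0004)
    Management Address TLV (8), length 12
      Management Address length 5, AFI IPv4 (1): switch_hostname.net
      Interface Index Interface Numbering (2): 0
    End TLV (0), length 0
"""

# Assumed tcpdump -v layout: a TLV header line, then indented subtype/detail lines.
TLV_RE = re.compile(r"^\s*(?P<name>[A-Za-z ]+?) TLV \((?P<type>\d+)\), length (?P<len>\d+)(?:: (?P<value>.*?))?\s*$")
SUBTYPE_RE = re.compile(r"^\s*Subtype (?P<subtype>[A-Za-z ]+) \((?P<code>\d+)\): (?P<value>.*?)\s*$")
OUI_RE = re.compile(r"\s*\(oui [^)]*\)$")          # strip tcpdump's "(oui Unknown)" suffix
MGMT_RE = re.compile(r"AFI IPv4 \(1\): (\S+)")
MANDATORY = {1: "Chassis ID", 2: "Port ID", 3: "Time to Live"}   # per IEEE 802.1AB


def parse_lldp_text(text):
    """Group tcpdump's text LLDP output into a list of TLV dicts, in wire order."""
    tlvs, current = [], None
    for line in text.splitlines():
        m = TLV_RE.match(line)
        if m:
            current = {"type": int(m.group("type")), "name": m.group("name"),
                       "length": int(m.group("len")), "value": m.group("value"),
                       "subtypes": [], "detail": []}
            tlvs.append(current)
            continue
        if current is None or not line.strip():
            continue                      # timestamp line or blank line
        s = SUBTYPE_RE.match(line)
        if s:
            current["subtypes"].append((int(s.group("code")), s.group("value")))
        else:
            current["detail"].append(line.strip())
    return tlvs


def first_of_type(tlvs, tlv_type):
    return next((t for t in tlvs if t["type"] == tlv_type), None)


def subtype_value(tlv):
    """Value of a TLV's first Subtype child (Chassis ID / Port ID carry their data there)."""
    if tlv and tlv["subtypes"]:
        return OUI_RE.sub("", tlv["subtypes"][0][1]).strip()
    return None


def summarize(tlvs):
    """Fields a link-discovery GUI would show; port falls back from description to raw ID."""
    port_desc = first_of_type(tlvs, 4)
    port_id = subtype_value(first_of_type(tlvs, 2))
    description = port_desc["value"] if port_desc else None
    sysname = first_of_type(tlvs, 5)
    mgmt, mgmt_addr = first_of_type(tlvs, 8), None
    if mgmt:
        for line in mgmt["detail"]:
            hit = MGMT_RE.search(line)
            if hit:
                mgmt_addr = hit.group(1)
                break
    return {"chassis_id": subtype_value(first_of_type(tlvs, 1)),
            "port_id": port_id, "port_description": description,
            "port": description or port_id,            # the proposed fallback
            "system_name": sysname["value"] if sysname else None,
            "management_address": mgmt_addr}


def missing_mandatory(tlvs):
    """Names of mandatory TLVs absent from the capture (empty list = compliant)."""
    present = {t["type"] for t in tlvs}
    return [MANDATORY[t] for t in sorted(MANDATORY) if t not in present]


if __name__ == "__main__":
    for label, sample in (("Netgear", SAMPLE_NETGEAR), ("HP", SAMPLE_HP)):
        tlvs = parse_lldp_text(sample)
        print(label, summarize(tlvs), "missing:", missing_mandatory(tlvs))
```

Run against the Netgear capture the summary reports port "g1" (from the Port ID TLV) with no description, and no missing mandatory TLVs, which is why keying the GUI on the optional Port Description TLV alone loses the port on that switch.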

chall32 commented 8 years ago

Have a test of v2.2 :+1:

Release 2.2 - 28 Sept 2015

Yeah, probably should have supported them from the get go, but hey they are supported now!

Let me know how you get on

Chris

jnmills commented 8 years ago

That’s cool …. It identifies my port now! And the switch name … Brill, thanks.

Jonathan

From: Chris Hall [mailto:notifications@github.com] Sent: 28 September 2015 17:43 To: chall32/LDWin LDWin@noreply.github.com Cc: jnmills jonathan.n.mills@gmail.com Subject: Re: [LDWin] Only the switch IP found (#6)


chall32 commented 8 years ago

Excellent :smile: Issue closed