I’m releasing version 0.01 of WOMAN (Who’s On Ma Network). I find myself creating fake access points often for penetration tests and created this very simple tool to fill a need of mine.
When clients associate to me I want a quick and dirty (and reliable) way to identify which systems are active and the details of each system, including its OS and which hosts it is communicating with. Sure, you could stick with OS fingerprinting, p0f, nmap scans, etc., but I’ve found that for this style of attack it’s much more straightforward to just observe the clients’ DNS and HTTP requests. Typically you’ll get a very specific version in the Agent string, which will really help to identify what OS and device you’re observing. Recently I’ve been seeing a huge explosion of wifi-enabled mobile devices like the B&N nook, iPhones, iPads, etc. This can help prevent you from wasting time trying to attack clients that won’t get you anywhere, or help you narrow your focus on which attacks to execute.
In the past I’ve used either tcpdump or wireshark and filtered for the traffic I want, but even that is cumbersome. Enter WOMAN. WOMAN uses libpcap and prints out HTTP Agent strings, GET and PUT requests, DNS requests and DNS responses. You can enable and disable each one of these individually using command line arguments. Sure, you have other options available to gather this information, but I prefer a home-grown utility designed to do one thing and do it well. It’s written in C and is very fast. You can also run this tool concurrently with other pcap/injection tools. I definitely plan on expanding the program to add handy features.
The current supported arguments are:
root@bt# ./woman
Woman Version 0.01
Who's On Ma Network - (http://leetsys.com/projects/woman/)
Passive Host & Communication Identification Tool
Usage:
-A show HTTP User Agent
-G show HTTP Get Requests
-H show HTTP Host Header
-i set capture interface
-P show HTTP Post Requests
-r show DNS requests
-R show DNS responses
Here is an example screenshot of a very quick session, capturing only the HTTP User Agent and Host.
This is a perfect example showing that by simply observing the HTTP requests of a client we can get detailed information. We can see that the host is running Linux and the browser is Firefox 5.0.1. An interesting unintended bit of info is that we see the client querying two additional hosts although we only entered one website (www.leetsys.com). Again, this is great info to help identify the OS/Software and function of an end client.
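To make concrete what a passive observer reads out of each packet, here is an added example (not WOMAN's source) that pulls the Host and User-Agent headers from an HTTP payload and the query name from a DNS request, with the bounds checks that untrusted traffic needs. The function names `http_header` and `dns_qname` and the sample bytes are assumptions constructed for illustration, and the libpcap capture step is left out so the code runs on payload bytes directly.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
/* Constructed samples (not captured traffic): one HTTP request, one DNS query. */
static const unsigned char SAMPLE_HTTP[] = "GET / HTTP/1.1\r\nhost: www.example.test\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64) ExampleBrowser/1.0\r\n\r\nbody";
static const unsigned char SAMPLE_DNS[] = { 0x12,0x34, 1,0, 0,1, 0,0, 0,0, 0,0,
    3,'w','w','w', 7,'e','x','a','m','p','l','e', 4,'t','e','s','t', 0, 0,1, 0,1 };

/* Copy header `name` from a raw TCP payload (not NUL-terminated) into out; 1 = found. */
int http_header(const unsigned char *p, size_t len, const char *name, char *out, size_t outsz) {
    size_t nlen = strlen(name), i = 0;
    while (outsz && i < len) {
        size_t eol = i, v, n = 0;
        while (eol < len && p[eol] != '\n') eol++;
        if (eol == i || (eol == i + 1 && p[i] == '\r')) return 0; /* blank line ends headers */
        if (eol - i > nlen && p[i + nlen] == ':' && !strncasecmp((const char *)p + i, name, nlen)) {
            for (v = i + nlen + 1; v < eol && (p[v] == ' ' || p[v] == '\t'); v++) ;
            while (v < eol && p[v] != '\r' && n + 1 < outsz) out[n++] = (char)p[v++];
            out[n] = '\0';
            return 1;
        }
        i = eol + 1;
    }
    return 0;
}

/* Decode the first DNS question name; 0 if malformed (length byte > 63, pointer, truncation). */
int dns_qname(const unsigned char *p, size_t len, char *out, size_t outsz) {
    size_t i = 12, n = 0;                         /* fixed DNS header is 12 bytes */
    if (len < 13 || outsz == 0 || (p[4] | p[5]) == 0) return 0;    /* QDCOUNT is 0 */
    while (i < len && p[i] != 0) {
        size_t l = p[i++];
        if (l > 63 || i + l > len || n + l + 2 > outsz) return 0;
        if (n) out[n++] = '.';
        memcpy(out + n, p + i, l);
        n += l; i += l;
    }
    if (i >= len) return 0;                       /* terminating zero label missing */
    out[n] = '\0';
    return 1;
}

int main(void) {
    char h[128], q[256];
    if (http_header(SAMPLE_HTTP, sizeof SAMPLE_HTTP - 1, "User-Agent", h, sizeof h)) printf("agent: %s\n", h);
    if (dns_qname(SAMPLE_DNS, sizeof SAMPLE_DNS, q, sizeof q)) printf("query: %s\n", q);
    return 0;
}
```

Header names are matched case-insensitively and the search stops at the blank line, so text in the request body is never mistaken for a header.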
There’s currently an issue with DNS responses with multiple answers, which I’ll be fixing shortly. DNS has been an extreme headache to work with but also extremely fun.
You can download the source and binary at http://www.leetsys.com/programs/woman/v0.01/
As always, constructive feedback is welcome.