[prads-users] [release] PRADS 0.2.0

Kacper Wysocki kacperw at gmail.com
Mon Jun 21 14:05:16 CEST 2010


PRADS - the Passive Realtime Asset Detection System has reached
release 0.2.0 with codename "our two cents".

It's been far too long since the last release, and many things have
happened that we thought we would share with you.
First off, PRADS has been rebuilt from scratch to handle high
throughput and should work nicely on those fat pipes out there. This
means it operates a little differently on the command line.
Our tool is now quite easy to use and has support for many more
signature methods.

Changelog for prads 0.2.0-1
  * PRADS release 0.2.0
  * SYN,SYNACK,ACK,FIN,RST, IPv6, service, client, UDP, ICMP, ARP support
  * added and fixed many signatures
  * log to prads-asset.log
  * eat pcaps (-r file.pcap)
  * dump statistics on exit
  * wirefuzz script
  * prads2snort and other fun tools
  * better IPv6 support
  * better OS guessing
  * awesome memory usage and stability
  * l337 optimizations for high thruput
  * code refactoring, cleanups & bugfixes and more

Quick start:
<code>root@machine# prads -D
[*] Running prads 0.2.0
[*] Using libpcap version 1.1.1
[*] Using PCRE version 7.8 2008-09-05
[*] OS checks enabled: SYN SYNACK RST FIN ACK
[*] Service checks enabled: TCP-SERVER TCP-CLIENT UDP-SERVICES ARP
[*] Device: eth0
[*] Daemonizing...
</code>

To see the raw asset log file:
<code>
root@machine# tail -f /var/log/prads-asset.log
asset,vlan,port,proto,service,[service-info],distance,discovered
84.24.154.213,0,1268,6,ACK,[65392:118:1:0:.:A:Windows:XP],10,1277044697
109.87.38.106,0,56393,6,ACK,[16425:114:1:0:.:A:Windows:XP],14,1277044697
192.168.2.43,0,38359,6,SYN,[S4:64:1:60:M1460,S,T,N,W7:.:Linux:2.6 (newer, 7):link:ethernet/modem:uptime:2630hrs],0,1277044698
192.168.2.43,0,48065,6,ACK,[54:64:1:0:N,N,T:ZAT:Linux:2.6:uptime:2630hrs],0,1277044697
76.99.73.67,0,55834,6,ACK,[33069:48:1:0:N,N,T:AT:Linux:2.4(newer)/2.6:uptime:307hrs],16,1277044697
65.191.159.39,0,48747,6,ACK,[259:114:1:0:N,N,T:AT:unknown:unknown:uptime:20hrs],14,1277044697
</code>
Remember that ACK mode is and always will be rather unreliable.
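The raw log above is comma separated, but the bracketed service-info field carries commas of its own (the TCP options, `M1460,S,T,N,W7`), so a naive split on `,` breaks on SYN records. The following is an added example, not PRADS code, that parses such lines using the bracket as the delimiter, splits the p0f-style fingerprint into its fields, flags assets that were only ever seen in ACK mode (the caveat just given), and sanity-checks each record by adding the observed TTL to the distance column, which is assumed (as in p0f) to be initial TTL minus observed TTL, so the sum should land on a common initial TTL. The sample lines are constructed with RFC 5737 addresses; `AssetRecord`, `parse_line`, `summarize`, `initial_ttl` and the eight-field layout of the last (service) sample line are all assumptions of this example.

```python
"""Parser and sanity checker for PRADS 0.2.0 prads-asset.log lines.

Added example, not part of PRADS. The field layout follows the header
line shown in the announcement:

    asset,vlan,port,proto,service,[service-info],distance,discovered

For OS checks (SYN, SYNACK, ACK, FIN, RST) the bracketed service-info is
assumed to be p0f-style and colon separated:

    wsize:ttl:df:psize:options:quirks:os:details[:key:value ...]
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

OS_SERVICES = {"SYN", "SYNACK", "ACK", "FIN", "RST"}
# The announcement warns that ACK mode is unreliable: an asset counts as
# "reliably" fingerprinted only if some other OS check saw it too.
UNRELIABLE_SERVICES = {"ACK"}
# Common initial TTLs; observed ttl + distance should land on one of these
# (assumption: distance is hops, i.e. initial TTL minus observed TTL).
INITIAL_TTLS = {32, 64, 128, 255}
FP_KEYS = ("wsize", "ttl", "df", "psize", "options", "quirks", "os", "details")


@dataclass
class AssetRecord:
    ip: str
    vlan: int
    port: int
    proto: int
    service: str
    info: str
    distance: int
    discovered: int
    fp: Dict[str, str] = field(default_factory=dict)


def parse_fingerprint(info: str) -> Dict[str, str]:
    """Split a p0f-style OS fingerprint; trailing fields are key:value pairs."""
    parts = info.split(":")
    if len(parts) < len(FP_KEYS):
        return {"raw": info}
    fp = dict(zip(FP_KEYS, parts[: len(FP_KEYS)]))
    extra = parts[len(FP_KEYS):]
    fp.update(zip(extra[0::2], extra[1::2]))  # e.g. uptime:2630hrs, link:ethernet/modem
    return fp


def parse_line(line: str) -> Optional[AssetRecord]:
    """Parse one log line; returns None for the header or a blank line."""
    line = line.strip()
    if not line or line.startswith("asset,"):
        return None
    head, sep, rest = line.partition(",[")       # everything before the bracket has no commas inside fields
    info, sep2, tail = rest.rpartition("],")    # service-info may itself contain commas
    if not sep or not sep2:
        raise ValueError(f"malformed asset line: {line!r}")
    ip, vlan, port, proto, service = head.split(",")
    distance, discovered = tail.split(",")
    rec = AssetRecord(ip, int(vlan), int(port), int(proto), service, info,
                      int(distance), int(discovered))
    if service in OS_SERVICES:
        rec.fp = parse_fingerprint(info)
    return rec


def initial_ttl(rec: AssetRecord) -> Optional[int]:
    """Return the implied initial TTL, or None if it is not a common value."""
    ttl = rec.fp.get("ttl", "")
    if not ttl.isdigit():
        return None
    guess = int(ttl) + rec.distance
    return guess if guess in INITIAL_TTLS else None


def summarize(lines: List[str]) -> Dict[str, dict]:
    """Collapse OS-check records per asset, flagging ACK-only guesses."""
    out: Dict[str, dict] = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec.service not in OS_SERVICES:
            continue  # service/client records are not OS evidence
        s = out.setdefault(rec.ip, {"guesses": set(), "reliable": False,
                                    "initial_ttl": set(), "uptime": None})
        s["guesses"].add(f"{rec.fp.get('os', '?')} {rec.fp.get('details', '?')}")
        if rec.service not in UNRELIABLE_SERVICES:
            s["reliable"] = True
        ttl = initial_ttl(rec)
        if ttl is not None:
            s["initial_ttl"].add(ttl)
        if "uptime" in rec.fp:
            s["uptime"] = rec.fp["uptime"]
    return out


# Constructed sample, shaped like the announcement's log excerpt but with
# RFC 5737 documentation addresses. The last line assumes service records
# use the same eight-field layout.
SAMPLE_LOG = """\
asset,vlan,port,proto,service,[service-info],distance,discovered
198.51.100.7,0,1268,6,ACK,[65392:118:1:0:.:A:Windows:XP],10,1277044697
192.0.2.43,0,38359,6,SYN,[S4:64:1:60:M1460,S,T,N,W7:.:Linux:2.6 (newer, 7):link:ethernet/modem:uptime:2630hrs],0,1277044698
192.0.2.43,0,48065,6,ACK,[54:64:1:0:N,N,T:ZAT:Linux:2.6:uptime:2630hrs],0,1277044697
203.0.113.9,0,48747,6,ACK,[259:114:1:0:N,N,T:AT:unknown:unknown:uptime:20hrs],14,1277044697
192.0.2.43,0,53,17,CLIENT,[@domain],0,1277044700
"""

if __name__ == "__main__":
    for ip, s in summarize(SAMPLE_LOG.splitlines()).items():
        tag = "" if s["reliable"] else " (ACK-only, unreliable)"
        print(f"{ip}: {sorted(s['guesses'])} initial_ttl={sorted(s['initial_ttl'])}"
              f" uptime={s['uptime']}{tag}")
```

On the announcement's own excerpt the TTL check holds for every line (118+10 and 114+14 give 128, 48+16 and 64+0 give 64), which makes it a cheap way to spot spoofed or NAT-rewritten TTLs, and it still yields a 128 hint for the `unknown:unknown` ACK guess where PRADS itself had no match.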

To get a better view of the detected systems, run the following command:
<code>
prads-asset-report | less
13 ------------------------------------------------------
IP:   109.87.38.106
OS:   Windows Server 2008 (R2 Standard 64-bit) (60%) 1
[..crop..]
104 -----------------------------------------------------
IP:   192.168.2.43
OS:   Linux 2.6 (newer, 7) (100%) 3
MAC(s):   00:DE:AD:BE:EF:2F  (2010/06/20 16:39:00)

Port  Service    TCP-Application
80    CLIENT     Mozilla/5.0 (X11; U; Linux x86_64; en (US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.70
80    CLIENT     @www
80    CLIENT     Mozilla/5.0 (X11; U; Linux x86_64; en (US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.70
443   CLIENT     TLS 1.0 Client Hello
443   CLIENT     TLS 1.0 Client Hello
3218  CLIENT     rtorrent/0.8.6/0.12.6
6667  CLIENT     @irc
6667  CLIENT     @irc
6667  CLIENT     SSL 2.0 Client Hello
50005 SERVER     Bittorrent
50005 SERVER     Bittorrent

Port  Service    UDP-Application
53    CLIENT     @domain
53    CLIENT     @domain
123   CLIENT     @ntp

105 ------------------------------------------------------

[..snip..]

</code>

Packages are available for Debian and Ubuntu; for everyone else there
is source. Get PRADS now at http://github.com/gamelinux/prads/downloads

Report issues and feature requests to: http://github.com/gamelinux/prads/issues

For suggestions, help, contributions and general banter: discuss on this list.

-K
