| FLAG | FEATURE | DESCRIPTION AND COMMENT |
| --- | --- | --- |
| -ipdxf | Packet sniffer with filter and other options. | Nast can sniff and log the captured packets in ASCII or ASCII-HEX format. You can use a pcap filter and set promiscuous mode. |
| -T -R | Save and load in tcpdump format. | Use -T to save and -R to load captured packets in tcpdump format to/from <filename>. |
| --ld | Log captured data to <filename> (only payload). | Use -l to log all packets instead; useful with -B. |
| -m | Create a host LAN list. | Map the LAN by performing a series of ARP requests to sequential subnet IP addresses. |
| -s | Follow a TCP stream. | Can follow a TCP/IP stream and view all data in transfer. You must specify the IP addresses of the ends. |
| -g | Try to find possible internet gateways. | We send a SYN packet to a public host on port 80 through each LAN host in sequence; if a SYN-ACK comes back, we have found the gateway. |
| -P | Check other NICs on the LAN with the promisc flag set. | By performing a fake ARP broadcast, we can determine whether a NIC is in promiscuous mode or not. If the checked host is in promiscuous mode it will respond with an ARP response; otherwise it drops the packet. Note: this method doesn't work with all OSes. Use -P all to query all network NICs. |
| -r | Destroy an established connection. | You must specify the IP addresses of the ends and at least one port. Please be careful when using this function. This feature works only if we can read the SEQ and ACK numbers, because the RST mechanism works with them. |
| -S | Performs a half-open port scan on the selected host. | It also tries to determine some firewall (just iptables) rules. About this technique nmap says: This technique is often referred to as "half-open" scanning, because you don't open a full TCP connection. You send a SYN packet, as if you are going to open a real connection and you wait for a response. A SYN\|ACK indicates the port is listening. A RST is indicative of a non-listener. If a SYN\|ACK is received, a RST is immediately sent to tear down the connection (actually our OS kernel does this for us). The primary advantage to this scanning technique is that fewer sites will log it. Unfortunately you need root privileges to build these custom SYN packets. |
| -M | Performs a multi-port scan. | Same as above, but done on all hosts of the LAN. |
| -L | Tries to determine what type of link is used in the LAN (hub or switch). | Is there a hub or a switch in the LAN segment? We can find out by sending a spoofed ICMP echo-request (for this to work there must be at least 3 hosts in the LAN and at least one of them must reply with an ICMP echo-reply). |
| -b | Catch daemon banners. | Checks the most famous daemon banners on the LAN's hosts. You can customize the ports database by adding ports to the ports[] variable in main.c. |
| -c | Verify whether someone is ARP-poisoning by comparing ARP responses. | Are you a sysadmin and do you want to look for possible ARP poisoning in your LAN? This option is for you! When run, Nast builds a database of all network nodes (IP and MAC address), then sniffs ARP responses and verifies the correctness of each IP-MAC address association. Remember to execute Nast when you are sure that nobody is ARP-poisoning, then relax and check the program output :-) |
| -C | Byte counting. | Apply traffic counting to <"filter"> (see the FILTER SYNTAX section in the manpage for syntax). Use -C any if you don't want to use a filter. |
| -G | Ncurses interface. | Run Nast with the ncurses interface (only if compiled with ncurses support). |
| -l | Basic logging. | Use the -l flag to specify a logfile to log reports to. Works with many features. |
| -B | Run in background like a daemon. | Run in background like a daemon and turn off stdout (very useful for sniffer/stream/ARP control logging). |
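
The baseline comparison that the -c row describes, as an added C example (not code from Nast itself): it parses a raw Ethernet frame, accepts only ARP replies, and compares the sender IP/MAC pair with a table recorded while the LAN was clean. The names `check_arp_reply`, `struct host`, `make_reply` and `BASELINE` are assumptions, and the addresses are constructed sample data.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One baseline entry, recorded while the LAN is known to be clean. */
struct host { uint8_t ip[4]; uint8_t mac[6]; };
enum verdict { ARP_IGNORED, ARP_OK, ARP_UNKNOWN_HOST, ARP_MISMATCH };

/* ARP header of an Ethernet/IPv4 reply: htype=1, ptype=0x0800, hlen=6, plen=4, op=2 */
static const uint8_t REPLY_HDR[8] = { 0x00, 0x01, 0x08, 0x00, 0x06, 0x04, 0x00, 0x02 };

/* Compare the sender IP/MAC of one raw Ethernet frame with the baseline. */
enum verdict check_arp_reply(const uint8_t *f, size_t len,
                             const struct host *base, size_t n)
{
    if (len < 42) return ARP_IGNORED;                          /* 14 Ethernet + 28 ARP */
    if (f[12] != 0x08 || f[13] != 0x06) return ARP_IGNORED;    /* EtherType is not ARP */
    if (memcmp(f + 14, REPLY_HDR, 8) != 0) return ARP_IGNORED; /* not an IPv4 ARP reply */
    const uint8_t *sha = f + 22, *spa = f + 28;                /* sender MAC, sender IP */
    for (size_t i = 0; i < n; i++)
        if (memcmp(base[i].ip, spa, 4) == 0)
            return memcmp(base[i].mac, sha, 6) == 0 ? ARP_OK : ARP_MISMATCH;
    return ARP_UNKNOWN_HOST;                                   /* IP not in the baseline */
}

/* Constructed sample baseline (documentation addresses, not from a capture). */
static const struct host BASELINE[] = {
    { {192, 0, 2, 1},  {0x02, 0, 0, 0, 0, 0x01} },
    { {192, 0, 2, 10}, {0x02, 0, 0, 0, 0, 0x0a} },
};

/* Test-data helper: fill a 42-byte buffer with an ARP reply saying `ip` is at `mac`. */
void make_reply(uint8_t out[42], const uint8_t mac[6], const uint8_t ip[4])
{
    memset(out, 0xff, 42);             /* destination/target fields: filler */
    memcpy(out + 6, mac, 6);           /* Ethernet source address */
    out[12] = 0x08; out[13] = 0x06;    /* EtherType ARP */
    memcpy(out + 14, REPLY_HDR, 8);
    memcpy(out + 22, mac, 6);          /* ARP sender MAC */
    memcpy(out + 28, ip, 4);           /* ARP sender IP */
}

int main(void)
{
    uint8_t f[42];
    const uint8_t other[6] = {0x02, 0, 0, 0, 0, 0x66};  /* MAC not in the baseline */
    make_reply(f, other, BASELINE[0].ip);               /* known IP, different MAC */
    printf("verdict=%d\n", check_arp_reply(f, sizeof f, BASELINE, 2));
}
```

A mismatch is only as trustworthy as the baseline, which is why the -c row says to build it when nobody is ARP-poisoning.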

| VERSION | DESCRIPTION | DATE | FILE SIZE | MD5 |
| --- | --- | --- | --- | --- |
| 0.2.0 | Major features enhancements | 2004.02.16 | 147568 | 77cbab45f5850d6cdb7ecb10e291bfa7 |
| 0.1.7e | Major bugfixes | 2003.05.21 | 126478 | 52a64ff9d02dabc70de15dc1cb5e4528 |
| 0.1.7d | Major bugfixes | 2003.04.23 | 128113 | 9470ca94be6cd7a359212f1d5888b58e |
| 0.1.7 | Major features enhancements | 2003.04.16 | 126866 | 6778674533c9497b382520c6491831df |
| 0.1.6 | Major bugfixes | 2003.02.17 | 79991 | 9c4c3f404febb9d28a880fda84d4badd |
| 0.1.5.1 | Minor features enhancements | 2003.01.27 | 76415 | c5c54e9397cec836231a9af68a448c63 |
| 0.1.5 | First public release, just a good Beta Release | 2003.01.20 | 79476 | 4a0568d5c5597e187c027ac1a1c37ff2 |