Archive for June, 2010

PRADS 0.2.0 hits release

Monday, June 21st, 2010

PRADS – the Passive Realtime Asset Detection System has reached release with codename: “our two cents”.

It’s been far too long since last release and many things have happened that we thought we would share with you.
First off, PRADS has been rebuilt from scratch to handle high throughput and should work nicely on those fat pipes out there. This means it operates a little differently on the command line.
Our tool is now quite easy to use and has support for many more signature methods.

Changelog for prads 0.2.0-1
* PRADS release 0.2.0
* SYN,SYNACK,ACK,FIN,RST, IPv6, service, client, UDP, ICMP, ARP support
* added and fixed many signatures
* log to prads-asset.log
* eat pcaps (-r file.pcap)
* dump statistics on exit
* wirefuzz script
* prads2snort and other fun tools
* better IPv6 support
* better OS guessing
* awesome memory usage and stability
* l337 optimizations for high thruput
* code refactoring, cleanups & bugfixes and more

Quick start:
root@machine# prads -D
[*] Running prads 0.2.0
[*] Using libpcap version 1.1.1
[*] Using PCRE version 7.8 2008-09-05
[*] OS checks enabled: SYN SYNACK RST FIN ACK
[*] Service checks enabled: TCP-SERVER TCP-CLIENT UDP-SERVICES ARP
[*] Device: eth0
[*] Daemonizing...

To see the raw asset log file:

root@machine# tail -f /var/log/prads-asset.log
asset,vlan,port,proto,service,[service-info],distance,discovered,0,1268,6,ACK,[65392:118:1:0:.:A:Windows:XP],10,1277044697,0,56393,6,ACK,[16425:114:1:0:.:A:Windows:XP],14,1277044697,0,38359,6,SYN,[S4:64:1:60:M1460,S,T,N,W7:.:Linux:2.6 (newer, 7):link:ethernet/modem:uptime:2630hrs],0,1277044698,0,48065,6,ACK,[54:64:1:0:N,N,T:ZAT:Linux:2.6:uptime:2630hrs],0,1277044697,0,55834,6,ACK,[33069:48:1:0:N,N,T:AT:Linux:2.4(newer)/2.6:uptime:307hrs],16,1277044697,0,48747,6,ACK,[259:114:1:0:N,N,T:AT:unknown:unknown:uptime:20hrs],14,1277044697

Remember that ACK mode is and always will be rather unreliable.

To get a better view of the detected systems, run the following command:

prads-asset-report | less
13 ------------------------------------------------------
OS: Windows Server 2008 (R2 Standard 64-bit) (60%) 1
104 -----------------------------------------------------
OS: Linux 2.6 (newer, 7) (100%) 3
MAC(s): 00:DE:AD:BE:EF:2F (2010/06/20 16:39:00)

Port Service TCP-Application
80 CLIENT Mozilla/5.0 (X11; U; Linux x86_64; en (US) AppleWebKit/533.4 (K
HTML, like Gecko) Chrome/5.0.375.70
80 CLIENT @www
80 CLIENT Mozilla/5.0 (X11; U; Linux x86_64; en (US) AppleWebKit/533.4 (K
HTML, like Gecko) Chrome/5.0.375.70
443 CLIENT TLS 1.0 Client Hello
443 CLIENT TLS 1.0 Client Hello
3218 CLIENT rtorrent/0.8.6/0.12.6
6667 CLIENT @irc
6667 CLIENT @irc
6667 CLIENT SSL 2.0 Client Hello
50005 SERVER Bittorrent
50005 SERVER Bittorrent

Port Service UDP-Application
53 CLIENT @domain
53 CLIENT @domain
123 CLIENT @ntp

105 ------------------------------------------------------


Packages are available for debian and ubuntu, for everyone else there is source.
Get PRADS now!

Report issues and feature requests to:

For suggestions, help, contributions and general banter go to the PRADS mailing list.