Posts Tagged ‘prads’

prads-0.3.2: ya skipped that one

Monday, November 5th, 2012

Ever since HACK.LU (where we spoke about VSF), Ebf0 and I have had quite some activity on PRADS, wonder why?

We really enjoyed the design of POM-NG, we find this little program quite inspiring and will keep in touch with GMsoft.

This might be the right time to announce PRADS-me! at, a service to actively fingerprint your own self. Real useful even just for an IP check, geolocation or to see what types of fingerprints you are matching at any given time.

Some of you might recall that PRADS was the subject of a Masters thesis in 2011: “Investigating Passive Operating System Detection” by Petter Bjerke Falch from UiO. Well, it’s happened again.

Jostein Haukeli at the University of Oslo Department of Informatics has written a paper on “False positive reduction through IDS network awareness”. We are excited about the prospect that our work is being used in data correlation, and we would like to see more event correlation stuff done in a scalable context.

Last year PRADS was a featured ip6-ready tool at the ISC.
Furthermore, in July this year PRADS was included in OSSIM, the Open Source SIEM

In other news, PRADS is about to be baked into the next release of the Security Onion network monitoring linux distro. Version 12.04 beta already comes with PRADS included (replacing old-timers sancp and pads) but it did require some bug-squashing from our end. You know what that means? 0.3.2-rc1 was tagged in the tree recently. That’s right: a new PRADS release is coming up Real Soon Now.

PRADS 0.2.0 hits release

Monday, June 21st, 2010

PRADS – the Passive Realtime Asset Detection System has reached release with codename: “our two cents”.

It’s been far too long since last release and many things have happened that we thought we would share with you.
First off, PRADS has been rebuilt from scratch to handle high throughput and should work nicely on those fat pipes out there. This means it operates a little differently on the command line.
Our tool is now quite easy to use and has support for many more signature methods.

Changelog for prads 0.2.0-1
* PRADS release 0.2.0
* SYN,SYNACK,ACK,FIN,RST, IPv6, service, client, UDP, ICMP, ARP support
* added and fixed many signatures
* log to prads-asset.log
* eat pcaps (-r file.pcap)
* dump statistics on exit
* wirefuzz script
* prads2snort and other fun tools
* better IPv6 support
* better OS guessing
* awesome memory usage and stability
* l337 optimizations for high thruput
* code refactoring, cleanups & bugfixes and more

Quick start:
root@machine# prads -D
[*] Running prads 0.2.0
[*] Using libpcap version 1.1.1
[*] Using PCRE version 7.8 2008-09-05
[*] OS checks enabled: SYN SYNACK RST FIN ACK
[*] Service checks enabled: TCP-SERVER TCP-CLIENT UDP-SERVICES ARP
[*] Device: eth0
[*] Daemonizing...

To see the raw asset log file:

root@machine# tail -f /var/log/prads-asset.log
asset,vlan,port,proto,service,[service-info],distance,discovered,0,1268,6,ACK,[65392:118:1:0:.:A:Windows:XP],10,1277044697,0,56393,6,ACK,[16425:114:1:0:.:A:Windows:XP],14,1277044697,0,38359,6,SYN,[S4:64:1:60:M1460,S,T,N,W7:.:Linux:2.6 (newer, 7):link:ethernet/modem:uptime:2630hrs],0,1277044698,0,48065,6,ACK,[54:64:1:0:N,N,T:ZAT:Linux:2.6:uptime:2630hrs],0,1277044697,0,55834,6,ACK,[33069:48:1:0:N,N,T:AT:Linux:2.4(newer)/2.6:uptime:307hrs],16,1277044697,0,48747,6,ACK,[259:114:1:0:N,N,T:AT:unknown:unknown:uptime:20hrs],14,1277044697

Remember that ACK mode is and always will be rather unreliable.

To get a better view of the detected systems, run the following command:

prads-asset-report | less
13 ------------------------------------------------------
OS: Windows Server 2008 (R2 Standard 64-bit) (60%) 1
104 -----------------------------------------------------
OS: Linux 2.6 (newer, 7) (100%) 3
MAC(s): 00:DE:AD:BE:EF:2F (2010/06/20 16:39:00)

Port Service TCP-Application
80 CLIENT Mozilla/5.0 (X11; U; Linux x86_64; en (US) AppleWebKit/533.4 (K
HTML, like Gecko) Chrome/5.0.375.70
80 CLIENT @www
80 CLIENT Mozilla/5.0 (X11; U; Linux x86_64; en (US) AppleWebKit/533.4 (K
HTML, like Gecko) Chrome/5.0.375.70
443 CLIENT TLS 1.0 Client Hello
443 CLIENT TLS 1.0 Client Hello
3218 CLIENT rtorrent/0.8.6/0.12.6
6667 CLIENT @irc
6667 CLIENT @irc
6667 CLIENT SSL 2.0 Client Hello
50005 SERVER Bittorrent
50005 SERVER Bittorrent

Port Service UDP-Application
53 CLIENT @domain
53 CLIENT @domain
123 CLIENT @ntp

105 ------------------------------------------------------


Packages are available for debian and ubuntu, for everyone else there is source.
Get PRADS now!

Report issues and feature requests to:

For suggestions, help, contributions and general banter go to the PRADS mailing list.

brilliant fools – hackers update

Monday, March 1st, 2010

cracks are on the rise. so are hacks, and I haven’t posted a thing since December. So what’s up with you?

Good news is that Con Kolivas might have managed to defeat his carpal tunnel and swallow his spite for kernel dev elitism, and is again churning out solid kernel code to improve desktop usability – which the kernel devs aren’t too interested in – something he is quite right to say!

Hopefully ubuntu will pick up CK’s scheduling patches, because they are uber and with ubuntu’s momentum they might topple the stack. Too bad their kernel team can’t follow the churn. Wish I had time to compile it for you or even post some interbench stats with pretty graphs, but there is a BFQ PPA available already so you can test it out on your ubuntu or debian machine. Bonus? Some random dudes wrote a simple IO scheduler which is included there. Ain’t that reasonable?

All that at least until we have time to write our own OS which gets rid of all suckage, is super flexible and of course incorporates all our favorite patches.

Valgrind is pretty neat, and with that we have working stray acks in PRADS, the stealthy host and service detection system. More features and even a new release might come soon, which is to say – when it’s ready. In the mean time I welcome you to try breaking it in any and every way possible.

Also, if everything you do is motivated by monetary gains then you sir are a shame to the human race. Go back to step 1 and have a good day now.