Network auditing and monitoring with nast
From Cryptolife
Nast is a network and LAN analyzer and sniffer tool. It can perform sniffing in normal mode or in promiscuous mode.
As an analyzer tool, it has many features, such as:
* Build LAN hosts list
* Follow a TCP-DATA stream
* Find LAN Internet gateways
* Discover promiscuous nodes
* Reset an established connection
* Perform a single half-open port scan
* Perform a multi half-open port scan
* Find link type (hub or switch)
* Catch daemon banners of LAN nodes
* Check ARP answers to discover possible ARP spoofing
* Byte counting with an optional filter
* Write log reports
To install it:
apt-get install nast
To build a network map:
root@firewall:/root# nast -i wlan0 -m
Nast V. 0.2.0
Mapping the Lan for 255.255.255.0 subnet ... please wait
MAC address Ip address (hostname)
===========================================================
00:1D:E0:B6:24:E9 192.168.1.1 (firewall.local) (*)
00:14:D7:02:4F:54 192.168.1.2 (server1.local)
00:01:E3:CD:D6:EE 192.168.1.3 (server2.local)
00:1F:E0:00:0F:CD 192.168.1.4 (server3.local)
00:24:9F:07:0F:D8 192.168.1.5 (server4.local)
00:02:1F:03:D4:D8 192.168.1.6 (server5.local)
00:1D:45:01:C2:24 192.168.1.7 (server6.local)
00:1F:2C:04:C9:D8 192.168.1.8 (server7.local)
00:1F:8F:01:0F:D8 192.168.1.9 (server8.local)
(*) This is localhost
Finished
Check for remote sniffers or other NICs on the LAN with the promiscuous flag set:
root@firewall:/root# nast -i wlan0 -P all
Nast V. 0.2.0
This check can have false response, pay attention!
Probe for hosts...done
192.168.1.7 (server6.local) ---------> Found!
Finished
Find LAN Internet gateway:
root@firewall:/root# nast -i wlan0 --find-gateway
Nast V. 0.2.0
Finding suitable hosts (excluding localhost) -> Done
Trying 192.168.1.1 (00:1D:E0:B6:24:E9)-> Yep!
Trying 192.168.1.2 (00:14:D7:02:4F:54)-> Bad
Trying 192.168.1.3(00:01:E3:CD:D6:EE)-> Bad
Trying 192.168.1.4 (00:1F:E0:00:0F:CD)-> Bad
Finished
Check ARP answers for possible ARP poisoning:
root@firewall:/root# nast -i wlan0 --check-arp-poisoning
Nast V. 0.2.0
I'll build a truly MAC-IP list...
(Press a key)
- Waiting please...
- Now let me sniff arp-response on the network...
Verifing: 192.168.1.252 Is 00:1D:E0:B6:24:E9 ? Correct
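As the output above shows, the ARP check builds a trusted MAC-IP list and then verifies later ARP answers against it. The same comparison can be run offline on two saved nast -m listings; the script below is an added example, not part of nast or of the original page, and its function names and the second listing are constructed for illustration.

```python
import re

# Host rows of a `nast -m` listing: "MAC IP (hostname)", optionally "(*)"
ROW = re.compile(r"^((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+(\d{1,3}(?:\.\d{1,3}){3})\b")

def parse_map(text):
    """Return {ip: mac} from the host rows of a `nast -m` listing."""
    hosts = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            hosts[m.group(2)] = m.group(1).upper()
    return hosts

def compare(baseline, current):
    """Compare two {ip: mac} maps; return a list of (kind, detail) findings."""
    findings = []
    for ip, mac in sorted(current.items()):
        known = baseline.get(ip)
        if known is None:
            findings.append(("new-host", f"{ip} is {mac}"))
        elif known != mac:
            findings.append(("mac-changed", f"{ip} was {known}, now {mac}"))
    # One MAC answering for several IPs is a common sign of ARP spoofing
    # (multi-homed hosts also match, so treat it as a lead to verify).
    by_mac = {}
    for ip, mac in current.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            findings.append(("shared-mac", f"{mac} claims {', '.join(sorted(ips))}"))
    return findings

# Trusted listing: first three rows of the map shown earlier on this page
BASELINE = """\
00:1D:E0:B6:24:E9 192.168.1.1 (firewall.local) (*)
00:14:D7:02:4F:54 192.168.1.2 (server1.local)
00:01:E3:CD:D6:EE 192.168.1.3 (server2.local)
"""
# Constructed later listing: .1 now answers with server2's MAC, .50 is new
LATER = """\
00:01:E3:CD:D6:EE 192.168.1.1 (firewall.local)
00:14:D7:02:4F:54 192.168.1.2 (server1.local)
00:01:E3:CD:D6:EE 192.168.1.3 (server2.local)
02:00:00:00:00:01 192.168.1.50 (unknown)
"""
if __name__ == "__main__":
    for kind, detail in compare(parse_map(BASELINE), parse_map(LATER)):
        print(kind, detail)
```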


