About Above
Above is a network protocol sniffing tool designed specifically for Red Team researchers. This tool has strong stealth capabilities, which can help researchers search for relevant security vulnerabilities within target networks.

Above can assist penetration testers and security experts in searching for security vulnerabilities within target network devices. The tool performs its analysis entirely on passively captured network traffic, so it generates no noise of its own on the network. Above is developed in pure Python and implements its functionality on top of the Scapy library. Its primary task is to inspect the L2/L3 protocols in use on the target network and, through traffic sniffing, identify security issues present in their configuration.
Supported Protocols
The current version of Above supports detecting the following 12 network protocols:
1. CDP
2. DTP
3. Dot1Q
4. OSPF
5. EIGRP
6. VRRPv2
7. HSRPv1
8. STP
9. LLMNR
10. NBT-NS
11. MDNS
12. DHCPv6
It is important to note that the tool uses a threading mechanism, allowing the analysis of all protocols to run concurrently.
Operation Mechanism
Above supports the following two traffic-sniffing modes:
1. Hot Mode: Sniffs the target interface in real time for the duration set by the timer;
2. Cold Mode: Performs offline analysis of previously dumped traffic data;
Above's behaviour is controlled by the parameters passed to the script:
Interface: Specify the target network interface to sniff;
Timer: Set the time interval for executing traffic analysis;
Output pcap: Above records the monitored traffic into a pcap file, with a customizable file name;
Input pcap: The tool can take a previously prepared .pcap file as input and run its security audit analysis on it;
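Above's cold mode amounts to walking a pcap frame by frame and recognising each of the audited protocols by its on-wire markers (LLC/SNAP PID for CDP and DTP, LLC DSAP/SSAP for STP, the 802.1Q tag, IP protocol numbers for OSPF/EIGRP/VRRP, UDP ports for HSRP, LLMNR, NBT-NS, mDNS and DHCPv6). The script below is an added illustration of that idea, not code from the Above project: it is a dependency-free pcap reader (no Scapy) that inventories which of these protocols appear on a segment, which is the same question a defender asks when checking whether a switch port is leaking CDP/DTP or a router is speaking OSPF without need. The capture it analyses is constructed inline; all MAC/IP addresses and the `audit_file` helper are assumptions for the example.

```python
"""Cold-mode style audit: count the L2/L3 protocols Above looks for in a pcap.
Pure Python, no Scapy; the sample capture below is constructed, not real traffic."""
import struct
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4            # little-endian pcap magic number
LINKTYPE_ETHERNET = 1
CISCO_OUI = b"\x00\x00\x0c"

# On-wire identifiers of the audited protocols
SNAP_PID = {0x2000: "CDP", 0x2004: "DTP"}                   # LLC/SNAP with Cisco OUI
IP_PROTO = {88: "EIGRP", 89: "OSPF", 112: "VRRPv2"}          # IP protocol numbers
UDP_PORT = {137: "NBT-NS", 546: "DHCPv6", 547: "DHCPv6",
            1985: "HSRPv1", 5353: "MDNS", 5355: "LLMNR"}     # UDP destination ports


def classify_frame(frame):
    """Return the protocol labels found in one Ethernet frame (possibly none)."""
    found = []
    if len(frame) < 14:
        return found
    ethertype = struct.unpack("!H", frame[12:14])[0]
    off = 14
    if ethertype == 0x8100:                      # 802.1Q tag: TCI, then inner type
        found.append("Dot1Q")
        if len(frame) < 18:
            return found
        ethertype = struct.unpack("!H", frame[16:18])[0]
        off = 18
    if ethertype <= 1500:                        # 802.3 length field: LLC follows
        if len(frame) < off + 8:
            return found
        dsap, ssap = frame[off], frame[off + 1]
        if dsap == 0x42 and ssap == 0x42:        # spanning-tree BPDU
            found.append("STP")
        elif dsap == 0xAA and frame[off + 3:off + 6] == CISCO_OUI:
            pid = struct.unpack("!H", frame[off + 6:off + 8])[0]
            if pid in SNAP_PID:
                found.append(SNAP_PID[pid])
        return found
    if ethertype == 0x0800 and len(frame) >= off + 20:       # IPv4
        proto, l4 = frame[off + 9], off + (frame[off] & 0x0F) * 4
    elif ethertype == 0x86DD and len(frame) >= off + 40:     # IPv6 (no extension headers)
        proto, l4 = frame[off + 6], off + 40
    else:
        return found
    if proto in IP_PROTO:
        found.append(IP_PROTO[proto])
    elif proto == 17 and len(frame) >= l4 + 4:               # UDP: check destination port
        dport = struct.unpack("!H", frame[l4 + 2:l4 + 4])[0]
        if dport in UDP_PORT:
            found.append(UDP_PORT[dport])
    return found


def iter_pcap_frames(data):
    """Yield raw frames from a little-endian Ethernet pcap held in memory."""
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected a little-endian Ethernet pcap")
    pos = 24
    while pos + 16 <= len(data):
        incl_len = struct.unpack("<IIII", data[pos:pos + 16])[2]
        pos += 16
        yield data[pos:pos + incl_len]
        pos += incl_len


def audit_pcap(data):
    """Count frames of each audited protocol in the capture."""
    counts = Counter()
    for frame in iter_pcap_frames(data):
        counts.update(classify_frame(frame))
    return counts


def audit_file(path):                            # hypothetical helper for a real dump.pcap
    with open(path, "rb") as fh:
        return audit_pcap(fh.read())


# ---- constructed sample capture (addresses are made up) --------------------
def _eth(dst, etype, payload, src="000c29000001"):
    return bytes.fromhex(dst) + bytes.fromhex(src) + struct.pack("!H", etype) + payload

def _ipv4(proto, payload, dst="e0000005"):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 1, proto, 0,
                       bytes.fromhex("c0a80101"), bytes.fromhex(dst)) + payload

def _ipv6(nh, payload):
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), nh, 255,
                       bytes.fromhex("fe80" + "00" * 14),
                       bytes.fromhex("ff02" + "00" * 12 + "0103")) + payload

def _udp(dport, payload=b"\x00" * 8, sport=40000):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def build_sample_pcap():
    cdp = b"\xaa\xaa\x03" + CISCO_OUI + struct.pack("!H", 0x2000) + b"\x02\xb4\x00\x00"
    dtp = b"\xaa\xaa\x03" + CISCO_OUI + struct.pack("!H", 0x2004) + b"\x01\x00\x00\x00"
    stp = b"\x42\x42\x03" + b"\x00" * 35
    frames = [
        _eth("01000ccccccc", len(cdp), cdp),                          # CDP advertisement
        _eth("01000ccccccc", len(dtp), dtp),                          # DTP negotiation
        _eth("0180c2000000", len(stp), stp),                          # STP BPDU
        _eth("01005e000005", 0x8100, struct.pack("!HH", 100, 0x0800)
             + _ipv4(89, b"\x02\x01" + b"\x00" * 22)),                # OSPF hello, VLAN 100
        _eth("01005e000002", 0x0800,
             _ipv4(17, _udp(1985, b"\x00" * 20, sport=1985), dst="e0000002")),  # HSRPv1
        _eth("333300010003", 0x86DD, _ipv6(17, _udp(5355))),          # LLMNR over IPv6
    ]
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    for proto, n in sorted(audit_pcap(build_sample_pcap()).items()):
        print(f"{proto:8s} {n}")
```

Running the script prints one line per detected protocol with its frame count; `audit_file("dump.pcap")` applies the same classifier to a capture written by Above's `--output-pcap`. Any non-zero count for CDP, DTP or an unauthenticated routing protocol on an access segment is worth raising with the network owners.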
Information Collected for Each Supported Protocol
Impact: The types of attacks that can be executed against the protocol;
Tools: Tools that can be used to attack the protocol;
Technical Information: Relevant information needed by the attacker, such as IP addresses, FHRP group ID, OSPF/EIGRP domain, etc.;
Tool Installation
Since this tool is developed based on pure Python 3, we first need to install and configure a Python 3 environment on the local device. Subsequently, researchers can use the following command to clone the project source code locally:
caster@kali:~$ git clone https://github.com/wearecaster/Above
Then switch to the project directory and execute the tool installation script:
caster@kali:~$ cd Above/
caster@kali:~/Above$ sudo python3 setup.py install
Tool Parameters
usage: above [-h] [--interface INTERFACE] [--timer TIMER] [--output-pcap OUTPUT_FILE] [--input-pcap INPUT_FILE]

options:
  -h, --help                  Display help information and exit
  --interface INTERFACE       Specify the target network interface
  --timer TIMER               Set a time interval (in seconds)
  --output-pcap OUTPUT_FILE   Specify the path of the output pcap file for recording traffic
  --input-pcap INPUT_FILE     Specify the path of the input pcap file to analyze
Tool Usage
First, we need to switch the interface to promiscuous mode and run the Above script with root privileges:
caster@kali:~$ sudo ip link set eth0 promisc on
At startup, Above needs to specify at least a target interface and a timer:
caster@kali:~$ sudo above --interface eth0 --timer 120
If you wish to record the sniffed network traffic, use the --output-pcap parameter:
caster@kali:~$ sudo above --interface eth0 --timer 120 --output-pcap dump.pcap
If you have previously recorded sniffed traffic, you can use the --input-pcap parameter to search it for potential security issues:
caster@kali:~$ above --input-pcap dump.pcap
License Agreement
This project is developed and released under the Apache-2.0 open source license agreement.
Project Address