Who’s Being Promiscuous in Your Active Directory?

I'm always a fan of more queries and peeks at what is going on in my AD domain, especially at what is happening on the workstations. I was working on some WMI queries to get information about network interfaces using the Win32_NetworkAdapterConfiguration class, and thought about promqry.exe. Promqry is a tool provided by Microsoft that queries a computer's network interfaces and reports whether any of them is running in promiscuous mode.

This information can be handy for several reasons:

  • An interface running in promiscuous mode may be due to the user running a network sniffer such as Wireshark.
  • An interface running in promiscuous mode may be due to the user running virtualization software, such as Virtual PC.
  • An interface running in promiscuous mode may be due to malicious code.

I definitely want to know if users are running network sniffers or virtualization software (the guests are likely unlicensed and unmanaged, which means rogue workstations in the environment). Of course any activity that may be caused by malware or other malicious code is a concern as well.

You could very easily download promqry and run it in a for loop over a list of machines. I wanted to use WMI directly for this task instead, and rather than a text file of hostnames, use the DirectoryServices objects to query AD for the computers.

I couldn't find any property in Win32_NetworkAdapterConfiguration that exposes this, but I found a post on promqry which tracked down the WMI classes it uses, and that pointed me in the right direction. The other key is what MSNdis_CurrentPacketFilter returns: its NdisCurrentPacketFilter property is the adapter's current NDIS packet filter, a bitmask whose NDIS_PACKET_TYPE_* values Microsoft documents, and we check whether the NDIS_PACKET_TYPE_PROMISCUOUS bit (0x00000020) is set.

Below is a quick PowerShell script which grabs the computer objects from AD, then uses WMI and the MSNdis_CurrentPacketFilter class to check each one for promiscuous mode. You can combine this WMI query with Win32_NetworkAdapterConfiguration to get a better picture of the interface's network settings:


# Errors (unreachable host, access denied, RPC blocked) are suppressed; WMI then returns nothing
$ErrorActionPreference = "SilentlyContinue"

$PingTest = New-Object System.Net.NetworkInformation.Ping
$Filter   = "(&(ObjectCategory=computer))"
$Searcher = New-Object System.DirectoryServices.DirectorySearcher($Filter)
# Without paging the DC caps the result set at 1000 objects, so large domains would be cut off
$Searcher.PageSize = 1000

ForEach ($comp in $Searcher.FindAll()) {
    $strComputer = $comp.Properties["name"][0]
    Write-Host "Checking: $strComputer"

    # Ping first so an unreachable host fails fast instead of waiting for the RPC timeout
    if ($PingTest.Send($strComputer).Status -eq "Success") {
        # MSNdis_CurrentPacketFilter lives in root\WMI, one instance per NDIS adapter
        $colComputer = Get-WmiObject -Class "MSNdis_CurrentPacketFilter" -Namespace "root\WMI" -ComputerName $strComputer
        if ($null -eq $colComputer) {
            Write-Host "Couldn't connect to WMI"
        } else {
            foreach ($nic in $colComputer) {
                $val = $nic.NdisCurrentPacketFilter
                # 0x00000020 is NDIS_PACKET_TYPE_PROMISCUOUS
                if ($val -band 0x00000020) {
                    $inst = $nic.InstanceName
                    Write-Host "Interface: $inst"
                    Write-Host "The NDIS_PACKET_TYPE_PROMISCUOUS value is set" -ForegroundColor Red -BackgroundColor Yellow
                }
            }
        }
    } else {
        Write-Host "Could not ping, machine not queried."
    }
}


The following screenshot shows the results. I don't like waiting for RPC to time out when a machine is off or unreachable, so a quick ping check before querying WMI speeds things up (at the cost of skipping hosts that are up but drop ICMP). When an interface has the bit set, the output is highlighted in red text on a yellow background. Because the filter is only set while a capture or bridge is actually active, one sweep is just a snapshot; wrap an email function around it and schedule it so that you are alerted whenever it comes up.

[Screenshot: ScreenHunter_06 Oct. 01 20.51]

The MSNdis classes in root\WMI require administrative rights on the target, so when you run this across a domain the account should be a local administrator on the computers it queries. If it isn't, or if the Windows Firewall on the target blocks the DCOM/RPC traffic that WMI rides on, Get-WmiObject returns nothing (the errors are suppressed by $ErrorActionPreference) and the script prints "Couldn't connect to WMI".
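The script above only reports the raw promiscuous hit. As an added example that is not part of the original post, the following takes up the suggestion to combine the MSNdis query with Win32_NetworkAdapterConfiguration: it decodes the whole NDIS packet filter bitmask, joins each MSNdis instance to its Win32_NetworkAdapter and Win32_NetworkAdapterConfiguration records, and emits objects instead of Write-Host text so the result can be filtered, exported or emailed from a scheduled task. It also turns the silent "Couldn't connect" case into a warning that carries the real error (access denied versus RPC unavailable). The function names and the flag table are mine; the NDIS_PACKET_TYPE_* values are the ones from ndis.h. Matching the MSNdis InstanceName to Win32_NetworkAdapter.Name is an assumption, which is why adapters without a match are still listed, just without MAC and IP. It needs PowerShell 3.0 or later and, as above, local administrator rights on the target.

```powershell
# Added example (not from the original post): decode each adapter's NDIS packet filter,
# join it with Win32_NetworkAdapter / Win32_NetworkAdapterConfiguration, and emit objects
# that can be filtered, exported or emailed. Requires PowerShell 3.0+ and local admin on
# the target (root\WMI). Get-WmiObject is kept to match the post; Get-CimInstance is the
# modern equivalent but talks WinRM instead of DCOM/RPC, which changes the firewall story.

# NDIS packet filter bits (NDIS_PACKET_TYPE_* in ndis.h). 0x20 is the one we care about.
$NdisPacketTypes = [ordered]@{
    DIRECTED       = 0x00000001
    MULTICAST      = 0x00000002
    ALL_MULTICAST  = 0x00000004
    BROADCAST      = 0x00000008
    SOURCE_ROUTING = 0x00000010
    PROMISCUOUS    = 0x00000020
    SMT            = 0x00000040
    ALL_LOCAL      = 0x00000080
}

function ConvertTo-NdisFilterNames {
    # Turn the raw bitmask into a readable list such as "DIRECTED,MULTICAST,BROADCAST,PROMISCUOUS".
    param([uint32]$Filter)
    $names = foreach ($entry in $NdisPacketTypes.GetEnumerator()) {
        if ($Filter -band $entry.Value) { $entry.Key }
    }
    return ($names -join ',')
}

function Get-PromiscuousReport {
    param([string]$ComputerName = $env:COMPUTERNAME)

    try {
        # One MSNdis_CurrentPacketFilter instance per NDIS miniport, physical or virtual.
        $filters  = Get-WmiObject -Namespace 'root\WMI' -Class MSNdis_CurrentPacketFilter `
                                  -ComputerName $ComputerName -ErrorAction Stop
        $adapters = Get-WmiObject -Class Win32_NetworkAdapter -ComputerName $ComputerName -ErrorAction Stop
        $configs  = Get-WmiObject -Class Win32_NetworkAdapterConfiguration -ComputerName $ComputerName -ErrorAction Stop
    } catch {
        # Access denied (not a local admin) and RPC unavailable (firewall) both land here,
        # with the real reason in the message instead of a silent empty result.
        Write-Warning "$ComputerName : $($_.Exception.Message)"
        return
    }

    foreach ($f in $filters) {
        # Assumption: the MSNdis InstanceName equals Win32_NetworkAdapter.Name for the same NIC.
        # Miniports with no Win32_NetworkAdapter match are still reported, just without MAC/IP.
        $nic = $adapters | Where-Object { $_.Name -eq $f.InstanceName } | Select-Object -First 1
        $cfg = $null
        if ($nic) { $cfg = $configs | Where-Object { $_.Index -eq $nic.Index } | Select-Object -First 1 }

        [pscustomobject]@{
            ComputerName = $ComputerName
            Interface    = $f.InstanceName
            Connection   = $(if ($nic) { $nic.NetConnectionID })
            MACAddress   = $(if ($cfg) { $cfg.MACAddress })
            IPAddress    = $(if ($cfg -and $cfg.IPAddress) { $cfg.IPAddress -join ',' })
            FilterHex    = ('0x{0:X8}' -f $f.NdisCurrentPacketFilter)
            FilterFlags  = (ConvertTo-NdisFilterNames -Filter $f.NdisCurrentPacketFilter)
            Promiscuous  = [bool]($f.NdisCurrentPacketFilter -band $NdisPacketTypes.PROMISCUOUS)
        }
    }
}

# Usage: report only promiscuous adapters on the local box. Feed the hostnames from the
# DirectorySearcher loop above into -ComputerName, then pipe to Export-Csv or Send-MailMessage.
Get-PromiscuousReport | Where-Object { $_.Promiscuous } | Format-Table -AutoSize
```

Emitting objects rather than coloured text is what makes the scheduled-alert idea practical: the same pipeline can feed Export-Csv for a baseline and Send-MailMessage for the exceptions, and the FilterFlags column lets you tell a NIC in plain promiscuous mode from one that is also in ALL_MULTICAST, which some drivers set on their own.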

Finally, if you haven't looked at the MSNdis classes yet, I suggest taking a look, especially at the MSNdis_80211_* classes, which return various wireless information that may be of interest. There isn't a whole lot of documentation on them, so I'll work on getting some details together and maybe draft a PowerShell script to find wireless adapters and the networks they are connected to, or the available networks close enough to connect to. Until then, enjoy finding those promiscuous mode adapters in your domain.

Filed Under: Administration, Network Security, Security, Tools


Comments (1)


  1. [...] been a while since my last post regarding Powershell which showed how to scan hosts for network interfaces in promiscuous mode. This time around, [...]
