1. Overview

RogueScanner is the open-source component of Network Chemistry's RFProtect Scanner product line, released under the GPL. RogueScanner will automatically spider your network and identify the vendor and model of devices attached to it, with an emphasis on wireless APs.

RogueScanner accomplishes this through various fingerprinting and scanning techniques that discover devices and gather their uniquely identifying characteristics. These characteristics are then sent to Network Chemistry's classification server, where they are matched against known sets of device characteristics in order to arrive at the best possible match. This information is encrypted via SSL while in transit, and no information is collected which can link the data to the agent or the network it is collected from.

2. Building

The instructions provided below refer to Linux and other UNIX-like systems. However, it is possible to build RogueScanner and all of its dependencies under Windows. Currently, though, Windows users wanting to use RogueScanner are recommended to download the Windows binary at http://roguescanner.networkchemistry.net.

2.1. Prerequisites

The following libraries and their header files must be installed to successfully build RogueScanner:

The three packages listed above should be available with most common Linux and *BSD distributions. However, they can be installed from source obtained from the listed website if necessary.

Additionally, RogueScanner requires the two following packages:

Notes on building these to work with RogueScanner follow.

2.1.1. Building SNMP++ 3.x

In general, building SNMP++ isn't very difficult.

  1. Download the tarball from the website listed above and unpack it.
  2. Change to the "snmp++" directory that is extracted.
  3. Change to the "src" directory and locate the Makefile most appropriate for your platform (e.g., Makefile.linux for Linux).
  4. Open the Makefile and add the following defines to the "COPTIONS" line:

     -DSNMP_PP_NAMESPACE -D_USE_OPENSSL

  5. Compile by running make -f <Makefile name> (e.g., make -f Makefile.linux).

Once compilation has completed you can run "make install" to install the libraries and header files so that they are accessible system-wide. However, it's not necessary to do so. If you opt not to install SNMP++, you will need to specify the locations of the libraries and header files when running RogueScanner's configure script. Use the --with-snmp-libs and --with-snmp-headers options to do this.

2.1.2. Building gSOAP

Building gSOAP is much simpler than building SNMP++. Just download the tarball from the gSOAP website, change to the directory that is extracted and run ./configure && make. After compilation has completed you can then run make install if you'd like the libraries, headers, and binaries to be available system-wide.

Otherwise you can use the --with-gsoap-imports, --with-gsoap-libs, --with-gsoap-headers, --with-wsdl2h-path and --with-soapcpp2-path options to specify their locations when running RogueScanner's configure script.

2.2. Building RogueScanner

Once the prerequisites are out of the way, building RogueScanner is as easy as running configure and telling it where all the files it needs are located.

This can be done by using the following options:

  --with-pcap-libs=DIR        Path to libpcap
  --with-pcap-headers=DIR     Path to pcap.h
  --with-openssl-libs=DIR     Path to OpenSSL libraries
  --with-snmp-libs=DIR        Path to SNMP++ library
  --with-snmp-headers=DIR     Path to SNMP++ headers
  --with-gsoap-imports=DIR    Directory containing gSOAP import headers
  --with-gsoap-libs=DIR       Path to gSOAP libraries
  --with-gsoap-headers=DIR    Path to gSOAP headers
  --with-wsdl2h-path=DIR      Path to gSOAP's wsdl2h program
  --with-soapcpp2-path=DIR    Path to gSOAP's soapcpp2 program
  --with-ruby-libs=DIR        Path to libruby
  --with-ruby-headers=DIR     Path to ruby.h
Ex:

./configure --with-gsoap-imports=/home/andrew/src/RogueScanner/gsoap-2.7/soapcpp2/import \
            --with-ruby-headers=/usr/lib/ruby/1.8/i386-linux-gnu

After the configure script has completed, compile RogueScanner by running 'make'. Once compilation has finished, you can install it by becoming root and running 'make install'. RogueScanner will be installed in $PREFIX/sbin (e.g., /usr/local/sbin if --prefix wasn't used).

3. Configuring

3.1. RogueScanner's Configuration File

RogueScanner settings are stored in a configuration file. A sample configuration is provided in scanner.conf-example. This file is fully commented and explains all of the configuration settings. Below is a list of options that can be set in the configuration file:

  • iface -- The interface to use for sniffing

    Ex: iface=\Device\NPF_{91A6EED2-4C07-426C-84A8-FB17CECDF9B3} OR iface=eth0

  • iface_address -- The interface's IP address (used if multiple addresses are aliased)

    Ex: iface_address=192.168.0.5

  • iface_netmask -- The interface's netmask (used if multiple addresses are aliased)

    Ex: iface_netmask=255.255.255.0

  • promisc -- Sniff in promiscuous mode (needs to be set to false for wireless interfaces under Windows)

    Ex: promisc=true OR promisc=false

  • home_net -- Additional networks to scan, specified as CIDR blocks

    Ex: home_net=10.0.0.0/24,192.168.0.0/23,...

  • ignore_hosts -- A list of devices that you do not want to be scanned. This could be for a variety of reasons, such as the device ceasing to function when scanned. Devices are separated by commas and can be specified as an IP address, MAC address, or hostname.

    Ex: ignore_hosts=192.168.0.1,www.example.com,00:DE:AD:C0:DE:00

  • logfile -- File to log to

    Ex: logfile=./myfile.log

  • scan_threads -- Number of threads to use for scanning. More threads means faster scanning at the expense of increased bandwidth utilization.

    Ex: scan_threads=20

  • bw_limit -- Maximum amount of outgoing bandwidth that RogueScanner is allowed to use, specified in Kbps. RogueScanner will monitor its outgoing bandwidth usage and throttle packet transmission in order to keep the average outgoing bandwidth utilization below the value set here. If unset, the default value is 100 Kbps.

    Ex: bw_limit=256

  • debug -- Debug level. Can only be used when compiled with --enable-debug (see Debug.h for values)

    Ex: debug=0x4088

  • enable_cli -- Enable the interactive CLI

    Ex: enable_cli=true OR enable_cli=false

  • switch_dir -- Directory to read managed switch/router configuration files from

    Ex: switch_dir=C:\Program Files\Network Chemistry\RogueScanner\Switches

  • proxy_host -- IP address of the HTTP proxy to connect to Network Chemistry's classification server through.

    Ex: proxy_host=192.168.1.1

  • proxy_port -- Port that the HTTP proxy is accepting connections on.

    Ex: proxy_port=3128

  • proxy_userid -- Username to use when connecting through an HTTP proxy that requires authentication.

    Ex: proxy_userid=proxyuser

  • proxy_passwd -- Password to use when connecting through an HTTP proxy that requires authentication.

    Ex: proxy_passwd=myproxypassword
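To show how the options above fit together, here is an added example (not part of RogueScanner) that parses a scanner.conf in the key=value form described and checks the settings the list defines: home_net CIDR blocks, ignore_hosts entries as IP, MAC or hostname, the true/false switches, and the 100 Kbps bw_limit default. The sample configuration text is constructed.

```ruby
require 'ipaddr'

# Constructed sample in the key=value format described above.
SAMPLE_CONF = <<~CONF
  # comment lines and blank lines are ignored
  iface=eth0
  promisc=true
  home_net=10.0.0.0/24,192.168.0.0/23
  ignore_hosts=192.168.0.1,www.example.com,00:DE:AD:C0:DE:00
  scan_threads=20
  enable_cli=false
CONF

MAC_RE = /\A(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}\z/
BOOL_KEYS = %w[promisc enable_cli].freeze

# Parse "key=value" lines into a hash. Only the first '=' splits the pair,
# so Windows interface names containing braces and backslashes survive intact.
def parse_scanner_conf(text)
  text.each_line.with_object({}) do |line, conf|
    line = line.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split('=', 2)
    conf[key.strip] = value.to_s.strip
  end
end

# Classify an ignore_hosts entry the way the option allows: MAC, IP or hostname.
def classify_host(entry)
  return :mac if entry.match?(MAC_RE)
  IPAddr.new(entry) # raises IPAddr::InvalidAddressError (an ArgumentError) for names
  :ip
rescue ArgumentError
  :hostname
end

# bw_limit in Kbps; the page states 100 Kbps applies when the option is absent.
def effective_bw_limit(conf)
  conf.key?('bw_limit') ? conf['bw_limit'].to_i : 100
end

# Return a list of problems; an empty list means the settings look sane.
def check_scanner_conf(conf)
  problems = []
  problems << 'iface is required' if conf['iface'].to_s.empty?
  BOOL_KEYS.each do |k|
    v = conf[k]
    problems << "#{k} must be true or false" if v && !%w[true false].include?(v)
  end
  conf.fetch('home_net', '').split(',').each do |cidr|
    IPAddr.new(cidr) # accepts a.b.c.d/len and rejects out-of-range prefixes
  rescue ArgumentError
    problems << "home_net: invalid CIDR block #{cidr}"
  end
  problems << 'bw_limit must be a positive integer (Kbps)' unless effective_bw_limit(conf) > 0
  problems << 'proxy_userid set without proxy_host' if conf['proxy_userid'] && conf['proxy_host'].to_s.empty?
  problems
end
```

Because proxy_passwd is stored in clear text, the same check is a natural place to confirm the file is readable only by the account RogueScanner runs as.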

3.2. Router/Switch Configuration

In addition to its network scanning, RogueScanner can also query your managed switches and routers for network device information. To do this, however, you'll need to give RogueScanner the SNMP/SSH/telnet credentials for your infrastructure devices so that it can connect to them. Each switch or router configuration is specified in a YAML file placed in the directory you specified with the switch_dir option in your configuration file.

These files look like the following for SNMP devices:

--- !ruby/object:SwitchQuerySNMPBridgeAt
host: 10.0.0.1
community: public

Configuration files for Telnet/SSH access have some additional parameters:

--- !ruby/object:SwitchQueryShellJuniper
host: 10.0.0.1
comm: ssh
username: user
password: pass

The first line is used to tell RogueScanner how the device is to be accessed. Valid values for this are:

  • SwitchQuerySNMPBridge - Retrieve information from the SNMP BRIDGE-MIB
  • SwitchQuerySNMPBridgeAt - Retrieve information from the SNMP BRIDGE-MIB with an indexed community
  • SwitchQueryShellCisco - Retrieve information from Cisco devices using a Telnet/SSH connection
  • SwitchQueryShellExtreme - Retrieve information from Extreme devices using a Telnet/SSH connection
  • SwitchQueryShellJuniper - Retrieve information from Juniper devices using a Telnet/SSH connection
  • SwitchQueryShellNetgear - Retrieve information from Netgear devices using a Telnet/SSH connection
  • SwitchQueryShellSymbolWS - Retrieve information from Symbol devices using a Telnet/SSH connection

The rest of the lines are used to specify the device's IP address and the credentials to use. For shell access the communication method is also specified (i.e., "ssh" or "telnet"). Each file corresponds to a single device. When creating the files, be sure to save them with a .yaml extension.
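As an added example (not RogueScanner's own loader) of reading the switch_dir files above: the !ruby/object: tag names a Ruby class to instantiate, so a loader should revive only the seven SwitchQuery classes listed and reject any other tag. The class definitions and attribute names are assumptions modelled on the two sample files, and the sample YAML strings are constructed.

```ruby
require 'yaml'

# Assumed class layout: SNMP queries carry host and community, shell queries
# carry host, comm, username and password. Attribute names follow the samples.
class SwitchQuerySNMPBridge
  attr_reader :host, :community
end
class SwitchQuerySNMPBridgeAt < SwitchQuerySNMPBridge; end

class SwitchQueryShell
  attr_reader :host, :comm, :username, :password
end
class SwitchQueryShellCisco < SwitchQueryShell; end
class SwitchQueryShellExtreme < SwitchQueryShell; end
class SwitchQueryShellJuniper < SwitchQueryShell; end
class SwitchQueryShellNetgear < SwitchQueryShell; end
class SwitchQueryShellSymbolWS < SwitchQueryShell; end

# The seven tags the page lists as valid first lines.
SWITCH_CLASSES = [SwitchQuerySNMPBridge, SwitchQuerySNMPBridgeAt,
                  SwitchQueryShellCisco, SwitchQueryShellExtreme,
                  SwitchQueryShellJuniper, SwitchQueryShellNetgear,
                  SwitchQueryShellSymbolWS].freeze

# Constructed samples in the shape shown above.
SNMP_SAMPLE = "--- !ruby/object:SwitchQuerySNMPBridgeAt\nhost: 10.0.0.1\ncommunity: public\n"
SHELL_SAMPLE = "--- !ruby/object:SwitchQueryShellJuniper\nhost: 10.0.0.1\ncomm: ssh\n" \
               "username: user\npassword: pass\n"

# Revive only the permitted query classes; any other !ruby/object tag raises
# Psych::DisallowedClass instead of instantiating an arbitrary class.
def load_switch_file(text)
  obj = YAML.safe_load(text, permitted_classes: SWITCH_CLASSES)
  raise ArgumentError, "not a switch query: #{obj.class}" unless SWITCH_CLASSES.include?(obj.class)
  obj
end

# Check the fields each device type needs; an empty list means the file is usable.
def switch_problems(obj)
  problems = []
  problems << 'host missing' if obj.host.to_s.empty?
  if obj.is_a?(SwitchQueryShell)
    problems << 'comm must be ssh or telnet' unless %w[ssh telnet].include?(obj.comm)
    problems << 'username/password missing' if obj.username.to_s.empty? || obj.password.to_s.empty?
  elsif obj.community.to_s.empty?
    problems << 'community missing'
  end
  problems
end
```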

4. Running

Once you've configured RogueScanner, you can run it by using a command like this:

/usr/local/sbin/RogueScanner -c /usr/local/etc/scanner.conf

You should begin to see log messages appear in scanner.log or the log file you specified in your configuration file. Additionally RogueScanner will create an output directory in the current working directory and output several .csv files describing the various devices that have been discovered.

If you have not disabled the interactive CLI via your configuration file, you will also be presented with a prompt. Using this, you can see what RogueScanner is doing and what devices it has found and classified in real-time.

Valid commands are:

  • classify <IPADDR> | <MACADDR> This command enables you to override the classification provided by the server if you know what the device really is. By using the command, the server will be updated with the correction.
  • config This command displays the current configuration settings.
  • device detail <IPADDR> | <MACADDR> This command displays the information gathered about a device as well as its classification.
  • device list Displays a list of all discovered devices. If a device has been classified, the vendor and model will be listed next to each device.
  • exit | quit Shutdown the program.
  • help Print an abbreviated list of CLI commands and their descriptions.
  • scan device <IPADDR> | <MACADDR> Manually scan a device at the specified IP or MAC address.
  • scan queue list List all pending scans against discovered devices.
  • scan queue size Display the number of scan requests that have been queued.
  • thread status Display what each scanning thread is doing.

5. Contact Us

If you have any questions, feature requests, or bug reports, please don't hesitate to send them to roguescanner@networkchemistry.com. We welcome any feedback.

For updates to RogueScanner, visit http://roguescanner.networkchemistry.net.

6. Licenses

RogueScanner is licensed under the GNU General Public License. See the file COPYING. RogueScanner uses some other open source software under different licenses:

6.1 Ruby

Ruby is copyrighted free software by Yukihiro Matsumoto <matz@netlab.co.jp>. You can redistribute it and/or modify it under either the terms of the GPL (see COPYING.txt file), or the conditions below:

  1. You may make and give away verbatim copies of the source form of the software without restriction, provided that you duplicate all of the original copyright notices and associated disclaimers.
  2. You may modify your copy of the software in any way, provided that you do at least ONE of the following:
    1. place your modifications in the Public Domain or otherwise make them Freely Available, such as by posting said modifications to Usenet or an equivalent medium, or by allowing the author to include your modifications in the software.
    2. use the modified software only within your corporation or organization.
    3. rename any non-standard executables so the names do not conflict with standard executables, which must also be provided.
    4. make other distribution arrangements with the author.
  3. You may distribute the software in object code or executable form, provided that you do at least ONE of the following:

    1. distribute the executables and library files of the software, together with instructions (in the manual page or equivalent) on where to get the original distribution.
    2. accompany the distribution with the machine-readable source of the software.
    3. give non-standard executables non-standard names, with instructions on where to get the original software distribution.
    4. make other distribution arrangements with the author.
  4. You may modify and include the part of the software into any other software (possibly commercial). But some files in the distribution are not written by the author, so that they are not under this terms. They are gc.c(partly), utils.c(partly), regex.[ch], st.[ch] and some files under the ./missing directory. See each file for the copying condition.

  5. The scripts and library files supplied as input to or produced as output from the software do not automatically fall under the copyright of the software, but belong to whomever generated them, and may be sold commercially, and may be aggregated with this software.
  6. THIS SOFTWARE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

6.2 SNMP++

SNMP++v3.2.20
-----------------------------------------------
Copyright (c) 2001-2006 Jochen Katz, Frank Fock

This software is based on SNMP++2.6 from Hewlett Packard:

Copyright (c) 1996
Hewlett-Packard Company

ATTENTION: USE OF THIS SOFTWARE IS SUBJECT TO THE FOLLOWING TERMS. Permission to use, copy, modify, distribute and/or sell this software and/or its documentation is hereby granted without fee. User agrees to display the above copyright notice and this license notice in all copies of the software and any documentation of the software. User agrees to assume all liability for the use of the software; Hewlett-Packard and Jochen Katz make no representations about the suitability of this software for any purpose. It is provided "AS-IS" without warranty of any kind, either express or implied. User hereby grants a royalty-free license to any and all derivatives based upon this software code base.

Stuttgart, Germany, Sun Jan 15 23:12:08 CET 2006

6.3 libpcap/winpcap

Copyright (c) 1993, 1994, 1995, 1996, 1997
The Regents of the University of California. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

  1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
  2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
  3. All advertising materials mentioning features or use of this software must display the following acknowledgement: This product includes software developed by the Computer Systems Engineering Group at Lawrence Berkeley Laboratory.
  4. Neither the name of the University nor of the Laboratory may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Copyright (c) 1999, 2000
Politecnico di Torino. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that: (1) source code distributions retain the above copyright notice and this paragraph in its entirety, (2) distributions including binary code include the above copyright notice and this paragraph in its entirety in the documentation or other materials provided with the distribution, and (3) all advertising materials mentioning features or use of this software display the following acknowledgement: ``This product includes software developed by the Politecnico di Torino, and its contributors.'' Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

6.4 VirtualTreeView (in windows UI)

Version 4.0.17

The contents of this file are subject to the Mozilla Public License Version 1.1 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.mozilla.org/MPL/

Alternatively, you may redistribute this library, use and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version. You may obtain a copy of the LGPL at http://www.gnu.org/copyleft/.

Software distributed under the License is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License for the specific language governing rights and limitations under the License.

The original code is VirtualTrees.pas, released September 30, 2000.

The initial developer of the original code is digital publishing AG (Munich, Germany, www.digitalpublishing.de), written by Dipl. Ing. Mike Lischke (public@lischke-online.de, www.lischke-online.de).

Portions created by digital publishing AG are Copyright (C) 1999-2001 digital publishing AG. All Rights Reserved.

6.5 pthreads-win32 (on windows)

Copyright (C) 2001 Ross P. Johnson
All rights reserved.
Pthreads-win32 is covered by the GNU Lesser General Public License

