From OSSEC Wiki
Promqry is a Windows tool for detecting when Windows computers on your network have network interfaces operating in promiscuous mode (sniffing network traffic). It has both a command-line and a GUI version. The command-line version can be run with its output redirected to a text file.
For example, the following command would run the promqry command to check the 192.168.32.0/24 network and send its output (verbose) to a file named promqry.log:
promqry 192.168.32.1:192.168.32.254 > promqry.log
The following command would run the promqry application to check the 192.168.32.0/24 network and send its output (non-verbose) to a file named promqrynv.log:
promqry 192.168.32.1:192.168.32.254 -nv > promqrynv.log
This could be scheduled using the AT command or the Windows Task Scheduler, so that routine checks of the network can be performed.
The format of the output is shown below:
For the verbose output:
pinging 192.168.100.38...success
Querying 192.168.100.38...
Active: True
InstanceName: 3Com 3C920 Integrated Fast Ethernet Controller (3C905C-TX Compatible) #2
NEGATIVE: Promiscuous mode currently NOT enabled
Active: True
InstanceName: WAN Miniport (IP)
NEGATIVE: Promiscuous mode currently NOT enabled
System Summary
NEGATIVE: no interfaces on system found in promiscuous mode
===========================
pinging 192.168.100.39...success
Querying 192.168.100.39...
Error: The RPC server is unavailable.
Some possible causes for this failure:
- the system being queried is not online
- the network connection between this client and the system being queried is filtered
- the system being queried is behind a firewall which is blocking the connection attempt
Ensure the target system is online and network connectivity is available.
======================================
pinging 192.168.100.40...success
Querying 192.168.100.40...
Error: The RPC server is unavailable.
Some possible causes for this failure:
- the system being queried is not online
- the network connection between this client and the system being queried is filtered
- the system being queried is behind a firewall which is blocking the connection attempt
Ensure the target system is online and network connectivity is available.
======================================
pinging 192.168.100.41...failed
192.168.100.41 no response - skipping query
pinging 192.168.100.42...success
Querying 192.168.100.42...
Active: True
InstanceName: SMC EZ Card 10/100 (SMC1211TX)
POSITIVE: Promiscuous mode enabled!
Active: True
InstanceName: WAN Miniport (Network Monitor)
NEGATIVE: Promiscuous mode currently NOT enabled
Active: True
InstanceName: WAN Miniport (IP)
NEGATIVE: Promiscuous mode currently NOT enabled
System Summary
POSITIVE: at least one interface on system was found in promiscuous mode
Computer name: ACME-q
Domain: ACME
Computer manufacturer: Gateway
Computer model: TABOR_II
Primary owner: ACMECo
User currently logged on:
Operating system: Microsoft Windows 2000 Server
Organization: ACME Labs
===========================
pinging 192.168.100.43...success
Querying 192.168.100.43...
Error: Access is denied.
Promqry must be run in the context of an administrator on the system being queried.
======================================
pinging 192.168.100.44...failed
192.168.100.44 no response - skipping query
pinging 192.168.100.45...success
Querying 192.168.100.45...
Error: Invalid namespace
======================================
pinging 192.168.100.46...success
Querying 192.168.100.46...
Active: True
InstanceName: Broadcom NetXtreme Gigabit Ethernet #2
NEGATIVE: Promiscuous mode currently NOT enabled
Active: True
InstanceName: WAN Miniport (IP)
NEGATIVE: Promiscuous mode currently NOT enabled
Active: True
InstanceName: Broadcom NetXtreme Gigabit Ethernet
NEGATIVE: Promiscuous mode currently NOT enabled
System Summary
NEGATIVE: no interfaces on system found in promiscuous mode
The non-verbose output is as follows:
pinging 192.168.100.38...success
Querying 192.168.100.38...
System Summary
NEGATIVE: no interfaces on system found in promiscuous mode
===========================
pinging 192.168.100.39...success
Querying 192.168.100.39...
Error: The RPC server is unavailable.
Ensure the target system is online and network connectivity is available.
======================================
pinging 192.168.100.40...success
Querying 192.168.100.40...
Error: The RPC server is unavailable.
Ensure the target system is online and network connectivity is available.
======================================
pinging 192.168.100.41...failed
192.168.100.41 no response - skipping query
pinging 192.168.100.42...success
Querying 192.168.100.42...
POSITIVE: Promiscuous mode enabled!
System Summary
POSITIVE: at least one interface on system was found in promiscuous mode
Computer name: ACME-q
Domain: ACME
Computer manufacturer: Gateway
Computer model: TABOR_II
Primary owner: ACMECo
User currently logged on:
Operating system: Microsoft Windows 2000 Server
Organization: ACME Labs
===========================
pinging 192.168.100.43...success
Querying 192.168.100.43...
Error: Access is denied.
Promqry must be run in the context of an administrator on the system being queried.
======================================
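
An added example, not part of the original wiki page or of Promqry itself: a small Python parser that turns a scheduled run's log into one record per host, so that hosts in promiscuous mode and hosts that could not be checked (RPC error, access denied, no ping reply) are both surfaced. The names parse_promqry and needs_attention and the status labels are hypothetical, the sample log is constructed from the format shown above, and the parser assumes the log has one item per line.

```python
import re
# Constructed sample in the output format shown above (not real scan data).
SAMPLE = """\
pinging 192.168.100.38...success
Querying 192.168.100.38...
System Summary
NEGATIVE: no interfaces on system found in promiscuous mode
===========================
pinging 192.168.100.41...failed
192.168.100.41 no response - skipping query
pinging 192.168.100.42...success
Querying 192.168.100.42...
InstanceName: SMC EZ Card 10/100 (SMC1211TX)
POSITIVE: Promiscuous mode enabled!
System Summary
POSITIVE: at least one interface on system was found in promiscuous mode
pinging 192.168.100.43...success
Querying 192.168.100.43...
Error: Access is denied.
"""

PING = re.compile(r"^pinging (\S+?)\.\.\.(success|failed)")

def parse_promqry(text):
    """Map each pinged host to its status, promiscuous NICs and first error."""
    hosts, cur, nic = {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        m = PING.match(line)
        if m:  # a new host block starts at every "pinging" line
            status = "unknown" if m.group(2) == "success" else "no_response"
            cur = hosts[m.group(1)] = {"status": status, "nics": [], "error": None}
            nic = None
        elif cur is None:
            continue  # ignore anything before the first host
        elif line.startswith("InstanceName:"):
            nic = line.split(":", 1)[1].strip()
        elif line.startswith("POSITIVE:"):
            cur["status"] = "promiscuous"
            if "mode enabled" in line:  # per-interface line, not the summary
                cur["nics"].append(nic or "(unnamed: non-verbose output)")
        elif line.startswith("NEGATIVE: no interfaces") and cur["status"] == "unknown":
            cur["status"] = "clean"
        elif line.startswith("Error:") and cur["error"] is None:
            cur["status"], cur["error"] = "error", line[6:].strip()
    return hosts

def needs_attention(hosts):
    """Hosts found sniffing, plus hosts whose state could not be verified."""
    return {h: r["status"] for h, r in hosts.items() if r["status"] != "clean"}
```

A host that answered the ping but produced no summary line stays "unknown" and is reported by needs_attention, so a truncated log does not read as a clean result.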