Description of Promqry 1.0 and PromqryUI 1.0

Background information

A network "sniffer" is software and hardware that is designed to collect data that is flowing across a network. The data that a sniffer collects can be useful for many purposes, including troubleshooting, network traffic analysis, and security purposes. This type of data can also be used for illegitimate purposes, including data theft, password cracking, and networking mapping (reconnaissance). This type of passive network attack can be difficult to detect.

A network sniffer can run in one of two modes:

• Non-promiscuous mode
• Promiscuous mode

Network sniffers that do not run in Promiscuous mode typically collect data from the network that is destined to or sent from the computer that is running the sniffer. This traffic may include unicast, broadcast, and multicast traffic.

Promiscuous mode is a state in which a network adapter card copies all the frames that pass over the network to a local buffer, regardless of the destination address. This mode enables network sniffers to capture all network traffic on the sniffer's local subnet or virtual local area network (VLAN). Again, this traffic may include unicast, broadcast, and multicast traffic. You can configure a switch to limit this activity so that the network sniffer can collect only data sent to and from the computer that is running the sniffer (for example, the switch port that the computer that is running the sniffer is plugged into). If a computer has network interfaces that are running in Promiscuous mode, a network sniffer may be running on the computer.

Promqry and PromqryUI

Promqry and PromqryUI are two tools that detect network interfaces that are running in Promiscuous mode. Promqry is a command-line tool, and PromqryUI is a tool that has a Windows graphical user interface. Both tools have the same basic functionality. They can accurately determine whether a managed computer has network interfaces that are running in Promiscuous mode if the computer is running Windows 2000 or a later version. These tools cannot detect stand-alone sniffers or sniffers that are running on non-Microsoft Windows-based computers.

How to obtain the tools

Download the Promqry package now. (http://www.microsoft.com/downloads/details.aspx?FamilyId=4DF8EB90-83BE-45AA-BB7D-1327D06FE6F5&displaylang=en)

Download the PromqryUI package now. (http://www.microsoft.com/downloads/details.aspx?FamilyId=1A10D27A-4AA5-4E96-9645-AA121053E083&displaylang=en)

Common features

Both Promqry and PromqryUI can do the following things:

• Query the local computer's network interfaces
• Query a single remote computer's interfaces
• Query a range of remote computers' interfaces

When a range of computers is queried, both tools will ping (by using the ICMP protocol) each remote computer in the specified range. If the ping fails, for example, if the remote computer is not online or is behind a firewall, the computer's network interfaces will not be queried. This feature allows both tools to query the specified range quicker because they will not spend time attempting to query unreachable computers. This ping feature can be disabled for networks that filter ICMP, if it is required.

By default, both tools provide verbose output. Verbose output can be toggled off so that only summary data is provided.

Requirements

• Both tools require the .NET Framework in order to run. Therefore, you must have the .NET Framework installed on the computer from which you run Promqry or PromqryUI. However, the .NET Framework does not have to be installed on the remote computers that you want to query. For more information about the .NET Framework, visit the following Microsoft Web site: http://msdn2.microsoft.com/en-us/netframework/aa569265.aspx (http://msdn2.microsoft.com/en-us/netframework/aa569265.aspx)
• To use either tool to successfully query a computer, you must run the tools under the security context of an administrator on the computer that you are querying.
• Both tools use Windows Management Instrumentation (WMI) to query computers for information when an interface is found to be running in Promiscuous mode. By default, WMI is included in Windows 2000, Windows XP, and Windows Server 2003.
  For more information about WMI, visit the following Microsoft Web site:http://msdn2.microsoft.com/en-us/library/aa384642.aspx (http://msdn2.microsoft.com/en-us/library/aa384642.aspx)
• Because Promqry and PromqryUI use WMI (and DCOM), the tools must have access to various TCP/UDP ports, including TCP port 135, when they query remote computers.
  For information about connecting to remote computers through a firewall by using WMI, visit the following Microsoft Web site: http://msdn2.microsoft.com/en-us/library/aa389286.aspx (http://msdn2.microsoft.com/en-us/library/aa389286.aspx)

Known limitations

Promqry and PromqryUI have some limitations, including the following limitations:

• The tools cannot detect stand-alone sniffers, for example, devices that are manufactured for the sole purpose of sniffing network traffic. These devices can use different types of hardware and software.
• The tools cannot detect sniffers that are running on operating systems other than Windows 2000, Windows XP, Windows Server 2003, and later Windows operating systems.
• The tools cannot remotely detect sniffers that are running on Windows-based computers where the network hardware has been modified specifically to avoid detection. For example, the hardware may be modified so that the network interface card or a network cable allows the computer to receive traffic from the network, but not to send traffic to the network. In this scenario, the computer receives a query to determine whether it has interfaces that are running in Promiscuous mode, but its response does not make it back across the network to the computer that sent the query. However, Promqry and PromqryUI can be used to query these computers locally, instead of remotely, to determine whether interfaces are running in Promiscuous mode.

Notes on Virtual PC and Virtual Server

Promqry and PromqryUI may report that the physical interface is running in Promiscuous mode on a Windows-based computer that is running Microsoft Virtual PC and/or Microsoft Virtual Server. Virtual PC and Virtual Server will configure the host's physical interface to run in Promiscuous mode.

Promqry and PromqryUI report that the host's interface is running in Promiscuous mode in any one of the following conditions:

• A virtual PC or server is configured to use the host's physical interface. For example, the virtual PC or server is directly connected to the host's network instead of being configured on its own local network or configured to be behind an interface that is configured to perform Network Address Translation (NAT).
• An application such as a network sniffer has configured the host computer's network interface to run in Promiscuous mode. When the host computer is queried, it reports that one of the host computer's interfaces is running in Promiscuous mode.

Promqry and PromqryUI report that the host's interface is not running in Promiscuous mode under the following conditions:

• A virtual PC or server is configured to use its own local network or is configured to use a shared NAT connection. For example, the virtual PC or server is not configured to use the host's physical interface. In one of these configurations, even when the virtual PC or server is running a network sniffer that configures the interface to run in Promiscuous mode, Promqry and PromqryUI report that the interface is not running in Promiscuous mode. Although the interface of the virtual PC or server is running in Promiscuous mode, the interface will only be able to sniff network traffic that is sent to and from its own IP address. It will not be able to sniff all the traffic on the subnet that it is connected to.

Promqry 1.0 usage

Promqry is a command-line tool that can also be used in scripts. Promqry queries computers for interfaces that are running in Promiscuous mode.

To query a local computer's interfaces, run the promqry.exe command.

Notes

• Returns zero (0) if any interfaces are found to be running in Promiscuous mode.
• Returns 1 if no interfaces are found to be running in Promiscuous mode.
• Returns 99 if an error is encountered.
• The np and nv options are not valid for a local query.

To query a remote computer's interfaces, run the promqry.exe remote_IP | remote_name [-nv]

Notes

• Returns zero (0) if any interfaces are found to be running in Promiscuous mode.
• Returns 1 if no interfaces are found to be running in Promiscuous mode.
• Returns 99 if an error is encountered.
• The nv option means that there is no verbose output. The option only reports errors and computers with interfaces that are running in Promiscuous mode.

To query a range of remote computers' interfaces, run the promqry.exe start_remote_IP:end_remote_IP [-np] [-nv] command.

Notes

• The value of start_remote_IP must be lower than the value of end_remote_IP.
• np means that there is no ping before the query.
• np is valid only when querying a range of computers.
• nv means that there is no verbose output. The option only reports errors and computers with interfaces that are running in Promiscuous mode.

PromqryUI 1.0 usage

The PromqryUI interface has two panes. The left pane lists the systems to query, and the right pane displays the output that is generated when the START QUERY button is clicked.


To add systems to the list of systems to query, click Add. You will be asked whether you want to add a single system or a range of systems to the list.


Single systems can be added by IP address or by name. If a name is added, PromqryUI attempts to resolve the name to an IP address when you click the START QUERY button. If the name fails to resolve to an IP address, the query fails.


When you add a range of systems to the list of systems to query, the start IP address must be less than the end IP address.


After you add systems, click to select the box next to each or range to select the systems that you want to query. Systems and ranges that are not selected will not be queried when you click the START QUERY button.


Any systems that you have added to the list will be automatically saved when you exit PromqryUI in the usual manner (by using the File, Exit menu item or by using the control box). The next time you start PromqryUI, the Systems To Query list is automatically populated with the systems and ranges that were saved.

You can use the Edit menu to set the ping option and the verbose option that were described earlier.


Press the START QUERY button to start to query the selected systems. In verbose mode, each interface is listed and whether each interface is running in Promiscuous mode.

If no interfaces are found to be running in Promiscuous mode, you will receive a message similar to the message displayed in the graphic below.



If an interface is found to be running in Promiscuous mode, you will receive a message similar to the one displayed in the graphic below.



When PromqryUI (or Promqry) finds a host that has an interface that is running in Promiscuous mode, PromqryUI uses WMI to query the host for additional information to make it easier to identify that host. The following is an example of this data: