ass - autonomous system scanner
ass [-v[v[v]]] -i <interface> [-p] [-c] [-A] [-M] [-P IER12] -a
<autonomous system start> -b <autonomous system stop> [-S
<spoofed source IP>] [-D <destination ip>] [-T <packets per
delay>]
This manual page documents briefly the
ass command. This manual page was
written for the Debian distribution because the original program does not have
a manual page.
ASS, the autonomous system scanner, is designed to find the AS of the router. It
supports the following protocols: IRDP, IGRP, EIGRP, RIPv1, RIPv2, CDP, HSRP
and OSPF.
In passive mode (./ass -i eth0), it just listens to routing protocol packets
(like broadcast and multicast hellos).
In active mode (./ass -i eth0 -A), it tries to discover routers by asking for
information. This is done to the appropriate address for each protocol (either
broadcast or multicast addresses). If you specify a destination address, this
will be used but may be not as effective as the defaults.
EIGRP scanning is done differently: While scanning, ASS listens for HELLO
packets and then scans the AS directly on the router who advertised himself.
You can force EIGRP scanning into the same AS-Scan behavior as IGRP uses by
giving a destination or into multicast scanning by the option -M.
For Active mode, you can select the protocols you want to scan for. If you don't
select them, all are scanned. You select protcols by giving the option -P and
any combination of the following chars: IER12, where:
I = IGRP
E = EIGRP
R = IRDP
1 = RIPv1
2 = RIPv2
ASS output might look a little strange, but has it's meanings:
Routers are identified by the sender's IP address of the packet. This may lead
to several routers showing up as more then one since they used different
sender interfaces. In the brackets, the protocols this router runs are shown.
Routing protocols are shown as one or more indented lines. First, there is the
routing protocol name (like EIGRP), followed by the autonomous system number
in brackets. Aligned to the right is the target network if applicable.
IGRP routing info shows the target network and in brackets the following values:
Delay, Bandwidth, MTU, Reliability, Load and Hopcount.
The IRDP info is limmited to the announced gateway (router) and it's preference
RIPv1 info just gives you the classified target network (remember RIPv1 network
boundaries) and it's metric
RIPv2 info contains after the target network the following infos: Netmask, next
hop, arbitrary tag, and the metric. An additional line may appear on the
routers section that gives you the authentication if enabled in the protocol.
For text auth, the password is there.
The basic EIGRP just gives you the autonomous system number, the IOS and EIGRP
version as found in the HELLO packet
The EIGRP routes section depends on the type of route. All of them include the
fields destination network, destination mask and in the last line (in
brackets) the values for Delay, Bandwidth, MTU, Reliability, Load and
Hopcount. External routes also include the originating router, the originating
autonomous system, the external metric and the source of this route.
HSRP info is not routing, therefore the third field is the virtual IP address of
the standby group, followed by the state, the auth string, Hello, Hold and
priority values.
OSPF info includes the destination network as well as the Area in IP format, the
authentication used (and, if applicable the auth string), netmask, designated
and backup router and the values for Dead, Priority and Hello.
A summary of options is included below.
- -h
- Show summary of options.
- -i <interface>
- interface
- -v
- verbose mode
- -A
- Active mode scanning
- -P <protocols>
- Select protocols to scan
- -M
- EIGRP systems are scanned using the multicast address and
not by HELLO enumeration and direct query
- -a <autonomous system>
- autonomous system to start from
- -b <autonomous system>
- autonomous system to stop with
- -S <spoofed source IP>
- maybe you need this
- -D <destination IP>
- If you don't specify this, the appropriate address per
protocol is used
- -p
- don't run in promiscuous mode (bad idea)
- -c
- terminate after scanning. This is not recommended since
answers may arrive later and you could see some traffic that did not show
up during your scans
- -T <packets per delay>
- how many packets should we wait some milliseconds (-T 1 is
the slowest scan -T 100 begins to become unreliable)
This manual page was written by Vince Mulhollon <
[email protected]>, for the
Debian GNU/Linux system (but may be used by others).