hybrid approaches towards optimized network discovery techniques by david meltzer
TRANSCRIPT
Hybrid Approaches Towards Optimized
Network Discovery Techniques
By David Meltzer
Preface
Download the tool I’m presenting about:http://www.cambia.com/papmap
The Premise
A tool that gave you a constantly updated real-time view of the devices on a network
would be a really useful thing to have.
Agenda
• Active vs. passive network discovery• Hybrid discovery• Introduce PAPMap
• DEMO
• Conclusions
Network Discovery Defined:
Answer These Questions:– What hosts are on the network?– What ports are open?– What services are running?– What is the configuration state of those
services?– As deep as you want to go…
Assumptions
No host-based tools
No access to routers or switches
Network changes
Active vs. Passive Discovery
Active: Directly probe devices by sending packets to them.
nmap.
Passive: Listen silently to network traffic.sniffers, ids, p0f, etc.
Some commercial tools.
Passive Discovery History
Passive vulnerability signatures in RealSecure IDS– Meltzer ’97
“Passive Vulnerability Detection” – Gula ’99
“Target-Based IDS”- Roesch ’00
“Vulnerability Detection Systems (VDS)”- Meltzer ’02
“Passive Vulnerability Scanner (PVS)”- Gula ’03
“Passive Network Discovery Systems (PNDS)” – Roesch ’04
Comparing Discovery Techniques
The Metrics:• Turbidity
Disruptiveness to network/hosts• Speed
Time-to-Detect• Coverage
What can it tell you?• Accuracy
False positives/negatives?
Passive Discovery Analysis:Turbidity
Listening is safe (mostly).
Why people like IDS.
Why people like anything passive.
Passive Discovery Analysis:Speed
Real-Time
But…At first use
Passive Discovery Analysis:Coverage
Good for discovering the ‘basics’
Bad for discovering the ‘details’
Some things only/better discovered passivelySome things discovered equally well passively or
actively MANY things only discovered actively
Passive Discovery Analysis:Accuracy
Depends…
IF you are content with poor coverage, you can have perfectly accurate passive scanning.
Hybrid Discovery Approach
Realizing active and passive discovery are complementary techniques…
Why should you have to choose?
Hybrid Network Discovery Defined
Gathering network inventory data using both active and passive techniques integrated
into a single system.
Hybrid Advantages
Independent active/passive engines:• Double the hassle• Substantially more turbidity• Waste resources• Manually resolve conflicts
Hybrid approach:• Single configuration• Uses less bandwidth than pure active• Single output
Hybrid Discovery: Introducing PAPMap
Combines passive and active scanning techniques for network discovery.
Operates as a drop-in replacement for nmap.
Utilizes nmap for active discovery.
A complete and functional hybrid scanner.
PAPMap v1.0 Requirements
R-1. Takes same command line as nmap.
R-2. Produces almost same output as nmap.
R-3. Runs nmap scan then switches to passive listening mode and updates output anytime a change in TCP port open/closed state detected.
PAPMap v2.0 Requirements
v1.0 plus…R-1. Linux versionR-2. UDP port discoveryR-3. Passive app-layer service detectionR-4. Hybrid Features:
a. Integrated active port scansb. Integrated active service detectionc. Scheduled active rescansd. Optimized active rescanse. Passive-first mode
PAPMap History
V1.0 released July 2004 @ ruxcon.au• “Proof of concept”• Windows only• TCP port discovery only
• V2.0 released… now.• Ready for primetime…
PAPMap Basic Usage: Part I
nmap:
% nmap –oX nmap-results.xml 192.168.1.0/24
papmap:
% papmap –oX nmap-results.xml 192.168.1.0/24
PAPMap Basic Usage: Part II
1. Executes nmap
2. Loads nmap XML output into in-memory database
3. Starts listening promiscuously on network
PAPMap Basic Usage: Part III
4. Line output to stdout indicating new status of the port.
5. Nmap XML file is updated to reflect real-time state of network being mapped (but updates cached to avoid flailing disk).
6. Monitoring continues until user quits.
PAPMap Features:TCP Port Discovery
Port is listening IF…
SYN sent TO port AND
SYN/ACK reply FROM port
Port is NOT listening IF…
SYN sent TO port AND
RST reply FROM port
No reply to a SYN:Is port closed?
Did I drop a packet?
Was SYN malformed?
Firewall?
PAPMap Features:UDP Port Discovery
UDP Is Always Hard…
Port is active IF…Traffic coming from port
BUTIs it listening or just a client?And how do I know if it closes?
Evidence…ICMP UnreachablesSending to multiple destinationsActive probing results
PAPMap Features:Service Detection
1. Reassemble TCP Stream
2. Grab initial banner prior to client-side command
3. Match against null probe signature database
4. Match client-side command to client probe command database
5. Grab subsequent banner
6. Match against probe signature database
7. Output identified service in same format as-if nmap had actively probed for it.
Uses same file format as nmap services probes.
PAPMap Features:Hybrid Host/Port Scans
IF a new host is detected passively…
Launch nmap scan against host to determine open ports
IF a new port is detected passively…
Launch nmap service detection against port to identify service
PAPMap Features:Active rescans
On a scheduled time interval…
Relaunch nmap and rescan to update with newest active information
Optimization…
Any port state determined passively within N seconds of active rescan, do not actively probe.
PAPMap Features:Passive-first/only mode
Start building discovery database in passive mode without first actively scanning from nmap.
Combine with active rescans or use as a pure passive tool.
PAPMap v2.0 Demo
PAPMap Status
v2.0 released at Pacsec ’04
Source and binaries freely available right now at:http://www.cambia.com/papmap
Questions
?