Hybrid Approaches Towards Optimized Network Discovery Techniques

Presentation Transcript


  1. Hybrid Approaches Towards Optimized Network Discovery Techniques
     By David Meltzer

  2. Preface
     Download the tool I’m presenting about: http://www.cambia.com/papmap

  3. The Premise
     A tool that gave you a constantly updated, real-time view of the devices on a network would be a really useful thing to have.

  4. Agenda
     • Active vs. passive network discovery
     • Hybrid discovery
     • Introduce PAPMap
     • DEMO
     • Conclusions

  5. Network Discovery Defined
     Answer these questions:
     • What hosts are on the network?
     • What ports are open?
     • What services are running?
     • What is the configuration state of those services?
     • As deep as you want to go…

  6. Assumptions
     • No host-based tools
     • No access to routers or switches
     • Network changes

  7. Active vs. Passive Discovery
     • Active: directly probe devices by sending packets to them. nmap.
     • Passive: listen silently to network traffic. sniffers, IDS, p0f, etc. Some commercial tools.

  8. Passive Discovery History
     • Passive vulnerability signatures in RealSecure IDS – Meltzer ’97
     • “Passive Vulnerability Detection” – Gula ’99
     • “Target-Based IDS” – Roesch ’00
     • “Vulnerability Detection Systems (VDS)” – Meltzer ’02
     • “Passive Vulnerability Scanner (PVS)” – Gula ’03
     • “Passive Network Discovery Systems (PNDS)” – Roesch ’04

  9. Comparing Discovery Techniques
     The metrics:
     • Turbidity: disruptiveness to network/hosts
     • Speed: time-to-detect
     • Coverage: what can it tell you?
     • Accuracy: false positives/negatives?

  10. Passive Discovery Analysis: Turbidity
     Listening is safe (mostly). Why people like IDS. Why people like anything passive.

  11. Passive Discovery Analysis: Speed
     Real-time… but not at first use: nothing is known until traffic has been seen.

  12. Passive Discovery Analysis: Coverage
     • Good for discovering the ‘basics’
     • Bad for discovering the ‘details’
     • Some things are only/better discovered passively
     • Some things are discovered equally well passively or actively
     • MANY things are only discovered actively

  13. Passive Discovery Analysis: Accuracy
     Depends… IF you are content with poor coverage, you can have perfectly accurate passive scanning.

  14. Hybrid Discovery Approach
     Realizing active and passive discovery are complementary techniques… why should you have to choose?

  15. Hybrid Network Discovery Defined
     Gathering network inventory data using both active and passive techniques integrated into a single system.

  16. Hybrid Advantages
     Independent active/passive engines:
     • Double the hassle
     • Substantially more turbidity
     • Waste resources
     • Manually resolve conflicts
     Hybrid approach:
     • Single configuration
     • Uses less bandwidth than pure active
     • Single output

  17. Hybrid Discovery: Introducing PAPMap
     • Combines passive and active scanning techniques for network discovery.
     • Operates as a drop-in replacement for nmap.
     • Utilizes nmap for active discovery.
     • A complete and functional hybrid scanner.

  18. PAPMap v1.0 Requirements
     R-1. Takes the same command line as nmap.
     R-2. Produces almost the same output as nmap.
     R-3. Runs an nmap scan, then switches to passive listening mode and updates the output any time a change in TCP port open/closed state is detected.

  19. PAPMap v2.0 Requirements
     v1.0 plus…
     R-1. Linux version
     R-2. UDP port discovery
     R-3. Passive app-layer service detection
     R-4. Hybrid features:
        a. Integrated active port scans
        b. Integrated active service detection
        c. Scheduled active rescans
        d. Optimized active rescans
        e. Passive-first mode

  20. PAPMap History
     • V1.0 released July 2004 @ ruxcon.au
       – “Proof of concept”
       – Windows only
       – TCP port discovery only
     • V2.0 released… now.
       – Ready for primetime…

  21. PAPMap Basic Usage: Part I
     nmap:
       % nmap -oX nmap-results.xml 192.168.1.0/24
     papmap:
       % papmap -oX nmap-results.xml 192.168.1.0/24

  22. PAPMap Basic Usage: Part II
     • Executes nmap
     • Loads the nmap XML output into an in-memory database
     • Starts listening promiscuously on the network

  23. PAPMap Basic Usage: Part III
     • Line output to stdout indicating the new status of the port.
     • The nmap XML file is updated to reflect the real-time state of the network being mapped (but updates are cached to avoid flailing the disk).
     • Monitoring continues until the user quits.
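The "load nmap XML into an in-memory database, then update it as passive observations arrive" loop of slides 22 and 23, as an added example. This is not PAPMap's code: the element names (host, address, ports, port, state) are nmap's real -oX format, but the dictionary layout, the function names and the sample scan result are constructed for the illustration.

```python
"""Load nmap -oX output into an in-memory port-state table, apply passively
observed state changes, and serialize the updated tree back out."""
import xml.etree.ElementTree as ET

# Constructed sample of nmap -oX output, trimmed to the elements used here.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -oX nmap-results.xml 192.168.1.0/24">
  <host>
    <address addr="192.168.1.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="closed" reason="reset"/></port>
    </ports>
  </host>
</nmaprun>
"""


def load_db(xml_text):
    """Return ({(addr, proto, port): state}, tree). The tree is kept so the
    same document can be written back with only the changed ports touched."""
    tree = ET.ElementTree(ET.fromstring(xml_text))
    db = {}
    for host in tree.getroot().iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        addr = addr_el.get("addr")
        for port in host.iter("port"):
            key = (addr, port.get("protocol"), int(port.get("portid")))
            db[key] = port.find("state").get("state")
    return db, tree


def apply_observation(db, tree, addr, proto, port, new_state, reason):
    """Record a port state learned passively. Returns True only if the state
    actually changed, so the caller can print one status line per real change
    and batch the disk write-back instead of rewriting the file every packet."""
    key = (addr, proto, port)
    if db.get(key) == new_state:
        return False
    db[key] = new_state
    root = tree.getroot()
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None or addr_el.get("addr") != addr:
            continue
        ports = host.find("ports")
        if ports is None:
            ports = ET.SubElement(host, "ports")
        for p in ports.iter("port"):
            if p.get("protocol") == proto and int(p.get("portid")) == port:
                state = p.find("state")
                state.set("state", new_state)
                state.set("reason", reason)
                return True
        # Port nmap never reported on this host: add it.
        p = ET.SubElement(ports, "port", protocol=proto, portid=str(port))
        ET.SubElement(p, "state", state=new_state, reason=reason)
        return True
    # Host nmap never saw at all (e.g. it came up after the scan): add it.
    host = ET.SubElement(root, "host")
    ET.SubElement(host, "address", addr=addr, addrtype="ipv4")
    ports = ET.SubElement(host, "ports")
    p = ET.SubElement(ports, "port", protocol=proto, portid=str(port))
    ET.SubElement(p, "state", state=new_state, reason=reason)
    return True


def dump(tree):
    """Serialize the (possibly updated) document; write this to the -oX path."""
    return ET.tostring(tree.getroot(), encoding="unicode")
```

The boolean return is what makes the slide's "updates cached to avoid flailing disk" cheap to implement: only count real changes, and call `dump()` on a timer or after N changes rather than on every observation.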

  24. PAPMap Features: TCP Port Discovery
     • Port is listening IF… a SYN is sent TO the port AND a SYN/ACK reply comes FROM the port.
     • Port is NOT listening IF… a SYN is sent TO the port AND an RST reply comes FROM the port.
     • No reply to a SYN: is the port closed? Did I drop a packet? Was the SYN malformed? Firewall?

  25. PAPMap Features: UDP Port Discovery
     UDP is always hard…
     • Port is active IF… traffic is coming from the port. BUT is it listening or just a client? And how do I know if it closes?
     • Evidence…
       – ICMP unreachables
       – Sending to multiple destinations
       – Active probing results
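The inference rules of slides 24 and 25 written out as a small state table, as an added example rather than PAPMap's own code. The packet record, the flag constants and the three-way "active / listening / closed" UDP labelling are assumptions made for the illustration; a real tool would feed this from decoded frames, and the "active probing results" evidence from slide 25 would arrive through the same `observe` path tagged as active rather than passive.

```python
from collections import defaultdict, namedtuple

# Constructed minimal packet record; a real tool would decode these from the
# frames it sniffs. For "icmp-unreach" records, dst/dport carry the destination
# quoted inside the ICMP payload, i.e. the UDP host/port that was unreachable.
Pkt = namedtuple("Pkt", "proto src sport dst dport flags")
SYN, RST, ACK = 0x02, 0x04, 0x10   # TCP flag bits


class PassivePortTable:
    """Infer TCP and UDP port states from observed traffic only."""

    def __init__(self):
        self.tcp = {}                       # (host, port) -> open | closed | unknown
        self.pending = set()                # (server, port, client, cport) with an unanswered SYN
        self.udp = {}                       # (host, port) -> active | listening | closed
        self.udp_peers = defaultdict(set)   # (host, port) -> distinct peers it has sent to

    def observe(self, p):
        if p.proto == "tcp":
            self._tcp(p)
        elif p.proto == "udp":
            self._udp(p)
        elif p.proto == "icmp-unreach":
            # ICMP port unreachable is the one positive proof that a UDP port is closed.
            self.udp[(p.dst, p.dport)] = "closed"

    def _tcp(self, p):
        if p.flags & SYN and not p.flags & ACK:
            # Client SYN: remember it. Until a reply is seen the port stays "unknown",
            # which covers all four cases on the slide: closed, dropped packet,
            # malformed SYN, or a firewall silently discarding it.
            self.pending.add((p.dst, p.dport, p.src, p.sport))
            self.tcp.setdefault((p.dst, p.dport), "unknown")
            return
        key = (p.src, p.sport, p.dst, p.dport)      # a reply travels server -> client
        if key not in self.pending:
            return   # reply to a SYN we never saw (asymmetric capture): no inference
        self.pending.discard(key)
        if p.flags & SYN and p.flags & ACK:
            self.tcp[(p.src, p.sport)] = "open"     # SYN to port + SYN/ACK from port
        elif p.flags & RST:
            self.tcp[(p.src, p.sport)] = "closed"   # SYN to port + RST from port

    def _udp(self, p):
        key = (p.src, p.sport)
        self.udp_peers[key].add(p.dst)
        # Traffic from a port proves only that it is active. Sending to several
        # distinct peers is the server-like pattern that suggests a real listener
        # rather than a client's ephemeral port; a later ICMP unreachable overrides it.
        self.udp[key] = "listening" if len(self.udp_peers[key]) >= 2 else "active"
```

Requiring the SYN to have been seen before trusting a SYN/ACK is what the slide's wording implies; the cost is that on a span port that only sees one direction every TCP port stays "unknown", which is exactly the coverage gap slides 12 and 13 describe.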

  26. PAPMap Features: Service Detection
     1. Reassemble the TCP stream
     2. Grab the initial banner prior to the client-side command
     3. Match against the null-probe signature database
     4. Match the client-side command to the client probe command database
     5. Grab the subsequent banner
     6. Match against the probe signature database
     7. Output the identified service in the same format as if nmap had actively probed for it.
     Uses the same file format as nmap's service probes (nmap-service-probes).
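Steps 2 to 6 of the slide, as an added example of how a passive matcher can reuse the nmap-service-probes syntax. This is not PAPMap's or nmap's code: the parser handles only the `Probe` line and the `match`/`softmatch` lines with `m/regex/flags` patterns and the `p/ v/ i/ h/ o/ d/` version fields (no `cpe:` fields, no `ports`/`rarity` directives), the signatures in `SAMPLE_PROBES` are constructed for the illustration, and the function names are assumptions.

```python
import re

# Constructed excerpt written in nmap-service-probes syntax. Illustrative
# signatures only, not copied from nmap's real database.
SAMPLE_PROBES = r"""
Probe TCP NULL q||
match ssh m|^SSH-([\d.]+)-OpenSSH[_-]([\w.]+)| p/OpenSSH/ v/$2/ i/protocol $1/
match smtp m/^220 ([-\w.]+) ESMTP Postfix/ p/Postfix smtpd/ h/$1/
Probe TCP GetRequest q|GET / HTTP/1.0\r\n\r\n|
match http m|^HTTP/1\.[01] \d{3} [^\r\n]*\r\nServer: Apache/([\w.]+)|s p/Apache httpd/ v/$1/
"""

FIELD_NAMES = {"p": "product", "v": "version", "i": "info",
               "h": "hostname", "o": "ostype", "d": "devicetype"}
FLAGS = {"i": re.IGNORECASE, "s": re.DOTALL}
# versioninfo fields look like p/text/ v/text/ ...; any non-word delimiter is allowed
VERSION_FIELD = re.compile(r"\b([pvihod])(\W)(.*?)\2")


def parse_probes(text):
    """Return {probe_name: {"probe": str, "matches": [(service, regex, versioninfo)]}}."""
    db, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("Probe "):
            _, _proto, name, q = line.split(None, 3)
            # q|...| holds the bytes the client would send, with \r\n style escapes
            probe_str = q[2:-1].encode("latin-1").decode("unicode_escape")
            current = name
            db[name] = {"probe": probe_str, "matches": []}
        elif line.startswith(("match ", "softmatch ")) and current:
            _, service, rest = line.split(None, 2)
            delim = rest[1]                          # m/regex/ or m|regex|
            end = rest.index(delim, 2)
            pattern, rest = rest[2:end], rest[end + 1:]
            flags = 0
            while rest and rest[0] in FLAGS:         # optional i / s flags after the pattern
                flags |= FLAGS[rest[0]]
                rest = rest[1:]
            db[current]["matches"].append((service, re.compile(pattern, flags), rest.strip()))
    return db


def expand(template, m):
    """Substitute $1, $2, ... in a versioninfo field with the regex captures."""
    return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))) or "", template)


def match_banner(db, probe_name, data):
    """Apply one probe's signatures to server data; first hit wins, like nmap."""
    for service, rx, vinfo in db.get(probe_name, {}).get("matches", []):
        m = rx.search(data)
        if m:
            result = {"service": service}
            for key, _, value in VERSION_FIELD.findall(vinfo):
                result[FIELD_NAMES[key]] = expand(value, m)
            return result
    return None


def identify(db, server_banner, client_request="", server_reply=""):
    """A banner the server sent before any client command is matched against the
    NULL probe (steps 2-3). Otherwise, find which probe string the client itself
    sent and match the server's subsequent reply against that probe's
    signatures (steps 4-6)."""
    if server_banner:
        hit = match_banner(db, "NULL", server_banner)
        if hit:
            return hit
    for name, entry in db.items():
        if name != "NULL" and entry["probe"] and client_request.startswith(entry["probe"]):
            return match_banner(db, name, server_reply)
    return None
```

The weak point of the passive variant is step 4: a real client rarely sends exactly the bytes nmap's probe would (a browser sends `HTTP/1.1` plus headers), so a production matcher needs looser client-command matching than the prefix test used here, and it can only ever classify services whose traffic it happens to see.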

  27. PAPMap Features: Hybrid Host/Port Scans
     • IF a new host is detected passively… launch an nmap scan against the host to determine open ports.
     • IF a new port is detected passively… launch nmap service detection against the port to identify the service.

  28. PAPMap Features: Active Rescans
     • On a scheduled time interval… relaunch nmap and rescan to update with the newest active information.
     • Optimization… any port whose state was determined passively within N seconds of the active rescan is not actively probed.
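The two passive-triggered active actions of slide 27 and the rescan optimization of slide 28, combined into one scheduler as an added example. This is not PAPMap's code: the inventory layout, the injectable clock and the decision to express active work as nmap argv lists (using nmap's real `-oX`, `-sS`, `-sU`, `-sV` and `-p T:/U:` options) are assumptions, and the rescan is modelled as revisiting the ports already in the inventory minus the ones passive listening confirmed within the last N seconds.

```python
import time


def port_spec(proto, port):
    """nmap -p syntax: T:22 for a TCP port, U:53 for a UDP port."""
    return f"{'T' if proto == 'tcp' else 'U'}:{port}"


class HybridScheduler:
    """Port-state inventory plus the rules that decide which active nmap work
    is still worth doing after passive listening has already answered."""

    def __init__(self, rescan_interval=3600, passive_fresh_window=300, now=time.time):
        self.now = now                      # injectable clock (the test uses a fake one)
        self.interval = rescan_interval     # seconds between scheduled active rescans
        self.window = passive_fresh_window  # the "N seconds" of slide 28
        self.hosts = {}                     # host -> {(proto, port): (state, seen_at, source)}
        self.last_active = {}               # host -> time of the last active scan
        self.actions = []                   # active tasks to hand to nmap, as argv lists

    def passive_host(self, host):
        """Slide 27, rule 1: a host never seen before triggers a port scan of it."""
        if host in self.hosts:
            return False
        self.hosts[host] = {}
        self.actions.append(["nmap", "-oX", "-", host])
        return True

    def passive_port(self, host, proto, port, state):
        """Slide 27, rule 2: a newly open port triggers service detection (-sV)
        limited to that single port. Returns True if an action was queued."""
        self.passive_host(host)
        prev = self.hosts[host].get((proto, port))
        self.hosts[host][(proto, port)] = (state, self.now(), "passive")
        if state == "open" and (prev is None or prev[0] != "open"):
            argv = ["nmap"] + (["-sU"] if proto == "udp" else []) \
                + ["-sV", "-p", port_spec(proto, port), host]
            self.actions.append(argv)
            return True
        return False

    def active_result(self, host, proto, port, state):
        """Record a port state that came back from an nmap run."""
        self.hosts.setdefault(host, {})[(proto, port)] = (state, self.now(), "active")
        self.last_active[host] = self.now()

    def plan_rescan(self, host):
        """Slide 28: return the nmap argv for the scheduled rescan of host, covering
        only inventoried ports whose state was NOT confirmed passively within the
        last `window` seconds. None if the rescan is not due or nothing is left."""
        now = self.now()
        if now - self.last_active.get(host, 0) < self.interval:
            return None
        stale = sorted(key for key, (_, seen, src) in self.hosts.get(host, {}).items()
                       if not (src == "passive" and now - seen < self.window))
        if not stale:
            return None
        argv = ["nmap", "-oX", "-"]
        if any(proto == "tcp" for proto, _ in stale):
            argv.append("-sS")
        if any(proto == "udp" for proto, _ in stale):
            argv.append("-sU")
        argv += ["-p", ",".join(port_spec(p, n) for p, n in stale), host]
        return argv
```

The bandwidth saving claimed on slide 16 comes out of `plan_rescan`: on a busy segment most inventoried ports are re-confirmed passively before the timer fires, so the active rescan shrinks to the quiet ports that nothing has talked to.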

  29. PAPMap Features: Passive-first/only Mode
     Start building the discovery database in passive mode without first actively scanning with nmap. Combine with active rescans, or use as a pure passive tool.

  30. PAPMap v2.0 Demo

  31. PAPMap Status
     v2.0 released at Pacsec ’04. Source and binaries freely available right now at: http://www.cambia.com/papmap

  32. Questions?
