Hybrid Approaches Towards Optimized Network Discovery Techniques By David Meltzer.
Hybrid Approaches Towards Optimized
Network Discovery Techniques
By David Meltzer
Preface
Download the tool I’m presenting about: http://www.cambia.com/papmap
The Premise
A tool that gave you a constantly updated real-time view of the devices on a network
would be a really useful thing to have.
Agenda
• Active vs. passive network discovery
• Hybrid discovery
• Introduce PAPMap
• DEMO
• Conclusions
Network Discovery Defined:
Answer These Questions:
– What hosts are on the network?
– What ports are open?
– What services are running?
– What is the configuration state of those services?
– As deep as you want to go…
Assumptions
No host-based tools
No access to routers or switches
Network changes
Active vs. Passive Discovery
Active: Directly probe devices by sending packets to them.
nmap.
Passive: Listen silently to network traffic.
Sniffers, IDS, p0f, etc.
Some commercial tools.
Passive Discovery History
Passive vulnerability signatures in RealSecure IDS – Meltzer ’97
“Passive Vulnerability Detection” – Gula ’99
“Target-Based IDS” – Roesch ’00
“Vulnerability Detection Systems (VDS)” – Meltzer ’02
“Passive Vulnerability Scanner (PVS)” – Gula ’03
“Passive Network Discovery Systems (PNDS)” – Roesch ’04
Comparing Discovery Techniques
The Metrics:
• Turbidity: disruptiveness to network/hosts
• Speed: time-to-detect
• Coverage: what can it tell you?
• Accuracy: false positives/negatives?
Passive Discovery Analysis: Turbidity
Listening is safe (mostly).
Why people like IDS.
Why people like anything passive.
Passive Discovery Analysis: Speed
Real-Time
But… at first use.
Passive Discovery Analysis: Coverage
Good for discovering the ‘basics’
Bad for discovering the ‘details’
Some things are only (or better) discovered passively.
Some things are discovered equally well passively or actively.
MANY things are only discovered actively.
Passive Discovery Analysis: Accuracy
Depends…
IF you are content with poor coverage, you can have perfectly accurate passive scanning.
Hybrid Discovery Approach
Realizing active and passive discovery are complementary techniques…
Why should you have to choose?
Hybrid Network Discovery Defined
Gathering network inventory data using both active and passive techniques integrated
into a single system.
Hybrid Advantages
Independent active/passive engines:
• Double the hassle
• Substantially more turbidity
• Waste resources
• Manually resolve conflicts
Hybrid approach:
• Single configuration
• Uses less bandwidth than pure active
• Single output
Hybrid Discovery: Introducing PAPMap
Combines passive and active scanning techniques for network discovery.
Operates as a drop-in replacement for nmap.
Utilizes nmap for active discovery.
A complete and functional hybrid scanner.
PAPMap v1.0 Requirements
R-1. Takes same command line as nmap.
R-2. Produces almost same output as nmap.
R-3. Runs nmap scan then switches to passive listening mode and updates output anytime a change in TCP port open/closed state detected.
PAPMap v2.0 Requirements
v1.0 plus…
R-1. Linux version
R-2. UDP port discovery
R-3. Passive app-layer service detection
R-4. Hybrid Features:
  a. Integrated active port scans
  b. Integrated active service detection
  c. Scheduled active rescans
  d. Optimized active rescans
  e. Passive-first mode
PAPMap History
• V1.0 released July 2004 @ ruxcon.au
  – “Proof of concept”
  – Windows only
  – TCP port discovery only
• V2.0 released… now.
  – Ready for primetime…
PAPMap Basic Usage: Part I
nmap:
% nmap -oX nmap-results.xml 192.168.1.0/24
papmap:
% papmap -oX nmap-results.xml 192.168.1.0/24
PAPMap Basic Usage: Part II
1. Executes nmap
2. Loads nmap XML output into in-memory database
3. Starts listening promiscuously on network
PAPMap Basic Usage: Part III
4. A line is written to stdout indicating the new status of the port.
5. The nmap XML file is updated to reflect the real-time state of the network being mapped (updates are cached to avoid thrashing the disk).
6. Monitoring continues until user quits.
PAPMap Features: TCP Port Discovery
Port is listening IF…
SYN sent TO port AND
SYN/ACK reply FROM port
Port is NOT listening IF…
SYN sent TO port AND
RST reply FROM port
No reply to a SYN: Is the port closed?
Did I drop a packet?
Was SYN malformed?
Firewall?
PAPMap Features: UDP Port Discovery
UDP Is Always Hard…
Port is active IF… traffic is coming from the port.
BUT: Is it listening or just a client? And how do I know if it closes?
Evidence…
– ICMP Unreachables
– Sending to multiple destinations
– Active probing results
PAPMap Features: Service Detection
1. Reassemble TCP Stream
2. Grab initial banner prior to client-side command
3. Match against null probe signature database
4. Match client-side command to client probe command database
5. Grab subsequent banner
6. Match against probe signature database
7. Output identified service in same format as-if nmap had actively probed for it.
Uses same file format as nmap services probes.
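The passive detection flow above, as an added example in Python that is not PAPMap's code: a minimal reader for the nmap-service-probes format the slide says PAPMap reuses, handling only the Probe/match directives and the p/ v/ i/ version fields (the probe fragment, regexes and banners below are constructed for illustration).

```python
import codecs
import re
from typing import Dict, List, Optional, Tuple

# Constructed fragment in nmap-service-probes format (illustrative regexes, not nmap's).
PROBES_TXT = r"""Probe TCP NULL q||
match ssh m|^SSH-([\d.]+)-OpenSSH[_-]([\w.]+)| p/OpenSSH/ v/$2/ i/protocol $1/
Probe TCP GetRequest q|GET / HTTP/1.0\r\n\r\n|
match http m|^HTTP/1\.[01] \d\d\d .*\r\nServer: ([^\r\n]+)|s p/$1/
"""
Signature = Tuple[str, re.Pattern, str]   # (service, compiled regex, versioninfo)

def parse_probes(text: str):
    """Return ({probe name: [signatures]}, {probe payload bytes: probe name})."""
    sigs: Dict[str, List[Signature]] = {}
    payloads: Dict[bytes, str] = {}
    current = None
    for line in text.splitlines():
        if line.startswith("Probe "):
            _kw, _proto, current, q = line.split(" ", 3)
            raw = q[2:q.index(q[1], 2)]                  # text between q| and |
            payloads[codecs.decode(raw, "unicode_escape").encode("latin-1")] = current
            sigs[current] = []
        elif line.startswith("match ") and current:
            _kw, service, rest = line.split(" ", 2)
            end = rest.index(rest[1], 2)                 # closing delimiter after 'm'
            fl, vinfo = re.match(r"([is]*)\s*(.*)", rest[end + 1:]).groups()
            flags = (re.I if "i" in fl else 0) | (re.S if "s" in fl else 0)
            sigs[current].append((service, re.compile(rest[2:end].encode(), flags), vinfo))
    return sigs, payloads

def match_banner(sigs, probe: str, banner: bytes) -> Optional[Dict[str, str]]:
    """First signature of `probe` that matches; $N in version fields -> regex groups."""
    for service, rx, vinfo in sigs.get(probe, []):
        m = rx.search(banner)
        if m:
            out = {"service": service}
            for field, val in re.findall(r"\b([pvihod])/([^/]*)/", vinfo):
                out[field] = re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))).decode(), val)
            return out
    return None

def identify_service(sigs, payloads, server_banner: bytes, client_cmd: bytes, reply: bytes):
    """Slide steps 2-6: NULL-probe signatures on the initial banner; if nothing matches,
    map the client's first command to a probe and match the subsequent banner."""
    hit = match_banner(sigs, "NULL", server_banner)
    if hit is None and client_cmd in payloads:
        hit = match_banner(sigs, payloads[client_cmd], reply)
    return hit
```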
PAPMap Features: Hybrid Host/Port Scans
IF a new host is detected passively…
Launch nmap scan against host to determine open ports
IF a new port is detected passively…
Launch nmap service detection against port to identify service
PAPMap Features: Active Rescans
On a scheduled time interval…
Relaunch nmap and rescan to update with newest active information
Optimization…
Any port whose state was determined passively within N seconds of the active rescan is not actively probed.
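Added example in Python, not PAPMap's code, putting the TCP port-state rules from the TCP Port Discovery slide together with the rescan optimization above: a tracker that infers open/closed/unknown from observed SYN, SYN/ACK and RST segments, and a filter that drops recently settled ports from the active rescan list (the capture below is constructed).

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

@dataclass
class Segment:
    ts: float      # capture timestamp (seconds)
    src: str
    sport: int
    dst: str
    dport: int
    flags: str     # TCP flags seen, e.g. "S", "SA", "RA"

# (server, port) -> (state, timestamp of the observation that set it)
PortTable = Dict[Tuple[str, int], Tuple[str, float]]

def infer_port_states(segments: Iterable[Segment]) -> PortTable:
    """Apply the slide's rules to a stream of observed TCP segments."""
    table: PortTable = {}
    # SYNs awaiting a reply, keyed by (server, port, client, client_port)
    pending: Dict[Tuple[str, int, str, int], float] = {}
    for seg in segments:
        if seg.flags == "S":
            pending[(seg.dst, seg.dport, seg.src, seg.sport)] = seg.ts
            continue
        key = (seg.src, seg.sport, seg.dst, seg.dport)   # a reply reverses direction
        if pending.pop(key, None) is None:
            continue                                      # reply to a SYN we never saw
        if seg.flags == "SA":
            table[(seg.src, seg.sport)] = ("open", seg.ts)       # SYN/ACK from port
        elif "R" in seg.flags:
            table[(seg.src, seg.sport)] = ("closed", seg.ts)     # RST from port
    # A SYN with no reply is NOT evidence of closed: dropped, filtered or malformed.
    for (server, port, _c, _cp), ts in pending.items():
        table.setdefault((server, port), ("unknown", ts))
    return table

def ports_to_probe(table: PortTable, candidates: Iterable[Tuple[str, int]],
                   now: float, n_seconds: float) -> List[Tuple[str, int]]:
    """Rescan optimization: skip ports settled passively within the last n_seconds;
    'unknown' never counts as settled, so those ports are always probed."""
    return [hp for hp in candidates
            if table.get(hp, ("unknown", 0.0))[0] == "unknown"
            or now - table[hp][1] > n_seconds]

# Constructed capture: one open port, one closed port, one SYN that got no answer.
SAMPLE = [
    Segment(100.0, "10.0.0.5", 40000, "10.0.0.10", 22, "S"),
    Segment(100.1, "10.0.0.10", 22, "10.0.0.5", 40000, "SA"),
    Segment(101.0, "10.0.0.5", 40001, "10.0.0.10", 23, "S"),
    Segment(101.1, "10.0.0.10", 23, "10.0.0.5", 40001, "RA"),
    Segment(102.0, "10.0.0.5", 40002, "10.0.0.10", 445, "S"),
]
```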
PAPMap Features: Passive-first/only Mode
Start building discovery database in passive mode without first actively scanning from nmap.
Combine with active rescans or use as a pure passive tool.
PAPMap v2.0 Demo
PAPMap Status
v2.0 released at Pacsec ’04
Source and binaries freely available right now at: http://www.cambia.com/papmap
Questions
?