Network Situational Awareness with d00gle (2005)
Uploaded by: dug-song
Transcript of Network Situational Awareness with d00gle (2005)
Background
Time to update dsniff!
• Suite of traffic interception tools for penetration testing
Last public release almost exactly 4 years ago
• dsniff's ARP/DNS, SSH/SSL Man-In-The-Middle techniques to intercept switched, encrypted traffic are quite common now
• Interesting traffic analysis tools are still rare
Total Information Awareness, CALEA, why should the government have all the fun?
dsniff becomes d00gle...
The Crumbling Perimeter
Environment
Vulnerability-aware Internet perimeter
• client-side exploits, VPN clients, worms / viruses, wardriving
Little / no access control / encryption internally
• internal firewalls / IPSs cannot disrupt business processes
Unpatched production systems
• legacy software, heterogeneous hardware, rare change management windows for non-critical upgrades
Limited visibility
• little / no instrumentation for measurement / monitoring
Client Attack
Something to do at cafes, airports, hotels
Identify interesting users to target
• corporate VPN users on vulnerable hosts
• unsophisticated, unencrypted users
Standard MITM, TCP injection, protocol downgrade, client-side attacks apply
Leverage into an attack on the home / corporate network
Network Attack!
What is the organizational reporting structure?
What are the passwords for this user?
For this router / switch?
What does this user have access to?
Where are the shared public resources (fileservers, intranet webservers, login servers), and what are they running?
Where are the remote loghosts?
Has anyone detected the intrusion?
Our Goals
Intelligence, Surveillance, Reconnaissance
Extract as much information as we can passively
Assemble it into a coherent relational database
Perform data correlation and analysis real-time
Support interesting queries and visualization of the data
Enable rapid prototyping of new traffic analysis tools
Maintain dsniff's tool-oriented modularity
Share the code (GPL) to encourage experimentation
Data collected
Login / authentication information
Phone numbers / calls
E-mail messages
Instant messages
WWW usage
Connection information
Host inventory: IP, MAC address, hostname/DHCP name, OS version, open ports / services / applications
Interactive / encrypted sessions
Why Python?
C extension modules for performance-critical code
Portability, maintainability, modularity
Easy to learn, but still powerful
Python versus C lines of code:
• dsniff - 1700 vs 6800 LOC
• p0f2 - 519 vs 1798 LOC
• vomit - 54 vs 1864 LOC
Great for lazy programmers like me!
Example Code
6-line sniffer :-)
import dsniff

class TestSniff(dsniff.FlowDecode):
    ip_protos = (1, 6, 17)      # ICMP, TCP, UDP flows

    def handle_data(self, flow, buf):
        # called with each chunk of reassembled flow data
        return repr(buf)

dsniff.main()
Dependencies
New Python modules:
• pypcap - portable packet capture
• pyevent - portable event-based programming
• libdnet - portable low-level network APIs
• dpkt - fast packet dissection
Architecture
Simple Python modules + glue
FlowDecode subclasses handle flow start, data, and end events
Decodes can be registered dynamically with the flow engine for arbitrary Ethernet / IP / RPC program triggers
Each module can be run as a separate command-line tool
Can use any Python DB-API compliant database backend (default sqlite)
UI is served by simple standalone Python webserver
*snarf
authsnarf - Password sniffer for AIM, Citrix ICA, CVS, FTP, Cisco HSRP, HTTP, IMAP, IRC, LDAP, Meeting Maker, NFS, Napster, NNTP, Oracle SQL*Net, OSPF, PC Anywhere, POP, Postgres, Halflife, QuakeWorld (many games), RIP, Rlogin, Cisco VOIP, Sybase and Microsoft SQL, Microsoft SMB, SMTP, SNMP, NAI Sniffer, SOCKS, Telnet, VRRP, X11, YP/NIS, various web login forms
urlsnarf - Record all visited URLs and browser versions
mailsnarf - Record all e-mail messages in SMTP and POP traffic
msgsnarf - Record all AIM, ICB, IRC, Jabber, MSN, Yahoo instant messages
vomit
Voice Over Misconfigured Internet Telephones
Original version by Niels Provos ([email protected])
Records all SIP/Cisco SCCP phone calls:
• Watches control channel for call setup
• Intercepts negotiated media channel, saving the voice data as a WAV file
Rip offline to MP3 with appropriate ID3 tags
netics
Original version by Marius Eriksen ([email protected])
Attempts to identify interactive, encrypted sessions on any protocol or port
Interactivity heuristic:
• small client packet sizes
• ratio of client/server segments
• interpacket arrival time
Encryption heuristic:
• Ueli Maurer's universal randomness test
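The two netics heuristics above, worked through as an added example (not code from the slides or from the netics module itself): the interactivity features are computed over a list of (direction, size, timestamp) segments, and the encryption check is Maurer's universal statistical test over byte-sized blocks. The sample flows and payloads are constructed, and the cut-off thresholds are assumptions chosen for illustration.

```python
import math
import random
from statistics import mean

# Constructed sample flows, not captured traffic: (direction, payload bytes,
# timestamp in seconds). "c" is client -> server, "s" is server -> client.
INTERACTIVE_SESSION = [
    ("c", 1, 0.00), ("s", 1, 0.02), ("c", 1, 0.31), ("s", 1, 0.33),
    ("c", 1, 0.58), ("s", 1, 0.60), ("c", 1, 0.95), ("s", 1, 0.97),
    ("c", 2, 1.40), ("s", 80, 1.43),
]
BULK_TRANSFER = [
    ("c", 120, 0.000), ("s", 1460, 0.001), ("s", 1460, 0.002), ("s", 1460, 0.003),
    ("s", 1460, 0.004), ("s", 1460, 0.005), ("c", 0, 0.006), ("s", 1460, 0.007),
    ("s", 1460, 0.008), ("s", 1460, 0.009),
]

def interactivity_features(segments):
    """The three per-flow measures the slide names."""
    client = [size for d, size, _ in segments if d == "c"]
    server = [size for d, size, _ in segments if d == "s"]
    times = [t for _, _, t in segments]
    gaps = [b - a for a, b in zip(times, times[1:])]
    return {
        "mean_client_size": mean(client) if client else 0.0,
        "client_server_ratio": len(client) / max(len(server), 1),
        "mean_interarrival": mean(gaps) if gaps else 0.0,
    }

def looks_interactive(segments, max_client_size=16, min_ratio=0.5, min_gap=0.05):
    """Thresholds are assumed for illustration: a keystroke session has tiny
    client segments, roughly one reply per keystroke and human-scale gaps."""
    f = interactivity_features(segments)
    return (f["mean_client_size"] <= max_client_size
            and f["client_server_ratio"] >= min_ratio
            and f["mean_interarrival"] >= min_gap)

def maurer_universal_statistic(data, Q=2560):
    """Maurer's universal statistical test with L = 8 (one block per byte).
    Q initialisation blocks seed the last-seen table; the statistic is the mean
    log2 distance back to the previous occurrence of each of the K remaining
    blocks. Maurer recommends Q = 10 * 2^L and K >= 1000 * 2^L; the smaller K
    used here is still enough to separate ciphertext from cleartext."""
    K = len(data) - Q
    if K <= 0:
        raise ValueError("need more than Q bytes of payload")
    last_seen = {}
    for i in range(1, Q + 1):
        last_seen[data[i - 1]] = i
    total = 0.0
    for i in range(Q + 1, Q + K + 1):
        block = data[i - 1]
        total += math.log2(i - last_seen.get(block, 0))  # unseen block: distance i
        last_seen[block] = i
    return total / K

EXPECTED_RANDOM_L8 = 7.1836656  # expected statistic for random input at L = 8

def looks_encrypted(payload, min_fraction=0.9):
    """Assumed cut-off: a payload whose statistic is within 10% of the random
    expectation is treated as encrypted (or compressed)."""
    return maurer_universal_statistic(payload) >= min_fraction * EXPECTED_RANDOM_L8

# Constructed payloads: a seeded PRNG stands in for ciphertext, a repeated
# HTTP request for cleartext.
_rng = random.Random(2005)
CIPHERTEXT_LIKE = bytes(_rng.getrandbits(8) for _ in range(4096))
CLEARTEXT = (b"GET /index.html HTTP/1.0\r\nHost: example.test\r\n\r\n" * 100)[:4096]

if __name__ == "__main__":
    print("interactive:", looks_interactive(INTERACTIVE_SESSION), looks_interactive(BULK_TRANSFER))
    print("random-like statistic: %.3f" % maurer_universal_statistic(CIPHERTEXT_LIKE))
    print("cleartext statistic:   %.3f" % maurer_universal_statistic(CLEARTEXT))
```

Cleartext repeats byte values within a short distance, so its statistic sits far below the random expectation, while the PRNG bytes land within a few hundredths of 7.18; a compressed stream would also score high, which is why the slide calls it a heuristic rather than a test for encryption.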
p0f
Straight Python port of p0fv2 by Michal Zalewski
Passive OS fingerprinting of IP endpoints based on TCP SYN, SYN/ACK parameters
• operating system and version
• host uptime (TCP timestamp option)
• distance (TTL inference)
• link type (maximum segment size)
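The four inferences listed above, as an added example rather than p0f's own code: a minimal IPv4/TCP SYN is constructed with struct, the TTL, window, MSS and timestamp options are parsed back out, and distance, link type and uptime are derived from them. The initial-TTL set and the MSS-to-link table are small assumed stand-ins for p0f's fingerprint database, and the timestamp clock rate is assumed (p0f estimates it from several segments).

```python
import socket
import struct

# Initial TTL values used by common OS families; distance is the gap to the
# nearest one at or above the observed TTL.
INITIAL_TTLS = (32, 64, 128, 255)

# Assumed illustrative MSS -> link-type table, a small stand-in for p0f's.
LINK_BY_MSS = {1460: "ethernet", 1452: "PPPoE (DSL)", 1440: "IPsec/VPN tunnel",
               536: "dial-up / RFC 1122 default"}

def build_syn(ttl, mss, ts_val, src="10.0.0.5", dst="10.0.0.9", syn_ack=False):
    """Construct a minimal IPv4 + TCP segment (no Ethernet header) carrying
    MSS and timestamp options. Constructed for the example; checksums are zero."""
    opts = struct.pack("!BBH", 2, 4, mss)                   # kind 2: MSS
    opts += b"\x01\x01"                                       # two NOPs for alignment
    opts += struct.pack("!BBII", 8, 10, ts_val, 0)           # kind 8: timestamps
    data_offset = (20 + len(opts)) // 4                       # in 32-bit words
    flags = 0x12 if syn_ack else 0x02
    tcp = struct.pack("!HHIIBBHHH", 40000, 22, 1, 0, data_offset << 4, flags,
                      65535, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, ttl, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp

def parse_syn(packet):
    """Pull the fields p0f keys on out of a SYN or SYN/ACK: TTL, window, MSS,
    timestamp. Raises ValueError for anything else."""
    ihl = (packet[0] & 0x0F) * 4
    ttl, proto = packet[8], packet[9]
    if proto != 6:
        raise ValueError("not TCP")
    tcp = packet[ihl:]
    sport, dport, seq, ack, off, flags, window = struct.unpack("!HHIIBBH", tcp[:16])
    if not flags & 0x02:
        raise ValueError("not a SYN")
    options = tcp[20:(off >> 4) * 4]
    mss = ts_val = None
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                      # end of option list
            break
        if kind == 1:                      # NOP
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2:
            break                          # malformed length: never loop on it
        length = options[i + 1]
        if kind == 2 and length == 4:
            mss = struct.unpack("!H", options[i + 2:i + 4])[0]
        elif kind == 8 and length == 10:
            ts_val = struct.unpack("!I", options[i + 2:i + 6])[0]
        i += length
    return {"ttl": ttl, "window": window, "mss": mss, "ts_val": ts_val,
            "syn_ack": bool(flags & 0x10)}

def infer_distance(ttl):
    """Hops travelled = nearest plausible initial TTL minus observed TTL."""
    initial = min(t for t in INITIAL_TTLS if t >= ttl)
    return initial, initial - ttl

def infer_link(mss):
    return LINK_BY_MSS.get(mss, "unknown (MSS %s)" % mss)

def infer_uptime_hours(ts_val, hz=100):
    """A 100 Hz timestamp clock is assumed here; p0f derives the rate from
    the timestamps of several segments from the same host."""
    return ts_val / hz / 3600.0

def fingerprint(packet):
    f = parse_syn(packet)
    initial, hops = infer_distance(f["ttl"])
    f.update({"initial_ttl": initial, "distance": hops, "link": infer_link(f["mss"]),
              "uptime_hours": None if f["ts_val"] is None else infer_uptime_hours(f["ts_val"])})
    return f

if __name__ == "__main__":
    print(fingerprint(build_syn(ttl=57, mss=1460, ts_val=360000)))  # constructed sample SYN
```

A TTL of 57 is read as an initial TTL of 64 that has crossed 7 routers; the option walk stops on a zero or undersized option length so a malformed SYN cannot hang the sniffer.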
nmapv
Passive application fingerprinting
• service protocol
• specific application name and version
Simple hack of nmap's regex-based service response match
• nmap version scan minus the scan - just match replies
• some entries (e.g. SSL) need modification
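An added example covering both the Architecture slide (FlowDecode subclasses handling flow start/data/end events, decodes registered with a flow engine, a DB-API backend) and the nmapv idea just above: a decode that matches the first server reply against nmap-style regexes and never sends a probe. The engine, the FlowDecode base class and the three-entry match table are written here for illustration and are not dsniff's API or nmap's probe database; the server replies are constructed.

```python
import re
import sqlite3
from collections import defaultdict

class FlowDecode:
    """Base class for a decode: override the start/data/end event handlers.
    Modelled on the slide's description; these names are assumed, not dsniff's."""
    ports = ()          # server ports to trigger on; empty = every flow

    def flow_start(self, flow): pass
    def flow_data(self, flow, direction, buf): pass
    def flow_end(self, flow): pass

class Flow:
    def __init__(self, key):
        self.src, self.sport, self.dst, self.dport = key
        self.state = {}                     # per-flow scratch space for decodes

class FlowEngine:
    """Tracks flows by 4-tuple and dispatches events to registered decodes."""
    def __init__(self):
        self.by_port = defaultdict(list)    # dport -> decodes; key 0 = wildcard
        self.flows = {}

    def register(self, decode):
        for port in decode.ports or (0,):
            self.by_port[port].append(decode)

    def handlers(self, flow):
        return self.by_port[0] + self.by_port.get(flow.dport, [])

    def feed(self, src, sport, dst, dport, direction, payload):
        key = (src, sport, dst, dport)      # client side first
        flow = self.flows.get(key)
        if flow is None:
            flow = self.flows[key] = Flow(key)
            for d in self.handlers(flow):
                d.flow_start(flow)
        for d in self.handlers(flow):
            d.flow_data(flow, direction, payload)

    def close(self, src, sport, dst, dport):
        flow = self.flows.pop((src, sport, dst, dport), None)
        if flow is not None:
            for d in self.handlers(flow):
                d.flow_end(flow)

# nmapv-style match table: regex over the server's first reply, service name,
# version template. A constructed three-entry subset, not nmap's database.
SERVICE_MATCHES = [
    (re.compile(rb"^SSH-2\.0-OpenSSH[_ ](\S+)"), "ssh", rb"OpenSSH \1"),
    (re.compile(rb"^220 \S+ ESMTP Postfix"), "smtp", rb"Postfix"),
    (re.compile(rb"^HTTP/1\.[01] \d{3} .*\r\nServer: Apache/(\S+)"), "http", rb"Apache/\1"),
]

class ServiceDecode(FlowDecode):
    """Passive version detection: match the first server reply, send nothing."""
    def __init__(self, db):
        self.db = db

    def flow_data(self, flow, direction, buf):
        if direction != "s" or flow.state.get("matched") is not None:
            return                          # only the first server segment counts
        flow.state["matched"] = False
        for pattern, service, template in SERVICE_MATCHES:
            m = pattern.match(buf)
            if m:
                flow.state["matched"] = True
                self.db.execute(
                    "INSERT INTO services(ip, port, service, app) VALUES (?, ?, ?, ?)",
                    (flow.dst, flow.dport, service, m.expand(template).decode()))
                return

def run_demo():
    db = sqlite3.connect(":memory:")        # any DB-API backend would do
    db.execute("CREATE TABLE services(ip TEXT, port INTEGER, service TEXT, app TEXT)")
    engine = FlowEngine()
    engine.register(ServiceDecode(db))
    # Constructed server replies, not captured traffic.
    engine.feed("10.0.0.5", 40001, "10.0.0.9", 22, "s", b"SSH-2.0-OpenSSH_3.9p1 Debian-1\r\n")
    engine.feed("10.0.0.5", 40002, "10.0.0.9", 80, "c", b"GET / HTTP/1.0\r\n\r\n")
    engine.feed("10.0.0.5", 40002, "10.0.0.9", 80, "s", b"HTTP/1.0 200 OK\r\nServer: Apache/2.0.54\r\n\r\n")
    engine.feed("10.0.0.5", 40003, "10.0.0.9", 25, "s", b"220 mail.example.test ESMTP Postfix\r\n")
    engine.feed("10.0.0.5", 40004, "10.0.0.9", 9999, "s", b"no idea what this is\r\n")
    return sorted(db.execute("SELECT port, service, app FROM services"))

if __name__ == "__main__":
    for row in run_demo():
        print(row)
```

Because nothing is ever sent, the decode only learns what the server volunteers in its banner; the unmatched port 9999 flow is simply recorded as nothing, which is the trade-off of "version scan minus the scan".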
Query interface
Google is smarter than me - ape their interface
Query language is simple (text, wildcards, +/-), but more advanced queries are possible with search operators (e.g. "app:Apache*")
Query engine maps Google-style queries to SQL
Would like to support stored queries, and a simple query history
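An added example of the Google-style-query-to-SQL mapping described above (not d00gle's own query engine): the parser handles free text, `*` wildcards, `+`/`-` and `op:value` operators, and the mapper emits a parameterised SELECT. The operator table, the `services` table layout and the inventory rows are assumed and constructed for the example. The security-relevant design point is that only whitelisted column names ever reach the SQL text; every value the user typed is bound as a parameter.

```python
import sqlite3

# Search operators the query language accepts, mapped to the columns they
# search. Only names in this table ever reach the SQL text.
OPERATORS = {"host": "ip", "port": "port", "service": "service", "app": "app"}
FREE_TEXT_COLUMNS = ("ip", "service", "app")

def parse_query(text):
    """Tokenise a Google-style query into (negated, column, value) terms.
    '+' marks a required term (the default), '-' excludes, 'op:value' narrows
    to one column, anything else is free text over several columns."""
    terms = []
    for token in text.split():
        negated = token.startswith("-")
        token = token.lstrip("+-")
        if not token:
            continue
        field, sep, value = token.partition(":")
        if sep and field in OPERATORS and value:
            terms.append((negated, OPERATORS[field], value))
        else:
            terms.append((negated, None, token))
    return terms

def to_sql(text):
    """Map the parsed query to a parameterised SELECT. '*' becomes SQL '%';
    free text is matched as a substring, operator terms as typed."""
    clauses, params = [], []
    for negated, column, value in parse_query(text):
        pattern = value.replace("*", "%")
        if column is None:
            clauses.append("(" + " OR ".join("%s LIKE ?" % c for c in FREE_TEXT_COLUMNS) + ")")
            params.extend(["%" + pattern + "%"] * len(FREE_TEXT_COLUMNS))
        else:
            clauses.append("%s LIKE ?" % column)
            params.append(pattern)
        if negated:
            clauses[-1] = "NOT " + clauses[-1]
    sql = "SELECT ip, port, service, app FROM services"
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    return sql, params

def search(db, text):
    sql, params = to_sql(text)
    return sorted(db.execute(sql, params))

def demo_db():
    """Constructed inventory rows, not collected data."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE services(ip TEXT, port INTEGER, service TEXT, app TEXT)")
    db.executemany("INSERT INTO services VALUES (?, ?, ?, ?)", [
        ("10.0.0.9", 80, "http", "Apache/2.0.54"),
        ("10.0.0.9", 22, "ssh", "OpenSSH 3.9p1"),
        ("10.0.0.12", 80, "http", "Apache/1.3.33"),
        ("10.0.0.12", 443, "https", "Apache/1.3.33"),
    ])
    return db

if __name__ == "__main__":
    db = demo_db()
    for q in ("app:Apache*", "app:Apache* -port:443", "openssh", "host:10.0.0.12 +service:http"):
        print(q, "->", to_sql(q)[0])
        for row in search(db, q):
            print("   ", row)
```

A query such as `app:x' OR '1'='1` produces a SQL string containing no quote characters at all: the stray quote travels inside a bound parameter and matches nothing, so the interface can be exposed to a web UI without the query language becoming an injection path into the collected data.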
Related work
Python fragroute
• evade dsniff detection! :-)
Arbor Networks Peakflow
• scalable traffic monitoring, engineering, and behavioral analysis for service providers and enterprises
Future work
User / social network profiling
Semantic analysis of conversation data
Auto-focus
Speech transcription for full-text VOIP search? :-)
Other Big Brother stuff
Contributions and derived work from users like you!
Conclusion
Everything you do on a network is observable in some way
What is your network saying about you? :-)
http://monkey.org/~dugsong/dpkt/
http://monkey.org/~dugsong/pypcap/
http://monkey.org/~dugsong/pyevent/
http://monkey.org/~dugsong/dsniff/